.\" $NetBSD: sysctl.7,v 1.18 2008/12/21 10:30:08 ad Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd December 21, 2008
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.Aq Pa sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column securityXX CTLXSECURITYXX "Next level namesXX"
.It Sy Name Ta Constant Ta Next level names Ta Description
.It kern Ta CTL\_KERN Ta sys/sysctl.h Ta High kernel limits
.It vm Ta CTL\_VM Ta uvm/uvm_param.h Ta Virtual memory
.It vfs Ta CTL\_VFS Ta sys/mount.h Ta Filesystem
.It net Ta CTL\_NET Ta sys/socket.h Ta Networking
.It debug Ta CTL\_DEBUG Ta sys/sysctl.h Ta Debugging
.It hw Ta CTL\_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta CTL\_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It user Ta CTL\_USER Ta sys/sysctl.h Ta User-level
.It ddb Ta CTL\_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It proc Ta CTL\_PROC Ta sys/sysctl.h Ta Per-process
.It vendor Ta CTL\_VENDOR Ta ? Ta Vendor specific
.It emul Ta CTL\_EMUL Ta sys/sysctl.h Ta Emulation settings
.It security Ta CTL\_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
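The textual names on this page are what /etc/sysctl.conf carries, so the Changeable columns and the kern.securelevel and kern.coredump.setid descriptions can be turned into a lint for that file.
The following is an added example, not part of the NetBSD manual page: the name=value syntax with # comments, the finding codes and the short read-only list (a subset of the tables) are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: lint a sysctl.conf-style file against facts stated on
# this page. Reads the file on stdin and prints one finding per line as
# LINE:CODE:NAME.
#   READONLY            name is listed here with Changeable = "no"
#   SETID_DUMP          kern.coredump.setid.dump set non-zero
#   SECURELEVEL_LOWERED kern.securelevel assigned below an earlier value
#   DUPLICATE           name assigned more than once
#   SYNTAX              non-comment line without name=value

# Assumed subset of the names this page marks as not changeable.
READONLY_NAMES="hw.machine hw.ncpu hw.pagesize hw.physmem"
READONLY_NAMES="$READONLY_NAMES kern.argmax kern.boottime kern.maxpartitions"
READONLY_NAMES="$READONLY_NAMES kern.ngroups kern.osrelease kern.ostype kern.version"

lint_sysctl_conf() {
    awk -v ro="$READONLY_NAMES" '
    BEGIN {
        n = split(ro, names, " ")
        for (i = 1; i <= n; i++) readonly[names[i]] = 1
    }
    {
        line = $0
        sub(/#.*/, "", line)                  # assumed comment syntax
        gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == "") next

        eq = index(line, "=")
        if (eq < 2) { print NR ":SYNTAX:" line; next }
        name = substr(line, 1, eq - 1)
        value = substr(line, eq + 1)
        gsub(/[ \t]+$/, "", name)
        gsub(/^[ \t]+/, "", value)

        if (name in seen) print NR ":DUPLICATE:" name
        seen[name] = NR

        if (name in readonly) print NR ":READONLY:" name

        # By default set-id processes do not dump core; non-zero enables it.
        if (name == "kern.coredump.setid.dump" && value + 0 != 0)
            print NR ":SETID_DUMP:" name

        # The level may be raised, and lowered only by process 1, so a
        # later, lower assignment in the same file cannot take effect.
        if (name == "kern.securelevel") {
            if (have_level && value + 0 < level)
                print NR ":SECURELEVEL_LOWERED:" name
            level = value + 0
            have_level = 1
        }
    }'
}

# Constructed sample input, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# constructed sample, not taken from a real host
kern.maxfiles=4096
hw.ncpu=8                  # listed as not changeable
kern.coredump.setid.dump=1
kern.securelevel=1
net.inet.ip.forwarding=0
kern.securelevel = 0       # later, lower value
kern.maxfiles=8192
this line has no assignment
EOF
}

sample_conf | lint_sysctl_conf
```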
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
One of its third level identifiers is
.Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
that gives the highest valid filesystem type number.
Its other third level identifier is
.Li vfs.generic.conf ( VFS_CONF )
that returns configuration information about the filesystem
type given as a fourth level identifier.
The remaining second level identifiers are the
filesystem type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It hw.acpi.supported_states Ta string Ta no
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.acpi.supported_states
List of possible
.Tn ACPI
sleep states.
The list can contain the following values:
.Bl -tag -width XS1X
.It S0
fully running
.It S1
power on suspend (CPU and hard disks are off)
.It S2
similar to S3, usually not implemented
.It S3
suspend-to-RAM
.It S4
suspend-to-disk (needs BIOS support)
.It S5
power off
.El
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.ne 1i
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "kern.posix_reader_writer_locks" "struct clockrateXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It kern.argmax Ta integer Ta no
.It kern.autonicetime Ta integer Ta yes
.It kern.autoniceval Ta integer Ta yes
.It kern.boottime Ta struct timeval Ta no
.It kern.bufq Ta node Ta not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.cp\_id Ta struct Ta no
.It kern.cp\_time Ta uint64_t[\|] Ta no
.It kern.defcorename Ta string Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock\_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov\_max Ta integer Ta no
.It kern.job\_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login\_name\_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped\_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock\_range Ta integer Ta no
.It kern.memory\_protection Ta integer Ta no
.It kern.monotonic\_clock Ta integer Ta no
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrev Ta integer Ta no
.It kern.ostype Ta string Ta no
.It kern.pipe Ta node Ta not applicable
.It kern.posix1 Ta integer Ta no
.It kern.posix\_barriers Ta integer Ta no
.It kern.posix\_reader\_writer\_locks Ta integer Ta no
.It kern.posix\_semaphores Ta integer Ta no
.It kern.posix\_spin\_locks Ta integer Ta no
.It kern.posix\_threads Ta integer Ta no
.It kern.posix\_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc\_args Ta string Ta no
.It kern.prof Ta node Ta not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root\_device Ta string Ta no
.It kern.root\_partition Ta integer Ta no
.It kern.rtc\_offset Ta integer Ta yes
.It kern.saved\_ids Ta integer Ta no
.It kern.securelevel Ta integer Ta raise only
.It kern.synchronized\_io Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.ne 1i
.Pp
.Bl -tag -width "123456"
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.autonicetime ( KERN_AUTONICETIME )
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li kern.autoniceval ( KERN_AUTONICEVAL )
The priority assigned for automatically niced processes.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of microseconds per hz tick, and the clock
skew rate.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4 ) .
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system panic.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's limit), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host id.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the hostname.
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipesXXX" "integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "Third level nameXXXXXX" "Fourth level is:XXXXXX" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN\_PROC\_ALL Ta None
.It KERN\_PROC\_GID Ta A group ID
.It KERN\_PROC\_PID Ta A process ID
.It KERN\_PROC\_PGRP Ta A process group
.It KERN\_PROC\_RGID Ta A real group ID
.It KERN\_PROC\_RUID Ta A real user ID
.It KERN\_PROC\_SESSION Ta A session ID
.It KERN\_PROC\_TTY Ta A tty device
.It KERN\_PROC\_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "Third level nameXXXXXX" -offset indent
.It KERN\_PROC\_ARGV Ta The argv strings
.It KERN\_PROC\_ENV Ta The environ strings
.It KERN\_PROC\_NARGV Ta The number of argv strings
.It KERN\_PROC\_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "KERN_SYSVIPC_MSGXXX" "integerXXX" "noXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFOXXX" "struct shm_sysctl_infoXXX" -offset indent
.It Sy Fourth level name Ta Type
.It KERN\_SYSVIPC\_MSG\_INFO Ta struct msg_sysctl_info
.It KERN\_SYSVIPC\_SEM\_INFO Ta struct sem_sysctl_info
.It KERN\_SYSVIPC\_SHM\_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.Aq Pa sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.Aq Pa sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.Aq Pa sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "KERNXTKSTATXRAWCCXXX" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
Tunings for Veriexec.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes' coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.\" XXX kern.lwp
.El
.Sh The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "CONSOLE_DEVICEXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li CPU_CONSDEV Ta dev_t Ta no
.El
.Sh The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level nameX" "IPsec key management valuesX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level nameXXXXXX" "Sixth level is:XXX" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET\_RT\_FLAGS Ta rtflags
.It NET\_RT\_DUMP Ta None
.It NET\_RT\_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "Variable nameXX" "integer" "yes" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information into
the routing table.
If the number of routing table entries exceed the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "yes" -offset indent
.It Sy Variable name Ta Type Ta Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
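Added example, not part of the NetBSD manual or its tools: a Python check of proposed settings against the limits the net.inet and net.inet6 descriptions above state (port ranges, min/max ordering, power-of-2 hash size) and against the values the text itself discourages. It assumes sysctl.conf-style name=value lines with # comments; the sample input is constructed.

```python
"""Check sysctl.conf-style settings against limits stated in sysctl(7)."""

# Port limits as documented for ip.* and ip6.* (inclusive bounds).
PORT_RANGES = {"anonportmin": (1024, 65535), "anonportmax": (1024, 65535),
               "lowportmin": (0, 1024), "lowportmax": (0, 1024)}
FAMILIES = ("net.inet.ip", "net.inet6.ip6")

# Values the manual page discourages or describes as removing a limit.
NOTED = {
    "net.inet.udp.checksum": (lambda v: v == 0, "UDP checksums disabled (strongly discouraged)"),
    "net.inet.tcp.compat_42": (lambda v: v == 1, "4.2BSD work-arounds enabled (not recommended)"),
    "net.inet.tcp.ack_on_push": (lambda v: v == 1, "ack_on_push enabled (generally not recommended)"),
    "net.inet.icmp.errppslimit": (lambda v: v < 0, "ICMP error rate limitation disabled"),
    "net.inet6.icmp6.errppslimit": (lambda v: v < 0, "ICMPv6 error rate limitation disabled"),
    "net.inet.tcp.rstppslimit": (lambda v: v < 0, "TCP RST rate limitation disabled"),
    "net.inet.ip.maxfragpackets": (lambda v: v == -1, "no limit on fragmented packets"),
    "net.inet6.ip6.maxfragpackets": (lambda v: v == -1, "no limit on fragmented packets"),
    "net.inet6.ip6.maxfrags": (lambda v: v == -1, "no limit on fragments"),
    "net.inet6.icmp6.nd6_debug": (lambda v: v != 0, "neighbor discovery debugging left on"),
}

# Constructed sample, not taken from a real host.
SAMPLE = """\
# proposed settings
net.inet.ip.anonportmin=49152
net.inet.ip.anonportmax=2048      # in range, but not above anonportmin
net.inet.ip.lowportmin=600
net.inet.ip.lowportmax=2000       # above the documented maximum of 1024
net.inet.ip.hashsize=300
net.inet6.ip6.hashsize=256
net.inet.udp.checksum=0
net.inet.icmp.errppslimit=-1
net.inet6.ip6.maxfrags=200
kern.hostname=example
"""


def parse(text):
    """Return {name: (lineno, value)} for integer-valued name=value lines."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumed comment syntax
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        try:
            settings[name.strip()] = (lineno, int(value.strip()))
        except ValueError:
            continue  # string-valued variables are outside this check
    return settings


def audit(text):
    """Return sorted (lineno, severity, name, message) findings."""
    s = parse(text)
    out = []
    for fam in FAMILIES:
        for var, (lo, hi) in PORT_RANGES.items():
            name = f"{fam}.{var}"
            if name in s and not lo <= s[name][1] <= hi:
                out.append((s[name][0], "error", name, f"must be within {lo}..{hi}"))
        for kind in ("anonport", "lowport"):
            lo_n, hi_n = f"{fam}.{kind}min", f"{fam}.{kind}max"
            # The ordering is only checkable when the file sets both ends.
            if lo_n in s and hi_n in s and s[hi_n][1] <= s[lo_n][1]:
                out.append((s[hi_n][0], "error", hi_n, f"must be greater than {lo_n}"))
        name = f"{fam}.hashsize"
        if name in s:
            v = s[name][1]
            if v <= 0 or v & (v - 1):
                out.append((s[name][0], "error", name, "must be a power of 2"))
    for name, (is_noted, msg) in NOTED.items():
        if name in s and is_noted(s[name][1]):
            out.append((s[name][0], "warn", name, msg))
    return sorted(out)


if __name__ == "__main__":
    for lineno, severity, name, msg in audit(SAMPLE):
        print(f"line {lineno}: {severity}: {name}: {msg}")
```

The ordering check only fires when a file sets both ends of a range; a value that depends on the running kernel's other setting still has to be compared against the live value.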
.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" "yes" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.Pp
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.\" XXX proc.pid.rlimit.sbsize
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
The child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps with attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps with attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.Pp
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.ne 1i
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct uvmexp_sysctlXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The integer information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "ddb.fromconsoleXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.lines ( DBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE )
If non-zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.\" XXX tee_msgbuf maxwidth commandonenter
.El
.Pp
These MIB nodes are also available as variables from within the DDB.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, returned objects are filtered according to the user ID
requesting information about them, preventing users from any
access to objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enable
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.expiry_timeout
If the maximum number of crashes is not reached within this timeout
(in seconds), the entry will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.It Li security.pax.segvguard.max_crashes
Maximum number of segfaults a program can receive before suspension.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
top-level name is reserved for use by vendors who wish to
have their own private MIB tree.
The intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
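The security.pax.*.enable and security.pax.*.global knobs described above combine with the per-program paxctl(8) marking to decide whether a feature applies. The following is an added example, not part of this manual page or of NetBSD: it resolves that decision and audits sysctl(8)-style "name = value" text for features an unmarked program does not get. The enum and function names are hypothetical, the sample text is constructed, and it assumes Segvguard's enable knob overrides per-program marks the same way the page states for ASLR and MPROTECT.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-binary paxctl(8) marking; these enum names are hypothetical. */
enum pax_mark { PAX_UNMARKED, PAX_MARK_ENABLE, PAX_MARK_DISABLE };

/* Returns 1 if the feature applies to the program, 0 otherwise. */
int pax_effective(int enable, int global, enum pax_mark mark)
{
    if (enable == 0)            /* knob off: an explicit enable does not help */
        return 0;
    if (mark == PAX_MARK_ENABLE)
        return 1;
    if (mark == PAX_MARK_DISABLE)
        return 0;
    return global != 0;         /* unmarked programs follow the global policy */
}

/* Find a "name = value" line in sysctl(8)-style text; -1 if absent. */
int knob_value(const char *text, const char *name)
{
    size_t n = strlen(name);
    const char *p = text;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, n) == 0 && strncmp(p + n, " = ", 3) == 0)
            return atoi(p + n + 3);
        p = strchr(p, '\n');
        if (p != NULL)
            p++;
    }
    return -1;
}

/* Count PaX features an unmarked program does not get; a missing knob
 * is counted as unprotected. */
int unprotected_by_default(const char *text)
{
    static const char *feat[] = { "aslr", "mprotect", "segvguard" };
    char name[64];
    int missing = 0;
    for (size_t i = 0; i < sizeof feat / sizeof feat[0]; i++) {
        snprintf(name, sizeof name, "security.pax.%s.enable", feat[i]);
        int en = knob_value(text, name);
        snprintf(name, sizeof name, "security.pax.%s.global", feat[i]);
        int gl = knob_value(text, name);
        if (en < 0 || gl < 0 || !pax_effective(en, gl, PAX_UNMARKED))
            missing++;
    }
    return missing;
}

/* Constructed sample, not captured from a real host. */
static const char SAMPLE[] =
    "security.pax.aslr.enable = 1\nsecurity.pax.aslr.global = 1\n"
    "security.pax.mprotect.enable = 1\nsecurity.pax.mprotect.global = 0\n"
    "security.pax.segvguard.enable = 0\nsecurity.pax.segvguard.global = 1\n";

int main(void)
{
    printf("features off by default: %d\n", unprotected_by_default(SAMPLE));
    return 0;
}
```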