.\" $NetBSD: sysctl.7,v 1.62 2011/03/18 16:20:12 jruoho Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd March 18, 2011
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits
.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory
.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem
.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking
.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging
.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent
.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level
.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger
.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process
.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( VFS_USERMOUNT )
Determines whether non-superuser mounts are allowed; defaults to no,
.Dv 0 .
.It Li vfs.generic.magiclinks ( VFS_MAGICLINKS )
Controls whether variable expansion is performed on pathnames.
Defaults to no variable expansion,
.Dv 0 .
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
The second level name
.Li vfs.wapbl
controls the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journalling)
capabilities and has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure data integrity in
case of a crash.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4321, or 1234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max Ta integer Ta yes
.It kern.aio_max Ta integer Ta yes
.It kern.arandom Ta integer Ta no
.It kern.argmax Ta integer Ta no
.It kern.boothowto Ta integer Ta no
.It kern.boottime Ta struct timeval Ta no
.\".It kern.bufq node not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.coredump Ta node Ta not applicable
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.cryptodevallowsoft Ta integer Ta yes
.It kern.defcorename Ta string Ta yes
.It kern.detachall Ta integer Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.dump_on_panic Ta integer Ta yes
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.module Ta node Ta not applicable
.It kern.monotonic_clock Ta integer Ta no
.It kern.mqueue Ta node Ta not applicable
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.\".It kern.no_sa_support integer yes
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrevision Ta integer Ta no
.It kern.ostype Ta string Ta no
.\".It kern.panic_now integer yes
.It kern.pipe Ta node Ta not applicable
.\" .It kern.posix node not applicable
.It kern.posix1version Ta integer Ta no
.It kern.posix_aio Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.\".It kern.posix_sched integer yes
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.profiling Ta node Ta not applicable
.\".It kern.pset node not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.sbmax Ta integer Ta yes
.\".It kern.sched node not applicable
.It kern.securelevel Ta integer Ta raise only
.It kern.somaxkva Ta integer Ta yes
.It kern.synchronized_io Ta integer Ta no
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.usercrypto Ta integer Ta yes
.It kern.userasymcrypto Ta integer Ta yes
.It kern.veriexec Ta node Ta not applicable
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous
.Tn I/O
operations in a single list I/O call.
As with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom
This variable picks a random number each time it is queried.
The random number generator
.Pf ( Tn RNG )
used is based on
.Xr arc4random 3 .
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Vt struct timeval
structure is returned.
This structure contains the time that the system was booted.
.\" .It Li kern.bufq
.\" XXX: Undocumented.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to coredumps of set-id processes.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump Ta integer Ta yes
.It kern.coredump.setid.group Ta integer Ta yes
.It kern.coredump.setid.mode Ta integer Ta yes
.It kern.coredump.setid.owner Ta integer Ta yes
.It kern.coredump.setid.path Ta string Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv \*[Lt] 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv \*[Gt] 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4 ) .
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to a limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host identifier.
This is intended to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload Ta integer Ta yes
.It kern.module.verbose Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for additional details.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to
.Tn POSIX
message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max Ta integer Ta yes
.It kern.mqueue.mq_prio_max Ta integer Ta yes
.It kern.mqueue.mq_max_msgsize Ta integer Ta yes
.It kern.mqueue.mq_def_maxmsg Ta integer Ta yes
.It kern.mqueue.mq_max_maxmsg Ta integer Ta yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.\" .It Li kern.sched
.\" XXX: Undocumented.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.veriexec.algorithms Ta string Ta no
.It kern.veriexec.count Ta node Ta not applicable
.It kern.veriexec.strict Ta integer Ta yes
.It kern.veriexec.verbose Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.\" XXX: Undocumented: kern.lwp: no children?
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li machdep.booted_kernel Ta string Ta no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information into
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug output is useful for diagnosing IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, the kernel IPv6 stack will use the loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which queries should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to the
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Sy Type Ta Sy Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.In netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It prevents a flood of ACQUIRE PF_KEY messages from being sent from the
kernel to the key management daemon.
.It Li blockacq_lifetime
Lifetime of an ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates the proposal payload
on an ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
A non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates the proposal payload
on an ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates the proposal payload
on an ACQUIRE PF_KEY message.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process' children will be stopped after
.Xr fork 2
calls.
The child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps in attaching a debugger such as
.Xr gdb 1
to the process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps in attaching a debugger such as
.Xr gdb 1
to the process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Ss The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Ss The ddb.* subtree ( CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.It ddb.commandonenter Ta string Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DDBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.lines ( DDBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DDBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.It Li ddb.commandonenter
If not empty, a command to be executed each time
.Tn DDB
is entered.
.\"
.\" XXX: (a) ddb.commandonenter is missing in ddb(4);
.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter.
.El
.Pp
Some of these
.Tn MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain Ta integer Ta yes
.It Li security.models Ta node Ta not applicable
.It Li security.pax Ta node Ta not applicable
.El
.Pp
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter returned objects according to the user
.Tn ID
requesting information about them, preventing users from any
access to objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled Ta integer Ta yes
.\".It Li security.pax.aslr.exec_len integer yes
.It Li security.pax.aslr.global Ta integer Ta yes
.\".It Li security.pax.aslr.mmap_len integer yes
.\".It Li security.pax.aslr.stack_len integer yes
.It Li security.pax.mprotect.enabled Ta integer Ta yes
.It Li security.pax.mprotect.global Ta integer Ta yes
.It Li security.pax.segvguard.enabled Ta integer Ta yes
.It Li security.pax.segvguard.expiry_timeout Ta integer Ta yes
.It Li security.pax.segvguard.global Ta integer Ta yes
.It Li security.pax.segvguard.max_crashes Ta integer Ta yes
.It Li security.pax.segvguard.suspend_timeout Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is
explicitly set to enable it.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is explicitly set to enable it.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard are still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the maximum number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
top level name is reserved to be used by vendors who wish to
have their own private MIB tree.
The intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
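.Pp
Added example, not part of the NetBSD manual page: a POSIX shell script that applies the rules given above for security.pax.aslr and security.pax.mprotect, the icmp6.nodeinfo bits and the special values of ip6.maxfragpackets and ip6.maxfrags to saved sysctl(8) output.
The sample output, the enable/disable/none labels standing for a program's paxctl(8) marking, and the OK/WARN baseline are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not NetBSD code. SAMPLE is constructed sysctl(8)-style
# output; the values are invented for illustration.
SAMPLE='security.pax.aslr.enabled = 1
security.pax.aslr.global = 0
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 1
net.inet6.icmp6.nodeinfo = 3
net.inet6.ip6.maxfragpackets = -1
net.inet6.ip6.maxfrags = 200'

# sysctl_get DATA NAME: print NAME's value; exit status 1 if it is absent.
# Accepts "name = value" (sysctl output) and "name=value" (sysctl.conf).
sysctl_get() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) { print val; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# pax_policy DATA FEATURE MARK: print on/off for one program (or unknown).
# FEATURE is aslr or mprotect. MARK stands for the program's paxctl(8)
# marking: enable, disable or none (labels assumed for this example).
pax_policy() {
    enabled=$(sysctl_get "$1" "security.pax.$2.enabled") || { echo unknown; return 2; }
    global=$(sysctl_get "$1" "security.pax.$2.global") || { echo unknown; return 2; }
    # The .enabled knob must be non-zero, even for an explicit enable.
    if [ "$enabled" -eq 0 ]; then echo off; return 0; fi
    case $3 in
        enable)  echo on ;;
        disable) echo off ;;
        *)  # no explicit flag: the .global default decides
            if [ "$global" -ne 0 ]; then echo on; else echo off; fi ;;
    esac
}

# nodeinfo_decode VALUE: which ICMPv6 node information queries are answered.
nodeinfo_decode() {
    out=
    if [ $(( $1 & 1 )) -ne 0 ]; then out=fqdn; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then out="${out:+$out,}addresses"; fi
    echo "${out:-none}"
}

# frag_limit_state VALUE: classify ip6.maxfragpackets or ip6.maxfrags.
frag_limit_state() {
    case $1 in
        0)  echo reject-all ;;
        -1) echo unlimited ;;
        *)  echo "limit=$1" ;;
    esac
}

# audit DATA: one line per setting. WARN marks states that this example's
# baseline (an assumption, not NetBSD guidance) flags for review.
audit() {
    for f in aslr mprotect; do
        p=$(pax_policy "$1" "$f" none) || :
        if [ "$p" = on ]; then tag=OK; else tag=WARN; fi
        echo "$tag security.pax.$f unmarked-programs=$p"
    done
    for v in maxfragpackets maxfrags; do
        if val=$(sysctl_get "$1" "net.inet6.ip6.$v"); then
            s=$(frag_limit_state "$val")
        else
            s=unknown
        fi
        case $s in unlimited|unknown) tag=WARN ;; *) tag=OK ;; esac
        echo "$tag net.inet6.ip6.$v $s"
    done
    if val=$(sysctl_get "$1" net.inet6.icmp6.nodeinfo); then
        s=$(nodeinfo_decode "$val")
    else
        s=unknown
    fi
    if [ "$s" = none ]; then tag=OK; else tag=WARN; fi
    echo "$tag net.inet6.icmp6.nodeinfo answers=$s"
}

audit "$SAMPLE"
```

On a live system the DATA argument can be the saved output of sysctl(8) for the security and net.inet6 subtrees in place of SAMPLE.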