xref: /netbsd-src/share/man/man7/sysctl.7 (revision 4724848cf0da353df257f730694b7882798e5daf)
.\"	$NetBSD: sysctl.7,v 1.163 2022/12/16 08:42:55 msaitoh Exp $
.\"
.\" Copyright (c) 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)sysctl.3	8.4 (Berkeley) 5/9/95
.\"
.Dd December 16, 2022
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name  Ta Sy Constant     Ta Sy Next level names Ta Sy Description
.It kern     Ta Dv CTL_KERN     Ta In sys/sysctl.h     Ta High kernel limits
.It vm       Ta Dv CTL_VM       Ta In uvm/uvm_param.h  Ta Virtual memory
.It vfs      Ta Dv CTL_VFS      Ta In sys/mount.h      Ta Filesystem
.It net      Ta Dv CTL_NET      Ta In sys/socket.h     Ta Networking
.It debug    Ta Dv CTL_DEBUG    Ta In sys/sysctl.h     Ta Debugging
.It hw       Ta Dv CTL_HW       Ta In sys/sysctl.h     Ta Generic CPU, I/O
.It machdep  Ta Dv CTL_MACHDEP  Ta In sys/sysctl.h     Ta Machine dependent
.It user     Ta Dv CTL_USER     Ta In sys/sysctl.h     Ta User-level
.It ddb      Ta Dv CTL_DDB      Ta In sys/sysctl.h     Ta In-kernel debugger
.It proc     Ta Dv CTL_PROC     Ta In sys/sysctl.h     Ta Per-process
.It vendor   Ta Dv CTL_VENDOR   Ta ?                   Ta Vendor specific
.It emul     Ta Dv CTL_EMUL     Ta In sys/sysctl.h     Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h     Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( Dv VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( Dv VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT )
Determines if non-superuser mounts are allowed, defaults to
.Dv 0 .
.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS )
Controls if expansion of variables is going to be performed on pathnames
or not.
Defaults to no variable expansion,
.Dv 0 .
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
A second level name for controlling the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journaling)
capabilities with the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure integrity
of file system metadata in the event of a power loss.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes	integer	no
.It hw.byteorder	integer	no
.It hw.cnmagic	string	yes
.It hw.disknames	string	no
.It hw.diskstats	struct	no
.It hw.machine	string	no
.It hw.machine_arch	string	no
.It hw.model	string	no
.It hw.ncpu	integer	no
.It hw.ncpuonline	integer	no
.It hw.pagesize	integer	no
.It hw.physmem	integer	no
.It hw.physmem64	quad	no
.It hw.usermem	integer	no
.It hw.usermem64	quad	no
.El
.Bl -tag -width "123456"
.It Li hw.alignbytes ( Dv HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( Dv HW_BYTEORDER )
The byte order (4321 or 1234).
.It Li hw.cnmagic ( Dv HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( Dv HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( Dv HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( Dv HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( Dv HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( Dv HW_MODEL )
The machine model.
.It Li hw.ncpu ( Dv HW_NCPU )
The number of CPUs configured.
.It Li hw.ncpuonline ( Dv HW_NCPUONLINE )
The number of CPUs online.
.It Li hw.pagesize ( Dv HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( Dv HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( Dv HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( Dv HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( Dv HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max	integer	yes
.It kern.aio_max	integer	yes
.It kern.arandom	integer	no
.It kern.argmax	integer	no
.It kern.boothowto	integer	no
.It kern.boottime	struct timespec	no
.It kern.buildinfo	string	no
.\".It kern.bufq	node	not applicable
.It kern.ccpu	integer	no
.It kern.clockrate	struct clockinfo	no
.It kern.consdev	integer	no
.It kern.coredump	node	not applicable
.It kern.cp_id	struct	no
.It kern.cp_time	uint64_t[\|]	no
.It kern.cryptodevallowsoft	integer	yes
.It kern.defcorename	string	yes
.It kern.detachall	integer	yes
.It kern.domainname	string	yes
.It kern.drivers	struct kinfo_drivers	no
.It kern.dump_on_panic	integer	yes
.It kern.expose_address	integer	yes
.It kern.file	struct file	no
.It kern.forkfsleep	integer	yes
.It kern.fscale	integer	no
.It kern.fsync	integer	no
.It kern.hardclock_ticks	integer	no
.It kern.hostid	integer	yes
.It kern.hostname	string	yes
.It kern.iov_max	integer	no
.It kern.ipc	node	not applicable
.It kern.job_control	integer	no
.It kern.labeloffset	integer	no
.It kern.labelsector	integer	no
.It kern.login_name_max	integer	no
.It kern.logsigexit	integer	yes
.It kern.lwp	struct kinfo_lwp	yes
.It kern.mapped_files	integer	no
.It kern.maxfiles	integer	yes
.It kern.maxlwp	integer	yes
.It kern.maxpartitions	integer	no
.It kern.maxphys	integer	no
.It kern.maxproc	integer	yes
.It kern.maxptys	integer	yes
.It kern.maxvnodes	integer	yes
.It kern.messages	integer	yes
.It kern.mbuf	node	not applicable
.It kern.memlock	integer	no
.It kern.memlock_range	integer	no
.It kern.memory_protection	integer	no
.It kern.module	node	not applicable
.It kern.monotonic_clock	integer	no
.It kern.mqueue	node	not applicable
.It kern.msgbuf	integer	no
.It kern.msgbufsize	integer	no
.It kern.ngroups	integer	no
.\".It kern.no_sa_support	integer	yes
.It kern.ntptime	struct ntptimeval	no
.It kern.osrelease	string	no
.It kern.osrevision	integer	no
.It kern.ostype	string	no
.\".It kern.panic_now	integer	yes
.It kern.pipe	node	not applicable
.It kern.pool	struct pool_sysctl	no
.\" .It kern.posix	node	not applicable
.It kern.posix1version	integer	no
.It kern.posix_aio	integer	no
.It kern.posix_barriers	integer	no
.It kern.posix_reader_writer_locks	integer	no
.\".It kern.posix_sched	integer	yes
.It kern.posix_semaphores	integer	no
.It kern.posix_spin_locks	integer	no
.It kern.posix_threads	integer	no
.It kern.posix_timers	integer	no
.It kern.proc	struct kinfo_proc	no
.It kern.proc2	struct kinfo_proc2	no
.It kern.proc_args	string	no
.It kern.profiling	node	not applicable
.\".It kern.pset	node	not applicable
.It kern.rawpartition	integer	no
.It kern.root_device	string	no
.It kern.root_partition	integer	no
.It kern.rtc_offset	integer	yes
.It kern.saved_ids	integer	no
.It kern.sbmax	integer	yes
.It kern.sched	node	not applicable
.It kern.securelevel	integer	raise only
.It kern.sofixedbuf	boolean	yes
.It kern.somaxkva	integer	yes
.It kern.sooptions	integer	yes
.It kern.synchronized_io	integer	no
.It kern.timecounter	node	not applicable
.It kern.timex	struct	no
.It kern.tkstat	node	not applicable
.It kern.tty	node	not applicable
.It kern.urandom	integer	no
.It kern.usercrypto	integer	yes
.It kern.userasymcrypto	integer	yes
.It kern.veriexec	node	not applicable
.It kern.version	string	no
.It kern.vnode	struct vnode	no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous I/O operations in a single list
I/O call.
Like with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom ( Dv KERN_ARND )
Returns independent uniformly distributed bytes at random each time, as
many as requested up to 256, derived from the system entropy pool; see
.Xr rnd 4 .
.Pp
Reading
.Li kern.arandom
is equivalent to reading up to 256 bytes at a time from
.Pa /dev/urandom :
reading
.Li kern.arandom
never blocks, and once the system entropy pool has full entropy, output
subsequently read from
.Li kern.arandom
is fit for use as cryptographic key material.
For example, the
.Xr arc4random 3
library routine uses
.Li kern.arandom
internally to seed a cryptographic pseudorandom number generator.
.It Li kern.argmax ( Dv KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( Dv KERN_BOOTTIME )
A
.Vt struct timespec
structure is returned.
This structure contains the time that the system was booted.
That time is defined (for this purpose) to be the time at
which the kernel first started accumulating clock ticks.
.It Li kern.bufq
This variable contains information on the
.Xr bufq 9
subsystem.
Currently, the only third level name implemented is
.Dv kern.bufq.strategies
which provides a list of buffer queue strategies currently available.
.It Li kern.buildinfo
When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
.It Li kern.ccpu ( Dv KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( Dv KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of microseconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( Dv KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to coredumps of set-id processes.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump	integer	yes
.It kern.coredump.setid.group	integer	yes
.It kern.coredump.setid.mode	integer	yes
.It kern.coredump.setid.owner	integer	yes
.It kern.coredump.setid.path	string	yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( Dv KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( Dv KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s .
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv < 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv > 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( Dv KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( Dv KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( Dv KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.expose_address
Expose kernel addresses in
.Xr sysctl 3
calls used by
.Xr fstat 1
and
.Xr sockstat 1 .
If it is set to
.Dv 0
access is not allowed.
If it is set to
.Dv 1
then only processes that have opened
.Pa /dev/kmem
can have access.
If it is set to
.Dv 2
every process is allowed.
Defaults to
.Dv 0
for
.Dv KASLR
kernels
and
.Dv 1
otherwise.
Allowing general access renders KASLR ineffective; allowing only kmem
accessing programs weakens KASLR if those programs can be subverted
to leak the addresses.
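An added example (not part of the NetBSD manual or sources): a POSIX shell audit that checks sysctl(8) output against what this page documents for kern.expose_address, kern.coredump.setid.dump, vfs.generic.usermount, vfs.generic.magiclinks and vfs.wapbl.flush_disk_cache. The function names, the sample values, the accepted notation for kern.coredump.setid.mode and the rule that group/other permission bits on a set-id core file count as a failure are assumptions of the example.

```sh
#!/bin/sh
# Added example, not NetBSD code: audit sysctl settings against sysctl(7).
# Input on stdin: "name = value" lines as printed by sysctl(8); the
# "name=value" form of /etc/sysctl.conf and '#' comment lines also work.

tab=$(printf '\t')

finding() {  # finding LEVEL name value reason
    printf '%s %s=%s: %s\n' "$1" "$2" "$3" "$4"
}

# Prints one finding per line; returns 1 if any of them is a FAIL.
audit_sysctl() {
    fail=0 setid_dump=0 setid_mode=
    # Splitting on blanks and '=' handles both "a = 1" and "a=1".
    while IFS=" $tab=" read -r name value; do
        case $name in
        ''|'#'*) continue ;;
        kern.expose_address)
            case $value in
            0) ;;
            1) finding WARN "$name" "$value" \
                   "programs that opened /dev/kmem get kernel addresses; KASLR kernels default to 0" ;;
            2) finding FAIL "$name" "$value" \
                   "every process gets kernel addresses; KASLR is ineffective"
               fail=1 ;;
            *) finding WARN "$name" "$value" "value is not 0, 1 or 2" ;;
            esac ;;
        vfs.generic.usermount)
            [ "$value" = 0 ] || finding WARN "$name" "$value" \
                "non-superuser mounts are allowed (default 0)" ;;
        vfs.generic.magiclinks)
            [ "$value" = 0 ] || finding WARN "$name" "$value" \
                "@name variables in pathnames are expanded (default 0)" ;;
        vfs.wapbl.flush_disk_cache)
            [ "$value" = 1 ] || {
                finding FAIL "$name" "$value" \
                    "commits skip the disk cache flush; metadata integrity is at risk on power loss"
                fail=1
            } ;;
        kern.coredump.setid.dump) setid_dump=$value ;;
        kern.coredump.setid.mode) setid_mode=$value ;;
        esac
    done

    # Set-id core dumps are off by default. When they are on, also look at
    # the mode. Assumptions of this example: the mode is given in decimal or
    # 0-prefixed octal, and group/other bits on such a core file are a FAIL.
    if [ "$setid_dump" != 0 ]; then
        finding WARN kern.coredump.setid.dump "$setid_dump" \
            "set-id processes dump core (off by default)"
        case $setid_mode in
        ''|*[!0-9]*|0*[89]*)
            finding WARN kern.coredump.setid.mode "$setid_mode" \
                "mode missing or not a number; check it by hand" ;;
        *)
            if [ $(( $setid_mode & 077 )) -ne 0 ]; then
                finding FAIL kern.coredump.setid.mode "$setid_mode" \
                    "set-id core files are accessible to group or others"
                fail=1
            fi ;;
        esac
    fi
    return "$fail"
}

# Constructed sample input (not captured from a real system).
sample_sysctl() {
    cat <<'EOF'
# constructed sample
kern.expose_address = 2
kern.coredump.setid.dump = 1
kern.coredump.setid.mode = 420
kern.coredump.setid.path = /var/crash/%n.core
vfs.generic.usermount = 1
vfs.generic.magiclinks = 0
vfs.wapbl.flush_disk_cache = 1
EOF
}

sample_sysctl | audit_sysctl || echo "audit: FAIL findings present"
```

On a live system the same function can be fed the output of sysctl(8) for the listed names instead of the constructed sample.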
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( Dv KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning the
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( Dv KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( Dv KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hist
This variable contains kernel history data if the kernel was
configured for any of the options
.Dv UVMHIST ,
.Dv USB_DEBUG ,
.Dv BIOHIST ,
or
.Dv SCDEBUG .
(See
.Xr options 4
for more details.)
The third-level names correspond to each available history table.
The values of the history tables are in an internal format, and can be
decoded by the
.Xr vmstat 1
utility's
.Fl U
and
.Fl u
options;
the
.Fl l
option can be used to see which tables are available.
.It Li kern.hostid ( Dv KERN_HOSTID )
Get or set the host identifier.
This is intended to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( Dv KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( Dv KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( Dv KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg	integer	no
.It kern.ipc.sysvsem	integer	no
.It kern.ipc.sysvshm	integer	no
.It kern.ipc.sysvipc_info	struct	no
.It kern.ipc.shmmax	integer	yes
.It kern.ipc.shmmni	integer	yes
.It kern.ipc.shmseg	integer	yes
.It kern.ipc.shmmaxpgs	integer	yes
.It kern.ipc.shm_use_phys	integer	yes
.It kern.ipc.msgmni	integer	yes
.It kern.ipc.msgseg	integer	yes
.It kern.ipc.semmni	integer	yes
.It kern.ipc.semmns	integer	yes
.It kern.ipc.semmnu	integer	yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO	struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO	struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO	struct shm_sysctl_info
.El
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( Dv KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( Dv KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( Dv KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.lwp ( Dv KERN_LWP )
Returns information about the current light-weight process.
The
.Sy kinfo_lwp
structure is defined in
.In sys/sysctl.h .
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( Dv KERN_MAXFILES )
The maximum number of files that may be open in the system.
This also controls the maximum file locks per unprivileged user
enforced by
.Xr fcntl 2
and
.Xr flock 2 .
.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxlwp
The maximum number of Lightweight Processes (threads) the system allows
per uid.
.It Li kern.maxphys ( Dv KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( Dv KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( Dv KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( Dv KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This cannot be lowered below the number of currently active vnodes.
.It Li kern.mbuf ( Dv KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters_limit" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat	integer	yes
.It kern.mbuf.mclbytes	integer	yes
.It kern.mbuf.mcllowat	integer	yes
.It kern.mbuf.msize	integer	yes
.It kern.mbuf.nmbclusters	integer	yes
.It kern.mbuf.nmbclusters_limit	integer	no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( Dv MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.It Li kern.mbuf.nmbclusters_limit ( Dv MBUF_NMBCLUSTERS_LIMIT )
The limit of nmbclusters.
.El
.It Li kern.memlock ( Dv KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.messages
Kernel console message verbosity.
See
.Aq Pa sys/reboot.h
.Bl -column "verbosity" "setting" -offset indent
.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent
.It 0 Ta Silent Ta Sy AB_SILENT
.It 1 Ta Quiet Ta Sy AB_QUIET
.It 2 Ta Normal Ta Sy AB_NORMAL
.It 3 Ta Verbose Ta Sy AB_VERBOSE
.It 4 Ta Debug Ta Sy AB_DEBUG
.El
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autounload_unsafe" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload	integer	yes
.It kern.module.autounload_unsafe	integer	yes
.It kern.module.autotime	integer	yes
.It kern.module.verbose	boolean	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width 6n
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for details.
.It Li kern.module.autounload_unsafe
A boolean that controls whether the kernel will autounload modules that
were automatically loaded and have not been audited for autounload.
.Pp
By default, only modules that have been audited will be autounloaded,
and only if they were autoloaded to begin with.
.It Li kern.module.autotime
An integer that controls the delay before an attempt is made to
automatically unload a module that was auto-loaded.
Setting this value to zero disables the auto-unload function.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to POSIX message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max	integer	yes
.It kern.mqueue.mq_prio_max	integer	yes
.It kern.mqueue.mq_max_msgsize	integer	yes
.It kern.mqueue.mq_def_maxmsg	integer	yes
.It kern.mqueue.mq_max_maxmsg	integer	yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( Dv KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( Dv KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( Dv KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( Dv KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( Dv KERN_OSREV )
929.It Li kern.osrevision ( Dv KERN_OSREV )
930The system revision string.
931.It Li kern.ostype ( Dv KERN_OSTYPE )
932The system type string.
933.\".It Li kern.panic_now
934.\" XXX: Undocumented.
935.It Li kern.pipe ( Dv KERN_PIPE )
936Pipe settings.
937The third level names for the integer pipe settings are detailed below.
938The changeable column shows whether a process with appropriate
939privilege may change the value.
940.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
941.It Sy Third level name Ta Sy Type Ta Sy Changeable
942.It kern.pipe.kvasiz	integer	yes
943.It kern.pipe.maxbigpipes	integer	yes
944.It kern.pipe.maxkvasz	integer	yes
945.It kern.pipe.limitkva	integer	yes
946.It kern.pipe.nbigpipes	integer	yes
947.El
948.Pp
949The variables are as follows:
950.Bl -tag -width "123456"
951.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ )
952Amount of kernel memory consumed by pipe buffers.
953.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES )
954Maximum number of
955.Dq big
956pipes.
957.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ )
958Maximum amount of kernel memory to be used for pipes.
959.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA )
960Limit for direct transfers via page loan.
961.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES )
962Number of
963.Dq big
964pipes.
965.El
966.It Li kern.pool
967Provides statistics about the
968.Xr pool 9
969and
970.Xr pool_cache 9
971subsystems.
972.\" XXX: Undocumented .It Li kern.posix ( ? )
973.\"	 This is a node in which the only variable is semmax.
974.It Li kern.posix1version ( Dv KERN_POSIX1 )
975The version of ISO/IEC 9945
976.Pq St -p1003.1
977with which the system attempts to comply.
978.It Li kern.posix_aio
979The version of
980.St -p1003.1
981and its Asynchronous I/O option to which the system attempts to conform.
982.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS )
983The version of
984.St -p1003.1
985and its
986Barriers
987option to which the system attempts to conform,
988otherwise\ 0.
989.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS )
990The version of
991.St -p1003.1
992and its
993Read-Write Locks
994option to which the system attempts to conform,
995otherwise\ 0.
996.\".It Li kern.posix_sched
997.\" XXX: Undocumented.
998.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES )
999The version of
1000.St -p1003.1
1001and its
1002Semaphores
1003option to which the system attempts to conform,
1004otherwise\ 0.
1005.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS )
1006The version of
1007.St -p1003.1
1008and its
1009Spin Locks
1010option to which the system attempts to conform,
1011otherwise\ 0.
1012.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS )
1013The version of
1014.St -p1003.1
1015and its
1016Threads
1017option to which the system attempts to conform,
1018otherwise\ 0.
1019.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS )
1020The version of
1021.St -p1003.1
1022and its
1023Timers
1024option to which the system attempts to conform,
1025otherwise\ 0.
1026.It Li kern.proc ( Dv KERN_PROC )
1027Return the entire process table, or a subset of it.
1028An array of
1029.Vt struct kinfo_proc
1030structures is returned,
1031whose size depends on the current number of such objects in the system.
1032The third and fourth level numeric names are as follows:
1033.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
1034.It Sy Third level name Ta Sy Fourth level is :
1035.It KERN_PROC_ALL	None
1036.It KERN_PROC_GID	A group ID
1037.It KERN_PROC_PID	A process ID
1038.It KERN_PROC_PGRP	A process group
1039.It KERN_PROC_RGID	A real group ID
1040.It KERN_PROC_RUID	A real user ID
1041.It KERN_PROC_SESSION	A session ID
1042.It KERN_PROC_TTY	A tty device
1043.It KERN_PROC_UID	A user ID
1044.El
1045.It Li kern.proc2 ( Dv KERN_PROC2 )
1046As for
1047.Dv KERN_PROC ,
1048but an array of
1049.Vt struct kinfo_proc2
1050structures is returned.
1051The fifth level name is the size of the
1052.Vt struct kinfo_proc2
1053and the sixth level name is the number of structures to return.
1054.It Li kern.proc_args ( Dv KERN_PROC_ARGS )
1055Return the argv or environment strings (or the number thereof)
1056of a process.
1057Multiple strings are returned separated by NUL characters.
1058The third level name is the process ID.
1059The fourth level name is as follows:
1060.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent
1061.It Dv KERN_PROC_ARGV	The argv strings
1062.It Dv KERN_PROC_ENV	The environ strings
1063.It Dv KERN_PROC_NARGV	The number of argv strings
1064.It Dv KERN_PROC_NENV	The number of environ strings
1065.It Dv KERN_PROC_PATHNAME	The full pathname of the executable
1066.It Dv KERN_PROC_CWD	The current working directory
1067.El
1068.It Li kern.profiling ( Dv KERN_PROF )
1069Return profiling information about the kernel.
1070If the kernel is not compiled for profiling,
1071attempts to retrieve any of the
1072.Dv KERN_PROF
1073values will fail with
1074.Er EOPNOTSUPP .
1075The third level names for the string and integer profiling information
1076are detailed below.
1077The changeable column shows whether a process with appropriate
1078privilege may change the value.
1079.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
1080.It Sy Third level name Ta Sy Type Ta Sy Changeable
1081.It kern.profiling.count	u_short[\|]	yes
1082.It kern.profiling.froms	u_short[\|]	yes
1083.It kern.profiling.gmonparam	struct gmonparam	no
1084.It kern.profiling.state	integer	yes
1085.It kern.profiling.tos	struct tostruct	yes
1086.El
1087.Pp
1088The variables are as follows:
1089.Bl -tag -width "123456"
1090.It Li kern.profiling.count ( Dv GPROF_COUNT )
1091Array of statistical program counter counts.
1092.It Li kern.profiling.froms ( Dv GPROF_FROMS )
1093Array indexed by program counter of call-from points.
1094.It Li kern.profiling.gmonparams ( Dv GPROF_GMONPARAM )
1095Structure giving the sizes of the above arrays.
1096.It Li kern.profiling.state ( Dv GPROF_STATE )
1097Profiling state.
1098If set to
1099.Dv GMON_PROF_ON ,
1100starts profiling.
1101If set to
1102.Dv GMON_PROF_OFF ,
1103stops profiling.
1104.It Li kern.profiling.tos ( Dv GPROF_TOS )
1105Array of
1106.Vt struct tostruct
1107describing destination of calls and their counts.
1108.El
1109.\" .It Li kern.pset
1110.\" XXX: Undocumented.
1111.It Li kern.rawpartition ( Dv KERN_RAWPARTITION )
1112The raw partition of a disk (a == 0).
1113.It Li kern.root_device ( Dv KERN_ROOT_DEVICE )
1114The name of the root device (e.g.,
1115.Dq wd0 ) .
1116.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION )
1117The root partition on the root device (a == 0).
1118.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET )
1119Return the offset of real time clock from UTC in minutes.
1120.It Li kern.saved_ids ( Dv KERN_SAVED_IDS )
1121Returns 1 if saved set-group and saved set-user IDs are available.
1122.It Li kern.sbmax ( Dv KERN_SBMAX )
1123Maximum socket buffer size in bytes.
1124.It Li kern.securelevel ( Dv KERN_SECURELVL )
1125See
1126.Xr secmodel_securelevel 9 .
1127.It Li kern.sched ( dynamic )
1128Influence the scheduling of LWPs, their prioritization and how they are
1129distributed on and moved between CPUs.
1130.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent
1131.It Sy Third level name	   Sy Type	 Sy Changeable
1132.It kern.sched.cacheht_time	   integer	 yes
1133.It kern.sched.balance_period	   integer	 yes
1134.It kern.sched.average_weight	   integer	 yes
1135.It kern.sched.min_catch	   integer	 yes
1136.It kern.sched.timesoftints	   integer	 yes
1137.It kern.sched.kpreempt_pri	   integer	 yes
1138.It kern.sched.upreempt_pri	   integer	 yes
1139.It kern.sched.maxts	   integer	 yes
1140.It kern.sched.mints	   integer	 yes
1141.It kern.sched.name	   string	 no
1142.It kern.sched.rtts	   integer	 no
1143.It kern.sched.pri_min	   integer	 no
1144.It kern.sched.pri_max	   integer	 no
1145.El
1146.Pp
1147The variables are as follows:
1148.Bl -tag -width "123456"
1149.It Li kern.sched.cacheht_time ( dynamic )
1150Cache hotness time in which an LWP is kept on one particular CPU
1151and not moved to another CPU.
1152This reduces the overhead of flushing and reloading caches.
1153Defaults to 3ms.
1154Needs to be given in
1155.Dq hz
1156units, see
1157.Xr mstohz 9 .
1158.It Li kern.sched.balance_period ( dynamic )
1159Interval at which the CPU queues are checked for re-balancing.
1160Defaults to 300ms.
1161Needs to be given in
1162.Dq hz
1163units, see
1164.Xr mstohz 9 .
1165.It Li kern.sched.average_weight ( dynamic )
1166Can be used to influence how likely LWPs are to be migrated from
1167one CPU's queue of LWPs that are ready to run to a different, idle CPU.
1168The value gives the percentage for weighting the average count of
1169migratable threads from the past against the current number of
1170migratable threads.
1171A small value gives more weight to the past, a larger value more weight
1172to the current situation.
1173Defaults to 50 and must be between 0 and 100.
1174.It Li kern.sched.min_catch ( dynamic )
1175Minimum count of migratable (runnable) threads for catching (stealing)
1176from another CPU.
1177Defaults to 1 but can be increased to decrease chance of thread
1178migration between CPUs.
1179.It Li kern.sched.timesoftints ( dynamic )
1180Enable tracking of CPU time for soft interrupts
1181as part of an LWP's real execution time.
1182Set to a non-zero value to enable,
1183and see
1184.Xr ps 1
1185for printing CPU times.
1186.It Li kern.sched.kpreempt_pri ( dynamic )
1187Minimum priority to trigger kernel preemption.
1188.It Li kern.sched.upreempt_pri ( dynamic )
1189Minimum priority to trigger user preemption.
1190.It Li kern.sched.maxts ( dynamic )
1191Scheduler specific maximal time quantum (in milliseconds).
1192Must be set to a value larger than
1193.Dq mints
1194and between 10 and
1195.Dq hz
1196as given by the
1197.Dv kern.clockrate
1198sysctl.
1199Provided by the M2 scheduler.
1200.It Li kern.sched.mints ( dynamic )
1201Scheduler specific minimal time quantum (in milliseconds).
1202Must be set to a value smaller than
1203.Dq maxts
1204and between 1 and
1205.Dq hz
1206as given by the
1207.Dq kern.clockrate
1208sysctl.
1209Provided by the M2 scheduler.
1210.It Li kern.sched.name ( dynamic )
1211Scheduler name.
1212Provided both by the M2 and the 4BSD scheduler.
1213.It Li kern.sched.rtts ( dynamic )
1214Fixed scheduler specific round-robin time quantum in milliseconds.
1215Provided both by the M2 and the 4BSD scheduler.
1216.It Li kern.sched.pri_min ( dynamic )
1217Minimal POSIX real-time priority.
1218See
1219.Xr sched 3 .
1220.It Li kern.sched.pri_max ( dynamic )
1221Maximal POSIX real-time priority.
1222See
1223.Xr sched 3 .
1224.El
1225.It Li kern.sofixedbuf ( Dv KERN_SOFIXEDBUF )
1226Prevent socket buffer autoscaling when a size is set with
1227.Dv SO_SNDBUF
1228or
1229.Dv SO_RCVBUF .
1230.It Li kern.somaxkva ( Dv KERN_SOMAXKVA )
1231Maximum amount of kernel memory to be used for socket buffers in bytes.
1232.It Li kern.sooptions
1233Set the default socket option flags for
1234.Xr socket 2
1235creation.
1236See
1237.Xr setsockopt 2
1238for a list of supported flags.
1239.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO )
1240Returns 1 if the
1241.St -p1003.1b-93
1242Synchronized I/O Option is available on this system,
1243otherwise\ 0.
1244.It Li kern.timecounter ( dynamic )
1245Display and control the timecounter source of the system.
1246.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
1247.It Sy Third level name Ta Sy Type Ta Sy Changeable
1248.It kern.timecounter.choice	string	no
1249.It kern.timecounter.hardware	string	yes
1250.It kern.timecounter.timestepwarnings	integer	yes
1251.El
1252.Pp
1253The variables are as follows:
1254.Bl -tag -width "123456"
1255.It Li kern.timecounter.choice ( dynamic )
1256The list of available timecounters with their quality and frequency.
1257.It Li kern.timecounter.hardware ( dynamic )
1258The currently selected timecounter source.
1259.It Li kern.timecounter.timestepwarnings ( dynamic )
1260If non-zero, display a message each time the time is stepped.
1261.El
1262.It Li kern.timex ( Dv KERN_TIMEX )
1263Not available.
1264.It Li kern.tkstat ( Dv KERN_TKSTAT )
1265Return information about the number of characters sent and received
1266on ttys.
1267The third level names for the tty statistic variables are detailed below.
1268The changeable column shows whether a process
1269with appropriate privilege may change the value.
1270.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
1271.It Sy Third level name Ta Sy Type Ta Sy Changeable
1272.It kern.tkstat.cancc	quad	no
1273.It kern.tkstat.nin	quad	no
1274.It kern.tkstat.nout	quad	no
1275.It kern.tkstat.rawcc	quad	no
1276.El
1277.Pp
1278The variables are as follows:
1279.Bl -tag -width "123456"
1280.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC )
1281The number of canonical input characters.
1282.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN )
1283The total number of input characters.
1284.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT )
1285The total number of output characters.
1286.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC )
1287The number of raw input characters.
1288.El
1289.It Li kern.tty
1290The third level names for the tty setup variables are detailed below.
1291The changeable column shows whether a process
1292with appropriate privilege may change the value.
1293.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
1294.It Sy Third level name Ta Sy Type Ta Sy Changeable
1295.It kern.tty.qsize	int	yes
1296.El
1297.Pp
1298The variables are as follows:
1299.Bl -tag -width "123456"
1300.It Li kern.tty.qsize
1301Control/display the size of the default input and output queues selected
1302during tty creation.
1303Is converted to a power of two and its range is between
1304.Dv 1024
1305and
1306.Dv 65536 .
1307.El
1308.It Li kern.uidinfo
1309Resource usage for the current user.
1310.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
1311.It Sy Third level name Ta Sy Type Ta Sy Changeable
1312.It kern.uidinfo.proccnt	integer	no
1313.It kern.uidinfo.lwpcnt	integer	no
1314.It kern.uidinfo.lockcnt	integer	no
1315.It kern.uidinfo.semcnt	integer	no
1316.It kern.uidinfo.sbsize	integer	no
1317.El
1318.Bl -tag -width "123456"
1319.It Li kern.uidinfo.proccnt
1320Returns the number of active processes for the current user.
1321.It Li kern.uidinfo.lwpcnt
1322Returns the number of active threads for the current user; the first thread
1323of each process is not counted.
1324.It Li kern.uidinfo.lockcnt
1325Number of locks held by the current user.
1326.It Li kern.uidinfo.semcnt
1327Number of semaphores held by the current user.
1328.It Li kern.uidinfo.sbsize
1329Number of bytes in socket buffers allocated to the current user.
1330.El
1331.It Li kern.urandom ( Dv KERN_URND )
1332Random integer value.
1333.It Li kern.usercrypto
1334When enabled, allows userland to
1335.Xr open 2
1336the
1337.Pa /dev/crypto
1338special device, used by the
1339.Xr crypto 4
1340system.
1341.It Li kern.userasymcrypto
1342Enables or disables the use of software asymmetric crypto support in the
1343.Xr crypto 4
1344system.
1345.It Li kern.veriexec
1346Runtime information for
1347.Xr veriexec 8 .
1348.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
1349.It Sy Third level name Ta Sy Type Ta Sy Changeable
1350.It kern.veriexec.algorithms	string	no
1351.It kern.veriexec.count	node	not applicable
1352.It kern.veriexec.strict	integer	yes
1353.It kern.veriexec.verbose	integer	yes
1354.El
1355.Bl -tag -width "123456"
1356.It Li kern.veriexec.algorithms
1357Returns a string with the supported algorithms in Veriexec.
1358.It Li kern.veriexec.count
1359Sub-nodes are added to this node as new mounts are monitored by Veriexec.
1360Each mount will be under its own
1361.No tableN
1362node.
1363Under each node there will be three variables, indicating the mount
1364point, the file system type, and the number of entries.
1365.It Li kern.veriexec.strict
1366Controls the strict level of Veriexec.
1367See
1368.Xr security 7
1369for more information on each level's implications.
1370.It Li kern.veriexec.verbose
1371Controls the verbosity level of Veriexec.
1372If 0, only the minimal
1373indication required will be given about what's happening - fingerprint
1374mismatches, removal of entries from the tables, modification of a
1375fingerprinted file.
1376If 1, more messages will be printed (i.e., when a file with a valid
1377fingerprint is accessed).
1378Verbose level 2 is debug mode.
1379.El
1380.It Li kern.version ( Dv KERN_VERSION )
1381The system version string.
1382.It Li kern.vnode ( Dv KERN_VNODE )
1383Return the entire vnode table.
1384Note, the vnode table is not necessarily a consistent snapshot of
1385the system.
1386The returned data consists of an array whose size depends on the
1387current number of such objects in the system.
1388Each element of the array contains the kernel address of a vnode
1389.Vt struct vnode *
1390followed by the vnode itself
1391.Vt struct vnode .
1392.El
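The following C program is an added example, not part of the NetBSD manual or source tree.
It shows how the kern.proc_args MIB described above is assembled (process ID at the third level, KERN_PROC_NARGV or KERN_PROC_ARGV at the fourth) and how the NUL-separated result is split without reading past the returned length or dropping empty arguments.
The helper names and the sample buffer are constructed for illustration; the sysctl(3) calls are compiled only on NetBSD, elsewhere the program runs on the constructed buffer.

```c
/* Added example, not NetBSD source: fetch and split kern.proc_args data. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Split a buffer of NUL-separated strings, as returned for KERN_PROC_ARGV
 * or KERN_PROC_ENV.  Stores at most max pointers into buf in out[] and
 * returns the number stored.  An empty string (two adjacent NULs) is a
 * valid element, not a terminator.  Returns -1 if a string has no NUL
 * inside the first len bytes, so a truncated reply is never printed.
 */
static int
split_nul_strings(const char *buf, size_t len, const char **out, int max)
{
	size_t off = 0;
	int n = 0;

	while (off < len && n < max) {
		const char *end = memchr(buf + off, '\0', len - off);

		if (end == NULL)
			return -1;		/* unterminated tail */
		out[n++] = buf + off;
		off = (size_t)(end - buf) + 1;	/* step over the NUL */
	}
	return n;
}

/* Constructed sample: argv of a hypothetical "sshd -D '' -f /etc/ssh/sshd_config". */
static const char CONSTRUCTED_ARGV[] = "sshd\0-D\0\0-f\0/etc/ssh/sshd_config";

#ifdef __NetBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#include <unistd.h>

/*
 * Read the argv strings of pid.  KERN_PROC_NARGV gives the string count,
 * which the caller uses to bound the split; KERN_PROC_ARGV gives the data.
 * The caller frees the returned buffer.
 */
static char *
fetch_proc_argv(pid_t pid, size_t *lenp, int *nargvp)
{
	int mib[4] = { CTL_KERN, KERN_PROC_ARGS, (int)pid, KERN_PROC_NARGV };
	size_t len = sizeof(*nargvp);
	char *buf;

	if (sysctl(mib, 4, nargvp, &len, NULL, 0) == -1)
		return NULL;
	mib[3] = KERN_PROC_ARGV;
	if (sysctl(mib, 4, NULL, &len, NULL, 0) == -1)	/* size probe */
		return NULL;
	if ((buf = malloc(len)) == NULL)
		return NULL;
	if (sysctl(mib, 4, buf, &len, NULL, 0) == -1) {
		free(buf);
		return NULL;
	}
	*lenp = len;		/* bytes actually returned */
	return buf;
}
#endif

int
main(int argc, char **argv)
{
	const char *args[64];
	const char *buf = CONSTRUCTED_ARGV;
	size_t len = sizeof(CONSTRUCTED_ARGV);
	int max = 64, n, i;

#ifdef __NetBSD__
	int nargv = 0;
	pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
	char *kbuf = fetch_proc_argv(pid, &len, &nargv);

	if (kbuf == NULL) {
		perror("sysctl kern.proc_args");
		return 1;
	}
	buf = kbuf;
	if (nargv < max)
		max = nargv;	/* never split more strings than reported */
#else
	(void)argc;
	(void)argv;
#endif
	n = split_nul_strings(buf, len, args, max);
	if (n < 0) {
		fprintf(stderr, "truncated argument data\n");
		return 1;
	}
	for (i = 0; i < n; i++)
		printf("argv[%d] = \"%s\"\n", i, args[i]);
	return 0;
}
```

The target process can exec between the two sysctl calls, so the count from KERN_PROC_NARGV is used only as an upper bound and the splitter still checks every terminator.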
1393.Ss The machdep.* subtree
1394The set of variables defined is architecture dependent.
1395Most architectures define at least the following variables.
1396.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
1397.It Sy Second level name Ta Sy Type Ta Sy Changeable
1398.It Li machdep.booted_kernel	string	no
1399.El
1400.\" XXX: Document the above.
1401.Ss The net.* subtree
1402The string and integer information available for the
1403.Li net
1404level is detailed below.
1405The changeable column shows whether a process with appropriate
1406privilege may change the value.
1407The second and third levels are typically the protocol family and
1408protocol number, though this is not always the case.
1409.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
1410.It Sy Second level name Ta Sy Type Ta Sy Changeable
1411.It net.route	routing messages	no
1412.It net.inet	IPv4 values	yes
1413.It net.inet6	IPv6 values	yes
1414.It net.key	IPsec key management values	yes
1415.El
1416.Bl -tag -width "123456"
1417.It Li net.route ( Dv PF_ROUTE )
1418.\" XXX really?
1419Return the entire routing table or a subset of it.
1420The data is returned as a sequence of routing messages (see
1421.Xr route 4
1422for the header file, format and meaning).
1423The length of each message is contained in the message header.
1424.Pp
1425The third level name is a protocol number, which is currently always\ 0.
1426The fourth level name is an address family, which may be set to 0 to
1427select all address families.
1428The fifth and sixth level names are as follows:
1429.Bl -column "Fifth level name" "Sixth level is:" -offset indent
1430.It Sy Fifth level name Ta Sy Sixth level is :
1431.It NET_RT_FLAGS	rtflags
1432.It NET_RT_DUMP	None
1433.It NET_RT_IFLIST	None
1434.El
1435.It Li net.inet ( Dv PF_INET )
1436Get or set various global information about the IPv4
1437.Pq Internet Protocol version 4 .
1438The third level name is the protocol.
1439The fourth level name is the variable name.
1440The currently defined protocols and names are:
1441.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
1442.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
1443.It arp	nd_delay	integer	yes
1444.It arp	nd_bmaxtries	integer	yes
1445.It arp	nd_umaxtries	integer	yes
1446.It arp	nd_basereachable	integer	yes
1447.It arp	nd_retrans	integer	yes
1448.It arp	nd_nud		integer	yes
1449.It arp	nd_maxnudhint	integer	yes
1450.It arp	log_movements	integer	yes
1451.It arp	log_permanent_modify	integer	yes
1452.It arp	log_unknown_network	integer	yes
1453.It arp	log_wrong_iface	integer	yes
1454.It carp	allow	integer	yes
1455.It carp	preempt	integer	yes
1456.It carp	log	integer	yes
1457.It carp	arpbalance	integer	yes
1458.It icmp	errppslimit	integer	yes
1459.It icmp	maskrepl	integer	yes
1460.It icmp	rediraccept	integer	yes
1461.It icmp	redirtimeout	integer	yes
1462.It icmp	bmcastecho	integer	yes
1463.It icmp	dynamic_rt_msg	boolean	yes
1464.It ip	allowsrcrt	integer	yes
1465.It ip 	anonportalgo.selected	string	yes
1466.It ip 	anonportalgo.available	string	yes
1467.It ip 	anonportalgo.reserve	struct	yes
1468.It ip	anonportmax	integer	yes
1469.It ip	anonportmin	integer	yes
1470.It ip	checkinterface	integer	yes
1471.It ip	dad_count	integer	yes
1472.It ip	directed-broadcast	integer	yes
1473.It ip	do_loopback_cksum	integer	yes
1474.It ip	forwarding	integer	yes
1475.It ip	forwsrcrt	integer	yes
1476.It ip	gifttl	integer	yes
1477.It ip	grettl	integer	yes
1478.It ip	hashsize	integer	yes
1479.It ip	hostzerobroadcast	integer	yes
1480.It ip	lowportmin	integer	yes
1481.It ip	lowportmax	integer	yes
1482.It ip	maxflows	integer	yes
1483.It ip	maxfragpackets	integer	yes
1484.It ip	mtudisc	integer	yes
1485.It ip	mtudisctimeout	integer	yes
1486.It ip	random_id	integer	yes
1487.It ip	redirect	integer	yes
1488.It ip	subnetsarelocal	integer	yes
1489.It ip	ttl	integer	yes
1490.It tcp	rfc1323	integer	yes
1491.It tcp	sendspace	integer	yes
1492.It tcp	recvspace	integer	yes
1493.It tcp	mssdflt	integer	yes
1494.It tcp	syn_cache_limit	integer	yes
1495.It tcp	syn_bucket_limit	integer	yes
1496.It tcp	syn_cache_interval	integer	yes
1497.It tcp	init_win	integer	yes
1498.It tcp	init_win_local	integer	yes
1499.It tcp	mss_ifmtu	integer	yes
1500.It tcp	win_scale	integer	yes
1501.It tcp	timestamps	integer	yes
1502.It tcp	cwm	integer	yes
1503.It tcp	cwm_burstsize	integer	yes
1504.It tcp	ack_on_push	integer	yes
1505.It tcp	keepidle	integer	yes
1506.It tcp	keepintvl	integer	yes
1507.It tcp	keepcnt	integer	yes
1508.It tcp	slowhz	integer	no
1509.It tcp	keepinit	integer	yes
1510.It tcp	log_refused	integer	yes
1511.It tcp	rstppslimit	integer	yes
1512.It tcp	ident	struct	no
1513.It tcp	drop	struct	no
1514.It tcp	sack.enable	integer	yes
1515.It tcp	sack.globalholes	integer	no
1516.It tcp	sack.globalmaxholes	integer	yes
1517.It tcp	sack.maxholes	integer	yes
1518.It tcp	ecn.enable	integer	yes
1519.It tcp	ecn.maxretries	integer	yes
1520.It tcp	congctl.selected	string	yes
1521.It tcp	congctl.available	string	yes
1522.It tcp	abc.enable	integer	yes
1523.It tcp	abc.aggressive	integer	yes
1524.It udp	checksum	integer	yes
1525.It udp	do_loopback_cksum	integer	yes
1526.It udp	recvspace	integer	yes
1527.It udp	sendspace	integer	yes
1528.El
1529.Pp
1530The variables are as follows:
1531.Bl -tag -width "123456"
1532.It Li arp.nd_delay
1533The delay in seconds before sending the first probe,
1534after it has been decided that the entry is stale.
1535.It Li arp.nd_bmaxtries
1536The maximum number of broadcasts sent to discover the hardware address
1537claiming an IP address.
1538.It Li arp.nd_umaxtries
1539The maximum number of unicasts sent to the hardware address to ensure
1540it still claims an IP address.
1541.It Li arp.nd_basereachable
1542The number of milliseconds the ARP entry is considered reachable before
1543probing reachability.
1544.It Li arp.nd_retrans
1545The number of milliseconds between ARP probes.
1546.It Li arp.nd_nud
1547If set to non-zero, perform Neighbor Unreachability Detection.
1548.It Li arp.nd_maxnudhint
1549Neighbor discovery permits upper layer protocols to supply reachability
1550hints, to avoid unnecessary neighbor discovery exchanges.
1551The variable defines the number of consecutive hints the neighbor discovery
1552layer will take.
1553For example, when the variable is set to 3, the neighbor discovery layer
1554will take at most 3 consecutive hints.
1555After receiving 3 hints, the neighbor discovery layer will perform
1556the normal neighbor discovery process.
1557.It Li carp.allow
1558If set to 0, incoming
1559.Xr carp 4
1560packets will not be processed.
1561If set to any other value, processing will occur.
1562Enabled by default.
1563.It Li carp.arpbalance
1564If set to any value other than 0, the ARP balancing functionality of
1565.Xr carp 4
1566is enabled.
1567When ARP requests are received for an IP address which is part of any virtual
1568host, carp will hash the source IP in the ARP request to select one of the
1569virtual hosts from the set of all the virtual hosts which have that IP address.
1570The master of that host will respond with the correct virtual MAC address.
1571Disabled by default.
1572.It Li carp.log
1573If set to any value other than 0,
1574.Xr carp 4
1575will log errors.
1576Disabled by default.
1577.It Li carp.preempt
1578If set to 0,
1579.Xr carp 4
1580will not attempt to become master if it is receiving advertisements from
1581another active master.
1582If set to any other value, carp will become master of the virtual host if it
1583believes it can send advertisements more frequently than the current master.
1584Disabled by default.
1585.It Li ip.allowsrcrt
1586If set to 1, the host accepts source routed packets.
1587.It Li ip.anonportalgo.available
1588The available RFC 6056 port randomization algorithms.
1589.It Li ip.anonportalgo.reserve
1590A bitmask of ports that will not be used during anonymous or privileged
1591port selection.
1592.It Li ip.anonportalgo.selected
1593The currently selected RFC 6056 port randomization algorithm; see
1594.Xr rfc6056 7
1595for details.
1596.It Li ip.anonportmax
1597The highest port number to use for TCP and UDP ephemeral port allocation.
1598This cannot be set to less than 1024 or greater than 65535, and must
1599be greater than
1600.Li ip.anonportmin .
1601.It Li ip.anonportmin
1602The lowest port number to use for TCP and UDP ephemeral port allocation.
1603This cannot be set to less than 1024 or greater than 65535.
1604.It Li ip.checkinterface
1605If set to non-zero, the host will reject packets addressed to it
1606that arrive on an interface not bound to that address.
1607Currently, this must be disabled if NAT is used to translate the
1608destination address to another local interface, or if addresses
1609are added to the loopback interface instead of the interface where
1610the packets for those addresses are received.
1611.It Li ip.dad_count
1612The number of
1613.Xr arp 4
1614probes sent for Address Conflict Detection.
1615Set to 0 to disable this.
1616.It Li ip.directed-broadcast
1617If set to 1, enables directed broadcast behavior for the host.
1618.It Li ip.do_loopback_cksum
1619Perform IP checksum on loopback.
1620.It Li ip.forwarding
1621If set to 1, enables IP forwarding for the host,
1622meaning that the host is acting as a router.
1623.It Li ip.forwsrcrt
1624If set to 1, enables forwarding of source-routed packets for the host.
1625This value may only be changed if the kernel security level is less than 1.
1626.It Li ip.gifttl
1627The maximum time-to-live (hop count) value for an IPv4 packet generated by
1628.Xr gif 4
1629tunnel interface.
1630.It Li ip.grettl
1631The maximum time-to-live (hop count) value for an IPv4 packet generated by
1632.Xr gre 4
1633tunnel interface.
1634.It Li ip.hashsize
1635The size of the IPv4 Fast Forward hash table.
1636This value must be a power of 2 (64, 256...).
1637A larger hash table size results in fewer collisions.
1638Also see
1639.Li ip.maxflows .
1640.It Li ip.hostzerobroadcast
1641All zeroes address is broadcast address.
1642.It Li ip.lowportmax
1643The highest port number to use for TCP and UDP reserved port allocation.
1644This cannot be set to less than 0 or greater than 1024, and must
1645be greater than
1646.Li ip.lowportmin .
1647.It Li ip.lowportmin
1648The lowest port number to use for TCP and UDP reserved port allocation.
1649This cannot be set to less than 0 or greater than 1024, and must
1650be smaller than
1651.Li ip.lowportmax .
1652.It Li ip.maxflows
1653IPv4 Fast Forwarding is enabled by default.
1654If set to 0, IPv4 Fast Forwarding is disabled.
1655.Li ip.maxflows
1656controls the maximum number of flows which can be created.
1657The default value is 256.
1658.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided mainly to avoid possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirects.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp requests sent to the
broadcast address.
.It Li icmp.dynamic_rt_msg
A boolean that controls whether the kernel sends a routing message for RTM_DYNAMIC.
If set to true, such routing messages are sent.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
The valid range
is 0 to 10 (maximum specified by RFC6928),
with a default of 4 (approximately 4K per RFC3390).
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.recvspace
The default UDP receive buffer size.
.It Li udp.sendspace
The default UDP send buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( Dv PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It icmp6	errppslimit	integer	yes
.It icmp6	mtudisc_hiwat	integer	yes
.It icmp6	mtudisc_lowat	integer	yes
.It icmp6	nd6_debug	integer	yes
.It icmp6	nd6_delay	integer	yes
.It icmp6	nd6_maxnudhint	integer	yes
.It icmp6	nd6_mmaxtries	integer	yes
.It icmp6	nd6_prune	integer	yes
.It icmp6	nd6_umaxtries	integer	yes
.It icmp6	nd6_useloopback	integer	yes
.It icmp6	nodeinfo	integer	yes
.It icmp6	rediraccept	integer	yes
.It icmp6	redirtimeout	integer	yes
.It icmp6	reflect_pmtu	boolean	yes
.It icmp6	dynamic_rt_msg	boolean	yes
.It ip6	accept_rtadv	integer	yes
.It ip6	addctlpolicy	struct in6_addrpolicy	no
.It ip6	anonportalgo.selected	string	yes
.It ip6	anonportalgo.available	string	yes
.It ip6	anonportalgo.reserve	struct	yes
.It ip6	anonportmax	integer	yes
.It ip6	anonportmin	integer	yes
.It ip6	auto_flowlabel	integer	yes
.It ip6	dad_count	integer	yes
.It ip6	defmcasthlim	integer	yes
.It ip6	forwarding	integer	yes
.It ip6	gifhlim	integer	yes
.It ip6	hashsize	integer	yes
.It ip6	hlim	integer	yes
.It ip6	hdrnestlimit	integer	yes
.It ip6	kame_version	string	no
.It ip6	keepfaith	integer	yes
.It ip6	log_interval	integer	yes
.It ip6	lowportmax	integer	yes
.It ip6	lowportmin	integer	yes
.It ip6	maxdynroutes	integer	yes
.It ip6	maxifprefixes	integer	yes
.It ip6	maxifdefrouters	integer	yes
.It ip6	maxflows	integer	yes
.It ip6	maxfragpackets	integer	yes
.It ip6	maxfrags	integer	yes
.It ip6	neighborgcthresh	integer	yes
.It ip6	param_rt_msg	integer	yes
.It ip6	redirect	integer	yes
.It ip6	rr_prune	integer	yes
.It ip6	use_deprecated	integer	yes
.It ip6	v6only	integer	yes
.It udp6	do_loopback_cksum	integer	yes
.It udp6	recvspace	integer	yes
.It udp6	sendspace	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip6.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip6.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill in the IPv6 flowlabel field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicate address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
The IPv6 specification defines node behavior for the
.Dq router
case and the
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by a
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of the IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of the KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxdynroutes
Maximum number of routes created by redirect.
Set it to negative to disable.
The default value is 4096.
.It Li ip6.maxifprefixes
Maximum number of prefixes created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxifdefrouters
Maximum number of default routers created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided mainly to avoid possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided mainly to avoid possible DoS attacks.
.It Li ip6.neighborgcthresh
Maximum number of entries in neighbor cache per interface.
Set to negative to disable.
The default value is 2048.
.It Li ip6.param_rt_msg
If set to 0, the parameter changing routing message is suppressed.
If set to 1, the parameter changing routing message is sent by RTM_NEWADDR.
Other values are not yet defined.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated addresses, as specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value of the
.Dv IPV6_V6ONLY
socket option for an
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, the kernel IPv6 stack will use the loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
.It Li icmp6.reflect_pmtu
A boolean that controls whether ICMPv6 reflecting uses path MTU discovery.
When it does not, ICMPv6 reflecting uses IPV6_MINMTU.
.It Li icmp6.dynamic_rt_msg
A boolean that controls whether the kernel sends a routing message for RTM_DYNAMIC.
If set to true, such routing messages are sent.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for TCP over IPv6,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to the
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( Dv PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It debug	integer	yes
.It enabled	integer	yes
.It used	integer	no
.It spi_try	integer	yes
.It spi_min_value	integer	yes
.It spi_max_value	integer	yes
.It larval_lifetime	integer	yes
.It blockacq_count	integer	yes
.It blockacq_lifetime	integer	yes
.It esp_keymin	integer	yes
.It esp_auth	integer	yes
.It ah_keymin	integer	yes
.It allow_different_idtype	boolean	yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.In netipsec/key_debug.h .
.It Li enabled
Control processing of IPsec control messages.
.Bl -tag -width indent
.It 0
Never allow IPsec processing.
.It 1
Allow IPsec processing when SPD policies are present.
.It 2
Force IPsec processing even when SPD policies are not present.
.El
.It Li used
Shows whether IPsec is being used, based on whether IPsec is enabled
and whether SPD rules exist.
Note that currently once IPsec is being used, it cannot be disabled.
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates one from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
This avoids a flood of ACQUIRE PF_KEY messages being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates the proposal payload
on an ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
A non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates the proposal payload
on an ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates the proposal payload
on an ACQUIRE PF_KEY message.
.It Li allow_different_idtype
A boolean that allows or disallows different identifier types
on IDii and IDir.
Allowing that can improve interconnectivity to some VPN appliances.
.El
.It Li net.local ( Dv PF_LOCAL )
Get or set various global information about
.Dv AF_LOCAL
type sockets.
For some variables, the third level name is the variable name:
.Bl -column "Variable" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It inflight	integer	no
.It deferred	integer	no
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li inflight
The number of file descriptors currently passed between processes,
.Qq in flight .
.It Li deferred
The number of file descriptors passed between processes that have been
deferred for cleanup by a kernel task.
.El
.Pp
Other variables are specific to a socket type:
.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent
.It Sy "Socket Type" Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It dgram	pcblist	struct	no
.It dgram	recvspace	integer	yes
.It dgram	sendspace	integer	yes
.It seqpacket	pcblist	struct	no
.It stream	pcblist	struct	no
.It stream	recvspace	integer	yes
.It stream	sendspace	integer	yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li dgram.pcblist
The Protocol Control Block list structure for datagram sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li dgram.recvspace
The default datagram receive buffer size.
.It Li dgram.sendspace
The default datagram send buffer size.
.It Li seqpacket.pcblist
The Protocol Control Block list structure for Sequential Packet sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.pcblist
The Protocol Control Block list structure for stream sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.recvspace
The default stream receive buffer size.
.It Li stream.sendspace
The default stream send buffer size.
.El
.El
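An added example, not part of the NetBSD manual page: a shell function that reads "name = value" lines and reports the net.inet and net.inet6 limits described above whose value, per the descriptions above, switches the limit off, plus the icmp6.nodeinfo bits that are set.
The function names audit_net_limits and sample_sysctl_output, the sample values, and the assumption that sysctl(8) output arrives as "name = value" lines are this example's own.

```shell
#!/bin/sh
# audit_net_limits: read "name = value" lines on stdin and print one line per
# finding, followed by a count. A finding is a value that, according to the
# variable descriptions above, removes a limit or rate limitation.
audit_net_limits() {
    awk -F' = ' '
    function flag(msg) { printf "%s = %s: %s\n", $1, $2, msg; n++ }

    # Only integer-valued variables are evaluated; strings and structs are skipped.
    $2 !~ /^-?[0-9]+$/ { next }
    { v = $2 + 0 }

    # maxfragpackets / maxfrags: -1 accepts as many as are received.
    $1 ~ /^net\.(inet\.ip\.maxfragpackets|inet6\.ip6\.(maxfragpackets|maxfrags))$/ {
        if (v == -1) flag("no cap on fragments accepted")
        next
    }
    # errppslimit / rstppslimit: a negative value disables rate limitation.
    $1 ~ /^net\.inet6?\.(icmp6?\.errppslimit|tcp\.rstppslimit)$/ {
        if (v < 0) flag("rate limitation disabled")
        next
    }
    # mtudisc_hiwat / mtudisc_lowat: a negative value disables the upper limit.
    $1 ~ /^net\.inet6\.icmp6\.mtudisc_(hiwat|lowat)$/ {
        if (v < 0) flag("no upper limit on path MTU routing table entries")
        next
    }
    # hdrnestlimit: 0 accepts as many extension headers as possible.
    $1 == "net.inet6.ip6.hdrnestlimit" {
        if (v == 0) flag("no limit on IPv6 extension headers")
        next
    }
    # nodeinfo: value 1 and value 2 are separate bits.
    $1 == "net.inet6.icmp6.nodeinfo" {
        if (v % 2 == 1) flag("answers ICMPv6 FQDN queries (bit 1)")
        if (int(v / 2) % 2 == 1) flag("answers ICMPv6 node addresses queries (bit 2)")
        next
    }
    END { printf "%d finding(s)\n", n }
    '
}

# Constructed sample input, not captured from a real system.
sample_sysctl_output() {
    cat <<'EOF'
net.inet.ip.maxfragpackets = 200
net.inet.icmp.errppslimit = 100
net.inet.tcp.rstppslimit = -1
net.inet6.ip6.maxfragpackets = -1
net.inet6.ip6.maxfrags = 1000
net.inet6.ip6.hdrnestlimit = 0
net.inet6.ip6.kame_version = constructed-string
net.inet6.icmp6.errppslimit = 100
net.inet6.icmp6.mtudisc_hiwat = 1280
net.inet6.icmp6.mtudisc_lowat = -1
net.inet6.icmp6.nodeinfo = 3
EOF
}

sample_sysctl_output | audit_net_limits
```

On a live system the same function can be fed from sysctl(8) instead of the sample, for example by piping the output of "sysctl net.inet net.inet6" into it.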
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename	string	yes
.It proc.pid.rlimit	node	not applicable
.It proc.pid.stopfork	int	yes
.It proc.pid.stopexec	int	yes
.It proc.pid.stopexit	int	yes
.It proc.pid.paxflags	int	no
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( Dv PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS )
The maximum size (in bytes) which a process can obtain.
.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR )
The maximum number of threads that can be created and running at one time in
the process.
The first thread of each process is not counted against this.
.El
.Pp
The fifth level name is one of
.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
The children are created in the SSTOP state and are never scheduled
for running before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of the process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS )
This read-only variable returns the current value of the process's pax
flags (see
.Xr paxctl 8 ) .
.El
2436.Ss The user.* subtree ( Dv CTL_USER )
2437The string and integer information available for the
2438.Li user
2439level is detailed below.
2440The changeable column shows whether a process with appropriate
2441privilege may change the value.
2442.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
2443.It Sy Second level name Ta Sy Type Ta Sy Changeable
2444.It user.atexit_max	integer	no
2445.It user.bc_base_max	integer	no
2446.It user.bc_dim_max	integer	no
2447.It user.bc_scale_max	integer	no
2448.It user.bc_string_max	integer	no
2449.It user.coll_weights_max	integer	no
2450.It user.cs_path	string	no
2451.It user.expr_nest_max	integer	no
2452.It user.line_max	integer	no
2453.It user.posix2_c_bind	integer	no
2454.It user.posix2_c_dev	integer	no
2455.It user.posix2_char_term	integer	no
2456.It user.posix2_fort_dev	integer	no
2457.It user.posix2_fort_run	integer	no
2458.It user.posix2_localedef	integer	no
2459.It user.posix2_sw_dev	integer	no
2460.It user.posix2_upe	integer	no
2461.It user.posix2_version	integer	no
2462.It user.re_dup_max	integer	no
2463.It user.stream_max	integer	no
2464.It user.stream_max	integer	no
2465.It user.tzname_max	integer	no
2466.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( Dv USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( Dv USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( Dv USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( Dv USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( Dv USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( Dv USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( Dv USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( Dv CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax	int	yes
.It vm.anonmin	int	yes
.It vm.bufcache	int	yes
.It vm.bufmem	int	no
.It vm.bufmem_hiwater	int	yes
.It vm.bufmem_lowater	int	yes
.It vm.execmax	int	yes
.It vm.execmin	int	yes
.It vm.filemax	int	yes
.It vm.filemin	int	yes
.It vm.loadavg	struct loadavg	no
.It vm.maxslp	int	no
.It vm.nkmempages	int	no
.It vm.uspace	int	no
.It vm.uvmexp	struct uvmexp	no
.It vm.uvmexp2	struct uvmexp_sysctl	no
.It vm.vmmeter	struct vmtotal	no
.It vm.proc.map	struct kinfo_vmentry	no
.It vm.guard_size	unsigned int	no
.It vm.thread_guard_size	unsigned int	yes
.It vm.swap_encrypt	bool	yes
.El
.Bl -tag -width "123456"
.It Li vm.anonmax ( Dv VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( Dv VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( Dv VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( Dv VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( Dv VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( Dv VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( Dv VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( Dv VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( Dv VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( Dv VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( Dv VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.proc.map ( Dv VM_PROC )
The third level is
.Dv VM_PROC_MAP ,
the fourth is the pid of the process to display the vm object entries for, and
the fifth is the size of
.Vt struct kinfo_vmentry .
Returns an array of
.Vt struct kinfo_vmentry
objects.
.It Li vm.ubc_direct Bq Sy "EXPERIMENTAL" Ns No , default off
Use direct map for UBC I/O, avoiding need to map and unmap buffer memory.
Speeds up operation for fast I/O devices like NVMe, especially
on multi-CPU systems.
Only available on some architectures.
.It Li vm.uspace ( Dv VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( Dv VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.It Li vm.guard_size
Return system wide guard size for the main thread of a program.
.It Li vm.thread_guard_size
Return system wide default size for the guard area of all other threads
of a program.
.It Li vm.swap_encrypt
If true, encrypt data while swapped out to disk.
.Pp
Each swap device maintains an independent AES-256 key, generated when
the first page is swapped to that device.
Each page is swapped independently using AES-CBC, with an
initialization vector obtained by encrypting, under the AES-256 key,
the little-endian swap slot number padded to 128 bits with zeros.
(This is essentially the
.Xr cgd 4
.Sq encblkno1
method.)
.Pp
Changes to
.Li vm.swap_encrypt
only affect pages of swap newly written out.
To force encrypting or decrypting all existing swap, or to rekey
previously encrypted swap, you can remove the swap devices and re-add
them with
.Xr swapctl 8 ,
with the caveat that whatever pages were already written to disk
unencrypted or encrypted with a compromised key may still be written to
disk afterward.
.El
.Ss The ddb.* subtree ( Dv CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.commandonenter	string	yes
.It ddb.dumpstack	integer	yes
.It ddb.fromconsole	integer	yes
.It ddb.lines	integer	yes
.It ddb.maxoff	integer	yes
.It ddb.maxwidth	integer	yes
.It ddb.onpanic	integer	yes
.It ddb.panicstackframes	integer	yes
.It ddb.radix	integer	yes
.It ddb.tabstops	integer	yes
.It ddb.tee_msgbuf	integer	yes
.El
.Bl -tag -width "123456"
.It Li ddb.commandonenter
If not empty, the string is used as the DDB command to be executed each time
DDB is entered.
.It Li ddb.dumpstack
A value of 1 causes a stack trace to be printed on entering DDB from a panic.
A value of 0 disables this behaviour.
The default value is 1.
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.lines ( Dv DDBCTL_LINES )
Number of display lines.
.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC )
If greater than zero, DDB will be entered if the kernel panics.
A value of 1 causes the system to enter DDB on panic.
A value of 0 causes the kernel to attempt to print a stack trace, then
reboot, while a value of \-1 means neither a stack trace will be printed
nor DDB entered.
.It Li ddb.panicstackframes
Number of stack frames to display on panic.
Useful to avoid scrolling away the interesting frames on a glass tty.
Default value is
.Dv 65535
(all frames), useful value around
.Dv 10 .
.It Li ddb.radix ( Dv DDBCTL_RADIX )
The input and output radix.
.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.El
.Pp
Some of these MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( Dv CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain	integer	yes
.It Li security.models	node	not applicable
.It Li security.pax	node	not applicable
.El
.Pp
Available settings are detailed below.
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter return objects according to the user ID
requesting information about them, preventing users from
accessing any objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX \(em exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled	integer	yes
.\".It Li security.pax.aslr.exec_len	integer	yes
.It Li security.pax.aslr.global	integer	yes
.\".It Li security.pax.aslr.mmap_len	integer	yes
.\".It Li security.pax.aslr.stack_len	integer	yes
.It Li security.pax.mprotect.enabled	integer	yes
.It Li security.pax.mprotect.global	integer	yes
.It Li security.pax.mprotect.ptrace	integer	yes
.It Li security.pax.segvguard.enabled	integer	yes
.It Li security.pax.segvguard.expiry_timeout	integer	yes
.It Li security.pax.segvguard.global	integer	yes
.It Li security.pax.segvguard.max_crashes	integer	yes
.It Li security.pax.segvguard.suspend_timeout	integer	yes
.El
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.ptrace
This variable allows
.Xr ptrace 2
to override PaX MPROTECT permissions.
It can have the following values:
.Bl -tag -width XX -compact
.It 0
Does not allow overriding any permissions.
.It 1
Disables PaX MPROTECT from processes that start executing while traced (default).
.It 2
Bypasses PaX MPROTECT for all processes being traced.
.El
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
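The enabled/global/paxctl(8) rules given above for ASLR, MPROTECT and Segvguard, as an added shell example that is not part of the manual page or of NetBSD: it resolves the effective policy per feature from text in the "name = value" form printed by sysctl(8).
The sample text, the function names and the enable/disable/none labels are assumptions of this example, as is treating a missing knob as 0.

```shell
# Added example: effective PaX policy from `sysctl security.pax` style text.

# Constructed sample in sysctl(8) "name = value" form, not real output.
SAMPLE='security.pax.aslr.enabled = 1
security.pax.aslr.global = 1
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.mprotect.ptrace = 2
security.pax.segvguard.enabled = 0
security.pax.segvguard.global = 1'

# knob TEXT NAME: print the value of node NAME; a missing node prints 0
# (assumption of this example: an absent knob means the feature is off).
knob() {
	printf '%s\n' "$1" | awk -v n="$2" '
	    $1 == n && $2 == "=" { v = $3; found = 1 }
	    END { print (found ? v : 0) }'
}

# pax_effective TEXT FEATURE MARK: print "on" or "off".
# MARK is the binary's paxctl(8) state: enable, disable or none (example labels).
pax_effective() {
	enabled=$(knob "$1" "security.pax.$2.enabled")
	global=$(knob "$1" "security.pax.$2.global")
	# .enabled is the master switch: zero overrides an explicit enable.
	if [ "$enabled" -eq 0 ]; then echo off; return 0; fi
	case $3 in
	enable)  echo on ;;
	disable) echo off ;;
	*)       if [ "$global" -ne 0 ]; then echo on; else echo off; fi ;;
	esac
}

# ptrace_override TEXT: describe the security.pax.mprotect.ptrace setting.
ptrace_override() {
	case $(knob "$1" security.pax.mprotect.ptrace) in
	0) echo "no override" ;;
	1) echo "processes started under trace" ;;
	2) echo "all traced processes" ;;
	*) echo "unknown" ;;
	esac
}

# pax_report TEXT: one line per feature and paxctl(8) state.
pax_report() {
	for f in aslr mprotect segvguard; do
		for m in none enable disable; do
			echo "$f $m $(pax_effective "$1" "$f" "$m")"
		done
	done
	echo "mprotect.ptrace override: $(ptrace_override "$1")"
}
pax_report "$SAMPLE"
```

On a live system the same report can be produced with pax_report "$(sysctl security.pax)".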
.Ss The vendor.* subtree ( Dv CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.<yourname>.* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .