xref: /netbsd-src/share/man/man7/sysctl.7 (revision 53b02e147d4ed531c0d2a5ca9b3e8026ba3e99b5)
.\"	$NetBSD: sysctl.7,v 1.156 2021/12/05 07:35:17 msaitoh Exp $
.\"
.\" Copyright (c) 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)sysctl.3	8.4 (Berkeley) 5/9/95
.\"
.Dd December 5, 2021
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name  Ta Sy Constant     Ta Sy Next level names Ta Sy Description
.It kern     Ta Dv CTL_KERN     Ta In sys/sysctl.h     Ta High kernel limits
.It vm       Ta Dv CTL_VM       Ta In uvm/uvm_param.h  Ta Virtual memory
.It vfs      Ta Dv CTL_VFS      Ta In sys/mount.h      Ta Filesystem
.It net      Ta Dv CTL_NET      Ta In sys/socket.h     Ta Networking
.It debug    Ta Dv CTL_DEBUG    Ta In sys/sysctl.h     Ta Debugging
.It hw       Ta Dv CTL_HW       Ta In sys/sysctl.h     Ta Generic CPU, I/O
.It machdep  Ta Dv CTL_MACHDEP  Ta In sys/sysctl.h     Ta Machine dependent
.It user     Ta Dv CTL_USER     Ta In sys/sysctl.h     Ta User-level
.It ddb      Ta Dv CTL_DDB      Ta In sys/sysctl.h     Ta In-kernel debugger
.It proc     Ta Dv CTL_PROC     Ta In sys/sysctl.h     Ta Per-process
.It vendor   Ta Dv CTL_VENDOR   Ta ?                   Ta Vendor specific
.It emul     Ta Dv CTL_EMUL     Ta In sys/sysctl.h     Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h     Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( Dv VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( Dv VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT )
Determines whether non-superuser mounts are allowed; defaults to
.Dv 0 .
.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS )
Controls whether expansion of variables is performed on pathnames.
Defaults to no variable expansion,
.Dv 0 .
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
A second level name for controlling the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journaling)
capabilities with the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure integrity
of file system metadata in the event of a power loss.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
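
The check below is an added example, not part of the NetBSD manual page or source: it reads name=value lines in the form used by /etc/sysctl.conf (or "name = value" lines) and reports where the vfs.* settings above, and kern.expose_address and kern.coredump.setid.dump from the kern.* section of this page, differ from the default or recommended value the page documents. The function names audit_sysctl and sample_conf, the WARN/FAIL labels and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not NetBSD code): compare sysctl settings with the values
# this manual page documents. Reads "name=value" or "name = value" lines on
# stdin, prints one finding per line, and returns 1 if any finding is FAIL.

audit_sysctl() {
    awk '
    function trim(s) { gsub(/^[ \t]+/, "", s); gsub(/[ \t]+$/, "", s); return s }
    function report(level, name, why) {
        printf "%s %s=%s: %s\n", level, name, seen[name], why
        if (level == "FAIL") fails++
    }
    /^[ \t]*#/ { next }          # comment line
    /^[ \t]*$/ { next }          # blank line
    {
        eq = index($0, "=")
        if (eq == 0) next        # not an assignment
        # Assumption: assignments are applied in file order, so the last wins.
        seen[trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
        names = "kern.expose_address kern.coredump.setid.dump"
        names = names " vfs.generic.usermount vfs.generic.magiclinks"
        names = names " vfs.wapbl.flush_disk_cache"
        n = split(names, order, " ")
        for (i = 1; i <= n; i++) {
            name = order[i]
            if (!(name in seen)) continue      # not set in the input
            v = seen[name]
            if (v !~ /^-?[0-9]+$/) {
                report("FAIL", name, "value is not an integer")
                continue
            }
            v += 0
            if (name == "kern.expose_address") {
                if (v == 2) {
                    report("FAIL", name, "every process may read kernel addresses; KASLR is ineffective")
                } else if (v == 1) {
                    report("WARN", name, "processes that opened /dev/kmem may read kernel addresses; weakens KASLR")
                } else if (v != 0) {
                    report("FAIL", name, "not one of the documented values 0, 1, 2")
                }
            } else if (name == "kern.coredump.setid.dump") {
                if (v != 0) {
                    report("WARN", name, "set-id processes will dump core (not the default)")
                }
            } else if (name == "vfs.generic.usermount") {
                if (v != 0) {
                    report("WARN", name, "non-superuser mounts are allowed (documented default is 0)")
                }
            } else if (name == "vfs.generic.magiclinks") {
                if (v != 0) {
                    report("WARN", name, "@name expansion in pathnames is enabled (documented default is 0)")
                }
            } else if (name == "vfs.wapbl.flush_disk_cache") {
                if (v == 0) {
                    report("WARN", name, "disk cache is not flushed on commit; metadata integrity is at risk on power loss")
                }
            }
        }
        exit (fails > 0)
    }'
}

# Constructed sample in /etc/sysctl.conf form.
sample_conf() {
    cat <<'EOF'
# constructed sample, not taken from a real host
kern.expose_address=0
vfs.generic.usermount=1
vfs.wapbl.flush_disk_cache = 0
kern.coredump.setid.dump=0
kern.expose_address=2
kern.hostname=example
EOF
}

sample_conf | audit_sysctl || true
```

In the sample, the second kern.expose_address line overrides the first, so the finding is reported against the value that would be in effect after the file is applied.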
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes	integer	no
.It hw.byteorder	integer	no
.It hw.cnmagic	string	yes
.It hw.disknames	string	no
.It hw.diskstats	struct	no
.It hw.machine	string	no
.It hw.machine_arch	string	no
.It hw.model	string	no
.It hw.ncpu	integer	no
.It hw.ncpuonline	integer	no
.It hw.pagesize	integer	no
.It hw.physmem	integer	no
.It hw.physmem64	quad	no
.It hw.usermem	integer	no
.It hw.usermem64	quad	no
.El
.Bl -tag -width "123456"
.It Li hw.alignbytes ( Dv HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at kernel compilation time.
.It Li hw.byteorder ( Dv HW_BYTEORDER )
The byteorder (4321, or 1234).
.It Li hw.cnmagic ( Dv HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( Dv HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( Dv HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( Dv HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( Dv HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( Dv HW_MODEL )
The machine model.
.It Li hw.ncpu ( Dv HW_NCPU )
The number of CPUs configured.
.It Li hw.ncpuonline ( Dv HW_NCPUONLINE )
The number of CPUs online.
.It Li hw.pagesize ( Dv HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( Dv HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( Dv HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( Dv HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( Dv HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max	integer	yes
.It kern.aio_max	integer	yes
.It kern.arandom	integer	no
.It kern.argmax	integer	no
.It kern.boothowto	integer	no
.It kern.boottime	struct timespec	no
.It kern.buildinfo	string	no
.\".It kern.bufq	node	not applicable
.It kern.ccpu	integer	no
.It kern.clockrate	struct clockinfo	no
.It kern.consdev	integer	no
.It kern.coredump	node	not applicable
.It kern.cp_id	struct	no
.It kern.cp_time	uint64_t[\|]	no
.It kern.cryptodevallowsoft	integer	yes
.It kern.defcorename	string	yes
.It kern.detachall	integer	yes
.It kern.domainname	string	yes
.It kern.drivers	struct kinfo_drivers	no
.It kern.dump_on_panic	integer	yes
.It kern.expose_address	integer	yes
.It kern.file	struct file	no
.It kern.forkfsleep	integer	yes
.It kern.fscale	integer	no
.It kern.fsync	integer	no
.It kern.hardclock_ticks	integer	no
.It kern.hostid	integer	yes
.It kern.hostname	string	yes
.It kern.iov_max	integer	no
.It kern.ipc	node	not applicable
.It kern.job_control	integer	no
.It kern.labeloffset	integer	no
.It kern.labelsector	integer	no
.It kern.login_name_max	integer	no
.It kern.logsigexit	integer	yes
.It kern.lwp	struct kinfo_lwp	yes
.It kern.mapped_files	integer	no
.It kern.maxfiles	integer	yes
.It kern.maxlwp	integer	yes
.It kern.maxpartitions	integer	no
.It kern.maxphys	integer	no
.It kern.maxproc	integer	yes
.It kern.maxptys	integer	yes
.It kern.maxvnodes	integer	yes
.It kern.messages	integer	yes
.It kern.mbuf	node	not applicable
.It kern.memlock	integer	no
.It kern.memlock_range	integer	no
.It kern.memory_protection	integer	no
.It kern.module	node	not applicable
.It kern.monotonic_clock	integer	no
.It kern.mqueue	node	not applicable
.It kern.msgbuf	integer	no
.It kern.msgbufsize	integer	no
.It kern.ngroups	integer	no
.\".It kern.no_sa_support	integer	yes
.It kern.ntptime	struct ntptimeval	no
.It kern.osrelease	string	no
.It kern.osrevision	integer	no
.It kern.ostype	string	no
.\".It kern.panic_now	integer	yes
.It kern.pipe	node	not applicable
.It kern.pool	struct pool_sysctl	no
.\" .It kern.posix	node	not applicable
.It kern.posix1version	integer	no
.It kern.posix_aio	integer	no
.It kern.posix_barriers	integer	no
.It kern.posix_reader_writer_locks	integer	no
.\".It kern.posix_sched	integer	yes
.It kern.posix_semaphores	integer	no
.It kern.posix_spin_locks	integer	no
.It kern.posix_threads	integer	no
.It kern.posix_timers	integer	no
.It kern.proc	struct kinfo_proc	no
.It kern.proc2	struct kinfo_proc2	no
.It kern.proc_args	string	no
.It kern.profiling	node	not applicable
.\".It kern.pset	node	not applicable
.It kern.rawpartition	integer	no
.It kern.root_device	string	no
.It kern.root_partition	integer	no
.It kern.rtc_offset	integer	yes
.It kern.saved_ids	integer	no
.It kern.sbmax	integer	yes
.It kern.sched	node	not applicable
.It kern.securelevel	integer	raise only
.It kern.sofixedbuf	boolean	yes
.It kern.somaxkva	integer	yes
.It kern.sooptions	integer	yes
.It kern.synchronized_io	integer	no
.It kern.timecounter	node	not applicable
.It kern.timex	struct	no
.It kern.tkstat	node	not applicable
.It kern.tty	node	not applicable
.It kern.urandom	integer	no
.It kern.usercrypto	integer	yes
.It kern.userasymcrypto	integer	yes
.It kern.veriexec	node	not applicable
.It kern.version	string	no
.It kern.vnode	struct vnode	no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous I/O operations in a single list
I/O call.
As with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom ( Dv KERN_ARND )
Returns independent uniformly distributed bytes at random each time, as
many as requested up to 256, derived from the system entropy pool; see
.Xr rnd 4 .
.Pp
Reading
.Li kern.arandom
is equivalent to reading up to 256 bytes at a time from
.Pa /dev/urandom :
reading
.Li kern.arandom
never blocks, and once the system entropy pool has full entropy, output
subsequently read from
.Li kern.arandom
is fit for use as cryptographic key material.
For example, the
.Xr arc4random 3
library routine uses
.Li kern.arandom
internally to seed a cryptographic pseudorandom number generator.
.It Li kern.argmax ( Dv KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( Dv KERN_BOOTTIME )
A
.Vt struct timespec
structure is returned.
This structure contains the time that the system was booted.
That time is defined (for this purpose) to be the time at
which the kernel first started accumulating clock ticks.
.It Li kern.bufq
This variable contains information on the
.Xr bufq 9
subsystem.
Currently, the only third level name implemented is
.Dv kern.bufq.strategies
which provides a list of buffer queue strategies currently available.
.It Li kern.buildinfo
When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
.It Li kern.ccpu ( Dv KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( Dv KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of microseconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( Dv KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to coredumps of set-id processes.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump	integer	yes
.It kern.coredump.setid.group	integer	yes
.It kern.coredump.setid.mode	integer	yes
.It kern.coredump.setid.owner	integer	yes
.It kern.coredump.setid.path	string	yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( Dv KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( Dv KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s .
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv < 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv > 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( Dv KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( Dv KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( Dv KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.expose_address
Expose kernel addresses in
.Xr sysctl 3
calls used by
.Xr fstat 1
and
.Xr sockstat 1 .
If it is set to
.Dv 0
access is not allowed.
If it is set to
.Dv 1
then only processes that have opened
.Pa /dev/kmem
can have access.
If it is set to
.Dv 2
every process is allowed.
Defaults to
.Dv 0
for
.Dv KASLR
kernels
and
.Dv 1
otherwise.
Allowing general access renders KASLR ineffective; allowing only kmem
accessing programs weakens KASLR if those programs can be subverted
to leak the addresses.
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( Dv KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning the
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( Dv KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( Dv KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hist
This variable contains kernel history data if the kernel was
configured for any of the options
.Dv UVMHIST ,
.Dv USB_DEBUG ,
.Dv BIOHIST ,
or
.Dv SCDEBUG .
(See
.Xr options 4
for more details.)
The third-level names correspond to each available history table.
The values of the history tables are in an internal format, and can be
decoded by the
.Xr vmstat 1
utility's
.Fl U
and
.Fl u
options;
the
.Fl l
option can be used to see which tables are available.
.It Li kern.hostid ( Dv KERN_HOSTID )
Get or set the host identifier.
This is intended to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( Dv KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( Dv KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( Dv KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg	integer	no
.It kern.ipc.sysvsem	integer	no
.It kern.ipc.sysvshm	integer	no
.It kern.ipc.sysvipc_info	struct	no
.It kern.ipc.shmmax	integer	yes
.It kern.ipc.shmmni	integer	yes
.It kern.ipc.shmseg	integer	yes
.It kern.ipc.shmmaxpgs	integer	yes
.It kern.ipc.shm_use_phys	integer	yes
.It kern.ipc.msgmni	integer	yes
.It kern.ipc.msgseg	integer	yes
.It kern.ipc.semmni	integer	yes
.It kern.ipc.semmns	integer	yes
.It kern.ipc.semmnu	integer	yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO	struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO	struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO	struct shm_sysctl_info
.El
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( Dv KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( Dv KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( Dv KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.lwp ( Dv KERN_LWP )
Returns information about the current light-weight process.
The
.Sy kinfo_lwp
structure is defined in
.In sys/sysctl.h .
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( Dv KERN_MAXFILES )
The maximum number of files that may be open in the system.
This also controls the maximum file locks per unprivileged user
enforced by
.Xr fcntl 2
and
.Xr flock 2 .
.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxlwp
The maximum number of Lightweight Processes (threads) the system allows
per uid.
.It Li kern.maxphys ( Dv KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( Dv KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( Dv KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( Dv KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( Dv KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat	integer	yes
.It kern.mbuf.mclbytes	integer	yes
.It kern.mbuf.mcllowat	integer	yes
.It kern.mbuf.msize	integer	yes
.It kern.mbuf.nmbclusters	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( Dv MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( Dv KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.messages
Kernel console message verbosity.
See
.Aq Pa sys/reboot.h .
.Bl -column "verbosity" "setting" -offset indent
.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent
.It 0 Ta Silent Ta Sy AB_SILENT
.It 1 Ta Quiet Ta Sy AB_QUIET
.It 2 Ta Normal Ta Sy AB_NORMAL
.It 3 Ta Verbose Ta Sy AB_VERBOSE
.It 4 Ta Debug Ta Sy AB_DEBUG
.El
842.It Li kern.module
843Settings related to kernel modules.
844The third level names for the settings are described below.
845.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
846.It Sy Third level name Ta Sy Type Ta Sy Changeable
847.It kern.module.autoload	integer	yes
848.It kern.module.autotime	integer	yes
849.It kern.module.verbose	boolean	yes
850.El
851.Pp
852The variables are as follows:
853.Bl -tag -width "123456"
854.It Li kern.module.autoload
855A boolean that controls whether kernel modules are loaded automatically.
856See
857.Xr module 7
858for additional details.
859.It Li kern.module.autotime
860An integer that controls the delay before an attempt is made to
861automatically unload a module that was auto-loaded.
862Setting this value to zero disables the auto-unload function.
863.It Li kern.module.verbose
864A boolean that enables or disables verbose
865debug messages related to kernel modules.
866.El
.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to POSIX message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max	integer	yes
.It kern.mqueue.mq_prio_max	integer	yes
.It kern.mqueue.mq_max_msgsize	integer	yes
.It kern.mqueue.mq_def_maxmsg	integer	yes
.It kern.mqueue.mq_max_maxmsg	integer	yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( Dv KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( Dv KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( Dv KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( Dv KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( Dv KERN_OSREV )
The system revision string.
.It Li kern.ostype ( Dv KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( Dv KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz	integer	yes
.It kern.pipe.maxbigpipes	integer	yes
.It kern.pipe.maxkvasz	integer	yes
.It kern.pipe.limitkva	integer	yes
.It kern.pipe.nbigpipes	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.It Li kern.pool
Provides statistics about the
.Xr pool 9
and
.Xr pool_cache 9
subsystems.
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\"	 This is a node in which the only variable is semmax.
.It Li kern.posix1version ( Dv KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( Dv KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is :
.It KERN_PROC_ALL	None
.It KERN_PROC_GID	A group ID
.It KERN_PROC_PID	A process ID
.It KERN_PROC_PGRP	A process group
.It KERN_PROC_RGID	A real group ID
.It KERN_PROC_RUID	A real user ID
.It KERN_PROC_SESSION	A session ID
.It KERN_PROC_TTY	A tty device
.It KERN_PROC_UID	A user ID
.El
.It Li kern.proc2 ( Dv KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( Dv KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent
.It Dv KERN_PROC_ARGV	The argv strings
.It Dv KERN_PROC_ENV	The environ strings
.It Dv KERN_PROC_NARGV	The number of argv strings
.It Dv KERN_PROC_NENV	The number of environ strings
.It Dv KERN_PROC_PATHNAME	The full pathname of the executable
.It Dv KERN_PROC_CWD	The current working directory
.El
.It Li kern.profiling ( Dv KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.profiling.count	u_short[\|]	yes
.It kern.profiling.froms	u_short[\|]	yes
.It kern.profiling.gmonparam	struct gmonparam	no
.It kern.profiling.state	integer	yes
.It kern.profiling.tos	struct tostruct	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( Dv GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( Dv GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( Dv GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( Dv GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( Dv GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( Dv KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( Dv KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET )
Return the offset of the real-time clock from UTC in minutes.
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( Dv KERN_SBMAX )
Maximum socket buffer size in bytes.
.It Li kern.securelevel ( Dv KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.sched ( dynamic )
Influence the scheduling of LWPs, their prioritization and how they are
distributed on and moved between CPUs.
.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.sched.cacheht_time	integer	yes
.It kern.sched.balance_period	integer	yes
.It kern.sched.average_weight	integer	yes
.It kern.sched.min_catch	integer	yes
.It kern.sched.timesoftints	integer	yes
.It kern.sched.kpreempt_pri	integer	yes
.It kern.sched.upreempt_pri	integer	yes
.It kern.sched.maxts	integer	yes
.It kern.sched.mints	integer	yes
.It kern.sched.name	string	no
.It kern.sched.rtts	integer	no
.It kern.sched.pri_min	integer	no
.It kern.sched.pri_max	integer	no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.sched.cacheht_time ( dynamic )
Cache hotness time in which an LWP is kept on one particular CPU
and not moved to another CPU.
This reduces the overhead of flushing and reloading caches.
Defaults to 3ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.balance_period ( dynamic )
Interval at which the CPU queues are checked for re-balancing.
Defaults to 300ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.average_weight ( dynamic )
Can be used to influence how likely LWPs are to be migrated from
one CPU's queue of LWPs that are ready to run to a different, idle CPU.
The value gives the percentage for weighting the average count of
migratable threads from the past against the current number of
migratable threads.
A small value gives more weight to the past, a larger value gives more
weight to the current situation.
Defaults to 50 and must be between 0 and 100.
.It Li kern.sched.min_catch ( dynamic )
Minimum count of migratable (runnable) threads for catching (stealing)
from another CPU.
Defaults to 1 but can be increased to decrease the chance of thread
migration between CPUs.
.It Li kern.sched.timesoftints ( dynamic )
Enable tracking of CPU time for soft interrupts
as part of an LWP's real execution time.
Set to a non-zero value to enable,
and see
.Xr ps 1
for printing CPU times.
.It Li kern.sched.kpreempt_pri ( dynamic )
Minimum priority to trigger kernel preemption.
.It Li kern.sched.upreempt_pri ( dynamic )
Minimum priority to trigger user preemption.
.It Li kern.sched.maxts ( dynamic )
Scheduler specific maximal time quantum (in milliseconds).
Must be set to a value larger than
.Dq mints
and between 10 and
.Dq hz
as given by the
.Dv kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.mints ( dynamic )
Scheduler specific minimal time quantum (in milliseconds).
Must be set to a value smaller than
.Dq maxts
and between 1 and
.Dq hz
as given by the
.Dq kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.name ( dynamic )
Scheduler name.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.rtts ( dynamic )
Fixed scheduler specific round-robin time quantum in milliseconds.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.pri_min ( dynamic )
Minimal POSIX real-time priority.
See
.Xr sched 3 .
.It Li kern.sched.pri_max ( dynamic )
Maximal POSIX real-time priority.
See
.Xr sched 3 .
.El
.It Li kern.sofixedbuf ( Dv KERN_SOFIXEDBUF )
Prevent socket buffer autoscaling when a size is set with
.Dv SO_SNDBUF
or
.Dv SO_RCVBUF .
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers in bytes.
.It Li kern.sooptions
Set the default socket option flags for
.Xr socket 2
creation.
See
.Xr setsockopt 2
for a list of supported flags.
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.timecounter.choice	string	no
.It kern.timecounter.hardware	string	yes
.It kern.timecounter.timestepwarnings	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( Dv KERN_TIMEX )
Not available.
.It Li kern.tkstat ( Dv KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tkstat.cancc	quad	no
.It kern.tkstat.nin	quad	no
.It kern.tkstat.nout	quad	no
.It kern.tkstat.rawcc	quad	no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.tty
The third level names for the tty setup variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tty.qsize	int	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tty.qsize
Control/display the size of the default input and output queues selected
during tty creation.
The value is converted to a power of two and its range is between
.Dv 1024
and
.Dv 65536 .
.El
.It Li kern.uidinfo
Resource usage for the current user.
.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.uidinfo.proccnt	integer	no
.It kern.uidinfo.lwpcnt	integer	no
.It kern.uidinfo.lockcnt	integer	no
.It kern.uidinfo.semcnt	integer	no
.It kern.uidinfo.sbsize	integer	no
.El
.Bl -tag -width "123456"
.It Li kern.uidinfo.proccnt
Returns the number of active processes for the current user.
.It Li kern.uidinfo.lwpcnt
Returns the number of active threads for the current user; the first thread
of each process is not counted.
.It Li kern.uidinfo.lockcnt
Number of locks held by the current user.
.It Li kern.uidinfo.semcnt
Number of semaphores held by the current user.
.It Li kern.uidinfo.sbsize
Number of bytes in socket buffers allocated to the current user.
.El
.It Li kern.urandom ( Dv KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.veriexec.algorithms	string	no
.It kern.veriexec.count	node	not applicable
.It kern.veriexec.strict	integer	yes
.It kern.veriexec.verbose	integer	yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening: fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( Dv KERN_VERSION )
The system version string.
.It Li kern.vnode ( Dv KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.El
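The kern.proc_args reply format described above (strings separated by NUL characters, with the count available through KERN_PROC_NARGV) can be parsed as in the following C program. It is an added example, not part of the NetBSD manual page or source tree: the names split_nul_strings, fetch_proc_args and SAMPLE_ARGV are hypothetical, the sample buffer is constructed, and the live sysctl(3) calls are compiled only on NetBSD.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef __NetBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#include <stdlib.h>
#include <unistd.h>
#endif

/* Constructed sample of a KERN_PROC_ARGV reply; argv[2] is an empty string. */
static const char SAMPLE_ARGV[] = "sshd\0-D\0\0-f\0/etc/ssh/sshd_config";

/*
 * Walk buf[0..len) and store a pointer to each NUL-terminated string in
 * out[] (only the first max are stored).  Returns the total number of
 * complete strings found, which may exceed max.  *truncated is set to 1
 * when the buffer ends in bytes with no terminating NUL; those bytes are
 * never handed out as a C string.
 */
size_t
split_nul_strings(const char *buf, size_t len, const char **out, size_t max,
    int *truncated)
{
	size_t n = 0, off = 0;

	*truncated = 0;
	while (off < len) {
		const char *end = memchr(buf + off, '\0', len - off);

		if (end == NULL) {	/* tail without a terminator */
			*truncated = 1;
			break;
		}
		if (n < max)
			out[n] = buf + off;
		n++;
		off = (size_t)(end - buf) + 1;
	}
	return n;
}

#ifdef __NetBSD__
/* Fetch one KERN_PROC_ARGS item for pid: probe the size, then read it. */
static char *
fetch_proc_args(pid_t pid, int what, size_t *lenp)
{
	int mib[4] = { CTL_KERN, KERN_PROC_ARGS, (int)pid, what };
	char *buf;

	if (sysctl(mib, 4, NULL, lenp, NULL, 0) == -1)
		return NULL;
	if ((buf = malloc(*lenp + 1)) == NULL)
		return NULL;
	if (sysctl(mib, 4, buf, lenp, NULL, 0) == -1) {
		free(buf);
		return NULL;
	}
	return buf;
}
#endif

int
main(void)
{
	const char *strs[64];
	const char *buf = SAMPLE_ARGV;
	size_t len = sizeof(SAMPLE_ARGV), n, i;
	int expected = 5, truncated;

#ifdef __NetBSD__
	/* Live data: this process's own argv and the kernel's string count. */
	size_t nlen;
	char *live = fetch_proc_args(getpid(), KERN_PROC_ARGV, &len);
	char *cnt = fetch_proc_args(getpid(), KERN_PROC_NARGV, &nlen);

	if (live == NULL || cnt == NULL || nlen != sizeof(int)) {
		perror("sysctl kern.proc_args");
		return 1;
	}
	buf = live;
	memcpy(&expected, cnt, sizeof(expected));
#endif
	n = split_nul_strings(buf, len, strs, 64, &truncated);
	for (i = 0; i < n && i < 64; i++)
		printf("argv[%zu] = \"%s\"\n", i, strs[i]);
	if (truncated)
		printf("warning: unterminated trailing bytes ignored\n");
	if (n != (size_t)expected)
		printf("warning: parsed %zu strings, expected %d\n", n, expected);
	return 0;
}
```

The strings come from the inspected process itself, so a monitoring tool should treat them as untrusted input and escape control characters before logging them.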
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li machdep.booted_kernel	string	no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It net.route	routing messages	no
.It net.inet	IPv4 values	yes
.It net.inet6	IPv6 values	yes
.It net.key	IPsec key management values	yes
.El
.Bl -tag -width "123456"
.It Li net.route ( Dv PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sy Sixth level is :
.It NET_RT_FLAGS	rtflags
.It NET_RT_DUMP	None
.It NET_RT_IFLIST	None
.El
.It Li net.inet ( Dv PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It arp	nd_delay	integer	yes
.It arp	nd_bmaxtries	integer	yes
.It arp	nd_umaxtries	integer	yes
.It arp	nd_basereachable	integer	yes
.It arp	nd_retrans	integer	yes
.It arp	nd_nud	integer	yes
.It arp	nd_maxnudhint	integer	yes
.It arp	log_movements	integer	yes
.It arp	log_permanent_modify	integer	yes
.It arp	log_unknown_network	integer	yes
.It arp	log_wrong_iface	integer	yes
.It carp	allow	integer	yes
.It carp	preempt	integer	yes
.It carp	log	integer	yes
.It carp	arpbalance	integer	yes
.It icmp	errppslimit	integer	yes
.It icmp	maskrepl	integer	yes
.It icmp	rediraccept	integer	yes
.It icmp	redirtimeout	integer	yes
.It icmp	bmcastecho	integer	yes
.It ip	allowsrcrt	integer	yes
.It ip	anonportalgo.selected	string	yes
.It ip	anonportalgo.available	string	yes
.It ip	anonportalgo.reserve	struct	yes
.It ip	anonportmax	integer	yes
.It ip	anonportmin	integer	yes
.It ip	checkinterface	integer	yes
.It ip	dad_count	integer	yes
.It ip	directed-broadcast	integer	yes
.It ip	do_loopback_cksum	integer	yes
.It ip	forwarding	integer	yes
.It ip	forwsrcrt	integer	yes
.It ip	gifttl	integer	yes
.It ip	grettl	integer	yes
.It ip	hashsize	integer	yes
.It ip	hostzerobroadcast	integer	yes
.It ip	lowportmin	integer	yes
.It ip	lowportmax	integer	yes
.It ip	maxflows	integer	yes
.It ip	maxfragpackets	integer	yes
.It ip	mtudisc	integer	yes
.It ip	mtudisctimeout	integer	yes
.It ip	random_id	integer	yes
.It ip	redirect	integer	yes
.It ip	subnetsarelocal	integer	yes
.It ip	ttl	integer	yes
.It tcp	rfc1323	integer	yes
.It tcp	sendspace	integer	yes
.It tcp	recvspace	integer	yes
.It tcp	mssdflt	integer	yes
.It tcp	syn_cache_limit	integer	yes
.It tcp	syn_bucket_limit	integer	yes
.It tcp	syn_cache_interval	integer	yes
.It tcp	init_win	integer	yes
.It tcp	init_win_local	integer	yes
.It tcp	mss_ifmtu	integer	yes
.It tcp	win_scale	integer	yes
.It tcp	timestamps	integer	yes
.It tcp	cwm	integer	yes
.It tcp	cwm_burstsize	integer	yes
.It tcp	ack_on_push	integer	yes
.It tcp	keepidle	integer	yes
.It tcp	keepintvl	integer	yes
.It tcp	keepcnt	integer	yes
.It tcp	slowhz	integer	no
.It tcp	keepinit	integer	yes
.It tcp	log_refused	integer	yes
.It tcp	rstppslimit	integer	yes
.It tcp	ident	struct	no
.It tcp	drop	struct	no
.It tcp	sack.enable	integer	yes
.It tcp	sack.globalholes	integer	no
.It tcp	sack.globalmaxholes	integer	yes
.It tcp	sack.maxholes	integer	yes
.It tcp	ecn.enable	integer	yes
.It tcp	ecn.maxretries	integer	yes
.It tcp	congctl.selected	string	yes
.It tcp	congctl.available	string	yes
.It tcp	abc.enable	integer	yes
.It tcp	abc.aggressive	integer	yes
.It udp	checksum	integer	yes
.It udp	do_loopback_cksum	integer	yes
.It udp	recvspace	integer	yes
.It udp	sendspace	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.nd_delay
The delay in seconds before sending the first probe,
after it has been decided that the entry is stale.
.It Li arp.nd_bmaxtries
The maximum number of broadcasts sent to discover the hardware address
claiming an IP address.
.It Li arp.nd_umaxtries
The maximum number of unicasts sent to the hardware address to ensure
it still claims an IP address.
.It Li arp.nd_basereachable
The number of milliseconds the ARP entry is considered reachable before
probing reachability.
.It Li arp.nd_retrans
The number of milliseconds between ARP probes.
.It Li arp.nd_nud
If set to non-zero, perform Neighbor Unreachability Detection.
.It Li arp.nd_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if NAT is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.dad_count
The number of
.Xr arp 4
probes sent for Address Conflict Detection.
Set to 0 to disable this.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of the IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
The all-zeroes address is a broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided mainly to avoid possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirects.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp requests to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
The valid range
is 0 to 10 (maximum specified by RFC 6928),
with a default of 4 (approximately 4K per RFC 3390).
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
1749the MTU of the appropriate interface.
1750If set to 0, it is calculated based on the greater of the MTU of the
1751interface, and the largest (non-loopback) interface MTU on the system.
1752.It Li tcp.mssdflt
1753The default maximum segment size both advertised to the peer
1754and to use when either the peer does not advertise a maximum segment size to
1755us during connection setup or Path MTU Discovery
1756.Li ( ip.mtudisc )
1757is disabled.
1758Do not change this value unless you really know what you are doing.
1759.It Li tcp.recvspace
1760The default TCP receive buffer size.
1761.It Li tcp.rfc1323
1762If set to 1, enables RFC 1323 extensions to TCP.
1763.It Li tcp.rstppslimit
1764The variable specifies the maximum number of outgoing TCP RST packets,
1765per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
1769.It Li tcp.ident
1770Return the user ID of a connected socket pair.
1771(RFC1413 Identification Protocol lookups.)
1772.It Li tcp.drop
1773Drop a TCP socket pair connection.
1774.It Li tcp.sack.enable
1775If set to 1, enables RFC 2018 Selective ACKnowledgement.
1776.It Li tcp.sack.globalholes
1777Global number of TCP SACK holes.
1778.It Li tcp.sack.globalmaxholes
1779Global maximum number of TCP SACK holes.
1780.It Li tcp.sack.maxholes
1781Maximum number of TCP SACK holes allowed per connection.
1782.It Li tcp.ecn.enable
1783If set to 1, enables RFC 3168 Explicit Congestion Notification.
1784.It Li tcp.ecn.maxretries
1785Number of times to retry sending the ECN-setup packet.
1786.It Li tcp.sendspace
1787The default TCP send buffer size.
1788.It Li tcp.slowhz
1789The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
1790of a clock that ticks tcp.slowhz times per second.
1791(That is, their values
1792must be divided by the tcp.slowhz value to get times in seconds.)
1793.It Li tcp.syn_bucket_limit
1794The maximum number of entries allowed per hash bucket in the TCP
1795compressed state engine.
1796.It Li tcp.syn_cache_limit
1797The maximum number of entries allowed in the TCP compressed state
1798engine.
1799.It Li tcp.timestamps
1800If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
1801used for measuring TCP round trip times, are enabled.
1802.It Li tcp.win_scale
1803If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
1804for increasing the TCP window size, are enabled.
1805.It Li tcp.congctl.available
1806The available TCP congestion control algorithms.
1807.It Li tcp.congctl.selected
1808The currently selected TCP congestion control algorithm.
1809.It Li tcp.abc.enable
1810If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
1811If set to 0, use traditional Packet Counting.
1812.It Li tcp.abc.aggressive
1813Choose the L parameter found in RFC 3465.
1814L is the maximum cwnd increase for an ack during slow start.
1815If set to 1, use L=2*SMSS.
1816If set to 0, use L=1*SMSS.
1817It has no effect unless tcp.abc.enable is set to 1.
1818.It Li udp.checksum
1819If set to 1, UDP checksums are being computed.
1820Received non-zero UDP checksums are always checked.
1821Disabling UDP checksums is strongly discouraged.
1822.It Li udp.recvspace
1823The default UDP receive buffer size.
1824.It Li udp.sendspace
1825The default UDP send buffer size.
1826.El
1827.Pp
1828For variables net.*.ipsec, please refer to
1829.Xr ipsec 4 .
1830.It Li net.inet6 ( Dv PF_INET6 )
1831Get or set various global information about the IPv6
1832.Pq Internet Protocol version 6 .
1833The third level name is the protocol.
1834The fourth level name is the variable name.
1835The currently defined protocols and names are:
1836.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
1837.It Sy Protocol	Variable Ta Sy Type Ta Sy Changeable
1838.It icmp6	errppslimit	integer	yes
1839.It icmp6	mtudisc_hiwat	integer	yes
1840.It icmp6	mtudisc_lowat	integer	yes
1841.It icmp6	nd6_debug	integer	yes
1842.It icmp6	nd6_delay	integer	yes
1843.It icmp6	nd6_maxnudhint	integer	yes
1844.It icmp6	nd6_mmaxtries	integer	yes
1845.It icmp6	nd6_prune	integer	yes
1846.It icmp6	nd6_umaxtries	integer	yes
1847.It icmp6	nd6_useloopback	integer	yes
1848.It icmp6	nodeinfo	integer	yes
1849.It icmp6	rediraccept	integer	yes
1850.It icmp6	redirtimeout	integer	yes
1851.It ip6	accept_rtadv	integer	yes
1852.It ip6	addctlpolicy	struct in6_addrpolicy	no
1853.It ip6	anonportalgo.selected	string	yes
1854.It ip6	anonportalgo.available	string	yes
1855.It ip6	anonportalgo.reserve	struct	yes
1856.It ip6	anonportmax	integer	yes
1857.It ip6	anonportmin	integer	yes
1858.It ip6	auto_flowlabel	integer	yes
1859.It ip6	dad_count	integer	yes
1860.It ip6	defmcasthlim	integer	yes
1861.It ip6	forwarding	integer	yes
1862.It ip6	gifhlim	integer	yes
1863.It ip6	hashsize	integer	yes
1864.It ip6	hlim	integer	yes
1865.It ip6	hdrnestlimit	integer	yes
1866.It ip6	kame_version	string	no
1867.It ip6	keepfaith	integer	yes
1868.It ip6	log_interval	integer	yes
1869.It ip6	lowportmax	integer	yes
1870.It ip6	lowportmin	integer	yes
1871.It ip6	maxdynroutes	integer	yes
1872.It ip6	maxifprefixes	integer	yes
1873.It ip6	maxifdefrouters	integer	yes
1874.It ip6	maxflows	integer	yes
1875.It ip6	maxfragpackets	integer	yes
1876.It ip6	maxfrags	integer	yes
1877.It ip6	neighborgcthresh	integer	yes
1878.It ip6	redirect	integer	yes
1879.It ip6	rr_prune	integer	yes
1880.It ip6	use_deprecated	integer	yes
1881.It ip6	v6only	integer	yes
1882.It udp6	do_loopback_cksum	integer	yes
1883.It udp6	recvspace	integer	yes
1884.It udp6	sendspace	integer	yes
1885.El
1886.Pp
1887The variables are as follows:
1888.Bl -tag -width "123456"
1889.It Li ip6.accept_rtadv
1890If set to non-zero, the node will accept ICMPv6 router advertisement packets
1891and autoconfigures address prefixes and default routers.
1892The node must be a host
1893.Pq not a router
1894for the option to be meaningful.
1895.It Li ip6.anonportalgo.available
1896The available RFC 6056 port randomization algorithms.
1897.It Li ip6.anonportalgo.reserve
1898A bitmask of ports that will not be used during anonymous or privileged
1899port selection.
1900.It Li ip6.anonportalgo.selected
1901The currently selected RFC 6056 port randomization algorithm; see
1902.Xr rfc6056 7
1903for details.
1904.It Li ip6.anonportmax
1905The highest port number to use for TCP and UDP ephemeral port allocation.
1906This cannot be set to less than 1024 or greater than 65535, and must
1907be greater than
1908.Li ip6.anonportmin .
1909.It Li ip6.anonportmin
1910The lowest port number to use for TCP and UDP ephemeral port allocation.
1911This cannot be set to less than 1024 or greater than 65535.
1912.It Li ip6.auto_flowlabel
1913On connected transport protocol packets,
fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
1915.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicate address detection
1918probe packets.
1919The packets will be generated when IPv6 interface addresses are configured.
1920.It Li ip6.defmcasthlim
1921The default hop limit value for an IPv6 multicast packet sourced by the node.
1922This value applies to all the transport protocols on top of IPv6.
1923There are APIs to override the value, as documented in
1924.Xr ip6 4 .
1925.It Li ip6.forwarding
1926If set to 1, enables IPv6 forwarding for the node,
1927meaning that the node is acting as a router.
1928If set to 0, disables IPv6 forwarding for the node,
1929meaning that the node is acting as a host.
The IPv6 specification defines node behavior for the
.Dq router
case and the
1933.Dq host
1934case quite differently, and changing this variable during operation
1935may cause serious trouble.
1936It is recommended to configure the variable at bootstrap time,
1937and bootstrap time only.
1938.It Li ip6.gifhlim
1939The maximum hop limit value for an IPv6 packet generated by
1940.Xr gif 4
1941tunnel interface.
1942.It Li ip6.hdrnestlimit
1943The number of IPv6 extension headers permitted on incoming IPv6 packets.
1944If set to 0, the node will accept as many extension headers as possible.
1945.It Li ip6.hashsize
The size of the IPv6 Fast Forward hash table.
1947This value must be a power of 2 (64, 256, ...).
1948A larger hash table size results in fewer collisions.
1949Also see
1950.Li ip6.maxflows .
1951.It Li ip6.hlim
1952The default hop limit value for an IPv6 unicast packet sourced by the node.
1953This value applies to all the transport protocols on top of IPv6.
1954There are APIs to override the value, as documented in
1955.Xr ip6 4 .
1956.It Li ip6.kame_version
The string identifies the version of the KAME IPv6 stack implemented in the kernel.
1958.It Li ip6.keepfaith
1959If set to non-zero, it enables
1960.Dq FAITH
1961TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
1967.It Li ip6.log_interval
The variable controls the amount of log output generated by the IPv6 packet
forwarding engine, by setting the interval between log messages
1970.Pq in seconds .
1971.It Li ip6.lowportmax
1972The highest port number to use for TCP and UDP reserved port allocation.
1973This cannot be set to less than 0 or greater than 1024, and must
1974be greater than
1975.Li ip6.lowportmin .
1976.It Li ip6.lowportmin
1977The lowest port number to use for TCP and UDP reserved port allocation.
1978This cannot be set to less than 0 or greater than 1024, and must
1979be smaller than
1980.Li ip6.lowportmax .
1981.It Li ip6.maxdynroutes
1982Maximum number of routes created by redirect.
1983Set it to negative to disable.
1984The default value is 4096.
1985.It Li ip6.maxifprefixes
Maximum number of prefixes created by router advertisements per interface.
1987Set it to negative to disable.
1988The default value is 16.
.It Li ip6.maxifdefrouters
Maximum number of default routers created by router advertisements per interface.
1991Set it to negative to disable.
1992The default value is 16.
1993.It Li ip6.maxflows
1994IPv6 Fast Forwarding is enabled by default.
1995If set to 0, IPv6 Fast Forwarding is disabled.
1996.Li ip6.maxflows
controls the maximum number of flows which can be created.
1998The default value is 256.
1999.It Li ip6.maxfragpackets
2000The maximum number of fragmented packets the node will accept.
20010 means that the node will not accept any fragmented packets.
2002\-1 means that the node will accept as many fragmented packets as it receives.
The variable is provided mainly to avoid possible DoS attacks.
2004.It Li ip6.maxfrags
2005The maximum number of fragments the node will accept.
20060 means that the node will not accept any fragments.
2007\-1 means that the node will accept as many fragments as it receives.
The variable is provided mainly to avoid possible DoS attacks.
2009.It Li ip6.neighborgcthresh
2010Maximum number of entries in neighbor cache per interface.
2011Set to negative to disable.
2012The default value is 2048.
2013.It Li ip6.redirect
2014If set to 1, ICMPv6 redirects may be sent by the node.
2015This option is ignored unless the node is routing IP packets,
2016and should normally be enabled on all systems.
2017.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
2019babysitting, in seconds.
2020.It Li ip6.use_deprecated
The variable controls the use of deprecated addresses, as specified in RFC 2462 5.5.4.
2022.It Li ip6.v6only
The variable specifies the initial value of the
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
sockets.
Please refer to
.Xr ip6 4
for details.
2031.It Li icmp6.errppslimit
2032The variable specifies the maximum number of outgoing ICMPv6 error messages,
2033per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
2037.It Li icmp6.mtudisc_hiwat
2038.It Li icmp6.mtudisc_lowat
2039The variables define the maximum number of routing table entries,
2040created due to path MTU discovery
2041.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
2045the kernel will not attempt to keep the path MTU information.
2046.Li icmp6.mtudisc_hiwat
2047is used when we have verified ICMPv6 too big messages.
2048.Li icmp6.mtudisc_lowat
2049is used when we have unverified ICMPv6 too big messages.
2050Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
2052.It Li icmp6.nd6_debug
2053If set to non-zero, kernel IPv6 neighbor discovery code will generate
2054debugging messages.
2055The debug outputs are useful to diagnose IPv6 interoperability issues.
2056The flag must be set to 0 for normal operation.
2057.It Li icmp6.nd6_delay
2058The variable specifies
2059.Dv DELAY_FIRST_PROBE_TIME
2060timing constant in IPv6 neighbor discovery specification
2061.Pq RFC 2461 ,
2062in seconds.
2063.It Li icmp6.nd6_maxnudhint
2064Neighbor discovery permits upper layer protocols to supply reachability
2065hints, to avoid unnecessary neighbor discovery exchanges.
2066The variable defines the number of consecutive hints the neighbor discovery
2067layer will take.
For example, if the variable is set to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
2072.It Li icmp6.nd6_mmaxtries
2073The variable specifies
2074.Dv MAX_MULTICAST_SOLICIT
2075constant in IPv6 neighbor discovery specification
2076.Pq RFC 2461 .
2077.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
2079in seconds.
2080.It Li icmp6.nd6_umaxtries
2081The variable specifies
2082.Dv MAX_UNICAST_SOLICIT
2083constant in IPv6 neighbor discovery specification
2084.Pq RFC 2461 .
2085.It Li icmp6.nd6_useloopback
2086If set to non-zero, kernel IPv6 stack will use loopback interface for
2087local traffic.
2088.It Li icmp6.nodeinfo
2089The variable enables responses to ICMPv6 node information queries.
2090If you set the variable to 0, responses will not be generated for
2091ICMPv6 node information queries.
2092Since node information queries can have a security impact, it is
2093possible to fine tune which responses should be answered.
2094Two separate bits can be set.
2095.Bl -tag -width "12345"
2096.It 1
2097Respond to ICMPv6 FQDN queries, e.g.
2098.Li ping6 -w .
2099.It 2
2100Respond to ICMPv6 node addresses queries, e.g.
2101.Li ping6 -a .
2102.El
2103.It Li icmp6.rediraccept
2104If set to non-zero, the host will accept ICMPv6 redirect packets.
2105Note that IPv6 routers will never accept ICMPv6 redirect packets,
2106and the variable is meaningful on IPv6 hosts
2107.Pq non-router
2108only.
2109.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
2112.It Li udp6.do_loopback_cksum
2113Perform UDP checksum on loopback.
2114.It Li udp6.recvspace
2115Default UDP receive buffer size.
2116.It Li udp6.sendspace
2117Default UDP send buffer size.
2118.El
2119.Pp
2120We reuse net.*.tcp for TCP over IPv6,
2121and therefore we do not have variables net.*.tcp6.
2122Variables net.inet6.udp6 have identical meaning to net.inet.udp.
2123Please refer to
2124.Li PF_INET
2125section above.
2126For variables net.*.ipsec6, please refer to
2127.Xr ipsec 4 .
2128.It Li net.key ( Dv PF_KEY )
2129Get or set various global information about the IPsec key management.
2130The third level name is the variable name.
The currently defined variable names are:
2132.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
2133.It Sy Variable	Type Ta Sy Changeable
2134.It debug	integer	yes
2135.It enabled	integer	yes
2136.It used	integer	no
2137.It spi_try	integer	yes
2138.It spi_min_value	integer	yes
2139.It spi_max_value	integer	yes
2140.It larval_lifetime	integer	yes
2141.It blockacq_count	integer	yes
2142.It blockacq_lifetime	integer	yes
2143.It esp_keymin	integer	yes
2144.It esp_auth	integer	yes
2145.It ah_keymin	integer	yes
2146.El
2147The variables are as follows:
2148.Bl -tag -width "123456"
2149.It Li debug
Turn on debugging messages from within the kernel.
2151The value is a bitmap, as defined in
2152.In netipsec/key_debug.h .
2153.It Li enabled
2154Control processing of IPsec control messages.
2155.Bl -tag -width indent
2156.It 0
Never allow IPsec processing.
2158.It 1
2159Allow IPsec processing when SPD policies are present.
2160.It 2
2161Force IPsec processing even when SPD policies are not present.
2162.El
2163.It Li used
Shows whether IPsec is being used, based on whether IPsec is enabled
and whether SPD rules exist.
2166Note that currently once IPsec is being used, it cannot be disabled.
2167.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates one from the random number generator.
2170.It Li spi_min_value
2171Minimum SPI value when generating it within the kernel.
2172.It Li spi_max_value
2173Maximum SPI value when generating it within the kernel.
2174.It Li larval_lifetime
2175Lifetime for LARVAL SAD entries, in seconds.
2176.It Li blockacq_count
2177Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
This prevents a flood of ACQUIRE PF_KEY messages from being sent from the
kernel to the key management daemon.
2180.It Li blockacq_lifetime
2181Lifetime of ACQUIRE PF_KEY message.
2182.It Li esp_keymin
2183Minimum ESP key length, in bits.
2184The value is used when the kernel creates proposal payload
2185on ACQUIRE PF_KEY message.
2186.It Li esp_auth
2187Whether ESP authentication should be used or not.
2188Non-zero value indicates that ESP authentication should be used.
2189The value is used when the kernel creates proposal payload
2190on ACQUIRE PF_KEY message.
2191.It Li ah_keymin
Minimum AH key length, in bits.
2193The value is used when the kernel creates proposal payload
2194on ACQUIRE PF_KEY message.
2195.El
2196.It Li net.local ( Dv PF_LOCAL )
2197Get or set various global information about
2198.Dv AF_LOCAL
2199type sockets.
2200For some variables, the third level name is the variable name:
2201.Bl -column "Variable" "integer" "Changeable" -offset indent
2202.It Sy Variable	Type Ta Sy Changeable
2203.It inflight	integer	no
2204.It deferred	integer	no
2205.El
2206The variables are as follows:
2207.Bl -tag -width "123456"
2208.It Li inflight
2209The number of file descriptors currently passed between processes,
2210.Qq in flight .
2211.It Li deferred
2212The number of file descriptors passed between processes that have been
2213deferred for cleanup by a kernel task.
2214.El
2215.Pp
2216Other variables are specific to a socket type:
2217.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent
2218.It Sy "Socket Type"  	Sy Variable	Type Ta Sy Changeable
2219.It dgram	pcblist	struct	no
2220.It dgram	recvspace	integer	yes
2221.It dgram	sendspace	integer	yes
2222.It seqpacket	pcblist	struct	no
2223.It stream	pcblist	struct	no
2224.It stream	recvspace	integer	yes
2225.It stream	sendspace	integer	yes
2226.El
2227The variables are as follows:
2228.Bl -tag -width "123456"
2229.It Li dgram.pcblist
2230The Protocol Control Block list structure for datagram sockets.
2231Parsed by
2232.Xr netstat 1
2233or
2234.Xr sockstat 1 .
2235.It Li dgram.recvspace
2236The default datagram receive buffer size.
2237.It Li dgram.sendspace
2238The default datagram send buffer size.
2239.It Li seqpacket.pcblist
2240The Protocol Control Block list structure for Sequential Packet sockets.
2241Parsed by
2242.Xr netstat 1
2243or
2244.Xr sockstat 1 .
2245.It Li stream.pcblist
2246The Protocol Control Block list structure for stream sockets.
2247Parsed by
2248.Xr netstat 1
2249or
2250.Xr sockstat 1 .
2251.It Li stream.recvspace
2252The default stream receive buffer size.
2253.It Li stream.sendspace
2254The default stream send buffer size.
2255.El
2256.El
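.Pp
The script below is an added example and is not part of the NetBSD manual page: it checks captured sysctl output against the documented meanings of the net.inet and net.inet6 variables above (negative rate limits, unlimited fragments, redirect and router advertisement acceptance on hosts, the icmp6.nodeinfo bits).
It assumes the input uses the "name = value" line format and that net.inet.ip.forwarding, the IPv4 counterpart of ip6.forwarding, is present; the choice of variables to report and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of sysctl.7.
# audit_net_sysctl reads "name = value" lines on stdin and reports net.*
# settings that the text above documents as disabling a limit or as
# answering or accepting ICMP control traffic. Which settings to report is
# a choice made for this example.
# Exit status: 0 if nothing was reported, 1 otherwise.

audit_net_sysctl() {
    awk -F' = ' '
    function report(k, msg) {
        printf "%s = %d: %s\n", k, val[k], msg
        findings++
    }
    function eq(k, v)   { return (k in val) && val[k] == v }
    function neg(k)     { return (k in val) && val[k] < 0 }
    function nonzero(k) { return (k in val) && val[k] != 0 }

    # Keep integer variables only; strings and structs are ignored.
    NF == 2 && $2 ~ /^-?[0-9]+$/ { val[$1] = $2 + 0 }

    END {
        # A negative value disables rate limitation.
        n = split("net.inet.icmp.errppslimit net.inet.tcp.rstppslimit net.inet6.icmp6.errppslimit", names, " ")
        for (i = 1; i <= n; i++)
            if (neg(names[i])) report(names[i], "rate limitation disabled")

        # A negative value disables the upper limit on path MTU entries.
        n = split("net.inet6.icmp6.mtudisc_hiwat net.inet6.icmp6.mtudisc_lowat", names, " ")
        for (i = 1; i <= n; i++)
            if (neg(names[i])) report(names[i], "no upper limit on path MTU routing entries")

        # -1 accepts as many fragments as the node receives.
        n = split("net.inet6.ip6.maxfragpackets net.inet6.ip6.maxfrags", names, " ")
        for (i = 1; i <= n; i++)
            if (eq(names[i], -1)) report(names[i], "no limit on accepted fragments")

        # 0 accepts as many extension headers as possible.
        if (eq("net.inet6.ip6.hdrnestlimit", 0))
            report("net.inet6.ip6.hdrnestlimit", "no limit on extension headers")

        # Redirects and router advertisements only matter on hosts: a node
        # with forwarding set to 1 is a router and is not reported.
        v4host = !eq("net.inet.ip.forwarding", 1)
        v6host = !eq("net.inet6.ip6.forwarding", 1)
        if (v4host && nonzero("net.inet.icmp.rediraccept"))
            report("net.inet.icmp.rediraccept", "host accepts ICMP redirect packets")
        if (v6host && nonzero("net.inet6.icmp6.rediraccept"))
            report("net.inet6.icmp6.rediraccept", "host accepts ICMPv6 redirect packets")
        if (v6host && nonzero("net.inet6.ip6.accept_rtadv"))
            report("net.inet6.ip6.accept_rtadv", "host accepts ICMPv6 router advertisements")

        # Replies to broadcast echo/timestamp and to netmask requests.
        if (eq("net.inet.icmp.bmcastecho", 1))
            report("net.inet.icmp.bmcastecho", "answers broadcast echo and timestamp requests")
        if (eq("net.inet.icmp.maskrepl", 1))
            report("net.inet.icmp.maskrepl", "answers ICMP network mask requests")

        # icmp6.nodeinfo is a bitmask: 1 = FQDN queries, 2 = node addresses.
        k = "net.inet6.icmp6.nodeinfo"
        if ((k in val) && val[k] > 0) {
            if (val[k] % 2 == 1)
                report(k, "answers ICMPv6 FQDN queries (bit 1)")
            if (int(val[k] / 2) % 2 == 1)
                report(k, "answers ICMPv6 node addresses queries (bit 2)")
        }

        # Disabling UDP checksums is strongly discouraged.
        if (eq("net.inet.udp.checksum", 0))
            report("net.inet.udp.checksum", "UDP checksums are not computed")

        exit (findings > 0)
    }'
}

# Constructed sample input (not captured from a real system).
sample_sysctl_output() {
    cat <<'EOF'
net.inet.ip.forwarding = 0
net.inet.icmp.errppslimit = 100
net.inet.icmp.rediraccept = 1
net.inet.icmp.bmcastecho = 0
net.inet.icmp.maskrepl = 0
net.inet.tcp.rstppslimit = -1
net.inet.tcp.congctl.selected = newreno
net.inet.udp.checksum = 1
net.inet6.ip6.forwarding = 1
net.inet6.ip6.accept_rtadv = 1
net.inet6.ip6.hdrnestlimit = 15
net.inet6.ip6.maxfragpackets = -1
net.inet6.ip6.maxfrags = 200
net.inet6.icmp6.errppslimit = 100
net.inet6.icmp6.rediraccept = 1
net.inet6.icmp6.nodeinfo = 3
net.inet6.icmp6.mtudisc_hiwat = 1280
net.inet6.icmp6.mtudisc_lowat = 256
EOF
}

# --sample audits the constructed input; --stdin audits piped sysctl output.
case "${1:-}" in
    --sample) sample_sysctl_output | audit_net_sysctl ;;
    --stdin)  audit_net_sysctl ;;
esac
```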
2257.Ss The proc.* subtree
2258The string and integer information available for the
2259.Li proc
2260level is detailed below.
2261The changeable column shows whether a process with appropriate
2262privilege may change the value.
2263These values are per-process,
2264and as such may change from one process to another.
2265When a process is created,
2266the default values are inherited from its parent.
2267When a set-user-ID or set-group-ID binary is executed, the
2268value of PROC_PID_CORENAME is reset to the system default value.
2269The second level name is either the magic value PROC_CURPROC, which
2270points to the current process, or the PID of the target process.
2271.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
2272.It Sy Third level name Ta Sy Type Ta Sy Changeable
2273.It proc.pid.corename	string	yes
2274.It proc.pid.rlimit	node	not applicable
2275.It proc.pid.stopfork	int	yes
2276.It proc.pid.stopexec	int	yes
2277.It proc.pid.stopexit	int	yes
2278.It proc.pid.paxflags	int	no
2279.El
2280.Bl -tag -width "123456"
2281.It Li proc.pid.corename ( Dv PROC_PID_CORENAME )
2282The template used for the core dump file name (see
2283.Xr core 5
2284for details).
2285The base name must either be
2286.Pa core
2287or end with the suffix
2288.Pa .core
2289(the super-user may set arbitrary names).
2290By default it points to
2291.Dv KERN_DEFCORENAME .
2292.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT )
Return resource limits, as defined for the
2294.Xr getrlimit 2
2295and
2296.Xr setrlimit 2
2297system calls.
2298The fourth level name is one of:
2299.Bl -tag -width "123456"
2300.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU )
2301The maximum amount of CPU time (in seconds) to be used by each process.
2302.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE )
2303The largest size (in bytes) file that may be created.
2304.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA )
2305The maximum size (in bytes) of the data segment for a process;
2306this defines how far a program may extend its break with the
2307.Xr sbrk 2
2308system call.
2309.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK )
2310The maximum size (in bytes) of the stack segment for a process;
2311this defines how far a program's stack segment may be extended.
2312Stack extension is performed automatically by the system.
2313.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE )
2314The largest size (in bytes)
2315.Pa core
2316file that may be created.
2317.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS )
2318The maximum size (in bytes) to which a process's resident set size may
2319grow.
2320This imposes a limit on the amount of physical memory to be given to
2321a process; if memory is tight, the system will prefer to take memory
2322from processes that are exceeding their declared resident set size.
2323.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK )
2324The maximum size (in bytes) which a process may lock into memory
2325using the
2326.Xr mlock 2
2327function.
2328.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC )
2329The maximum number of simultaneous processes for this user id.
2330.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE )
2331The maximum number of open files for this process.
2332.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE )
2333The maximum size (in bytes) of the socket buffers
2334set by the
2335.Xr setsockopt 2
2336.Dv SO_RCVBUF
2337and
2338.Dv SO_SNDBUF
2339options.
2340.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS )
2341The maximum size (in bytes) which a process can obtain.
2342.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR )
The maximum number of threads that can be created and running at one time in
2344the process.
2345The first thread of each process is not counted against this.
2346.El
2347.Pp
2348The fifth level name is one of
2349.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT )
2350or
2351.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) ,
2352to select respectively the soft or hard limit.
2353Both are of type integer.
2354.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
2356.Xr fork 2
2357calls.
2358The children are created in the SSTOP state and are never scheduled
2359for running before being stopped.
2360This feature enables attaching to a process with a debugger such as
2361.Xr gdb 1
2362before the process has the opportunity to actually do anything.
2363.Pp
2364This value is inherited by the process's children, and it also
2365applies to emulation specific system calls that fork a new process, such as
2366.Fn sproc
2367or
2368.Fn clone .
2369.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
2371.Xr exec 3
2372call.
2373The process created by
2374.Xr exec 3
2375is created in the SSTOP state and is never scheduled for running
2376before being stopped.
2377This feature enables attaching to a process with a debugger such as
2378.Xr gdb 1
2379before the process has the opportunity to actually do anything.
2380.Pp
2381This value is inherited by the process's children.
2382.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
2384either by way of calling
2385.Xr exit 3 ,
2386.Xr _exit 2 ,
2387or by the receipt of a specific signal.
2388The process is stopped before any of its resources or vm space is
2389released allowing examination of the termination state of the process
2390before it disappears.
2391This feature can be used to examine the final conditions of the
2392process's vmspace via
2393.Xr pmap 1
2394or its resource settings with
2395.Xr sysctl 8
2396before it disappears.
2397.Pp
2398This value is also inherited by the process's children.
2399.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS )
2400This read-only variable returns the current value of the process's pax
2401flags (see
2402.Xr paxctl 8 ) .
2403.El
2404.Ss The user.* subtree ( Dv CTL_USER )
2405The string and integer information available for the
2406.Li user
2407level is detailed below.
2408The changeable column shows whether a process with appropriate
2409privilege may change the value.
2410.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
2411.It Sy Second level name Ta Sy Type Ta Sy Changeable
2412.It user.atexit_max	integer	no
2413.It user.bc_base_max	integer	no
2414.It user.bc_dim_max	integer	no
2415.It user.bc_scale_max	integer	no
2416.It user.bc_string_max	integer	no
2417.It user.coll_weights_max	integer	no
2418.It user.cs_path	string	no
2419.It user.expr_nest_max	integer	no
2420.It user.line_max	integer	no
2421.It user.posix2_c_bind	integer	no
2422.It user.posix2_c_dev	integer	no
2423.It user.posix2_char_term	integer	no
2424.It user.posix2_fort_dev	integer	no
2425.It user.posix2_fort_run	integer	no
2426.It user.posix2_localedef	integer	no
2427.It user.posix2_sw_dev	integer	no
2428.It user.posix2_upe	integer	no
2429.It user.posix2_version	integer	no
2430.It user.re_dup_max	integer	no
2431.It user.stream_max	integer	no
2433.It user.tzname_max	integer	no
2434.El
2435.Bl -tag -width "123456"
2436.It Li user.atexit_max ( Dv USER_ATEXIT_MAX )
2437The maximum number of functions that may be registered with
2438.Xr atexit 3 .
2439.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX )
2440The maximum ibase/obase values in the
2441.Xr bc 1
2442utility.
2443.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX )
2444The maximum array size in the
2445.Xr bc 1
2446utility.
2447.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX )
2448The maximum scale value in the
2449.Xr bc 1
2450utility.
2451.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX )
2452The maximum string length in the
2453.Xr bc 1
2454utility.
2455.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX )
2456The maximum number of weights that can be assigned to any entry of
2457the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( Dv USER_CS_PATH )
2459Return a value for the
2460.Ev PATH
2461environment variable that finds all the standard utilities.
2462.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
2465.Xr expr 1
2466utility.
2467.It Li user.line_max ( Dv USER_LINE_MAX )
2468The maximum length in bytes of a text-processing utility's input
2469line.
2470.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM )
2471Return 1 if the system supports at least one terminal type capable of
2472all operations described in
2473.St -p1003.2 ,
2474otherwise\ 0.
2475.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND )
2476Return 1 if the system's C-language development facilities support the
2477C-Language Bindings Option, otherwise\ 0.
2478.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV )
2479Return 1 if the system supports the C-Language Development Utilities Option,
2480otherwise\ 0.
2481.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV )
2482Return 1 if the system supports the FORTRAN Development Utilities Option,
2483otherwise\ 0.
2484.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN )
2485Return 1 if the system supports the FORTRAN Runtime Utilities Option,
2486otherwise\ 0.
2487.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF )
2488Return 1 if the system supports the creation of locales, otherwise\ 0.
2489.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV )
2490Return 1 if the system supports the Software Development Utilities Option,
2491otherwise\ 0.
2492.It Li user.posix2_upe ( Dv USER_POSIX2_UPE )
2493Return 1 if the system supports the User Portability Utilities Option,
2494otherwise\ 0.
2495.It Li user.posix2_version ( Dv USER_POSIX2_VERSION )
2496The version of
2497.St -p1003.2
2498with which the system attempts to comply.
2499.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX )
2500The maximum number of repeated occurrences of a regular expression
2501permitted when using interval notation.
2502.It Li user.stream_max ( Dv USER_STREAM_MAX )
2503The minimum maximum number of streams that a process may have open
2504at any one time.
2505.It Li user.tzname_max ( Dv USER_TZNAME_MAX )
2506The minimum maximum number of types supported for the name of a
2507timezone.
2508.El
2509.Ss The vm.* subtree ( Dv CTL_VM )
2510The string and integer information available for the
2511.Li vm
2512level is detailed below.
2513The changeable column shows whether a process with appropriate
2514privilege may change the value.
2515.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
2516.It Sy Second level name Ta Sy Type Ta Sy Changeable
2517.It vm.anonmax	int	yes
2518.It vm.anonmin	int	yes
2519.It vm.bufcache	int	yes
2520.It vm.bufmem	int	no
2521.It vm.bufmem_hiwater	int	yes
2522.It vm.bufmem_lowater	int	yes
2523.It vm.execmax	int	yes
2524.It vm.execmin	int	yes
2525.It vm.filemax	int	yes
2526.It vm.filemin	int	yes
2527.It vm.loadavg	struct loadavg	no
2528.It vm.maxslp	int	no
2529.It vm.nkmempages	int	no
2530.It vm.uspace	int	no
2531.It vm.uvmexp	struct uvmexp	no
2532.It vm.uvmexp2	struct uvmexp_sysctl	no
2533.It vm.vmmeter	struct vmtotal	no
2534.It vm.proc.map	struct kinfo_vmentry	no
2535.It vm.guard_size	unsigned int	no
2536.It vm.thread_guard_size	unsigned int	yes
2537.It vm.swap_encrypt	bool	yes
2538.El
2539.Bl -tag -width "123456"
2540.It Li vm.anonmax ( Dv VM_ANONMAX )
2541The percentage of physical memory which will be reclaimed
2542from other types of memory usage to store anonymous application data.
2543.It Li vm.anonmin ( Dv VM_ANONMIN )
2544The percentage of physical memory which will always be available for
2545anonymous application data.
2546.It Li vm.bufcache ( Dv VM_BUFCACHE )
2547The percentage of physical memory which will be available
2548for the buffer cache.
2549.It Li vm.bufmem ( Dv VM_BUFMEM )
2550The amount of kernel memory that is being used by the buffer cache.
2551.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER )
2552The minimum amount of kernel memory to reserve for the
2553buffer cache.
2554.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER )
2555The maximum amount of kernel memory to be used for the
2556buffer cache.
2557.It Li vm.execmax ( Dv VM_EXECMAX )
2558The percentage of physical memory which will be reclaimed
2559from other types of memory usage to store cached executable data.
2560.It Li vm.execmin ( Dv VM_EXECMIN )
2561The percentage of physical memory which will always be available for
2562cached executable data.
2563.It Li vm.filemax ( Dv VM_FILEMAX )
2564The percentage of physical memory which will be reclaimed
2565from other types of memory usage to store cached file data.
2566.It Li vm.filemin ( Dv VM_FILEMIN )
2567The percentage of physical memory which will always be available for
2568cached file data.
2569.It Li vm.loadavg ( Dv VM_LOADAVG )
2570Return the load average history.
2571The returned data consists of a
2572.Vt struct loadavg .
2573.It Li vm.maxslp ( Dv VM_MAXSLP )
2574The value of the maxslp kernel global variable.
2575.It Li vm.vmmeter ( Dv VM_METER )
2576Return system wide virtual memory statistics.
2577The returned data consists of a
2578.Vt struct vmtotal .
2579.It Li vm.user_va0_disable
2580A flag which controls whether user processes can map virtual address\ 0.
2581.It Li vm.proc.map ( Dv VM_PROC )
2582The third level is
2583.Dv VM_PROC_MAP ,
2584the fourth is the pid of the process to display the vm object entries for, and
2585the fifth is the size of
2586.Vt struct kinfo_vmentry .
2587Returns an array of
2588.Vt struct kinfo_vmentry
2589objects.
2590.It Li vm.ubc_direct Bq Sy "EXPERIMENTAL" Ns No , default off
2591Use direct map for UBC I/O, avoiding the need to map and unmap buffer memory.
2592Speeds up operation for fast I/O devices like NVMe, especially
2593on multi-CPU systems.
2594Only available on some architectures.
2595.It Li vm.uspace ( Dv VM_USPACE )
2596The number of bytes allocated for each kernel stack.
2597.It Li vm.uvmexp ( Dv VM_UVMEXP )
2598Return system wide virtual memory statistics.
2599The returned data consists of a
2600.Vt struct uvmexp .
2601.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 )
2602Return system wide virtual memory statistics.
2603The returned data consists of a
2604.Vt struct uvmexp_sysctl .
2605.It Li vm.guard_size
2606Return system wide guard size for the main thread of a program.
2607.It Li vm.thread_guard_size
2608Return system wide default size for the guard area of all other threads
2609of a program.
2610.It Li vm.swap_encrypt
2611If true, encrypt data while swapped out to disk.
2612.Pp
2613Each swap device maintains an independent AES-256 key, generated when
2614the first page is swapped to that device.
2615Each page is encrypted independently using AES-CBC, with an
2616initialization vector computed by encrypting, under the AES-256 key,
2617the little-endian swap slot number padded to 128 bits with zeros.
2618(This is essentially the
2619.Xr cgd 4
2620.Sq encblkno1
2621method.)
2622.Pp
2623Changes to
2624.Li vm.swap_encrypt
2625only affect pages of swap newly written out.
2626To force encrypting or decrypting all existing swap, or to rekey
2627previously encrypted swap, you can remove the swap devices and re-add
2628them with
2629.Xr swapctl 8 ,
2630with the caveat that whatever pages were already written to disk
2631unencrypted or encrypted with a compromised key may still be written to
2632disk afterward.
2633.El
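The IV derivation described under vm.swap_encrypt, as an added userland example (not NetBSD kernel code).
It assumes the openssl(1) command is installed; the function names and the all-zero key are constructed for illustration.

```shell
#!/bin/sh
# Constructed all-zero test key; real keys are generated by the kernel
# per swap device.
KEY=0000000000000000000000000000000000000000000000000000000000000000

# slot_block SLOT: write SLOT as 16 raw bytes, little-endian, zero padded.
slot_block() {
    n=$1; i=0
    while [ "$i" -lt 16 ]; do
        printf "\\$(printf '%03o' $((n & 255)))"
        n=$((n >> 8)); i=$((i + 1))
    done
}

# hex: print stdin as one lowercase hex string.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# swap_iv KEY SLOT: the IV is the AES-256 encryption of the padded slot number.
swap_iv() {
    slot_block "$2" | openssl enc -aes-256-ecb -K "$1" -nopad | hex
}

# page_crypt e|d KEY SLOT: AES-CBC over stdin, no padding, per-slot IV.
page_crypt() {
    openssl enc "-$1" -aes-256-cbc -K "$2" -iv "$(swap_iv "$2" "$3")" -nopad
}

# page: a constructed 4096-byte page of identical bytes.
page() { dd if=/dev/zero bs=4096 count=1 2>/dev/null | tr '\0' 'A'; }

# The same page written to two slots must not produce the same ciphertext.
same_page_differs() {
    a=$(page | page_crypt e "$KEY" 7 | hex)
    b=$(page | page_crypt e "$KEY" 8 | hex)
    [ "$a" != "$b" ]
}

# Decrypting with the IV of the slot the page was written to restores it.
round_trip() {
    [ "$(page | page_crypt e "$KEY" 7 | page_crypt d "$KEY" 7 | hex)" = "$(page | hex)" ]
}

echo "IV for slot 7: $(swap_iv "$KEY" 7)"
```

Because the IV depends only on the key and the slot number, the same page written twice to the same slot under the same key produces the same ciphertext.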
2634.Ss The ddb.* subtree ( Dv CTL_DDB )
2635The information available for the
2636.Li ddb
2637level is detailed below.
2638The changeable column shows whether a process with appropriate
2639privilege may change the value.
2640.Bl -column "Second level name" "integer" "Changeable" -offset indent
2641.It Sy Second level name Ta Sy Type Ta Sy Changeable
2642.It ddb.commandonenter	string	yes
2643.It ddb.dumpstack 	integer	yes
2644.It ddb.fromconsole	integer	yes
2645.It ddb.lines	integer	yes
2646.It ddb.maxoff	integer	yes
2647.It ddb.maxwidth	integer	yes
2648.It ddb.onpanic	integer	yes
2649.It ddb.panicstackframes	integer	yes
2650.It ddb.radix	integer	yes
2651.It ddb.tabstops	integer	yes
2652.It ddb.tee_msgbuf	integer	yes
2653.El
2654.Bl -tag -width "123456"
2655.It Li ddb.commandonenter
2656If not empty, the string is used as the DDB command to be executed each time
2657DDB is entered.
2658.It Li ddb.dumpstack
2659A value of 1 causes a stack trace to be printed on entering ddb from a panic.
2660A value of 0 disables this behaviour.
2661The default value is 1.
2662.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE )
2663If not zero, DDB may be entered by sending a break on a serial
2664console or by a special key sequence on a graphics console.
2665.It Li ddb.lines ( Dv DDBCTL_LINES )
2666Number of display lines.
2667.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF )
2668The maximum symbol offset.
2669.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH )
2670The maximum output line width.
2671.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC )
2672If greater than zero, DDB will be entered if the kernel panics.
2673A value of 1 causes the system to enter DDB on panic.
2674A value of 0 causes the kernel to attempt to print a stack trace, then
2675reboot, while a value of \-1 means neither a stack trace will be printed
2676nor DDB entered.
2677.It Li ddb.panicstackframes
2678Number of stack frames to display on panic.
2679Useful to avoid scrolling away the interesting frames on a glass tty.
2680Default value is
2681.Dv 65535
2682(all frames), useful value around
2683.Dv 10 .
2684.It Li ddb.radix ( Dv DDBCTL_RADIX )
2685The input and output radix.
2686.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS )
2687Tab width.
2688.It Li ddb.tee_msgbuf
2689If not zero, DDB will also output to the kernel message buffer.
2690.El
2691.Pp
2692Some of these MIB
2693nodes are also available as variables from within the debugger.
2694See
2695.Xr ddb 4
2696for more details.
2697.Ss The security.* subtree ( Dv CTL_SECURITY )
2698The
2699.Li security
2700level contains various security-related settings for
2701the system.
2702The available second level names are:
2703.Bl -column "Second level name" "integer" "Changeable" -offset indent
2704.It Sy Second level name Ta Sy Type Ta Sy Changeable
2705.It Li security.curtain	integer	yes
2706.It Li security.models	node	not applicable
2707.It Li security.pax	node	not applicable
2708.El
2709.Pp
2710Available settings are detailed below.
2711.Bl -tag -width "123456"
2712.It Li security.curtain
2713If non-zero, will filter return objects according to the user ID
2714requesting information about them, preventing users from
2715accessing any objects they do not own.
2716.Pp
2717At the moment, it affects
2718.Xr ps 1 ,
2719.Xr netstat 1
2720(for
2721.Dv PF_INET ,
2722.Dv PF_INET6 ,
2723and
2724.Dv PF_UNIX
2725PCBs), and
2726.Xr w 1 .
2727.It Li security.models
2728.Nx
2729supports pluggable security models.
2730Every security model used, whether loaded as a module or built with the system,
2731is required to add an entry to this node with at least one element,
2732.Dq name ,
2733indicating the name of the security model.
2734.Pp
2735In addition to the name, any settings and other information private to the
2736security model will be available under this node.
2737See
2738.Xr secmodel 9
2739for more information.
2740.It Li security.pax
2741Settings for PaX \(em exploit mitigation features.
2742For more information on any of the PaX features, please see
2743.Xr paxctl 8
2744and
2745.Xr security 7 .
2746The available third and fourth level names are:
2747.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
2748-offset 2n
2749.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
2750.It Li security.pax.aslr.enabled	integer	yes
2751.\".It Li security.pax.aslr.exec_len	integer	yes
2752.It Li security.pax.aslr.global	integer	yes
2753.\".It Li security.pax.aslr.mmap_len	integer	yes
2754.\".It Li security.pax.aslr.stack_len	integer	yes
2755.It Li security.pax.mprotect.enabled	integer	yes
2756.It Li security.pax.mprotect.global	integer	yes
2757.It Li security.pax.mprotect.ptrace	integer	yes
2758.It Li security.pax.segvguard.enabled	integer	yes
2759.It Li security.pax.segvguard.expiry_timeout	integer	yes
2760.It Li security.pax.segvguard.global	integer	yes
2761.It Li security.pax.segvguard.max_crashes	integer	yes
2762.It Li security.pax.segvguard.suspend_timeout	integer	yes
2763.El
2764.Bl -tag -width "123456"
2765.It Li security.pax.aslr.enabled
2766Enable PaX ASLR (Address Space Layout Randomization).
2767.Pp
2768The value of this
2769knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
2770explicit enable.
2771.\".It Li security.pax.aslr.exec_len
2772.\" XXX: Undocumented.
2773.It Li security.pax.aslr.global
2774Specifies the default global policy for programs without an
2775explicit enable/disable flag.
2776.Pp
2777When non-zero, all programs will get PaX ASLR, except those exempted with
2778.Xr paxctl 8 .
2779Otherwise, no program will get PaX ASLR, except those specifically
2780marked as such with
2781.Xr paxctl 8 .
2782.\".It Li security.pax.aslr.mmap_len
2783.\" XXX: Undocumented.
2784.\" .It Li security.pax.aslr.stack_len
2785.\" XXX: Undocumented.
2786.It Li security.pax.mprotect.enabled
2787Enable PaX MPROTECT restrictions.
2788.Pp
2789These are
2790.Xr mprotect 2
2791restrictions to better enforce a W^X policy.
2792The value of this
2793knob must be non-zero for PaX MPROTECT to be enabled, even if a
2794program is set to explicit enable.
2795.It Li security.pax.mprotect.global
2796Specifies the default global policy for programs without an
2797explicit enable/disable flag.
2798.Pp
2799When non-zero, all programs will get the PaX MPROTECT restrictions,
2800except those exempted with
2801.Xr paxctl 8 .
2802Otherwise, no program will get the PaX MPROTECT restrictions,
2803except those specifically marked as such with
2804.Xr paxctl 8 .
2805.It Li security.pax.mprotect.ptrace
2806This variable allows
2807.Xr ptrace 2
2808to override PaX MPROTECT permissions.
2809It can have the following values:
2810.Bl -tag -width XX -compact
2811.It 0
2812Does not allow any permissions to be overridden.
2813.It 1
2814Disables PaX MPROTECT for processes that start executing while traced (default).
2815.It 2
2816Bypasses PaX MPROTECT for all processes being traced.
2817.El
2818.It Li security.pax.segvguard.enabled
2819Enable PaX Segvguard.
2820.Pp
2821PaX Segvguard can detect and prevent certain exploitation attempts, where
2822an attacker may try for example to brute-force function return addresses
2823of respawning daemons.
2824.Pp
2825.Em Note :
2826The
2827.Nx
2828interface and implementation of the Segvguard is still experimental, and may
2829change in future releases.
2830.It Li security.pax.segvguard.expiry_timeout
2831If the maximum number of crashes is not reached within this timeout (in seconds),
2832the entry will expire.
2833.It Li security.pax.segvguard.global
2834Specifies the default global policy for programs without an
2835explicit enable/disable flag.
2836.Pp
2837When non-zero, all programs will get the PaX Segvguard,
2838except those exempted with
2839.Xr paxctl 8 .
2840Otherwise, no program will get the PaX Segvguard restrictions,
2841except those specifically marked as such with
2842.Xr paxctl 8 .
2843.It Li security.pax.segvguard.max_crashes
2844The maximum number of segfaults a program can receive before suspension.
2845.It Li security.pax.segvguard.suspend_timeout
2846Number of seconds to suspend a user from running a faulting program when the
2847limit was exceeded.
2848.El
2849.El
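How the enabled and global knobs combine with a per-program flag, as an added example (not part of the original manual) run over a constructed sample of sysctl output.
The function names and the flag spellings explicit-enable, explicit-disable and none are hypothetical labels for the markings set with paxctl(8).

```shell
#!/bin/sh
# Constructed sample of `sysctl security.pax` output (not from a real host).
SAMPLE='security.pax.aslr.enabled = 1
security.pax.aslr.global = 1
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.mprotect.ptrace = 2
security.pax.segvguard.enabled = 0
security.pax.segvguard.global = 1'

# knob TEXT NAME: print the value of one MIB node found in TEXT.
knob() {
    printf '%s\n' "$1" | awk -F' = ' -v n="$2" '$1 == n { print $2 }'
}

# nonzero TEXT NAME: succeed if the node is present and not 0.
nonzero() { v=$(knob "$1" "$2"); [ "${v:-0}" -ne 0 ]; }

# pax_effective TEXT FEATURE FLAG: print 1 if FEATURE (aslr, mprotect or
# segvguard) applies to a program carrying FLAG, else 0.
pax_effective() {
    # The enabled knob gates the feature, even for an explicit enable.
    nonzero "$1" "security.pax.$2.enabled" || { echo 0; return; }
    case $3 in
        explicit-enable)  echo 1 ;;
        explicit-disable) echo 0 ;;
        *)  # No flag: the global knob supplies the default policy.
            if nonzero "$1" "security.pax.$2.global"; then echo 1; else echo 0; fi ;;
    esac
}

# audit TEXT: report which programs each feature actually covers.
audit() {
    for f in aslr mprotect segvguard; do
        if ! nonzero "$1" "security.pax.$f.enabled"; then
            echo "$f: off for every program, explicit enables included"
        elif ! nonzero "$1" "security.pax.$f.global"; then
            echo "$f: opt-in, only programs with an explicit enable get it"
        fi
    done
    [ "$(knob "$1" security.pax.mprotect.ptrace)" != 2 ] ||
        echo "mprotect: bypassed for every traced process (ptrace = 2)"
}

audit "$SAMPLE"
```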
2850.Ss The vendor.* subtree ( Dv CTL_VENDOR )
2851The
2852.Li vendor
2853toplevel name is reserved to be used by vendors who wish to
2854have their own private MIB tree.
2855Intended use is to store values under
2856.Dq vendor.<yourname>.* .
2857.Sh SEE ALSO
2858.Xr sysctl 3 ,
2859.Xr ipsec 4 ,
2860.Xr tcp 4 ,
2861.Xr security 7 ,
2862.Xr sysctl 8
2863.Sh HISTORY
2864The
2865.Nm
2866variables first appeared in
2867.Bx 4.4 .
2868