.\" $NetBSD: sysctl.7,v 1.47 2010/04/20 13:03:33 wiz Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd April 20, 2010
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column security CTL_SECURITY "Next level names" "High kernel limits"
.It Sy Name Ta Constant Ta Next level names Ta Description
.It kern Ta CTL_KERN Ta sys/sysctl.h Ta High kernel limits
.It vm Ta CTL_VM Ta uvm/uvm_param.h Ta Virtual memory
.It vfs Ta CTL_VFS Ta sys/mount.h Ta Filesystem
.It net Ta CTL_NET Ta sys/socket.h Ta Networking
.It debug Ta CTL_DEBUG Ta sys/sysctl.h Ta Debugging
.It hw Ta CTL_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta CTL_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It user Ta CTL_USER Ta sys/sysctl.h Ta User-level
.It ddb Ta CTL_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It proc Ta CTL_PROC Ta sys/sysctl.h Ta Per-process
.It vendor Ta CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta CTL_EMUL Ta sys/sysctl.h Ta Emulation settings
.It security Ta CTL_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
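.Pp
Added example, not part of the NetBSD manual page or source tree: a small Python linter that checks
.Pa /etc/sysctl.conf
style text against the Changeable column this page gives for the hw.* and kern.* variables.
Assumptions: name=value lines with # comments, a table that is only a subset copied from this page, and function names, current values and sample input constructed for illustration.

```python
"""Lint sysctl.conf-style text against the "Changeable" column of sysctl(7)."""

# Subset of the hw.* and kern.* tables on this page: name -> Changeable column.
# Extend it from the page as needed; names missing here are reported "unknown".
CHANGEABLE = {
    "hw.cnmagic": "yes",
    "hw.pagesize": "no",
    "kern.coredump": "not applicable",
    "kern.coredump.setid.dump": "yes",
    "kern.coredump.setid.mode": "yes",
    "kern.hostname": "yes",
    "kern.maxfiles": "yes",
    "kern.osrelease": "no",
    "kern.securelevel": "raise only",
    "kern.veriexec.strict": "yes",
    "kern.version": "no",
}

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample, not taken from a real host
kern.hostname=build01
kern.securelevel=0
kern.osrelease=9.9
kern.coredump=1
kern.coredump.setid.dump = 1
kern.maxfiles
net.inet.ip.forwarding=0
"""


def classify(name, value, current):
    """Return a verdict for one assignment, using the Changeable column."""
    flag = CHANGEABLE.get(name)
    if flag is None:
        return "unknown"            # not in the subset copied from the page
    if flag == "no":
        return "read-only"          # the kernel will refuse the write
    if flag == "not applicable":
        return "node"               # interior node, holds no value itself
    if flag == "raise only":
        try:
            new = int(value)
        except ValueError:
            return "syntax"
        old = current.get(name)
        if old is not None and new < old:
            return "lowers raise-only"
    return "ok"


def lint(conf_text, current=None):
    """Lint conf_text; `current` maps names to the values now in the kernel.

    Returns a list of (line number, name, verdict) for every assignment line.
    """
    current = current or {}
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            findings.append((lineno, name or line, "syntax"))
            continue
        findings.append((lineno, name, classify(name, value, current)))
    return findings


if __name__ == "__main__":
    # Assumed current value, as `sysctl -n kern.securelevel` might report it.
    for lineno, name, verdict in lint(SAMPLE_CONF, {"kern.securelevel": 1}):
        print(f"line {lineno}: {name}: {verdict}")
```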
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
It has the following third level identifiers:
.Bl -tag -width compact
.It vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
The highest valid filesystem type number.
.It vfs.generic.conf ( VFS_CONF )
Returns configuration information about the file-system type given as a fourth
level identifier.
.El
.Pp
The remaining second level identifiers are the file-system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Type Ta Changeable
.It kern.arandom Ta integer Ta no
.It kern.argmax Ta integer Ta no
.It kern.boothowto Ta integer Ta no
.It kern.boottime Ta struct timeval Ta no
.\".It kern.bufq Ta node Ta not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.coredump Ta node Ta not applicable
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.cryptodevallowsoft Ta integer Ta yes
.It kern.defcorename Ta string Ta yes
.It kern.detachall Ta integer Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.dump_on_panic Ta integer Ta yes
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.module Ta node Ta not applicable
.It kern.monotonic_clock Ta integer Ta no
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.\".It kern.no_sa_support Ta integer Ta yes
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrevision Ta integer Ta no
.It kern.ostype Ta string Ta no
.\".It kern.panic_now Ta integer Ta yes
.It kern.pipe Ta node Ta not applicable
.\" .It kern.posix Ta node Ta not applicable
.It kern.posix1version Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.\".It kern.posix_sched Ta integer Ta yes
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.profiling Ta node Ta not applicable
.\".It kern.pset Ta node Ta not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.sbmax Ta integer Ta yes
.\".It kern.sched Ta node Ta not applicable
.It kern.securelevel Ta integer Ta raise only
.It kern.somaxkva Ta integer Ta yes
.It kern.synchronized_io Ta integer Ta no
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.usercrypto Ta integer Ta yes
.It kern.userasymcrypto Ta integer Ta yes
.It kern.veriexec Ta node Ta not applicable
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.arandom
This variable picks a random number each time it is queried.
The used random number generator
.Pq Tn RNG
is based on
.Xr arc4random 3 .
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.\" .It Li kern.bufq
.\" XXX: Undocumented.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to coredumps of set-id processes.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Type Ta Changeable
.It kern.coredump.setid.dump Ta integer Ta yes
.It kern.coredump.setid.group Ta integer Ta yes
.It kern.coredump.setid.mode Ta integer Ta yes
.It kern.coredump.setid.owner Ta integer Ta yes
.It kern.coredump.setid.path Ta string Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv \*[Lt] 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv \*[Gt] 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host identifier.
This is aimed to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.module.autoload Ta integer Ta yes
.It kern.module.verbose Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See for example
.Xr modstat 8
for additional details.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID is available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.\" .It Li kern.sched
.\" XXX: Undocumented.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.veriexec.algorithms Ta string Ta no
.It kern.veriexec.count Ta node Ta not applicable
.It kern.veriexec.strict Ta integer Ta yes
.It kern.veriexec.verbose Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.\" XXX: Undocumented: kern.lwp: no children?
.El
.Sh The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li machdep.booted_kernel Ta string Ta no
.El
.\" XXX: Document the above.
.Sh The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
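An added example (not part of the original manual page or of NetBSD): a Python linter that checks net.inet assignments against the limits and cautions stated in the descriptions above.
The name=value file syntax, the sample values, and all function and constant names are assumptions made for this example.

```python
"""Lint net.inet.* assignments against the constraints stated in sysctl(7)."""

PREFIX = "net.inet."

# Constructed sample in name=value form with '#' comments (assumed syntax).
SAMPLE_CONF = """\
# constructed example, not from a real host
net.inet.ip.anonportmin=49152
net.inet.ip.anonportmax=40000
net.inet.ip.lowportmin=600
net.inet.ip.lowportmax=1023
net.inet.ip.hashsize=100
net.inet.ip.maxfragpackets=-1
net.inet.icmp.errppslimit=-1
net.inet.tcp.rstppslimit=100
net.inet.udp.checksum=0
net.inet.tcp.compat_42=1
net.inet.ip.forwsrcrt=1
"""

# (low, high) bounds the page states for the port-range variables.
RANGES = {
    "ip.anonportmin": (1024, 65535),
    "ip.anonportmax": (1024, 65535),
    "ip.lowportmin": (0, 1024),
    "ip.lowportmax": (0, 1024),
}
# (min name, max name): the max must be greater than the min.
ORDERED = [("ip.anonportmin", "ip.anonportmax"),
           ("ip.lowportmin", "ip.lowportmax")]
# (name, value) -> note, for settings the page itself discourages or flags.
FLAGGED = {
    ("udp.checksum", 0): "disabling UDP checksums is strongly discouraged",
    ("tcp.compat_42", 1): "4.2BSD work-arounds are not recommended",
    ("tcp.ack_on_push", 1): "generally not recommended",
    ("ip.maxfragpackets", -1): "no cap on fragmented packets (DoS guard off)",
}
# Variables for which a negative value switches rate limitation off.
RATE_LIMITS = ("icmp.errppslimit", "tcp.rstppslimit")


def parse_conf(text):
    """Return {short name: int} for integer net.inet.* assignments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if not name.startswith(PREFIX):
            continue
        try:
            settings[name[len(PREFIX):]] = int(value)
        except ValueError:
            continue  # string-typed variables such as tcp.congctl.selected
    return settings


def lint(settings, securelevel=None):
    """Return sorted (name, message) findings for the documented constraints."""
    findings = []
    for name, (low, high) in RANGES.items():
        if name in settings and not low <= settings[name] <= high:
            findings.append((name, f"must be within {low}..{high}"))
    for lo_name, hi_name in ORDERED:
        if lo_name in settings and hi_name in settings:
            if settings[hi_name] <= settings[lo_name]:
                findings.append((hi_name, f"must be greater than {lo_name}"))
    size = settings.get("ip.hashsize")
    if size is not None and (size <= 0 or size & (size - 1)):
        findings.append(("ip.hashsize", "must be a power of 2"))
    for (name, bad), note in FLAGGED.items():
        if settings.get(name) == bad:
            findings.append((name, note))
    for name in RATE_LIMITS:
        if settings.get(name, 0) < 0:
            findings.append((name, "negative value disables rate limitation"))
    # ip.forwsrcrt may only be changed while the security level is below 1.
    if "ip.forwsrcrt" in settings and securelevel is not None and securelevel >= 1:
        findings.append(("ip.forwsrcrt", "not changeable at securelevel >= 1"))
    return sorted(findings)


if __name__ == "__main__":
    for name, message in lint(parse_conf(SAMPLE_CONF), securelevel=1):
        print(f"{PREFIX}{name}: {message}")
```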
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information into
the routing table.
If the number of routing table entries exceed the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Type Ta Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging message from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It prevents a flood of ACQUIRE PF_KEY messages from being sent from the
kernel to the key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
Each child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps with attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps with attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address 0.
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.It ddb.commandonenter Ta string Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DDBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.lines ( DDBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DDBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.It Li ddb.commandonenter
If not empty, a command to be executed on each entry to
.Tn DDB .
.\"
.\" XXX: (a) ddb.commandonenter is missing in ddb(4);
.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter.
.El
.Pp
Some of these
.Tn MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain Ta integer Ta yes
.It Li security.models Ta node Ta not applicable
.It Li security.pax Ta node Ta not applicable
.El
.Pp
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter returned objects according to the user
.Tn ID
requesting information about them, preventing users from
accessing objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled Ta integer Ta yes
.\".It Li security.pax.aslr.exec_len integer yes
.It Li security.pax.aslr.global Ta integer Ta yes
.\".It Li security.pax.aslr.mmap_len integer yes
.\".It Li security.pax.aslr.stack_len integer yes
.It Li security.pax.mprotect.enabled Ta integer Ta yes
.It Li security.pax.mprotect.global Ta integer Ta yes
.It Li security.pax.segvguard.enabled Ta integer Ta yes
.It Li security.pax.segvguard.expiry_timeout Ta integer Ta yes
.It Li security.pax.segvguard.global Ta integer Ta yes
.It Li security.pax.segvguard.max_crashes Ta integer Ta yes
.It Li security.pax.segvguard.suspend_timeout Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
top level name is reserved to be used by vendors who wish to
have their own private MIB tree.
The intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
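.Pp
The security.pax.* entries above describe a two-level policy: the enabled knob gates a feature, and the global knob sets the default for programs that carry no explicit enable/disable flag.
The following sketch is an added example, not part of the NetBSD manual; the sample dump is constructed, the function names are hypothetical, and each program's flag is assumed to be already known from paxctl(8).

```shell
#!/bin/sh
# Constructed sample in the "name = value" form printed by sysctl(8);
# on a live host this would be the output of: sysctl security.pax
SYSCTL_DUMP='security.pax.aslr.enabled = 1
security.pax.aslr.global = 0
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 1
security.pax.segvguard.enabled = 0
security.pax.segvguard.global = 1'

# knob NAME: print the value of one variable from the dump.
# Exits non-zero when the variable is absent.
knob() {
    printf '%s\n' "$SYSCTL_DUMP" | awk -F' = ' -v k="$1" '
        $1 == k { print $2; found = 1 }
        END { exit !found }'
}

# pax_effective FEATURE FLAG (hypothetical helper)
#   FEATURE: aslr | mprotect | segvguard
#   FLAG:    the program's explicit marking: enable | disable | none
# Prints "on" or "off" following the rules in the manual text:
#   1. enabled == 0 switches the feature off, even for explicit enable;
#   2. an explicit flag overrides the global default;
#   3. with no flag, the global knob decides.
pax_effective() {
    enabled=$(knob "security.pax.$1.enabled") || { echo unknown; return 2; }
    global=$(knob "security.pax.$1.global") || { echo unknown; return 2; }
    if [ "$enabled" -eq 0 ]; then
        echo off
        return 0
    fi
    case "$2" in
        enable)  echo on ;;
        disable) echo off ;;
        none)
            if [ "$global" -ne 0 ]; then echo on; else echo off; fi ;;
        *)       echo unknown; return 2 ;;
    esac
}

# pax_gaps: list, one per line, the features that a program without
# an explicit flag does not receive under the current settings.
pax_gaps() {
    for f in aslr mprotect segvguard; do
        [ "$(pax_effective "$f" none)" = on ] || printf '%s\n' "$f"
    done
}

printf 'unmarked programs lack: %s\n' "$(pax_gaps | tr '\n' ' ')"
```

With the sample values, ASLR reaches only programs explicitly marked for it, and Segvguard reaches none because its enabled knob is 0 regardless of the global setting.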