.\" $NetBSD: sysctl.7,v 1.166 2023/08/14 16:51:52 riastradh Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd May 29, 2023
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits
.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory
.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem
.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking
.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging
.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent
.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level
.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger
.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process
.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( Dv VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( Dv VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT )
Controls whether users other than the super-user can mount file
systems.
Defaults to
.Li 0 ,
so only the super-user can mount file systems.
.Pp
File systems mounted by unprivileged users must be mounted with the
.Li nodev
and
.Li nosuid
.Xr mount 8
options.
.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS )
Controls whether expansion of variables is going to be performed on
pathnames or not.
Defaults to
.Li 0 ,
no variable expansion.
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
A second level name for controlling the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journaling)
capabilities with the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure integrity
of file system metadata in the event of a power loss.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.ncpuonline Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Bl -tag -width "123456"
.It Li hw.alignbytes ( Dv HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( Dv HW_BYTEORDER )
The byte order (4321 or 1234).
.It Li hw.cnmagic ( Dv HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( Dv HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( Dv HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( Dv HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( Dv HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( Dv HW_MODEL )
The machine model.
.It Li hw.ncpu ( Dv HW_NCPU )
The number of CPUs configured.
.It Li hw.ncpuonline ( Dv HW_NCPUONLINE )
The number of CPUs online.
.It Li hw.pagesize ( Dv HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( Dv HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( Dv HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( Dv HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( Dv HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max Ta integer Ta yes
.It kern.aio_max Ta integer Ta yes
.It kern.arandom Ta integer Ta no
.It kern.argmax Ta integer Ta no
.It kern.boothowto Ta integer Ta no
.It kern.boottime Ta struct timespec Ta no
.It kern.buildinfo Ta string Ta no
.\".It kern.bufq node not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.coredump Ta node Ta not applicable
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.cryptodevallowsoft Ta integer Ta yes
.It kern.defcorename Ta string Ta yes
.It kern.detachall Ta integer Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.dump_on_panic Ta integer Ta yes
.It kern.expose_address Ta integer Ta yes
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.heartbeat.max_period Ta integer Ta yes
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.lwp Ta struct kinfo_lwp Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxlwp Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.messages Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.module Ta node Ta not applicable
.It kern.monotonic_clock Ta integer Ta no
.It kern.mqueue Ta node Ta not applicable
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.\".It kern.no_sa_support integer yes
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrevision Ta integer Ta no
.It kern.ostype Ta string Ta no
.\".It kern.panic_now integer yes
.It kern.pipe Ta node Ta not applicable
.It kern.pool Ta struct pool_sysctl Ta no
.\" .It kern.posix node not applicable
.It kern.posix1version Ta integer Ta no
.It kern.posix_aio Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.\".It kern.posix_sched integer yes
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.profiling Ta node Ta not applicable
.\".It kern.pset node not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.sbmax Ta integer Ta yes
.It kern.sched Ta node Ta not applicable
.It kern.securelevel Ta integer Ta raise only
.It kern.sofixedbuf Ta boolean Ta yes
.It kern.somaxkva Ta integer Ta yes
.It kern.sooptions Ta integer Ta yes
.It kern.synchronized_io Ta integer Ta no
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.tty Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.usercrypto Ta integer Ta yes
.It kern.userasymcrypto Ta integer Ta yes
.It kern.veriexec Ta node Ta not applicable
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous I/O operations in a single list
I/O call.
Like with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom ( Dv KERN_ARND )
Returns independent uniformly distributed bytes at random each time, as
many as requested up to 256, derived from the system entropy pool; see
.Xr rnd 4 .
.Pp
Reading
.Li kern.arandom
is equivalent to reading up to 256 bytes at a time from
.Pa /dev/urandom :
reading
.Li kern.arandom
never blocks, and once the system entropy pool has full entropy, output
subsequently read from
.Li kern.arandom
is fit for use as cryptographic key material.
For example, the
.Xr arc4random 3
library routine uses
.Li kern.arandom
internally to seed a cryptographic pseudorandom number generator.
.It Li kern.argmax ( Dv KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( Dv KERN_BOOTTIME )
A
.Vt struct timespec
structure is returned.
This structure contains the time that the system was booted.
That time is defined (for this purpose) to be the time at
which the kernel first started accumulating clock ticks.
.It Li kern.bufq
This variable contains information on the
.Xr bufq 9
subsystem.
Currently, the only third level name implemented is
.Dv kern.bufq.strategies
which provides a list of buffer queue strategies currently available.
.It Li kern.buildinfo
When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
.It Li kern.ccpu ( Dv KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( Dv KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( Dv KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to set-id processes' coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump Ta integer Ta yes
.It kern.coredump.setid.group Ta integer Ta yes
.It kern.coredump.setid.mode Ta integer Ta yes
.It kern.coredump.setid.owner Ta integer Ta yes
.It kern.coredump.setid.path Ta string Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( Dv KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( Dv KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s .
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv < 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv > 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( Dv KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( Dv KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( Dv KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.expose_address
Expose kernel addresses in
.Xr sysctl 3
calls used by
.Xr fstat 1
and
.Xr sockstat 1 .
If it is set to
.Dv 0
access is not allowed.
If it is set to
.Dv 1
then only processes that have opened
.Pa /dev/kmem
can have access.
If it is set to
.Dv 2
every process is allowed.
Defaults to
.Dv 0
for
.Dv KASLR
kernels
and
.Dv 1
otherwise.
Allowing general access renders KASLR ineffective; allowing only kmem
accessing programs weakens KASLR if those programs can be subverted
to leak the addresses.
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( Dv KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's own), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( Dv KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( Dv KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.heartbeat.max_period
Time in seconds since the last
.Cd options HEARTBEAT
progress check has passed before it will trigger a panic.
See
.Xr options 4 .
.It Li kern.hist
This variable contains kernel history data if the kernel was
configured for any of the options
.Dv UVMHIST ,
.Dv USB_DEBUG ,
.Dv BIOHIST ,
or
.Dv SCDEBUG .
(See
.Xr options 4
for more details.)
The third-level names correspond to each available history table.
The values of the history tables are in an internal format, and can be
decoded by the
.Xr vmstat 1
utility's
.Fl U
and
.Fl u
options;
the
.Fl l
option can be used to see which tables are available.
.It Li kern.hostid ( Dv KERN_HOSTID )
Get or set the host identifier.
This is intended to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( Dv KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( Dv KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( Dv KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( Dv KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( Dv KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( Dv KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.lwp ( Dv KERN_LWP )
Returns information about the current light-weight process.
The
.Sy kinfo_lwp
structure is defined in
.In sys/sysctl.h .
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( Dv KERN_MAXFILES )
The maximum number of files that may be open in the system.
This also controls the maximum file locks per unprivileged user
enforced by
.Xr fcntl 2
and
.Xr flock 2 .
.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxlwp
The maximum number of Lightweight Processes (threads) the system allows
per uid.
.It Li kern.maxphys ( Dv KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( Dv KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( Dv KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( Dv KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This cannot be lowered below the number of currently active vnodes.
.It Li kern.mbuf ( Dv KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters_limit" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.It kern.mbuf.nmbclusters_limit Ta integer Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( Dv MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.It Li kern.mbuf.nmbclusters_limit ( Dv MBUF_NMBCLUSTERS_LIMIT )
The limit of nmbclusters.
.El
.It Li kern.memlock ( Dv KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.messages
Kernel console message verbosity.
See
.Aq Pa sys/reboot.h
.Bl -column "verbosity" "setting" -offset indent
.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent
.It 0 Ta Silent Ta Sy AB_SILENT
.It 1 Ta Quiet Ta Sy AB_QUIET
.It 2 Ta Normal Ta Sy AB_NORMAL
.It 3 Ta Verbose Ta Sy AB_VERBOSE
.It 4 Ta Debug Ta Sy AB_DEBUG
.El
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autounload_unsafe" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload Ta integer Ta yes
.It kern.module.autounload_unsafe Ta integer Ta yes
.It kern.module.autotime Ta integer Ta yes
.It kern.module.verbose Ta boolean Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width 6n
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for details.
.It Li kern.module.autounload_unsafe
A boolean that controls whether the kernel will autounload modules that
were automatically loaded and have not been audited for autounload.
.Pp
By default, only modules that have been audited will be autounloaded,
and only if they were autoloaded to begin with.
.It Li kern.module.autotime
An integer that controls the delay before an attempt is made to
automatically unload a module that was auto-loaded.
Setting this value to zero disables the auto-unload function.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to POSIX message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max integer yes
.It kern.mqueue.mq_prio_max integer yes
.It kern.mqueue.mq_max_msgsize integer yes
.It kern.mqueue.mq_def_maxmsg integer yes
.It kern.mqueue.mq_max_maxmsg integer yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( Dv KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( Dv KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( Dv KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( Dv KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( Dv KERN_OSREV )
The system revision, expressed as an integer.
.It Li kern.ostype ( Dv KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( Dv KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz integer yes
.It kern.pipe.maxbigpipes integer yes
.It kern.pipe.maxkvasz integer yes
.It kern.pipe.limitkva integer yes
.It kern.pipe.nbigpipes integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.It Li kern.pool
Provides statistics about the
.Xr pool 9
and
.Xr pool_cache 9
subsystems.
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( Dv KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( Dv KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is :
.It KERN_PROC_ALL None
.It KERN_PROC_GID A group ID
.It KERN_PROC_PID A process ID
.It KERN_PROC_PGRP A process group
.It KERN_PROC_RGID A real group ID
.It KERN_PROC_RUID A real user ID
.It KERN_PROC_SESSION A session ID
.It KERN_PROC_TTY A tty device
.It KERN_PROC_UID A user ID
.El
.It Li kern.proc2 ( Dv KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( Dv KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent
.It Dv KERN_PROC_ARGV The argv strings
.It Dv KERN_PROC_ENV The environ strings
.It Dv KERN_PROC_NARGV The number of argv strings
.It Dv KERN_PROC_NENV The number of environ strings
.It Dv KERN_PROC_PATHNAME The full pathname of the executable
.It Dv KERN_PROC_CWD The current working directory
.El
.It Li kern.profiling ( Dv KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.profiling.count u_short[\|] yes
.It kern.profiling.froms u_short[\|] yes
.It kern.profiling.gmonparam struct gmonparam no
.It kern.profiling.state integer yes
.It kern.profiling.tos struct tostruct yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( Dv GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( Dv GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( Dv GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( Dv GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( Dv GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( Dv KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( Dv KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID is available.
.It Li kern.sbmax ( Dv KERN_SBMAX )
Maximum socket buffer size in bytes.
.It Li kern.securelevel ( Dv KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.sched ( dynamic )
Influence the scheduling of LWPs, their prioritization and how they are
distributed on and moved between CPUs.
.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent
.It Sy Third level name Sy Type Sy Changeable
.It kern.sched.cacheht_time integer yes
.It kern.sched.balance_period integer yes
.It kern.sched.average_weight integer yes
.It kern.sched.min_catch integer yes
.It kern.sched.timesoftints integer yes
.It kern.sched.kpreempt_pri integer yes
.It kern.sched.upreempt_pri integer yes
.It kern.sched.maxts integer yes
.It kern.sched.mints integer yes
.It kern.sched.name string no
.It kern.sched.rtts integer no
.It kern.sched.pri_min integer no
.It kern.sched.pri_max integer no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.sched.cacheht_time ( dynamic )
Cache hotness time in which an LWP is kept on one particular CPU
and not moved to another CPU.
This reduces the overhead of flushing and reloading caches.
Defaults to 3ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.balance_period ( dynamic )
Interval at which the CPU queues are checked for re-balancing.
Defaults to 300ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.average_weight ( dynamic )
Can be used to influence how likely LWPs are to be migrated from
one CPU's queue of LWPs that are ready to run to a different, idle CPU.
The value gives the percentage for weighting the average count of
migratable threads from the past against the current number of
migratable threads.
A small value gives more weight to the past, a larger value gives more
weight to the current situation.
Defaults to 50 and must be between 0 and 100.
.It Li kern.sched.min_catch ( dynamic )
Minimum count of migratable (runnable) threads for catching (stealing)
from another CPU.
Defaults to 1 but can be increased to decrease the chance of thread
migration between CPUs.
.It Li kern.sched.timesoftints ( dynamic )
Enable tracking of CPU time for soft interrupts
as part of an LWP's real execution time.
Set to a non-zero value to enable,
and see
.Xr ps 1
for printing CPU times.
.It Li kern.sched.kpreempt_pri ( dynamic )
Minimum priority to trigger kernel preemption.
.It Li kern.sched.upreempt_pri ( dynamic )
Minimum priority to trigger user preemption.
.It Li kern.sched.maxts ( dynamic )
Scheduler specific maximal time quantum (in milliseconds).
Must be set to a value larger than
.Dq mints
and between 10 and
.Dq hz
as given by the
.Dv kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.mints ( dynamic )
Scheduler specific minimal time quantum (in milliseconds).
Must be set to a value smaller than
.Dq maxts
and between 1 and
.Dq hz
as given by the
.Dq kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.name ( dynamic )
Scheduler name.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.rtts ( dynamic )
Fixed scheduler specific round-robin time quantum in milliseconds.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.pri_min ( dynamic )
Minimal POSIX real-time priority.
See
.Xr sched 3 .
.It Li kern.sched.pri_max ( dynamic )
Maximal POSIX real-time priority.
See
.Xr sched 3 .
.El
.It Li kern.sofixedbuf ( Dv KERN_SOFIXEDBUF )
Prevent socket buffer autoscaling when a size is set with
.Dv SO_SNDBUF
or
.Dv SO_RCVBUF .
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers in bytes.
.It Li kern.sooptions
Set the default socket option flags for
.Xr socket 2
creation.
See
.Xr setsockopt 2
for a list of supported flags.
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.timecounter.choice string no
.It kern.timecounter.hardware string yes
.It kern.timecounter.timestepwarnings integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( Dv KERN_TIMEX )
Not available.
.It Li kern.tkstat ( Dv KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tkstat.cancc quad no
.It kern.tkstat.nin quad no
.It kern.tkstat.nout quad no
.It kern.tkstat.rawcc quad no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.tty
The third level names for the tty setup variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tty.qsize int yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tty.qsize
Control/display the size of the default input and output queues selected
during tty creation.
Is converted to a power of two and its range is between
.Dv 1024
and
.Dv 65536 .
.El
.It Li kern.uidinfo
Resource usage for the current user.
.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.uidinfo.proccnt integer no
.It kern.uidinfo.lwpcnt integer no
.It kern.uidinfo.lockcnt integer no
.It kern.uidinfo.semcnt integer no
.It kern.uidinfo.sbsize integer no
.El
.Bl -tag -width "123456"
.It Li kern.uidinfo.proccnt
Returns the number of active processes for the current user.
.It Li kern.uidinfo.lwpcnt
Returns the number of active threads for the current user; the first thread
of each process is not counted.
.It Li kern.uidinfo.lockcnt
Number of locks held by the current user.
.It Li kern.uidinfo.semcnt
Number of semaphores held by the current user.
.It Li kern.uidinfo.sbsize
Number of bytes in socket buffers allocated to the current user.
.El
.It Li kern.urandom ( Dv KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.veriexec.algorithms string no
.It kern.veriexec.count node not applicable
.It kern.veriexec.strict integer yes
.It kern.veriexec.verbose integer yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( Dv KERN_VERSION )
The system version string.
.It Li kern.vnode ( Dv KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li machdep.booted_kernel string no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It net.route routing messages no
.It net.inet IPv4 values yes
.It net.inet6 IPv6 values yes
.It net.key IPsec key management values yes
.El
.Bl -tag -width "123456"
.It Li net.route ( Dv PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sy Sixth level is :
.It NET_RT_FLAGS rtflags
.It NET_RT_DUMP None
.It NET_RT_IFLIST None
.El
.It Li net.inet ( Dv PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Variable Ta Sy Type Ta Sy Changeable
.It arp nd_delay integer yes
.It arp nd_bmaxtries integer yes
.It arp nd_umaxtries integer yes
.It arp nd_basereachable integer yes
.It arp nd_retrans integer yes
.It arp nd_nud integer yes
.It arp nd_maxnudhint integer yes
.It arp log_movements integer yes
.It arp log_permanent_modify integer yes
.It arp log_unknown_network integer yes
.It arp log_wrong_iface integer yes
.It carp allow integer yes
.It carp preempt integer yes
.It carp log integer yes
.It carp arpbalance integer yes
.It icmp errppslimit integer yes
.It icmp maskrepl integer yes
.It icmp rediraccept integer yes
.It icmp redirtimeout integer yes
.It icmp bmcastecho integer yes
.It icmp dynamic_rt_msg boolean yes
.It ip allowsrcrt integer yes
.It ip anonportalgo.selected string yes
.It ip anonportalgo.available string yes
.It ip anonportalgo.reserve struct yes
.It ip anonportmax integer yes
.It ip anonportmin integer yes
.It ip checkinterface integer yes
.It ip dad_count integer yes
.It ip directed-broadcast integer yes
.It ip do_loopback_cksum integer yes
.It ip forwarding integer yes
.It ip forwsrcrt integer yes
.It ip gifttl integer yes
.It ip grettl integer yes
.It ip hashsize integer yes
.It ip hostzerobroadcast integer yes
.It ip lowportmin integer yes
.It ip lowportmax integer yes
.It ip maxflows integer yes
.It ip maxfragpackets integer yes
.It ip mtudisc integer yes
.It ip mtudisctimeout integer yes
.It ip random_id integer yes
.It ip redirect integer yes
.It ip subnetsarelocal integer yes
.It ip ttl integer yes
.It tcp rfc1323 integer yes
.It tcp sendspace integer yes
.It tcp recvspace integer yes
.It tcp mssdflt integer yes
.It tcp syn_cache_limit integer yes
.It tcp syn_bucket_limit integer yes
.It tcp syn_cache_interval integer yes
.It tcp init_win integer yes
.It tcp init_win_local integer yes
.It tcp mss_ifmtu integer yes
.It tcp win_scale integer yes
.It tcp timestamps integer yes
.It tcp cwm integer yes
.It tcp cwm_burstsize integer yes
.It tcp ack_on_push integer yes
.It tcp keepidle integer yes
.It tcp keepintvl integer yes
.It tcp keepcnt integer yes
.It tcp slowhz integer no
.It tcp keepinit integer yes
.It tcp log_refused integer yes
.It tcp rstppslimit integer yes
.It tcp ident struct no
.It tcp drop struct no
.It tcp sack.enable integer yes
.It tcp sack.globalholes integer no
.It tcp sack.globalmaxholes integer yes
.It tcp sack.maxholes integer yes
.It tcp ecn.enable integer yes
.It tcp ecn.maxretries integer yes
.It tcp congctl.selected string yes
.It tcp congctl.available string yes
.It tcp abc.enable integer yes
.It tcp abc.aggressive integer yes
.It udp checksum integer yes
.It udp do_loopback_cksum integer yes
.It udp recvspace integer yes
.It udp sendspace integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.nd_delay
The delay in seconds before sending the first probe,
after it has been decided that the entry is stale.
.It Li arp.nd_bmaxtries
The maximum number of broadcasts sent to discover the hardware address
claiming an IP address.
.It Li arp.nd_umaxtries
The maximum number of unicasts sent to the hardware address to ensure
it still claims an IP address.
.It Li arp.nd_basereachable
The number of milliseconds the ARP entry is considered reachable before
probing reachability.
.It Li arp.nd_retrans
The number of milliseconds between ARP probes.
.It Li arp.nd_nud
If set to non-zero, perform Neighbor Unreachability Detection.
.It Li arp.nd_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if NAT is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.dad_count
The number of
.Xr arp 4
probes sent for Address Conflict Detection.
Set to 0 to disable this.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of the IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li icmp.dynamic_rt_msg
A boolean that controls whether the kernel sends a routing message for
RTM_DYNAMIC.
If set to true, the kernel sends such routing messages.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
The valid range
is 0 to 10 (maximum specified by RFC6928),
with a default of 4 (approximately 4K per RFC3390).
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.recvspace
The default UDP receive buffer size.
.It Li udp.sendspace
The default UDP send buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
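The limits stated above for the net.inet variables can be checked before a configuration is loaded. The following is an added example, not part of the NetBSD manual page or the NetBSD source, that lints name=value lines of the kind placed in /etc/sysctl.conf; the function names, the INVALID/RISK labels and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example, not NetBSD code: lint "name=value" lines (as used in
# /etc/sysctl.conf) against limits this page states for net.inet variables.
# INVALID = breaks a documented constraint, RISK = turns a protection off.

is_int() {    # true for an optionally negative decimal integer
    case ${1#-} in
    ''|*[!0-9]*) return 1 ;;
    esac
}

in_range() {  # in_range VALUE LOW HIGH
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

audit_sysctl_conf() {  # config text on stdin, one finding per output line
    findings=0 lowmin='' lowmax=''
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop trailing comments and all blanks, keep only name=value.
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        case $line in
        *=*) name=${line%%=*} val=${line#*=} ;;
        *) continue ;;
        esac
        case $name in  # only variables for which the page states a limit
        net.inet.ip.hashsize|net.inet.ip.lowportmin|net.inet.ip.lowportmax) ;;
        net.inet.ip.maxfragpackets|net.inet.tcp.init_win|net.inet.udp.checksum) ;;
        net.inet.icmp.errppslimit|net.inet.tcp.rstppslimit) ;;
        *) continue ;;
        esac
        msg=''
        if ! is_int "$val"; then
            msg="INVALID $name=$val: expected a decimal integer"
        else
            case $name in
            net.inet.ip.hashsize)
                if [ "$val" -le 0 ] || [ $(( val & (val - 1) )) -ne 0 ]; then
                    msg="INVALID $name=$val: must be a power of 2"
                fi ;;
            net.inet.ip.lowportmin|net.inet.ip.lowportmax)
                in_range "$val" 0 1024 ||
                    msg="INVALID $name=$val: must be within 0..1024"
                case $name in *min) lowmin=$val ;; *) lowmax=$val ;; esac ;;
            net.inet.tcp.init_win)
                in_range "$val" 0 10 ||
                    msg="INVALID $name=$val: valid range is 0 to 10" ;;
            net.inet.ip.maxfragpackets)
                [ "$val" -eq -1 ] &&
                    msg="RISK $name=$val: no cap on accepted fragmented packets" ;;
            net.inet.icmp.errppslimit|net.inet.tcp.rstppslimit)
                [ "$val" -lt 0 ] &&
                    msg="RISK $name=$val: negative value disables rate limitation" ;;
            net.inet.udp.checksum)
                [ "$val" -eq 0 ] &&
                    msg="RISK $name=$val: disabling UDP checksums is strongly discouraged" ;;
            esac
        fi
        if [ -n "$msg" ]; then
            echo "$msg"
            findings=$((findings + 1))
        fi
    done
    # Cross-check only when both bounds appear in the same file.
    if [ -n "$lowmin" ] && [ -n "$lowmax" ] && [ "$lowmin" -ge "$lowmax" ]; then
        echo "INVALID net.inet.ip.lowportmin=$lowmin: must be smaller than lowportmax ($lowmax)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]  # exit status 0 only for a clean file
}

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF='# hardening draft
net.inet.ip.hashsize=300
net.inet.ip.lowportmin=900
net.inet.ip.lowportmax=800    # lower than lowportmin
net.inet.ip.maxfragpackets=-1
net.inet.tcp.init_win=4
net.inet.tcp.rstppslimit=-1
net.inet.udp.checksum=0
net.inet.tcp.sack.enable=1'

printf '%s\n' "$SAMPLE_CONF" | audit_sysctl_conf || true
```

When only one of the two lowport bounds is present in the file, the other bound is whatever the running kernel holds, so the ordering check is skipped rather than guessed.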
.It Li net.inet6 ( Dv PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It icmp6 Ta reflect_pmtu Ta boolean Ta yes
.It icmp6 Ta dynamic_rt_msg Ta boolean Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta addctlpolicy Ta struct in6_addrpolicy Ta no
.It ip6 Ta anonportalgo.selected Ta string Ta yes
.It ip6 Ta anonportalgo.available Ta string Ta yes
.It ip6 Ta anonportalgo.reserve Ta struct Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxdynroutes Ta integer Ta yes
.It ip6 Ta maxifprefixes Ta integer Ta yes
.It ip6 Ta maxifdefrouters Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta neighborgcthresh Ta integer Ta yes
.It ip6 Ta param_rt_msg Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip6.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip6.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
The IPv6 specification defines node behavior for the
.Dq router
case and the
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxdynroutes
Maximum number of routes created by redirect.
Set it to negative to disable.
The default value is 4096.
.It Li ip6.maxifprefixes
Maximum number of prefixes created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxifdefrouters
Maximum number of default routers created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.neighborgcthresh
Maximum number of entries in neighbor cache per interface.
Set to negative to disable.
The default value is 2048.
.It Li ip6.param_rt_msg
If set to 0, parameter changing routing message is suppressed.
If set to 1, parameter changing routing message is sent by RTM_NEWADDR.
Other values are not yet defined.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value for the
.Dv IPV6_V6ONLY
socket option for an
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
.It Li icmp6.reflect_pmtu
A boolean that controls whether ICMPv6 reflecting uses path MTU discovery.
When it does not, ICMPv6 reflecting uses IPV6_MINMTU.
.It Li icmp6.dynamic_rt_msg
A boolean that controls whether the kernel sends a routing message for RTM_DYNAMIC.
If set to true, the kernel sends such routing messages.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for TCP over IPv6,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( Dv PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It debug Ta integer Ta yes
.It enabled Ta integer Ta yes
.It used Ta integer Ta no
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.It allow_different_idtype Ta boolean Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging message from within the kernel.
The value is a bitmap, as defined in
.In netipsec/key_debug.h .
.It Li enabled
Control processing of IPsec control messages.
.Bl -tag -width indent
.It 0
Never allow IPsec processing.
.It 1
Allow IPsec processing when SPD policies are present.
.It 2
Force IPsec processing even when SPD policies are not present.
.El
.It Li used
Based on if IPsec is enabled, and SPD rule existence, show if
IPsec is being used.
Note that currently once IPsec is being used, it cannot be disabled.
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids a flood of ACQUIRE PF_KEY messages being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li allow_different_idtype
A boolean that allows or disallows different identifier types
on IDii and IDir.
Allowing that can improve interconnectivity to some VPN appliances.
.El
.It Li net.local ( Dv PF_LOCAL )
Get or set various global information about
.Dv AF_LOCAL
type sockets.
For some variables, the third level name is the variable name:
.Bl -column "Variable" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It inflight Ta integer Ta no
.It deferred Ta integer Ta no
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li inflight
The number of file descriptors currently passed between processes,
.Qq in flight .
.It Li deferred
The number of file descriptors passed between processes that have been
deferred for cleanup by a kernel task.
.El
.Pp
Other variables are specific to a socket type:
.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent
.It Sy "Socket Type" Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It dgram Ta pcblist Ta struct Ta no
.It dgram Ta recvspace Ta integer Ta yes
.It dgram Ta sendspace Ta integer Ta yes
.It seqpacket Ta pcblist Ta struct Ta no
.It stream Ta pcblist Ta struct Ta no
.It stream Ta recvspace Ta integer Ta yes
.It stream Ta sendspace Ta integer Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li dgram.pcblist
The Protocol Control Block list structure for datagram sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li dgram.recvspace
The default datagram receive buffer size.
.It Li dgram.sendspace
The default datagram send buffer size.
.It Li seqpacket.pcblist
The Protocol Control Block list structure for Sequential Packet sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.pcblist
The Protocol Control Block list structure for stream sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.recvspace
The default stream receive buffer size.
.It Li stream.sendspace
The default stream send buffer size.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.It proc.pid.paxflags Ta int Ta no
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( Dv PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT )
Return resources limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS )
The maximum size (in bytes) which a process can obtain.
.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR )
The maximum number of threads that can be created and running at one time in
the process.
The first thread of each process is not counted against this.
.El
.Pp
The fifth level name is one of
.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
The children are created in the SSTOP state and are never scheduled
for running before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of the process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS )
This read-only variable returns the current value of the process's pax
flags (see
.Xr paxctl 8 ) .
.El
.Ss The user.* subtree ( Dv CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( Dv USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( Dv USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( Dv USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( Dv USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( Dv USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( Dv USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( Dv USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( Dv CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.It vm.proc.map Ta struct kinfo_vmentry Ta no
.It vm.guard_size Ta unsigned int Ta no
.It vm.thread_guard_size Ta unsigned int Ta yes
.It vm.swap_encrypt Ta bool Ta yes
.El
.Bl -tag -width "123456"
.It Li vm.anonmax ( Dv VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( Dv VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( Dv VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( Dv VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( Dv VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( Dv VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( Dv VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( Dv VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( Dv VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( Dv VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( Dv VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.proc.map ( Dv VM_PROC )
The third level is
.Dv VM_PROC_MAP ,
the fourth is the pid of the process to display the vm object entries for, and
the fifth is the size of
.Vt struct kinfo_vmentry .
Returns an array of
.Vt struct kinfo_vmentry
objects.
.It Li vm.ubc_direct Bq Sy "EXPERIMENTAL" Ns No , default off
Use direct map for UBC I/O, avoiding need to map and unmap buffer memory.
Speeds up operation for fast I/O devices like NVMe, especially
on multi-CPU systems.
Only available on some architectures.
.It Li vm.uspace ( Dv VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( Dv VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.It Li vm.guard_size
Return system wide guard size for the main thread of a program.
.It Li vm.thread_guard_size
Return system wide default size for the guard area of all other threads
of a program.
.It Li vm.swap_encrypt
If true, encrypt data while swapped out to disk.
.Pp
Each swap device maintains an independent AES-256 key, generated when
the first page is swapped to that device.
Each page is swapped independently using AES-CBC, with an
initialization vector computed by encrypting, under that AES-256 key,
the little-endian swap slot number padded to 128 bits with zeros.
(This is essentially the
.Xr cgd 4
.Sq encblkno1
method.)
.Pp
Changes to
.Li vm.swap_encrypt
only affect pages of swap newly written out.
To force encrypting or decrypting all existing swap, or to rekey
previously encrypted swap, you can remove the swap devices and re-add
them with
.Xr swapctl 8 ,
with the caveat that whatever pages were already written to disk
unencrypted or encrypted with a compromised key may still be written to
disk afterward.
.El
.Ss The ddb.* subtree ( Dv CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.commandonenter Ta string Ta yes
.It ddb.dumpstack Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.panicstackframes Ta integer Ta yes
.It ddb.radix Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li ddb.commandonenter
If not empty, the string is used as the DDB command to be executed each time
DDB is entered.
.It Li ddb.dumpstack
A value of 1 causes a stack trace to be printed on entering ddb from a panic.
A value of 0 disables this behaviour.
The default value is 1.
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.lines ( Dv DDBCTL_LINES )
Number of display lines.
.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC )
If greater than zero, DDB will be entered if the kernel panics.
A value of 1 causes the system to enter DDB on panic.
A value of 0 causes the kernel to attempt to print a stack trace, then
reboot, while a value of \-1 means neither a stack trace will be printed
nor DDB entered.
.It Li ddb.panicstackframes
Number of stack frames to display on panic.
Useful to avoid scrolling away the interesting frames on a glass tty.
Default value is
.Dv 65535
(all frames), useful value around
.Dv 10 .
.It Li ddb.radix ( Dv DDBCTL_RADIX )
The input and output radix.
.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.El
.Pp
Some of these MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( Dv CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain Ta integer Ta yes
.It Li security.models Ta node Ta not applicable
.It Li security.pax Ta node Ta not applicable
.El
.Pp
Available settings are detailed below.
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter return objects according to the user ID
requesting information about them, preventing users from
accessing any objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX \(em exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled Ta integer Ta yes
.\".It Li security.pax.aslr.exec_len integer yes
.It Li security.pax.aslr.global Ta integer Ta yes
.\".It Li security.pax.aslr.mmap_len integer yes
.\".It Li security.pax.aslr.stack_len integer yes
.It Li security.pax.mprotect.enabled Ta integer Ta yes
.It Li security.pax.mprotect.global Ta integer Ta yes
.It Li security.pax.mprotect.ptrace Ta integer Ta yes
.It Li security.pax.segvguard.enabled Ta integer Ta yes
.It Li security.pax.segvguard.expiry_timeout Ta integer Ta yes
.It Li security.pax.segvguard.global Ta integer Ta yes
.It Li security.pax.segvguard.max_crashes Ta integer Ta yes
.It Li security.pax.segvguard.suspend_timeout Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.ptrace
This variable allows
.Xr ptrace 2
to override PaX MPROTECT permissions.
It can have the following values:
.Bl -tag -width XX -compact
.It 0
Does not allow any permissions to be overridden.
.It 1
Disables PaX MPROTECT for processes that start executing while traced (default).
.It 2
Bypasses PaX MPROTECT for all processes being traced.
.El
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( Dv CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.<yourname>.* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
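
The security.pax entries above describe a three-way decision per feature: the enabled knob, the global default, and the per-program paxctl(8) mark. The following sketch is an added example, not part of the original manual page or the NetBSD sources; it resolves that decision over a constructed sample in the "name = value" form printed by sysctl(8). The function names knob, pax_effective and pax_findings are hypothetical, and the per-program mark is passed as an argument rather than read from a binary.

```shell
#!/bin/sh
# Constructed sample, not taken from a real host. On a live system this
# would be the output of: sysctl security.pax
SAMPLE='security.pax.aslr.enabled = 1
security.pax.aslr.global = 1
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.mprotect.ptrace = 1
security.pax.segvguard.enabled = 0
security.pax.segvguard.global = 1'

# knob NAME: print the value of one variable from the sample (empty if absent).
knob() {
    printf '%s\n' "$SAMPLE" | awk -v k="$1" -F' = ' '$1 == k { print $2 }'
}

# pax_effective FEATURE MARK: print "on" or "off".
# FEATURE is aslr, mprotect or segvguard; MARK is the program's paxctl(8)
# marking: enable, disable, or none (no explicit flag).
pax_effective() {
    enabled=$(knob "security.pax.$1.enabled")
    global=$(knob "security.pax.$1.global")
    # The enabled knob gates the feature, even for explicit enable.
    if [ "${enabled:-0}" -eq 0 ]; then echo off; return; fi
    case "$2" in
        enable)  echo on ;;
        disable) echo off ;;
        *)       # No explicit flag: the global default policy decides.
                 if [ "${global:-0}" -ne 0 ]; then echo on; else echo off; fi ;;
    esac
}

# pax_findings: print one line per setting that leaves programs uncovered.
pax_findings() {
    for f in aslr mprotect segvguard; do
        [ "$(pax_effective "$f" enable)" = on ] ||
            echo "$f: enabled knob is 0, explicit enable marks have no effect"
        [ "$(pax_effective "$f" none)" = on ] ||
            echo "$f: programs without an explicit flag run without it"
    done
    # Value 2 bypasses PaX MPROTECT for all processes being traced.
    [ "$(knob security.pax.mprotect.ptrace)" != 2 ] ||
        echo "mprotect.ptrace: 2 bypasses MPROTECT for every traced process"
}

pax_findings
```

With the sample above, the report lists segvguard twice (its enabled knob is 0) and mprotect once (global is 0, so only explicitly marked programs are covered).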