.\" $NetBSD: sysctl.7,v 1.36 2010/03/25 15:09:05 jruoho Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd February 21, 2010
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column security CTL_SECURITY "Next level names" "High kernel limits"
.It Sy Name	Constant	Next level names	Description
.It kern	CTL_KERN	sys/sysctl.h	High kernel limits
.It vm	CTL_VM	uvm/uvm_param.h	Virtual memory
.It vfs	CTL_VFS	sys/mount.h	Filesystem
.It net	CTL_NET	sys/socket.h	Networking
.It debug	CTL_DEBUG	sys/sysctl.h	Debugging
.It hw	CTL_HW	sys/sysctl.h	Generic CPU, I/O
.It machdep	CTL_MACHDEP	sys/sysctl.h	Machine dependent
.It user	CTL_USER	sys/sysctl.h	User-level
.It ddb	CTL_DDB	sys/sysctl.h	In-kernel debugger
.It proc	CTL_PROC	sys/sysctl.h	Per-process
.It vendor	CTL_VENDOR	?	Vendor specific
.It emul	CTL_EMUL	sys/sysctl.h	Emulation settings
.It security	CTL_SECURITY	sys/sysctl.h	Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
It has the following third level identifiers:
.Bl -tag -width compact
.It vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
The highest valid filesystem type number.
.It vfs.generic.conf ( VFS_CONF )
Returns configuration information about the file-system type given as a fourth
level identifier.
.El
.Pp
The remaining second level identifiers are the file-system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.acpi.supported_states" "integer" "Changeable" -offset indent
.It Sy Second level name	Type	Changeable
.It hw.acpi.supported_states	string	no
.It hw.alignbytes	integer	no
.It hw.byteorder	integer	no
.It hw.cnmagic	string	yes
.It hw.disknames	string	no
.It hw.diskstats	struct	no
.It hw.machine	string	no
.It hw.machine_arch	string	no
.It hw.model	string	no
.It hw.ncpu	integer	no
.It hw.pagesize	integer	no
.It hw.physmem	integer	no
.It hw.physmem64	quad	no
.It hw.usermem	integer	no
.It hw.usermem64	quad	no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.acpi.supported_states
List of possible
.Tn ACPI
sleep states.
The list can contain the following values:
.Bl -tag -width XS1X
.It S0
fully running
.It S1
power on suspend (CPU and hard disks are off)
.It S2
similar to S3, usually not implemented
.It S3
suspend-to-RAM
.It S4
suspend-to-disk (needs BIOS support)
.It S5
power off
.El
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl .
Which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "kern.posix_reader_writer_locks" "struct kinfo_drivers" "not applicable"
.It Sy Second level name	Type	Changeable
.It kern.argmax	integer	no
.It kern.autonicetime	integer	yes
.It kern.autoniceval	integer	yes
.It kern.boottime	struct timeval	no
.It kern.bufq	node	not applicable
.It kern.ccpu	integer	no
.It kern.clockrate	struct clockinfo	no
.It kern.consdev	integer	no
.It kern.cp_id	struct	no
.It kern.cp_time	uint64_t[\|]	no
.It kern.defcorename	string	yes
.It kern.domainname	string	yes
.It kern.drivers	struct kinfo_drivers	no
.It kern.file	struct file	no
.It kern.forkfsleep	integer	yes
.It kern.fscale	integer	no
.It kern.fsync	integer	no
.It kern.hardclock_ticks	integer	no
.It kern.hostid	integer	yes
.It kern.hostname	string	yes
.It kern.iov_max	integer	no
.It kern.job_control	integer	no
.It kern.labeloffset	integer	no
.It kern.labelsector	integer	no
.It kern.login_name_max	integer	no
.It kern.logsigexit	integer	yes
.It kern.mapped_files	integer	no
.It kern.maxfiles	integer	yes
.It kern.maxpartitions	integer	no
.It kern.maxphys	integer	no
.It kern.maxproc	integer	yes
.It kern.maxptys	integer	yes
.It kern.maxvnodes	integer	yes
.It kern.mbuf	node	not applicable
.It kern.memlock	integer	no
.It kern.memlock_range	integer	no
.It kern.memory_protection	integer	no
.It kern.monotonic_clock	integer	no
.It kern.msgbuf	integer	no
.It kern.msgbufsize	integer	no
.It kern.ngroups	integer	no
.It kern.ntptime	struct ntptimeval	no
.It kern.osrelease	string	no
.It kern.osrev	integer	no
.It kern.ostype	string	no
.It kern.pipe	node	not applicable
.It kern.posix1	integer	no
.It kern.posix_barriers	integer	no
.It kern.posix_reader_writer_locks	integer	no
.It kern.posix_semaphores	integer	no
.It kern.posix_spin_locks	integer	no
.It kern.posix_threads	integer	no
.It kern.posix_timers	integer	no
.It kern.proc	struct kinfo_proc	no
.It kern.proc2	struct kinfo_proc2	no
.It kern.proc_args	string	no
.It kern.prof	node	not applicable
.It kern.rawpartition	integer	no
.It kern.root_device	string	no
.It kern.root_partition	integer	no
.It kern.rtc_offset	integer	yes
.It kern.saved_ids	integer	no
.It kern.securelevel	integer	raise only
.It kern.synchronized_io	integer	no
.It kern.ipc	node	not applicable
.It kern.timecounter	node	not applicable
.It kern.timex	struct	no
.It kern.tkstat	node	not applicable
.It kern.urandom	integer	no
.It kern.version	string	no
.It kern.vnode	struct vnode	no
.El
.Bl -tag -width "123456"
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.autonicetime ( KERN_AUTONICETIME )
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li kern.autoniceval ( KERN_AUTONICEVAL )
The priority assigned for automatically niced processes.
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system panic.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host id.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the hostname.
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name	Type	Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat	integer	yes
.It kern.mbuf.mclbytes	integer	yes
.It kern.mbuf.mcllowat	integer	yes
.It kern.mbuf.msize	integer	yes
.It kern.mbuf.nmbclusters	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name	Type	Changeable
.It kern.pipe.kvasiz	integer	yes
.It kern.pipe.maxbigpipes	integer	yes
.It kern.pipe.maxkvasz	integer	yes
.It kern.pipe.limitkva	integer	yes
.It kern.pipe.nbigpipes	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name	Fourth level is:
.It KERN_PROC_ALL	None
.It KERN_PROC_GID	A group ID
.It KERN_PROC_PID	A process ID
.It KERN_PROC_PGRP	A process group
.It KERN_PROC_RGID	A real group ID
.It KERN_PROC_RUID	A real user ID
.It KERN_PROC_SESSION	A session ID
.It KERN_PROC_TTY	A tty device
.It KERN_PROC_UID	A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures are returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV	The argv strings
.It KERN_PROC_ENV	The environ strings
.It KERN_PROC_NARGV	The number of argv strings
.It KERN_PROC_NENV	The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name	Type	Changeable
.It kern.profiling.count	u_short[\|]	yes
.It kern.profiling.froms	u_short[\|]	yes
.It kern.profiling.gmonparam	struct gmonparam	no
.It kern.profiling.state	integer	yes
.It kern.profiling.tos	struct tostruct	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID is available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name	Type	Changeable
.It kern.ipc.sysvmsg	integer	no
.It kern.ipc.sysvsem	integer	no
.It kern.ipc.sysvshm	integer	no
.It kern.ipc.sysvipc_info	struct	no
.It kern.ipc.shmmax	integer	yes
.It kern.ipc.shmmni	integer	yes
.It kern.ipc.shmseg	integer	yes
.It kern.ipc.shmmaxpgs	integer	yes
.It kern.ipc.shm_use_phys	integer	yes
.It kern.ipc.msgmni	integer	yes
.It kern.ipc.msgseg	integer	yes
.It kern.ipc.semmni	integer	yes
.It kern.ipc.semmns	integer	yes
.It kern.ipc.semmnu	integer	yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name	Type
.It KERN_SYSVIPC_MSG_INFO	struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO	struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO	struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name	Type	Changeable
.It kern.timecounter.choice	string	no
.It kern.timecounter.hardware	string	yes
.It kern.timecounter.timestepwarnings	integer	yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name	Type	Changeable
.It kern.tkstat.cancc	quad	no
.It kern.tkstat.nin	quad	no
.It kern.tkstat.nout	quad	no
.It kern.tkstat.rawcc	quad	no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
Tunings for Veriexec.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.\" XXX kern.lwp
.El
.Sh The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "Second level name" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li CPU_CONSDEV Ta dev_t Ta no
.El
.Sh The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided mainly to avoid possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
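.Pp
The ranges and discouraged values given above for the net.inet variables can be checked before a set of assignments is loaded.
The script below is an added example, not part of the original manual page or of the NetBSD sources; the function names, the sample input and the name=value input format are assumptions, and a min/max pair is cross-checked only when both names appear in the input.

```sh
#!/bin/sh
# Added example: lint net.inet.* assignments before they are loaded.
# Assumed input: "name=value" lines; "?=", blanks around "=" and "#"
# comments are tolerated. Limits and warnings follow the variable
# descriptions in this manual page.

lint_sysctl_conf() {
    awk '
    function err(name, msg)  { print "ERROR: " name ": " msg; bad = 1 }
    function warn(name, msg) { print "WARN: " name ": " msg }
    # True when name was assigned an integer; v[name] becomes numeric.
    function has(name) {
        if (!(name in v)) return 0
        if (v[name] !~ /^-?[0-9]+$/) {
            err(name, "expected an integer"); delete v[name]; return 0
        }
        v[name] = v[name] + 0
        return 1
    }
    function is_pow2(n) {
        if (n < 1) return 0
        while (n % 2 == 0) n = n / 2
        return n == 1
    }
    # Both ends must lie in [lo, hi]; max must exceed min when both are set.
    function port_range(pfx, lo, hi,    mn, mx, a, b) {
        mn = pfx "min"; mx = pfx "max"
        a = has(mn); b = has(mx)
        if (a && (v[mn] < lo || v[mn] > hi)) err(mn, "must be between " lo " and " hi)
        if (b && (v[mx] < lo || v[mx] > hi)) err(mx, "must be between " lo " and " hi)
        if (a && b && v[mx] <= v[mn]) err(mx, "must be greater than " mn)
    }
    {
        sub(/#.*/, "")                              # drop comments
        line = ""
        for (i = 1; i <= NF; i++) line = line $i    # drop blanks and tabs
        if (line == "") next
        eq = index(line, "=")
        if (eq < 2) { err(line, "not a name=value assignment"); next }
        name = substr(line, 1, eq - 1)
        sub(/[?]$/, "", name)                       # "?=" form
        if (name ~ /^net[.]inet[.]/) v[name] = substr(line, eq + 1)
    }
    END {
        # Hard limits stated for port allocation and the flow hash table.
        port_range("net.inet.ip.anonport", 1024, 65535)
        port_range("net.inet.ip.lowport", 0, 1024)
        n = "net.inet.ip.hashsize"
        if (has(n) && !is_pow2(v[n])) err(n, "must be a power of 2")
        # Settings that remove a limit the page describes as protective.
        n = "net.inet.ip.maxfragpackets"
        if (has(n) && v[n] == -1) warn(n, "-1 accepts unlimited fragmented packets")
        n = "net.inet.icmp.errppslimit"
        if (has(n) && v[n] < 0) warn(n, "negative value disables rate limitation")
        n = "net.inet.tcp.rstppslimit"
        if (has(n) && v[n] < 0) warn(n, "negative value disables rate limitation")
        # Settings the page discourages outright.
        n = "net.inet.udp.checksum"
        if (has(n) && v[n] == 0) warn(n, "disabling UDP checksums is strongly discouraged")
        n = "net.inet.tcp.compat_42"
        if (has(n) && v[n] == 1) warn(n, "4.2BSD work-arounds are not recommended")
        n = "net.inet.tcp.ack_on_push"
        if (has(n) && v[n] == 1) warn(n, "generally not recommended")
        exit (bad ? 1 : 0)
    }
    '
}

# Constructed sample input, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# ephemeral range with the two ends swapped
net.inet.ip.anonportmin=49152
net.inet.ip.anonportmax = 40000
net.inet.ip.lowportmin=600
net.inet.ip.lowportmax=1023
net.inet.ip.hashsize=300
net.inet.ip.maxfragpackets=-1
net.inet.icmp.errppslimit=100
net.inet.tcp.rstppslimit=-1
net.inet.udp.checksum?=0
net.inet.tcp.congctl.selected=newreno
kern.maxfiles=4000
EOF
}

sample_conf | lint_sysctl_conf || echo "configuration has constraint violations"
```

The function exits with status 1 when a documented limit is violated and 0 when only warnings, or nothing, are reported.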
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router
advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
The IPv6 specification defines node behavior for the
.Dq router
case and the
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of the KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided mainly to avoid possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided mainly to avoid possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated addresses, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value for the
.Dv IPV6_V6ONLY
socket option for an
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, the kernel IPv6 stack will use the loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to the
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about IPsec key management.
The third level name is the variable name.
The currently defined variable names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Type Ta Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates one from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
This prevents a flood of ACQUIRE PF_KEY messages from being sent from the
kernel to the key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process' children will be stopped after
.Xr fork 2
calls.
Each child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps with attaching a debugger such as
.Xr gdb 1
to the process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation-specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps with attaching a debugger such as
.Xr gdb 1
to the process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system-wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address 0.
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system-wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system-wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.It ddb.commandonenter Ta string Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DDBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.lines ( DDBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DDBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.It Li ddb.commandonenter
If not empty, a command to be executed on each entry to
.Tn DDB .
.\"
.\" XXX: (a) ddb.commandonenter is missing in ddb(4);
.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter.
.El
.Pp
Some of these
.Tn MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, the kernel will filter returned objects according to the user-id
requesting information about them, preventing users from any
access to objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enable
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.It Li security.pax.segvguard.max_crashes
Max number of segfaults a program can receive before suspension.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
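
The enable/global rules given above for security.pax.aslr, security.pax.mprotect and security.pax.segvguard, worked through as an added shell example that is not part of the original manual page. The function names, the sample values and the audit baseline are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the manual page): derive the effective PaX policy
# from the security.pax.*.enable and security.pax.*.global knobs.

# Constructed sample in the "name = value" form printed by sysctl(8).
sample_sysctl() {
    cat <<'EOF'
security.pax.aslr.enable = 1
security.pax.aslr.global = 0
security.pax.mprotect.enable = 0
security.pax.mprotect.global = 1
security.pax.segvguard.enable = 1
security.pax.segvguard.global = 1
security.pax.segvguard.max_crashes = 5
EOF
}

# Read sysctl lines on stdin and print "<feature> <state>" for each feature:
#   off                  enable is zero; explicit per-program enables are ignored
#   only-marked          enable set, global zero; only paxctl(8)-marked programs
#   all-except-exempted  enable and global set; paxctl(8) exemptions still apply
#   unknown              enable or global missing from the input
pax_policy() {
    awk -F= '
    {
        name = $1; val = $2
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    name ~ /^security\.pax\.(aslr|mprotect|segvguard)\.(enable|global)$/ {
        split(name, part, ".")
        knob[part[3], part[4]] = val + 0
    }
    END {
        n = split("aslr mprotect segvguard", feat, " ")
        for (i = 1; i <= n; i++) {
            f = feat[i]
            if (!((f, "enable") in knob) || !((f, "global") in knob))
                state = "unknown"
            else if (knob[f, "enable"] == 0)
                state = "off"
            else if (knob[f, "global"] == 0)
                state = "only-marked"
            else
                state = "all-except-exempted"
            print f, state
        }
    }'
}

# Assumed baseline for this example: every feature on for all programs.
# Prints one WARN line per deviation and returns non-zero if any is found.
pax_audit() {
    pax_policy | awk '
        $2 != "all-except-exempted" { print "WARN: " $1 " is " $2; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

sample_sysctl | pax_policy
```

On a live system the same functions can be fed from `sysctl security.pax`, and the name=value lines of /etc/sysctl.conf parse the same way.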