.\" $NetBSD: sysctl.7,v 1.165 2023/06/18 18:16:40 riastradh Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd May 29, 2023
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, in both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits
.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory
.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem
.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking
.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging
.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent
.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level
.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger
.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process
.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( Dv VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( Dv VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT )
Controls whether users other than the super-user can mount file
systems.
Defaults to
.Li 0 ,
so only the super-user can mount file systems.
.Pp
File systems mounted by unprivileged users must be mounted with the
.Li nodev
and
.Li nosuid
.Xr mount 8
options.
.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS )
Controls whether expansion of variables is going to be performed on
pathnames or not.
Defaults to
.Li 0 ,
no variable expansion.
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
The second level name
.Li vfs.wapbl
controls the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journaling)
capabilities and has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure integrity
of file system metadata in the event of a power loss.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.ncpuonline Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Bl -tag -width "123456"
.It Li hw.alignbytes ( Dv HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h
at kernel compilation time.
.It Li hw.byteorder ( Dv HW_BYTEORDER )
The byte order (4321 or 1234).
.It Li hw.cnmagic ( Dv HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( Dv HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( Dv HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( Dv HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( Dv HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( Dv HW_MODEL )
The machine model.
.It Li hw.ncpu ( Dv HW_NCPU )
The number of CPUs configured.
.It Li hw.ncpuonline ( Dv HW_NCPUONLINE )
The number of CPUs online.
.It Li hw.pagesize ( Dv HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( Dv HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( Dv HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( Dv HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( Dv HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
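.Pp
The following is an added example, not part of the NetBSD manual page or source tree: a shell function that checks the security-relevant variables documented on this page (in the vfs.* section above and the kern.* section below) against the defaults the page states.
The function names and the sample values are constructed for illustration, and the baseline uses the stricter kern.expose_address value 0 even though non-KASLR kernels default to 1.

```shell
#!/bin/sh
# Added example: audit sysctl settings against defaults documented in sysctl(7).

# Baseline rows: variable name, expected value, reason (taken from this page).
baseline() {
cat <<'EOF'
vfs.generic.usermount 0 only the super-user may mount file systems
vfs.generic.magiclinks 0 no @name expansion in pathnames
vfs.wapbl.flush_disk_cache 1 metadata integrity across power loss
kern.expose_address 0 kernel addresses stay hidden so KASLR remains effective
kern.coredump.setid.dump 0 set-id processes do not dump core
EOF
}

# audit_sysctl: reads sysctl(8) output ("name = value") or /etc/sysctl.conf
# lines ("name=value", "#" comments) on stdin and prints one line per
# baseline variable: OK, DEVIATION or MISSING.
# Exit status is 0 only when every baseline variable is present and matches.
audit_sysctl() {
    { baseline; echo '%%'; cat; } | awk '
    $0 == "%%" { live = 1; next }       # separator: baseline above, input below
    !live {                             # baseline row
        names[++n] = $1; want[$1] = $2
        why[$1] = substr($0, length($1) + length($2) + 3)
        next
    }
    {
        sub(/#.*/, "")                  # drop comments
        eq = index($0, "=")
        if (eq == 0) next               # blank line or not an assignment
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k in want) got[k] = v       # a later assignment overrides an earlier one
    }
    END {
        for (i = 1; i <= n; i++) {
            k = names[i]
            if (!(k in got)) {
                printf "MISSING %s (expected %s)\n", k, want[k]; bad++
            } else if (got[k] != want[k]) {
                printf "DEVIATION %s = %s (expected %s: %s)\n", k, got[k], want[k], why[k]; bad++
            } else {
                printf "OK %s = %s\n", k, got[k]
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample in sysctl(8) output form; not captured from a real host.
sample_sysctl_output() {
cat <<'EOF'
vfs.generic.usermount = 1
vfs.generic.magiclinks = 0
vfs.wapbl.flush_disk_cache = 1
kern.expose_address = 2
kern.hostname = build01.example.org
EOF
}

sample_sysctl_output | audit_sysctl || echo "baseline deviations found"
```

On a live system, feed the function the output of `sysctl -a` or the contents of /etc/sysctl.conf on standard input.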
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max Ta integer Ta yes
.It kern.aio_max Ta integer Ta yes
.It kern.arandom Ta integer Ta no
.It kern.argmax Ta integer Ta no
.It kern.boothowto Ta integer Ta no
.It kern.boottime Ta struct timespec Ta no
.It kern.buildinfo Ta string Ta no
.\".It kern.bufq node not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.coredump Ta node Ta not applicable
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.cryptodevallowsoft Ta integer Ta yes
.It kern.defcorename Ta string Ta yes
.It kern.detachall Ta integer Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.dump_on_panic Ta integer Ta yes
.It kern.expose_address Ta integer Ta yes
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.lwp Ta struct kinfo_lwp Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxlwp Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.messages Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.module Ta node Ta not applicable
.It kern.monotonic_clock Ta integer Ta no
.It kern.mqueue Ta node Ta not applicable
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.\".It kern.no_sa_support integer yes
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrevision Ta integer Ta no
.It kern.ostype Ta string Ta no
.\".It kern.panic_now integer yes
.It kern.pipe Ta node Ta not applicable
.It kern.pool Ta struct pool_sysctl Ta no
.\" .It kern.posix node not applicable
.It kern.posix1version Ta integer Ta no
.It kern.posix_aio Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.\".It kern.posix_sched integer yes
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.profiling Ta node Ta not applicable
.\".It kern.pset node not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.sbmax Ta integer Ta yes
.It kern.sched Ta node Ta not applicable
.It kern.securelevel Ta integer Ta raise only
.It kern.sofixedbuf Ta boolean Ta yes
.It kern.somaxkva Ta integer Ta yes
.It kern.sooptions Ta integer Ta yes
.It kern.synchronized_io Ta integer Ta no
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.tty Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.usercrypto Ta integer Ta yes
.It kern.userasymcrypto Ta integer Ta yes
.It kern.veriexec Ta node Ta not applicable
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous I/O operations in a single list
I/O call.
As with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom ( Dv KERN_ARND )
Returns independent uniformly distributed bytes at random each time, as
many as requested up to 256, derived from the system entropy pool; see
.Xr rnd 4 .
.Pp
Reading
.Li kern.arandom
is equivalent to reading up to 256 bytes at a time from
.Pa /dev/urandom :
reading
.Li kern.arandom
never blocks, and once the system entropy pool has full entropy, output
subsequently read from
.Li kern.arandom
is fit for use as cryptographic key material.
For example, the
.Xr arc4random 3
library routine uses
.Li kern.arandom
internally to seed a cryptographic pseudorandom number generator.
.It Li kern.argmax ( Dv KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( Dv KERN_BOOTTIME )
A
.Vt struct timespec
structure is returned.
This structure contains the time that the system was booted.
That time is defined (for this purpose) to be the time at
which the kernel first started accumulating clock ticks.
.It Li kern.bufq
This variable contains information on the
.Xr bufq 9
subsystem.
Currently, the only third level name implemented is
.Dv kern.bufq.strategies
which provides a list of buffer queue strategies currently available.
.It Li kern.buildinfo
When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
.It Li kern.ccpu ( Dv KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( Dv KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of microseconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( Dv KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to coredumps of set-id processes.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump Ta integer Ta yes
.It kern.coredump.setid.group Ta integer Ta yes
.It kern.coredump.setid.mode Ta integer Ta yes
.It kern.coredump.setid.owner Ta integer Ta yes
.It kern.coredump.setid.path Ta string Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as
.Li kern.defcorename .
.El
.It Li kern.cp_id ( Dv KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( Dv KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s .
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv < 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv > 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( Dv KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for the format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4 ) .
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( Dv KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( Dv KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL-terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.expose_address
Expose kernel addresses in
.Xr sysctl 3
calls used by
.Xr fstat 1
and
.Xr sockstat 1 .
If it is set to
.Dv 0
access is not allowed.
If it is set to
.Dv 1
then only processes that have opened
.Pa /dev/kmem
can have access.
If it is set to
.Dv 2
every process is allowed.
Defaults to
.Dv 0
for
.Dv KASLR
kernels
and
.Dv 1
otherwise.
Allowing general access renders KASLR ineffective; allowing only
kmem-accessing programs weakens KASLR if those programs can be subverted
to leak the addresses.
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( Dv KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's own), wait for this many
milliseconds before returning the
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default is zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( Dv KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( Dv KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hist
This variable contains kernel history data if the kernel was
configured for any of the options
.Dv UVMHIST ,
.Dv USB_DEBUG ,
.Dv BIOHIST ,
or
.Dv SCDEBUG .
(See
.Xr options 4
for more details.)
The third-level names correspond to each available history table.
The values of the history tables are in an internal format, and can be
decoded by the
.Xr vmstat 1
utility's
.Fl U
and
.Fl u
options;
the
.Fl l
option can be used to see which tables are available.
.It Li kern.hostid ( Dv KERN_HOSTID )
Get or set the host identifier.
This is intended to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( Dv KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( Dv KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( Dv KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( Dv KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( Dv KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( Dv KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.lwp ( Dv KERN_LWP )
Returns information about the current light-weight process.
The
.Sy kinfo_lwp
structure is defined in
.In sys/sysctl.h .
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( Dv KERN_MAXFILES )
The maximum number of files that may be open in the system.
This also controls the maximum file locks per unprivileged user
enforced by
.Xr fcntl 2
and
.Xr flock 2 .
.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxlwp
The maximum number of Lightweight Processes (threads) the system allows
per uid.
.It Li kern.maxphys ( Dv KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( Dv KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( Dv KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( Dv KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This cannot be lowered below the number of currently active vnodes.
.It Li kern.mbuf ( Dv KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters_limit" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.It kern.mbuf.nmbclusters_limit Ta integer Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( Dv MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.It Li kern.mbuf.nmbclusters_limit ( Dv MBUF_NMBCLUSTERS_LIMIT )
The limit of nmbclusters.
.El
.It Li kern.memlock ( Dv KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.messages
Kernel console message verbosity.
See
.Aq Pa sys/reboot.h
.Bl -column "verbosity" "setting" -offset indent
.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent
.It 0 Ta Silent Ta Sy AB_SILENT
.It 1 Ta Quiet Ta Sy AB_QUIET
.It 2 Ta Normal Ta Sy AB_NORMAL
.It 3 Ta Verbose Ta Sy AB_VERBOSE
.It 4 Ta Debug Ta Sy AB_DEBUG
.El
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autounload_unsafe" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload Ta integer Ta yes
.It kern.module.autounload_unsafe Ta integer Ta yes
.It kern.module.autotime Ta integer Ta yes
.It kern.module.verbose Ta boolean Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width 6n
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for details.
.It Li kern.module.autounload_unsafe
A boolean that controls whether the kernel will autounload modules that
were automatically loaded and have not been audited for autounload.
.Pp
By default, only modules that have been audited will be autounloaded,
and only if they were autoloaded to begin with.
.It Li kern.module.autotime
An integer that controls the delay before an attempt is made to
automatically unload a module that was auto-loaded.
Setting this value to zero disables the auto-unload function.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to POSIX message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max Ta integer Ta yes
.It kern.mqueue.mq_prio_max Ta integer Ta yes
.It kern.mqueue.mq_max_msgsize Ta integer Ta yes
.It kern.mqueue.mq_def_maxmsg Ta integer Ta yes
.It kern.mqueue.mq_max_maxmsg Ta integer Ta yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( Dv KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( Dv KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( Dv KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( Dv KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( Dv KERN_OSREV )
The system revision, expressed as an integer.
.It Li kern.ostype ( Dv KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( Dv KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.It Li kern.pool
Provides statistics about the
.Xr pool 9
and
.Xr pool_cache 9
subsystems.
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( Dv KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( Dv KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is :
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( Dv KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( Dv KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent
.It Dv KERN_PROC_ARGV Ta The argv strings
.It Dv KERN_PROC_ENV Ta The environ strings
.It Dv KERN_PROC_NARGV Ta The number of argv strings
.It Dv KERN_PROC_NENV Ta The number of environ strings
.It Dv KERN_PROC_PATHNAME Ta The full pathname of the executable
.It Dv KERN_PROC_CWD Ta The current working directory
.El
.It Li kern.profiling ( Dv KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( Dv GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( Dv GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( Dv GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( Dv GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( Dv GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( Dv KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( Dv KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID is available.
.It Li kern.sbmax ( Dv KERN_SBMAX )
Maximum socket buffer size in bytes.
.It Li kern.securelevel ( Dv KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.sched ( dynamic )
Influence the scheduling of LWPs, their prioritization and how they are
distributed on and moved between CPUs.
.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.sched.cacheht_time Ta integer Ta yes
.It kern.sched.balance_period Ta integer Ta yes
.It kern.sched.average_weight Ta integer Ta yes
.It kern.sched.min_catch Ta integer Ta yes
.It kern.sched.timesoftints Ta integer Ta yes
.It kern.sched.kpreempt_pri Ta integer Ta yes
.It kern.sched.upreempt_pri Ta integer Ta yes
.It kern.sched.maxts Ta integer Ta yes
.It kern.sched.mints Ta integer Ta yes
.It kern.sched.name Ta string Ta no
.It kern.sched.rtts Ta integer Ta no
.It kern.sched.pri_min Ta integer Ta no
.It kern.sched.pri_max Ta integer Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.sched.cacheht_time ( dynamic )
Cache hotness time in which an LWP is kept on one particular CPU
and not moved to another CPU.
This reduces the overhead of flushing and reloading caches.
Defaults to 3ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.balance_period ( dynamic )
Interval at which the CPU queues are checked for re-balancing.
Defaults to 300ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.average_weight ( dynamic )
Can be used to influence how likely LWPs are to be migrated from
one CPU's queue of LWPs that are ready to run to a different, idle CPU.
The value gives the percentage for weighting the average count of
migratable threads from the past against the current number of
migratable threads.
A small value gives more weight to the past, a larger value more weight
to the current situation.
Defaults to 50 and must be between 0 and 100.
.It Li kern.sched.min_catch ( dynamic )
Minimum count of migratable (runnable) threads for catching (stealing)
from another CPU.
Defaults to 1 but can be increased to decrease the chance of thread
migration between CPUs.
.It Li kern.sched.timesoftints ( dynamic )
Enable tracking of CPU time for soft interrupts
as part of an LWP's real execution time.
Set to a non-zero value to enable,
and see
.Xr ps 1
for printing CPU times.
.It Li kern.sched.kpreempt_pri ( dynamic )
Minimum priority to trigger kernel preemption.
.It Li kern.sched.upreempt_pri ( dynamic )
Minimum priority to trigger user preemption.
.It Li kern.sched.maxts ( dynamic )
Scheduler specific maximal time quantum (in milliseconds).
Must be set to a value larger than
.Dq mints
and between 10 and
.Dq hz
as given by the
.Dv kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.mints ( dynamic )
Scheduler specific minimal time quantum (in milliseconds).
Must be set to a value smaller than
.Dq maxts
and between 1 and
.Dq hz
as given by the
.Dq kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.name ( dynamic )
Scheduler name.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.rtts ( dynamic )
Fixed scheduler specific round-robin time quantum in milliseconds.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.pri_min ( dynamic )
Minimal POSIX real-time priority.
See
.Xr sched 3 .
.It Li kern.sched.pri_max ( dynamic )
Maximal POSIX real-time priority.
See
.Xr sched 3 .
.El
.It Li kern.sofixedbuf ( Dv KERN_SOFIXEDBUF )
Prevent socket buffer autoscaling when a size is set with
.Dv SO_SNDBUF
or
.Dv SO_RCVBUF .
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers in bytes.
.It Li kern.sooptions
Set the default socket option flags for
.Xr socket 2
creation.
See
.Xr setsockopt 2
for a list of supported flags.
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( Dv KERN_TIMEX )
Not available.
.It Li kern.tkstat ( Dv KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.tty
The third level names for the tty setup variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tty.qsize Ta int Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tty.qsize
Control/display the size of the default input and output queues selected
during tty creation.
Is converted to a power of two and its range is between
.Dv 1024
and
.Dv 65536 .
.El
.It Li kern.uidinfo
Resource usage for the current user.
.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.uidinfo.proccnt Ta integer Ta no
.It kern.uidinfo.lwpcnt Ta integer Ta no
.It kern.uidinfo.lockcnt Ta integer Ta no
.It kern.uidinfo.semcnt Ta integer Ta no
.It kern.uidinfo.sbsize Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li kern.uidinfo.proccnt
Returns the number of active processes for the current user.
.It Li kern.uidinfo.lwpcnt
Returns the number of active threads for the current user; the first thread
of each process is not counted.
.It Li kern.uidinfo.lockcnt
Number of locks held by the current user.
.It Li kern.uidinfo.semcnt
Number of semaphores held by the current user.
.It Li kern.uidinfo.sbsize
Number of bytes in socket buffers allocated to the current user.
.El
.It Li kern.urandom ( Dv KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.veriexec.algorithms Ta string Ta no
.It kern.veriexec.count Ta node Ta not applicable
.It kern.veriexec.strict Ta integer Ta yes
.It kern.veriexec.verbose Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( Dv KERN_VERSION )
The system version string.
.It Li kern.vnode ( Dv KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li machdep.booted_kernel Ta string Ta no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Bl -tag -width "123456"
.It Li net.route ( Dv PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sy Sixth level is :
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( Dv PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It arp Ta nd_delay Ta integer Ta yes
.It arp Ta nd_bmaxtries Ta integer Ta yes
.It arp Ta nd_umaxtries Ta integer Ta yes
.It arp Ta nd_basereachable Ta integer Ta yes
.It arp Ta nd_retrans Ta integer Ta yes
.It arp Ta nd_nud Ta integer Ta yes
.It arp Ta nd_maxnudhint Ta integer Ta yes
.It arp Ta log_movements Ta integer Ta yes
.It arp Ta log_permanent_modify Ta integer Ta yes
.It arp Ta log_unknown_network Ta integer Ta yes
.It arp Ta log_wrong_iface Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It icmp Ta dynamic_rt_msg Ta boolean Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportalgo.selected Ta string Ta yes
.It ip Ta anonportalgo.available Ta string Ta yes
.It ip Ta anonportalgo.reserve Ta struct Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta dad_count Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.nd_delay
The delay in seconds before sending the first probe,
after it has been decided that the entry is stale.
.It Li arp.nd_bmaxtries
The maximum number of broadcasts sent to discover the hardware address
claiming an IP address.
.It Li arp.nd_umaxtries
The maximum number of unicasts sent to the hardware address to ensure
it still claims an IP address.
.It Li arp.nd_basereachable
The number of milliseconds the ARP entry is considered reachable before
probing reachability.
.It Li arp.nd_retrans
The number of milliseconds between ARP probes.
.It Li arp.nd_nud
If set to non-zero, perform Neighbor Unreachability Detection.
.It Li arp.nd_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if NAT is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.dad_count
The number of
.Xr arp 4
probes sent for Address Conflict Detection.
Set to 0 to disable this.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of the IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirects.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp requests to the
broadcast address.
.It Li icmp.dynamic_rt_msg
A boolean that controls whether the kernel sends a routing message for RTM_DYNAMIC.
If set to true, such routing messages are sent.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
The valid range
is 0 to 10 (maximum specified by RFC6928),
with a default of 4 (approximately 4K per RFC3390).
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.recvspace
The default UDP receive buffer size.
.It Li udp.sendspace
The default UDP send buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( Dv PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It icmp6 Ta reflect_pmtu Ta boolean Ta yes
.It icmp6 Ta dynamic_rt_msg Ta boolean Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta addctlpolicy Ta struct in6_addrpolicy Ta no
.It ip6 Ta anonportalgo.selected Ta string Ta yes
.It ip6 Ta anonportalgo.available Ta string Ta yes
.It ip6 Ta anonportalgo.reserve Ta struct Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxdynroutes Ta integer Ta yes
.It ip6 Ta maxifprefixes Ta integer Ta yes
.It ip6 Ta maxifdefrouters Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta neighborgcthresh Ta integer Ta yes
.It ip6 Ta param_rt_msg Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip6.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip6.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm; see
.Xr rfc6056 7
for details.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicate address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
The IPv6 specification defines node behavior for the
.Dq router
case and the
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by a
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of the IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of the KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables the
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logging generated by the IPv6 packet
forwarding engine, by setting the interval between log outputs
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxdynroutes
Maximum number of routes created by redirect.
Set it to negative to disable.
The default value is 4096.
.It Li ip6.maxifprefixes
Maximum number of prefixes created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxifdefrouters
Maximum number of default routers created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.neighborgcthresh
Maximum number of entries in neighbor cache per interface.
Set to negative to disable.
The default value is 2048.
.It Li ip6.param_rt_msg
If set to 0, parameter changing routing message is suppressed.
If set to 1, parameter changing routing message is sent by RTM_NEWADDR.
Other values are not yet defined.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated addresses, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value for the
.Dv IPV6_V6ONLY
socket option for an
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
Neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, the kernel IPv6 stack will use the loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
.It Li icmp6.reflect_pmtu
A boolean that controls whether ICMPv6 reflecting uses path MTU discovery.
When it does not, ICMPv6 reflecting uses IPV6_MINMTU.
.It Li icmp6.dynamic_rt_msg
A boolean that controls whether the kernel sends a routing message for RTM_DYNAMIC.
If set to true, such a routing message is sent.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for TCP over IPv6,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to the
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( Dv PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variables are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It debug Ta integer Ta yes
.It enabled Ta integer Ta yes
.It used Ta integer Ta no
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.It allow_different_idtype Ta boolean Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.In netipsec/key_debug.h .
.It Li enabled
Control processing of IPsec control messages.
.Bl -tag -width indent
.It 0
Never allow IPsec processing.
.It 1
Allow IPsec processing when SPD policies are present.
.It 2
Force IPsec processing even when SPD policies are not present.
.El
.It Li used
Shows whether IPsec is being used, based on whether IPsec is enabled
and whether SPD rules exist.
Note that currently once IPsec is being used, it cannot be disabled.
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It prevents a flood of ACQUIRE PF_KEY messages from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li allow_different_idtype
A boolean that allows or disallows different identifier types
on IDii and IDir.
Allowing that can improve interconnectivity to some VPN appliances.
.El
.It Li net.local ( Dv PF_LOCAL )
Get or set various global information about
.Dv AF_LOCAL
type sockets.
For some variables, the third level name is the variable name:
.Bl -column "Variable" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It inflight Ta integer Ta no
.It deferred Ta integer Ta no
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li inflight
The number of file descriptors currently passed between processes,
.Qq in flight .
.It Li deferred
The number of file descriptors passed between processes that have been
deferred for cleanup by a kernel task.
.El
.Pp
Other variables are specific to a socket type:
.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent
.It Sy "Socket Type" Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It dgram Ta pcblist Ta struct Ta no
.It dgram Ta recvspace Ta integer Ta yes
.It dgram Ta sendspace Ta integer Ta yes
.It seqpacket Ta pcblist Ta struct Ta no
.It stream Ta pcblist Ta struct Ta no
.It stream Ta recvspace Ta integer Ta yes
.It stream Ta sendspace Ta integer Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li dgram.pcblist
The Protocol Control Block list structure for datagram sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li dgram.recvspace
The default datagram receive buffer size.
.It Li dgram.sendspace
The default datagram send buffer size.
.It Li seqpacket.pcblist
The Protocol Control Block list structure for Sequential Packet sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.pcblist
The Protocol Control Block list structure for stream sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.recvspace
The default stream receive buffer size.
.It Li stream.sendspace
The default stream send buffer size.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.It proc.pid.paxflags Ta int Ta no
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( Dv PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS )
The maximum size (in bytes) which a process can obtain.
.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR )
The maximum number of threads that can be created and running at one time in
the process.
The first thread of each process is not counted against this.
.El
.Pp
The fifth level name is one of
.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
The children are created in the SSTOP state and are never scheduled
for running before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of the process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS )
This read-only variable returns the current value of the process's pax
flags (see
.Xr paxctl 8 ) .
.El
.Ss The user.* subtree ( Dv CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( Dv USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( Dv USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( Dv USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( Dv USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( Dv USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( Dv USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( Dv USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( Dv CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.It vm.proc.map Ta struct kinfo_vmentry Ta no
.It vm.guard_size Ta unsigned int Ta no
.It vm.thread_guard_size Ta unsigned int Ta yes
.It vm.swap_encrypt Ta bool Ta yes
.El
.Bl -tag -width "123456"
.It Li vm.anonmax ( Dv VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( Dv VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( Dv VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( Dv VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( Dv VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( Dv VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( Dv VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( Dv VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( Dv VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( Dv VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( Dv VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.proc.map ( Dv VM_PROC )
The third level is
.Dv VM_PROC_MAP ,
the fourth is the pid of the process to display the vm object entries for, and
the fifth is the size of
.Vt struct kinfo_vmentry .
Returns an array of
.Vt struct kinfo_vmentry
objects.
.It Li vm.ubc_direct Bq Sy "EXPERIMENTAL" Ns No , default off
Use direct map for UBC I/O, avoiding the need to map and unmap buffer memory.
Speeds up operation for fast I/O devices like NVMe, especially
on multi-CPU systems.
Only available on some architectures.
.It Li vm.uspace ( Dv VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( Dv VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.It Li vm.guard_size
Return system wide guard size for the main thread of a program.
.It Li vm.thread_guard_size
Return system wide default size for the guard area of all other threads
of a program.
.It Li vm.swap_encrypt
If true, encrypt data while swapped out to disk.
.Pp
Each swap device maintains an independent AES-256 key, generated when
the first page is swapped to that device.
Each page is swapped independently using AES-CBC, with an
initialization vector chosen by the encryption under the AES-256 key of
the little-endian swap slot number padded to 128 bits with zeros.
(This is essentially the
.Xr cgd 4
.Sq encblkno1
method.)
.Pp
Changes to
.Li vm.swap_encrypt
only affect pages of swap newly written out.
To force encrypting or decrypting all existing swap, or to rekey
previously encrypted swap, you can remove the swap devices and re-add
them with
.Xr swapctl 8 ,
with the caveat that whatever pages were already written to disk
unencrypted or encrypted with a compromised key may still be written to
disk afterward.
.El
.Ss The ddb.* subtree ( Dv CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.commandonenter Ta string Ta yes
.It ddb.dumpstack Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.panicstackframes Ta integer Ta yes
.It ddb.radix Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li ddb.commandonenter
If not empty, the string is used as the DDB command to be executed each time
DDB is entered.
.It Li ddb.dumpstack
A value of 1 causes a stack trace to be printed on entering DDB from a panic.
A value of 0 disables this behaviour.
The default value is 1.
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.lines ( Dv DDBCTL_LINES )
Number of display lines.
.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC )
If greater than zero, DDB will be entered if the kernel panics.
A value of 1 causes the system to enter DDB on panic.
A value of 0 causes the kernel to attempt to print a stack trace, then
reboot, while a value of \-1 means neither a stack trace will be printed
nor DDB entered.
.It Li ddb.panicstackframes
Number of stack frames to display on panic.
Useful to avoid scrolling away the interesting frames on a glass tty.
Default value is
.Dv 65535
(all frames), useful value around
.Dv 10 .
.It Li ddb.radix ( Dv DDBCTL_RADIX )
The input and output radix.
.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.El
.Pp
Some of these MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( Dv CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain Ta integer Ta yes
.It Li security.models Ta node Ta not applicable
.It Li security.pax Ta node Ta not applicable
.El
.Pp
Available settings are detailed below.
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter return objects according to the user ID
requesting information about them, preventing users from
accessing any objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX \(em exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled Ta integer Ta yes
.\".It Li security.pax.aslr.exec_len Ta integer Ta yes
.It Li security.pax.aslr.global Ta integer Ta yes
.\".It Li security.pax.aslr.mmap_len Ta integer Ta yes
.\".It Li security.pax.aslr.stack_len Ta integer Ta yes
.It Li security.pax.mprotect.enabled Ta integer Ta yes
.It Li security.pax.mprotect.global Ta integer Ta yes
.It Li security.pax.mprotect.ptrace Ta integer Ta yes
.It Li security.pax.segvguard.enabled Ta integer Ta yes
.It Li security.pax.segvguard.expiry_timeout Ta integer Ta yes
.It Li security.pax.segvguard.global Ta integer Ta yes
.It Li security.pax.segvguard.max_crashes Ta integer Ta yes
.It Li security.pax.segvguard.suspend_timeout Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.ptrace
This variable allows
.Xr ptrace 2
to override PaX MPROTECT permissions.
It can have the following values:
.Bl -tag -width XX -compact
.It 0
Does not allow any permissions to be overridden.
.It 1
Disables PaX MPROTECT for processes that start executing while traced (default).
.It 2
Bypasses PaX MPROTECT for all processes being traced.
.El
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( Dv CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.<yourname>.* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
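.Sh EXAMPLES
The following audit script is an added example, not part of the NetBSD manual page: it checks the security.pax.*, security.curtain, vm.user_va0_disable and ddb.fromconsole settings described above against a baseline and reports every entry that deviates or is absent.
The baseline values, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The baseline is an illustrative assumption, not NetBSD policy.
# Format: "name op value"; op "ne" = must differ from, "eq" = must equal.
baseline() {
cat <<'EOF'
security.pax.aslr.enabled ne 0
security.pax.aslr.global ne 0
security.pax.mprotect.enabled ne 0
security.pax.mprotect.global ne 0
security.pax.mprotect.ptrace eq 0
security.pax.segvguard.enabled ne 0
security.curtain ne 0
vm.user_va0_disable ne 0
ddb.fromconsole eq 0
EOF
}
# Constructed sample of sysctl(8) "name = value" output, not from a real host.
sample_output() {
cat <<'EOF'
security.curtain = 0
security.pax.aslr.enabled = 1
security.pax.aslr.global = 1
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.mprotect.ptrace = 1
security.pax.segvguard.enabled = 0
vm.user_va0_disable = 1
EOF
}
# Reads sysctl output on stdin, prints one verdict per baseline entry and
# returns the number of failed or missing entries as its exit status.
audit() {
    out=$(cat)
    fails=0
    while read -r name op want; do
        have=$(printf '%s\n' "$out" |
            awk -F' = ' -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then verdict=MISSING
        elif [ "$op" = ne ] && [ "$have" != "$want" ]; then verdict=ok
        elif [ "$op" = eq ] && [ "$have" = "$want" ]; then verdict=ok
        else verdict=FAIL
        fi
        [ "$verdict" = ok ] || fails=$((fails + 1))
        printf '%-8s%s = %s (want %s %s)\n' "$verdict" "$name" "${have:--}" "$op" "$want"
    done <<EOF
$(baseline)
EOF
    return "$fails"
}
sample_output | audit || echo "$? baseline entries failed or missing"
```

On a NetBSD host, piping the output of sysctl -a into audit runs the same checks against the live values; a node that does not exist on the running kernel or architecture is reported as MISSING rather than silently passed.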