.\" $NetBSD: sysctl.7,v 1.51 2010/08/06 18:36:09 jruoho Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd August 6, 2010
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a CTL_ prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column security CTL_SECURITY "Next level names" "High kernel limits"
.It Sy Name Ta Constant Ta Next level names Ta Description
.It kern Ta CTL_KERN Ta sys/sysctl.h Ta High kernel limits
.It vm Ta CTL_VM Ta uvm/uvm_param.h Ta Virtual memory
.It vfs Ta CTL_VFS Ta sys/mount.h Ta Filesystem
.It net Ta CTL_NET Ta sys/socket.h Ta Networking
.It debug Ta CTL_DEBUG Ta sys/sysctl.h Ta Debugging
.It hw Ta CTL_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta CTL_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It user Ta CTL_USER Ta sys/sysctl.h Ta User-level
.It ddb Ta CTL_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It proc Ta CTL_PROC Ta sys/sysctl.h Ta Per-process
.It vendor Ta CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta CTL_EMUL Ta sys/sysctl.h Ta Emulation settings
.It security Ta CTL_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
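Added example, not part of the NetBSD manual page or NetBSD code: a linter for /etc/sysctl.conf, where the textual names described above are used, built on constraints this page documents for the hw.* and kern.* subtrees (non-changeable variables, raise-only variables, the kern.forkfsleep maximum, the sign convention of kern.cryptodevallowsoft).
The sample file, the running values and the finding labels are constructed for illustration, and the one-assignment-per-line syntax with # comments is an assumption.

```python
# Added example: lint sysctl.conf assignments against constraints that this
# manual page documents. Not NetBSD code; labels and sample data are constructed.

# "Changeable: no" in the hw.* and kern.* tables (a subset).
READ_ONLY = {
    "hw.ncpu", "hw.pagesize", "kern.argmax", "kern.boottime",
    "kern.msgbufsize", "kern.osrelease", "kern.ostype", "kern.version",
}
# Documented as "raise only" / "can only be raised" / "can only be increased".
RAISE_ONLY = {"kern.securelevel", "kern.maxvnodes", "kern.mbuf.nmbclusters"}
# kern.forkfsleep is given in milliseconds and "Maximum is 20 seconds".
FORKFSLEEP_MAX_MS = 20 * 1000
INTEGER_VARS = RAISE_ONLY | {
    "kern.forkfsleep", "kern.cryptodevallowsoft", "kern.coredump.setid.dump",
}


def parse_conf(text):
    """Yield (lineno, name, value) for every name=value line.

    Assumed syntax: one assignment per line, '#' starts a comment.
    Lines without '=' assign nothing and are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        name, sep, value = line.partition("=")
        if sep:
            yield lineno, name.strip(), value.strip()


def cryptodevallowsoft_meaning(value):
    """Translate the documented sign convention into words."""
    if value < 0:
        return "userlevel requests are always forced to software transforms"
    if value == 0:
        return "hardware is used if present; other transforms run in software"
    return "user requests are allowed only for hardware-accelerated transforms"


def lint(text, running):
    """Return findings as (lineno, name, level, message) tuples.

    `running` maps names to the values currently in the kernel, as an
    administrator would collect them with sysctl(8) before a change.
    """
    findings = []

    def add(lineno, name, level, message):
        findings.append((lineno, name, level, message))

    for lineno, name, value in parse_conf(text):
        if name in READ_ONLY:
            add(lineno, name, "error", "variable is not changeable")
            continue
        if name not in INTEGER_VARS:
            continue
        try:
            number = int(value)
        except ValueError:
            add(lineno, name, "error", f"integer expected, got {value!r}")
            continue
        if name in RAISE_ONLY and name in running and number < running[name]:
            add(lineno, name, "error",
                f"can only be raised; running value is {running[name]}")
        elif name == "kern.forkfsleep" and number > FORKFSLEEP_MAX_MS:
            add(lineno, name, "error",
                f"exceeds the {FORKFSLEEP_MAX_MS} ms maximum")
        elif name == "kern.cryptodevallowsoft":
            add(lineno, name, "note", cryptodevallowsoft_meaning(number))
        elif name == "kern.coredump.setid.dump" and number != 0:
            add(lineno, name, "note",
                "set-id processes will dump core (off by default)")
    return findings


# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
# hardening attempt
kern.securelevel=0
kern.maxvnodes=200000
kern.forkfsleep=30000        # 30 seconds
kern.osrelease=9.9
kern.coredump.setid.dump=1
kern.cryptodevallowsoft=-1
kern.hostname=build01
"""
SAMPLE_RUNNING = {"kern.securelevel": 1, "kern.maxvnodes": 100000}

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, SAMPLE_RUNNING):
        print("line %d: %s: %s: %s" % finding)
```
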
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
It has the following third level identifiers:
.Bl -tag -width compact
.It vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
The highest valid filesystem type number.
.It vfs.generic.conf ( VFS_CONF )
Returns configuration information about the file-system type given as a fourth
level identifier.
.El
.Pp
The remaining second level identifiers are the file-system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Type Ta Changeable
.It kern.aio_listio_max Ta integer Ta yes
.It kern.aio_max Ta integer Ta yes
.It kern.arandom Ta integer Ta no
.It kern.argmax Ta integer Ta no
.It kern.boothowto Ta integer Ta no
.It kern.boottime Ta struct timeval Ta no
.\".It kern.bufq node not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.coredump Ta node Ta not applicable
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.cryptodevallowsoft Ta integer Ta yes
.It kern.defcorename Ta string Ta yes
.It kern.detachall Ta integer Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.dump_on_panic Ta integer Ta yes
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.module Ta node Ta not applicable
.It kern.monotonic_clock Ta integer Ta no
.It kern.mqueue Ta node Ta not applicable
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.\".It kern.no_sa_support integer yes
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrevision Ta integer Ta no
.It kern.ostype Ta string Ta no
.\".It kern.panic_now integer yes
.It kern.pipe Ta node Ta not applicable
.\" .It kern.posix node not applicable
.It kern.posix1version Ta integer Ta no
.It kern.posix_aio Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.\".It kern.posix_sched integer yes
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.profiling Ta node Ta not applicable
.\".It kern.pset node not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.sbmax Ta integer Ta yes
.\".It kern.sched node not applicable
.It kern.securelevel Ta integer Ta raise only
.It kern.somaxkva Ta integer Ta yes
.It kern.synchronized_io Ta integer Ta no
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.usercrypto Ta integer Ta yes
.It kern.userasymcrypto Ta integer Ta yes
.It kern.veriexec Ta node Ta not applicable
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous
.Tn I/O
operations in a single list I/O call.
As with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom
This variable picks a random number each time it is queried.
The random number generator
.Pq Tn RNG
used is based on
.Xr arc4random 3 .
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.\" .It Li kern.bufq
.\" XXX: Undocumented.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to coredumps of set-id processes.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Type Ta Changeable
.It kern.coredump.setid.dump Ta integer Ta yes
.It kern.coredump.setid.group Ta integer Ta yes
.It kern.coredump.setid.mode Ta integer Ta yes
.It kern.coredump.setid.owner Ta integer Ta yes
.It kern.coredump.setid.path Ta string Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv \*[Lt] 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv \*[Gt] 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to a limit on the number of processes (either
the global maxproc limit or the user's), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host identifier.
This is intended to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.module.autoload Ta integer Ta yes
.It kern.module.verbose Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See for example
.Xr modstat 8
for additional details.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.mqueue
Settings related to
.Tn POSIX
message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.mqueue.mq_open_max Ta integer Ta yes
.It kern.mqueue.mq_prio_max Ta integer Ta yes
.It kern.mqueue.mq_max_msgsize Ta integer Ta yes
.It kern.mqueue.mq_def_maxmsg Ta integer Ta yes
.It kern.mqueue.mq_max_maxmsg Ta integer Ta yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparam ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of the real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.\" .It Li kern.sched
.\" XXX: Undocumented.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.veriexec.algorithms Ta string Ta no
.It kern.veriexec.count Ta node Ta not applicable
.It kern.veriexec.strict Ta integer Ta yes
.It kern.veriexec.verbose Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.\" XXX: Undocumented: kern.lwp: no children?
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li machdep.booted_kernel Ta string Ta no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sy Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Sy Variable name Ta Sy Type Ta Sy Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Sy Variable name Ta Sy Type Ta Sy Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
The IPv6 specification defines node behavior for the
.Dq router
case and the
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls the use of deprecated addresses, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value for the
.Dv IPV6_V6ONLY
socket option for an
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to the
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variables and names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Sy Type Ta Sy Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It prevents a flood of ACQUIRE PF_KEY messages from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
The child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps with attaching to a process with a debugger such as
.Xr gdb 1
before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps with attaching to a process with a debugger such as
.Xr gdb 1
before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Ss The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address 0.
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Ss The ddb.* subtree ( CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.It ddb.commandonenter Ta string Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DDBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.lines ( DDBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DDBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.It Li ddb.commandonenter
If not empty, a command to be executed on each entry to
.Tn DDB .
.\"
.\" XXX: (a) ddb.commandonenter is missing in ddb(4);
.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter.
.El
.Pp
Some of these
.Tn MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain Ta integer Ta yes
.It Li security.models Ta node Ta not applicable
.It Li security.pax Ta node Ta not applicable
.El
.Pp
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter returned objects according to the user
.Tn ID
requesting information about them, preventing users from
accessing objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled Ta integer Ta yes
.\".It Li security.pax.aslr.exec_len integer yes
.It Li security.pax.aslr.global Ta integer Ta yes
.\".It Li security.pax.aslr.mmap_len integer yes
.\".It Li security.pax.aslr.stack_len integer yes
.It Li security.pax.mprotect.enabled Ta integer Ta yes
.It Li security.pax.mprotect.global Ta integer Ta yes
.It Li security.pax.segvguard.enabled Ta integer Ta yes
.It Li security.pax.segvguard.expiry_timeout Ta integer Ta yes
.It Li security.pax.segvguard.global Ta integer Ta yes
.It Li security.pax.segvguard.max_crashes Ta integer Ta yes
.It Li security.pax.segvguard.suspend_timeout Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
top level name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
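The following sh script is an added example, not part of the NetBSD manual page or source tree: it reads a saved sysctl(8) listing and works out the effective PaX default policy from the security.pax.*.enabled and security.pax.*.global pairs described above, and decodes the icmp6.nodeinfo bits. The listing is constructed sample data and the function names are hypothetical. Reading segvguard.enabled as the same kind of master switch as the ASLR and MPROTECT knobs, and reporting every policy other than opt-out, are assumptions of this example.

```shell
#!/bin/sh
# Added example: interpret a saved sysctl(8) listing with the semantics this
# page gives for security.pax.* and icmp6.nodeinfo. Function names are
# hypothetical; SAMPLE is constructed data, not output from a real host.

SAMPLE='security.pax.aslr.enabled = 1
security.pax.aslr.global = 0
security.pax.mprotect.enabled = 0
security.pax.mprotect.global = 1
security.pax.segvguard.enabled = 1
security.pax.segvguard.global = 1
net.inet6.icmp6.nodeinfo = 3
net.inet6.icmp6.nd6_debug = 1'

# get_var LISTING NAME: print NAME's value from "name = value" lines.
# Exit status is 1 when the variable is not in the listing.
get_var() {
    printf '%s\n' "$1" | awk -F ' = ' -v n="$2" '
        $1 == n { print $2; found = 1; exit }
        END { exit !found }'
}

# pax_policy LISTING FEATURE: default policy for aslr, mprotect or segvguard.
# ".enabled" is the master switch; ".global" sets the default for programs
# that carry no explicit paxctl(8) flag.
pax_policy() {
    en=$(get_var "$1" "security.pax.$2.enabled") || { echo unknown; return 0; }
    gl=$(get_var "$1" "security.pax.$2.global") || { echo unknown; return 0; }
    if [ "$en" -eq 0 ]; then
        echo off        # nobody gets it, not even explicitly enabled programs
    elif [ "$gl" -ne 0 ]; then
        echo opt-out    # everyone gets it unless exempted with paxctl(8)
    else
        echo opt-in     # only programs marked with paxctl(8) get it
    fi
}

# pax_applies LISTING FEATURE FLAG: does a program whose paxctl(8) marking is
# FLAG (enable, disable or none) get FEATURE? Prints yes, no or unknown.
pax_applies() {
    case "$(pax_policy "$1" "$2"):$3" in
        unknown:*) echo unknown ;;
        opt-out:enable|opt-out:none|opt-in:enable) echo yes ;;
        *) echo no ;;
    esac
}

# nodeinfo_answers LISTING: decode the icmp6.nodeinfo bits
# (1 = FQDN queries, 2 = node address queries).
nodeinfo_answers() {
    v=$(get_var "$1" net.inet6.icmp6.nodeinfo) || { echo unknown; return 0; }
    out=""
    if [ $((v & 1)) -ne 0 ]; then out="fqdn"; fi
    if [ $((v & 2)) -ne 0 ]; then out="${out:+$out,}addresses"; fi
    echo "${out:-none}"
}

# audit LISTING: one finding per line. Reporting every PaX policy other than
# opt-out is an assumed site policy, not a recommendation from the page.
audit() {
    for f in aslr mprotect segvguard; do
        p=$(pax_policy "$1" "$f")
        [ "$p" = opt-out ] || echo "security.pax.$f: default policy is $p"
    done
    a=$(nodeinfo_answers "$1")
    if [ "$a" != none ] && [ "$a" != unknown ]; then
        echo "icmp6.nodeinfo: answers $a queries"
    fi
    d=$(get_var "$1" net.inet6.icmp6.nd6_debug) || d=0
    if [ "$d" -ne 0 ]; then
        echo "icmp6.nd6_debug: set to $d, must be 0 for normal operation"
    fi
    return 0
}

audit "$SAMPLE"
```

On a live system the listing would be captured once and passed to audit in place of SAMPLE.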