.\" $NetBSD: sysctl.7,v 1.37 2010/04/10 04:49:17 jruoho Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd April 10, 2010
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column security CTL_SECURITY "Next level names" "High kernel limits"
.It Sy Name Ta Constant Ta Next level names Ta Description
.It kern Ta CTL_KERN Ta sys/sysctl.h Ta High kernel limits
.It vm Ta CTL_VM Ta uvm/uvm_param.h Ta Virtual memory
.It vfs Ta CTL_VFS Ta sys/mount.h Ta Filesystem
.It net Ta CTL_NET Ta sys/socket.h Ta Networking
.It debug Ta CTL_DEBUG Ta sys/sysctl.h Ta Debugging
.It hw Ta CTL_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta CTL_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It user Ta CTL_USER Ta sys/sysctl.h Ta User-level
.It ddb Ta CTL_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It proc Ta CTL_PROC Ta sys/sysctl.h Ta Per-process
.It vendor Ta CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta CTL_EMUL Ta sys/sysctl.h Ta Emulation settings
.It security Ta CTL_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
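The textual names are what an administrator places in /etc/sysctl.conf, and the Changeable columns in the hw.* and kern.* tables on this page say which of them can be set at all. The following Python linter is an added example, not part of the NetBSD manual page: it checks a sysctl.conf against a subset of those tables copied from this page. The `name=value` / `name?=value` / `#` comment syntax it parses, the function names, the finding codes and the sample file are assumptions of the example.

```python
"""Lint an /etc/sysctl.conf against the 'Changeable' columns of sysctl(7)."""
import re

# Top level names, from the "Top level names" table on this page.
TOP_LEVEL = frozenset(
    "kern vm vfs net debug hw machdep user ddb proc vendor emul security".split()
)

# Subset of the hw.* and kern.* tables on this page: name -> Changeable column.
CHANGEABLE = {
    "hw.cnmagic": "yes",
    "hw.pagesize": "no",
    "hw.physmem": "no",
    "kern.boottime": "no",
    "kern.hostname": "yes",
    "kern.logsigexit": "yes",
    "kern.maxfiles": "yes",
    "kern.maxphys": "no",
    "kern.maxproc": "yes",
    "kern.osrelease": "no",
    "kern.securelevel": "raise only",
}

# Dotted textual name; later components may contain '-' (ip.directed-broadcast).
_NAME_RE = re.compile(r"^[A-Za-z0-9_]+(\.[A-Za-z0-9_-]+)*$")


def parse_conf(text):
    """Return (entries, errors) for an assumed name=value file with # comments.

    entries are (lineno, name, value); errors are (lineno, text, "malformed").
    A trailing '?' on the name (the assumed 'name?=value' form) is dropped.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # values containing '#' are not supported
        if not line:
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if name.endswith("?"):
            name = name[:-1].strip()
        if not sep or not _NAME_RE.match(name):
            errors.append((lineno, line, "malformed"))
            continue
        entries.append((lineno, name, value.strip()))
    return entries, errors


def lint(text, current_securelevel):
    """Return sorted (lineno, name, code) findings for a sysctl.conf text.

    current_securelevel is the value the running kernel reports; it is needed
    because kern.securelevel is listed as "raise only".
    """
    entries, findings = parse_conf(text)
    last_seen = {}
    for lineno, name, value in entries:
        if name.split(".", 1)[0] not in TOP_LEVEL:
            findings.append((lineno, name, "unknown-top-level"))
            continue
        if name in last_seen:
            # Assumption: the file is applied top to bottom, so a later line
            # silently replaces an earlier (possibly stricter) setting.
            findings.append((lineno, name, "overrides-line-%d" % last_seen[name]))
        last_seen[name] = lineno
        mode = CHANGEABLE.get(name)
        if mode == "no":
            findings.append((lineno, name, "not-changeable"))
        elif mode == "raise only":
            try:
                wanted = int(value)
            except ValueError:
                findings.append((lineno, name, "not-an-integer"))
                continue
            if wanted < current_securelevel:
                findings.append((lineno, name, "lowers-raise-only"))
    return sorted(findings)


# Constructed sample file, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
kern.securelevel=1
kern.maxfiles=4096        # listed as changeable
hw.pagesize=8192          # listed as not changeable
kern.logsigexit=1
kernel.hostname=box       # 'kernel' is not a top level name
kern.securelevel=0        # later line undoes the earlier one
net.inet.ip.forwarding?=0
this line has no assignment
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, current_securelevel=1):
        print("line %d: %s: %s" % finding)
```

Variables missing from the `CHANGEABLE` subset are passed through unchecked, so extend the dictionary from the tables on this page before relying on a clean result.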
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
It has the following third level identifiers:
.Bl -tag -width compact
.It vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
The highest valid filesystem type number.
.It vfs.generic.conf ( VFS_CONF )
Returns configuration information about the file-system type given as a fourth
level identifier.
.El
.Pp
The remaining second level identifiers are the file-system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "kern.posix_reader_writer_locks" "struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Type Ta Changeable
.It kern.argmax Ta integer Ta no
.It kern.autonicetime Ta integer Ta yes
.It kern.autoniceval Ta integer Ta yes
.It kern.boottime Ta struct timeval Ta no
.It kern.bufq Ta node Ta not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.defcorename Ta string Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.monotonic_clock Ta integer Ta no
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrev Ta integer Ta no
.It kern.ostype Ta string Ta no
.It kern.pipe Ta node Ta not applicable
.It kern.posix1 Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.prof Ta node Ta not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.securelevel Ta integer Ta raise only
.It kern.synchronized_io Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.autonicetime ( KERN_AUTONICETIME )
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li kern.autoniceval ( KERN_AUTONICEVAL )
The priority assigned for automatically niced processes.
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system panic.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning the
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host id.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the hostname.
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
Tunings for Veriexec.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes' coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.\" XXX kern.lwp
.El
.Sh The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "Second level name" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li CPU_CONSDEV Ta dev_t Ta no
.El
.Sh The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is a broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
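Added example (not part of the NetBSD manual or source): a Python lint for sysctl.conf-style "name=value" text that applies the limits stated above for ip.anonportmin/ip.anonportmax, ip.lowportmin/ip.lowportmax and ip.hashsize, and flags the settings this page itself discourages.
The function names, the "running" parameter and the sample file are assumptions made for the illustration.

```python
"""Lint sysctl.conf-style text against limits stated in sysctl(7).

Added illustration, not NetBSD code. Only net.inet.* names are examined.
"""

PREFIX = "net.inet."

# Inclusive bounds as given in the variable descriptions.
RANGES = {
    "ip.anonportmin": (1024, 65535),
    "ip.anonportmax": (1024, 65535),
    "ip.lowportmin": (0, 1024),
    "ip.lowportmax": (0, 1024),
}
# (lower, upper): the upper name must be greater than the lower one.
ORDERED = [("ip.anonportmin", "ip.anonportmax"),
           ("ip.lowportmin", "ip.lowportmax")]
# (name, value) pairs the page advises against, with its wording.
DISCOURAGED = {
    ("udp.checksum", 0): "disabling UDP checksums is strongly discouraged",
    ("tcp.compat_42", 1): "4.2BSD work-arounds are not recommended",
    ("tcp.ack_on_push", 1): "generally not recommended",
}
CHECKED = set(RANGES) | {"ip.hashsize"} | {name for name, _ in DISCOURAGED}

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
net.inet.ip.anonportmin=49152
net.inet.ip.anonportmax=40000     # not greater than anonportmin
net.inet.ip.lowportmin=600
net.inet.ip.lowportmax=2048       # above 1024
net.inet.ip.hashsize=300          # not a power of 2
net.inet.udp.checksum=0
net.inet.tcp.congctl.selected=newreno
net.inet.ip.forwarding=1
"""


def parse_conf(text):
    """Return ({short_name: raw_value}, findings) for net.inet.* lines."""
    raw, findings = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            findings.append((f"line {lineno}", "expected name=value"))
            continue
        name = name.strip()
        if name.startswith(PREFIX):
            raw[name[len(PREFIX):]] = value.strip()
    return raw, findings


def lint(conf_text, running=None):
    """Return a list of (name, message) findings.

    `running` may supply values already set in the kernel, so that a file
    which changes only one end of a port range is still checked against
    the other end. The merged (effective) values are what gets linted.
    """
    raw, findings = parse_conf(conf_text)
    values = dict(running or {})
    for name, text in raw.items():
        try:
            values[name] = int(text)
        except ValueError:
            # String-typed variables are fine unless we need a number.
            if name in CHECKED:
                values.pop(name, None)
                findings.append((name, f"expected an integer, got {text!r}"))

    for name, (low, high) in RANGES.items():
        value = values.get(name)
        if value is not None and not low <= value <= high:
            findings.append((name, f"{value} is outside {low}..{high}"))

    for lower, upper in ORDERED:
        if lower in values and upper in values:
            if values[upper] <= values[lower]:
                findings.append(
                    (upper, f"{values[upper]} must be greater than "
                            f"{lower} ({values[lower]})"))

    size = values.get("ip.hashsize")
    if size is not None and (size <= 0 or size & (size - 1)):
        findings.append(("ip.hashsize", f"{size} is not a power of 2"))

    for (name, bad), why in DISCOURAGED.items():
        if values.get(name) == bad:
            findings.append((name, why))
    return findings


if __name__ == "__main__":
    for name, message in lint(SAMPLE_CONF):
        print(f"{name}: {message}")
```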
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Type Ta Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids a flood of ACQUIRE PF_KEY messages being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
Each child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps when attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation-specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps when attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name	Type	Changeable
.It user.atexit_max	integer	no
.It user.bc_base_max	integer	no
.It user.bc_dim_max	integer	no
.It user.bc_scale_max	integer	no
.It user.bc_string_max	integer	no
.It user.coll_weights_max	integer	no
.It user.cs_path	string	no
.It user.expr_nest_max	integer	no
.It user.line_max	integer	no
.It user.posix2_c_bind	integer	no
.It user.posix2_c_dev	integer	no
.It user.posix2_char_term	integer	no
.It user.posix2_fort_dev	integer	no
.It user.posix2_fort_run	integer	no
.It user.posix2_localedef	integer	no
.It user.posix2_sw_dev	integer	no
.It user.posix2_upe	integer	no
.It user.posix2_version	integer	no
.It user.re_dup_max	integer	no
.It user.stream_max	integer	no
.It user.tzname_max	integer	no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name	Type	Changeable
.It vm.anonmax	int	yes
.It vm.anonmin	int	yes
.It vm.bufcache	int	yes
.It vm.bufmem	int	no
.It vm.bufmem_hiwater	int	yes
.It vm.bufmem_lowater	int	yes
.It vm.execmax	int	yes
.It vm.execmin	int	yes
.It vm.filemax	int	yes
.It vm.filemin	int	yes
.It vm.loadavg	struct loadavg	no
.It vm.maxslp	int	no
.It vm.nkmempages	int	no
.It vm.uspace	int	no
.It vm.uvmexp	struct uvmexp	no
.It vm.uvmexp2	struct uvmexp_sysctl	no
.It vm.vmmeter	struct vmtotal	no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address 0.
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name	Type	Changeable
.It ddb.radix	integer	yes
.It ddb.maxoff	integer	yes
.It ddb.maxwidth	integer	yes
.It ddb.lines	integer	yes
.It ddb.tabstops	integer	yes
.It ddb.onpanic	integer	yes
.It ddb.fromconsole	integer	yes
.It ddb.tee_msgbuf	integer	yes
.It ddb.commandonenter	string	yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DDBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.lines ( DDBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DDBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.It Li ddb.commandonenter
If not empty, a command to be executed each time
.Tn DDB
is entered.
.\"
.\" XXX: (a) ddb.commandonenter is missing in ddb(4);
.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter.
.El
.Pp
Some of these
.Tn MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, returned objects are filtered according to the user-id
requesting information about them, preventing users from having any
access to objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enable
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is
explicitly marked as enabled.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is explicitly marked as enabled.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.expiry_timeout
If the maximum number of crashes is not reached within this timeout
(in seconds), the entry will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit is exceeded.
.It Li security.pax.segvguard.max_crashes
Maximum number of segfaults a program can receive before suspension.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
The intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
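The enable/global rules given for the security.pax.* nodes in the security.* subtree combine with each program's paxctl(8) flag. The following is an added example, not part of the NetBSD manual page, that works that logic through and audits a constructed sysctl(8) listing. The function names, the on/off/unset flag labels and the sample values are assumptions made for illustration, and an absent node is treated as 0.

```shell
#!/bin/sh
# Constructed sample in the "name = value" form printed by sysctl(8).
SAMPLE='security.curtain = 0
security.pax.aslr.enable = 1
security.pax.aslr.global = 0
security.pax.mprotect.enable = 1
security.pax.mprotect.global = 1
security.pax.segvguard.enable = 0
security.pax.segvguard.global = 1'

# knob LISTING NAME: print the value of NAME. An absent node or a value that
# is not a non-negative integer prints as 0 (assumption: err toward "off").
knob() {
    v=$(printf '%s\n' "$1" | awk -v want="$2" '
        { sub(/#.*/, ""); i = index($0, "="); if (i == 0) next
          name = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (name == want) found = val }   # a repeated name keeps the last value
        END { print found }')
    case "$v" in ''|*[!0-9]*) v=0 ;; esac
    printf '%s\n' "$v"
}

# pax_effective LISTING FEATURE FLAG: print on/off for one program.
# FLAG is the program's paxctl(8) mark: on, off, or unset (no explicit flag).
pax_effective() {
    # The enable knob gates everything, including explicitly marked programs.
    [ "$(knob "$1" "security.pax.$2.enable")" -ne 0 ] || { echo off; return 0; }
    case "$3" in
        on)    echo on ;;
        off)   echo off ;;
        unset) if [ "$(knob "$1" "security.pax.$2.global")" -ne 0 ]
               then echo on; else echo off; fi ;;
        *)     return 2 ;;
    esac
}

# audit LISTING: print one line per knob that leaves a mitigation off or opt-in.
audit() {
    [ "$(knob "$1" security.curtain)" -ne 0 ] ||
        echo "security.curtain is 0 or absent: ps, netstat and w are not filtered by owner"
    for f in aslr mprotect segvguard; do
        if [ "$(knob "$1" "security.pax.$f.enable")" -eq 0 ]; then
            echo "security.pax.$f.enable is 0 or absent: off even for programs marked with paxctl"
        elif [ "$(knob "$1" "security.pax.$f.global")" -eq 0 ]; then
            echo "security.pax.$f.global is 0 or absent: applies only to programs marked with paxctl"
        fi
    done
}

audit "$SAMPLE"
```

On a NetBSD host, pass "$(sysctl security)" in place of "$SAMPLE" to audit the running kernel.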