.\" $NetBSD: sysctl.7,v 1.69 2012/03/22 07:58:18 wiz Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd September 24, 2011
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits
.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory
.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem
.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking
.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging
.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent
.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level
.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger
.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process
.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( VFS_USERMOUNT )
Determines if non superuser mounts are allowed, defaults to
.Dv 0 .
.It Li vfs.generic.magiclinks ( VFS_MAGICLINKS )
Controls if expansion of variables is going to be performed on pathnames
or not.
Defaults to no variable expansion,
.Dv 0 .
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
A second level name for controlling the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journalling)
capabilities with the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure data integrity in
case of a crash.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4321, or 1234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Type Ta Changeable
.It kern.aio_listio_max Ta integer Ta yes
.It kern.aio_max Ta integer Ta yes
.It kern.arandom Ta integer Ta no
.It kern.argmax Ta integer Ta no
.It kern.boothowto Ta integer Ta no
.It kern.boottime Ta struct timeval Ta no
.\".It kern.bufq Ta node Ta not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.coredump Ta node Ta not applicable
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.cryptodevallowsoft Ta integer Ta yes
.It kern.defcorename Ta string Ta yes
.It kern.detachall Ta integer Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.dump_on_panic Ta integer Ta yes
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.module Ta node Ta not applicable
.It kern.monotonic_clock Ta integer Ta no
.It kern.mqueue Ta node Ta not applicable
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.\".It kern.no_sa_support Ta integer Ta yes
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrevision Ta integer Ta no
.It kern.ostype Ta string Ta no
.\".It kern.panic_now Ta integer Ta yes
.It kern.pipe Ta node Ta not applicable
.\" .It kern.posix Ta node Ta not applicable
.It kern.posix1version Ta integer Ta no
.It kern.posix_aio Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.\".It kern.posix_sched Ta integer Ta yes
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.profiling Ta node Ta not applicable
.\".It kern.pset Ta node Ta not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.sbmax Ta integer Ta yes
.\".It kern.sched Ta node Ta not applicable
.It kern.securelevel Ta integer Ta raise only
.It kern.somaxkva Ta integer Ta yes
.It kern.synchronized_io Ta integer Ta no
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.tty Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.usercrypto Ta integer Ta yes
.It kern.userasymcrypto Ta integer Ta yes
.It kern.veriexec Ta node Ta not applicable
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous
.Tn I/O
operations in a single list I/O call.
Like with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom
This variable picks a random number each time it is queried.
The used random number generator
.Pf ( Tn RNG )
is based on
.Xr arc4random 3 .
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Vt struct timeval
structure is returned.
This structure contains the time that the system was booted.
.\" .It Li kern.bufq
.\" XXX: Undocumented.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Type Ta Changeable
.It kern.coredump.setid.dump Ta integer Ta yes
.It kern.coredump.setid.group Ta integer Ta yes
.It kern.coredump.setid.mode Ta integer Ta yes
.It kern.coredump.setid.owner Ta integer Ta yes
.It kern.coredump.setid.path Ta string Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv \*[Lt] 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv \*[Gt] 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If
.Xr fork 2
system call fails due to limit on number of processes (either
the global maxproc limit or user's one), wait for this many
milliseconds before returning
.Er EAGAIN
error to process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host identifier.
This is aimed to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of open files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.module.autoload Ta integer Ta yes
.It kern.module.verbose Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for additional details.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to
.Tn POSIX
message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.mqueue.mq_open_max Ta integer Ta yes
.It kern.mqueue.mq_prio_max Ta integer Ta yes
.It kern.mqueue.mq_max_msgsize Ta integer Ta yes
.It kern.mqueue.mq_def_maxmsg Ta integer Ta yes
.It kern.mqueue.mq_max_maxmsg Ta integer Ta yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures are returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparam ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.\" .It Li kern.sched
.\" XXX: Undocumented.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.tty
The third level names for the tty setup variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tty.qsize Ta int Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tty.qsize
Control/display the size of the default input and output queues selected
during tty creation.
The value is converted to a power of two, and its range is between
.Dv 1024
and
.Dv 65536 .
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.veriexec.algorithms Ta string Ta no
.It kern.veriexec.count Ta node Ta not applicable
.It kern.veriexec.strict Ta integer Ta yes
.It kern.veriexec.verbose Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.\" XXX: Undocumented: kern.lwp: no children?
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li machdep.booted_kernel Ta string Ta no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta log_movements Ta integer Ta yes
.It arp Ta log_permanent_modify Ta integer Ta yes
.It arp Ta log_wrong_iface Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta rfc6056.selected Ta string Ta yes
.It udp Ta rfc6056.available Ta string Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.recvspace
The default UDP receive buffer size.
.It Li udp.rfc6056.available
The available RFC 6056 port randomization algorithms.
.It Li udp.rfc6056.selected
The currently selected RFC 6056 port randomization algorithm.
.It Li udp.sendspace
The default UDP send buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta rfc6056.selected Ta string Ta yes
.It udp6 Ta rfc6056.available Ta string Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicate address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
The IPv6 specification defines node behavior for the
.Dq router
case and the
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated addresses, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, the kernel IPv6 stack will use the loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.rfc6056.available
The available RFC 6056 port randomization algorithms for IPv6.
.It Li udp6.rfc6056.selected
The currently selected RFC 6056 port randomization algorithm for IPv6.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to the
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Sy Type Ta Sy Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.In netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when generating it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
This prevents a flood of ACQUIRE PF_KEY messages from being sent from the
kernel to the key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates a proposal payload
on an ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
A non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates a proposal payload
on an ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates a proposal payload
on an ACQUIRE PF_KEY message.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
The child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps attach a debugger such as
.Xr gdb 1
to the process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation-specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attach a debugger such as
.Xr gdb 1
to the process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Ss The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Ss The ddb.* subtree ( CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.It ddb.commandonenter Ta string Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DDBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.lines ( DDBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DDBCTL_ONPANIC )
If greater than zero, DDB will be entered if the kernel panics.
A value of 1 causes the system to enter DDB on panic, while a value of 2
causes the kernel to attempt to print out a stack trace before entering DDB.
A value of 0 causes the kernel to attempt to print a stack trace, then
reboot, while a value of \-1 means neither a stack trace will be printed
nor DDB entered.
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.tee_msgbuf
If not zero, DDB will also output to the kernel message buffer.
.It Li ddb.commandonenter
If not empty, a command to be executed on each entry to
.Tn DDB .
.\"
.\" XXX: (a) ddb.commandonenter is missing in ddb(4);
.\"      (b) No DDBCTL definitions for tee_msgbuf and commandonenter.
.El
.Pp
Some of these
.Tn MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain Ta integer Ta yes
.It Li security.models Ta node Ta not applicable
.It Li security.pax Ta node Ta not applicable
.El
.Pp
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter returned objects according to the user
.Tn ID
requesting information about them, preventing users from any
access to objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled Ta integer Ta yes
.\".It Li security.pax.aslr.exec_len integer yes
.It Li security.pax.aslr.global Ta integer Ta yes
.\".It Li security.pax.aslr.mmap_len integer yes
.\".It Li security.pax.aslr.stack_len integer yes
.It Li security.pax.mprotect.enabled Ta integer Ta yes
.It Li security.pax.mprotect.global Ta integer Ta yes
.It Li security.pax.segvguard.enabled Ta integer Ta yes
.It Li security.pax.segvguard.expiry_timeout Ta integer Ta yes
.It Li security.pax.segvguard.global Ta integer Ta yes
.It Li security.pax.segvguard.max_crashes Ta integer Ta yes
.It Li security.pax.segvguard.suspend_timeout Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
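Added example (not part of the NetBSD manual page): a shell function that audits sysctl(8) output or /etc/sysctl.conf lines against a baseline built from the security.curtain, security.pax.* and net.inet6 ip6/icmp6 descriptions above. The baseline values and the sample input are assumptions constructed for illustration, not NetBSD recommendations.

```shell
#!/bin/sh
# Baseline rules, one per line: "<name> <op> <value>".
#   ne = must differ from value, eq = must equal value, ge = must be >= value.
# Assumed policy, derived from the variable descriptions on this page.
BASELINE='security.pax.aslr.enabled ne 0
security.pax.aslr.global ne 0
security.pax.mprotect.enabled ne 0
security.pax.mprotect.global ne 0
security.pax.segvguard.enabled ne 0
security.curtain ne 0
net.inet6.ip6.maxfragpackets ne -1
net.inet6.ip6.maxfrags ne -1
net.inet6.icmp6.errppslimit ge 0
net.inet6.icmp6.rediraccept eq 0
net.inet6.icmp6.nodeinfo eq 0'

# audit_sysctl: reads "name = value" (sysctl output) or "name=value"
# (sysctl.conf) lines on stdin and prints one FAIL or MISSING line per
# finding. Exit status is 0 only when every rule is satisfied.
audit_sysctl() {
    RULES="$BASELINE" awk '
    BEGIN {
        n = split(ENVIRON["RULES"], rule, "\n")
        for (i = 1; i <= n; i++) {
            split(rule[i], f, " ")
            name[i] = f[1]; op[i] = f[2]; want[i] = f[3]
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        seen[k] = v                         # last assignment wins
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = name[i]
            # A node can be absent, e.g. on a kernel built without PaX.
            if (!(k in seen)) { print "MISSING " k; bad++; continue }
            v = seen[k]
            if (v !~ /^-?[0-9]+$/) {
                print "FAIL " k " = " v " (not an integer)"; bad++; continue
            }
            if (op[i] == "ne")      ok = (v + 0 != want[i] + 0)
            else if (op[i] == "eq") ok = (v + 0 == want[i] + 0)
            else                    ok = (v + 0 >= want[i] + 0)
            if (!ok) {
                print "FAIL " k " = " v " (want " op[i] " " want[i] ")"
                bad++
            }
        }
        exit (bad > 0)
    }'
}

# Constructed sample in sysctl(8) output format (not captured from a host).
SAMPLE='security.curtain = 0
security.pax.aslr.enabled = 1
security.pax.aslr.global = 0
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 1
security.pax.segvguard.enabled = 1
net.inet6.ip6.maxfragpackets = -1
net.inet6.ip6.maxfrags = 200
net.inet6.icmp6.errppslimit = 100
net.inet6.icmp6.rediraccept = 1
net.inet6.icmp6.nodeinfo = 0'

# Demonstration on the sample; on a live system: sysctl -a | audit_sysctl
printf '%s\n' "$SAMPLE" | audit_sysctl || true
```

The function only reads values; a reported finding is corrected with sysctl(8) or an entry in /etc/sysctl.conf.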