.\" $NetBSD: sysctl.7,v 1.58 2011/01/19 08:37:56 wiz Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd January 19, 2011
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits
.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory
.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem
.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking
.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging
.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent
.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level
.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger
.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process
.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.El
.Pp
A second level name for controlling the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journalling)
capabilities with the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure data integrity in
case of a crash.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
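An added example, not part of the NetBSD manual page or sources: a POSIX sh function that audits text in the name=value form used in /etc/sysctl.conf for three settings this page documents, vfs.wapbl.flush_disk_cache (above) and kern.coredump.setid.dump and kern.coredump.setid.mode (in the kern.* subtree).
The function name, the warning wording, the sample input and the octal reading of the mode value are assumptions of the example.

```sh
#!/bin/sh
# Added example, not NetBSD code: flag risky values in sysctl.conf-style
# text for three variables documented on this page.

# audit_sysctl_conf FILE
# Prints one "WARN name=value: reason" line per finding.
audit_sysctl_conf() {
    awk '
    # Read a non-negative integer with a leading 0 meaning octal, as C
    # strtol(..., 0) would. That reading is an assumption of this example.
    # Returns -1 for anything it cannot parse.
    function num(s,    i, n) {
        if (s ~ /^0[0-7]+$/) {
            n = 0
            for (i = 2; i <= length(s); i++)
                n = n * 8 + substr(s, i, 1)
            return n
        }
        if (s ~ /^[0-9]+$/)
            return s + 0
        return -1
    }
    /^[ \t]*#/ { next }                      # comment line
    {
        eq = index($0, "=")
        if (eq < 2) next                     # blank line, or no name=value
        name = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[name] = val                     # a later line overrides an earlier one
    }
    END {
        k = "vfs.wapbl.flush_disk_cache"
        if ((k in conf) && num(conf[k]) == 0)
            print "WARN " k "=" conf[k] ": disk cache is not flushed on commit"
        k = "kern.coredump.setid.dump"
        # Any value other than a parsable zero counts as non-zero here.
        if ((k in conf) && num(conf[k]) != 0) {
            print "WARN " k "=" conf[k] ": set-id processes will dump core"
            m = "kern.coredump.setid.mode"
            v = (m in conf) ? num(conf[m]) : -1
            # The low six permission bits are the group and other classes.
            if (v >= 0 && v % 64 != 0)
                print "WARN " m "=" conf[m] ": set-id core files accessible beyond the owner"
        }
    }' "$1"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
vfs.wapbl.flush_disk_cache=0
kern.coredump.setid.dump = 1
kern.coredump.setid.mode=0644
kern.maxfiles=4096
EOF
audit_sysctl_conf "$sample"
rm -f "$sample"
```
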
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4321, or 1234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max Ta integer Ta yes
.It kern.aio_max Ta integer Ta yes
.It kern.arandom Ta integer Ta no
.It kern.argmax Ta integer Ta no
.It kern.boothowto Ta integer Ta no
.It kern.boottime Ta struct timeval Ta no
.\".It kern.bufq node not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.coredump Ta node Ta not applicable
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.cryptodevallowsoft Ta integer Ta yes
.It kern.defcorename Ta string Ta yes
.It kern.detachall Ta integer Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.dump_on_panic Ta integer Ta yes
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.module Ta node Ta not applicable
.It kern.monotonic_clock Ta integer Ta no
.It kern.mqueue Ta node Ta not applicable
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.\".It kern.no_sa_support integer yes
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrevision Ta integer Ta no
.It kern.ostype Ta string Ta no
.\".It kern.panic_now integer yes
.It kern.pipe Ta node Ta not applicable
.\" .It kern.posix node not applicable
.It kern.posix1version Ta integer Ta no
.It kern.posix_aio Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.\".It kern.posix_sched integer yes
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.profiling Ta node Ta not applicable
.\".It kern.pset node not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.sbmax Ta integer Ta yes
.\".It kern.sched node not applicable
.It kern.securelevel Ta integer Ta raise only
.It kern.somaxkva Ta integer Ta yes
.It kern.synchronized_io Ta integer Ta no
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.usercrypto Ta integer Ta yes
.It kern.userasymcrypto Ta integer Ta yes
.It kern.veriexec Ta node Ta not applicable
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous
.Tn I/O
operations in a single list I/O call.
Like with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom
This variable picks a random number each time it is queried.
The used random number generator
.Pf ( Tn RNG )
is based on
.Xr arc4random 3 .
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Vt struct timeval
structure is returned.
This structure contains the time that the system was booted.
.\" .It Li kern.bufq
.\" XXX: Undocumented.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump Ta integer Ta yes
.It kern.coredump.setid.group Ta integer Ta yes
.It kern.coredump.setid.mode Ta integer Ta yes
.It kern.coredump.setid.owner Ta integer Ta yes
.It kern.coredump.setid.path Ta string Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv \*[Lt] 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv \*[Gt] 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4 ) .
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If
.Xr fork 2
system call fails due to limit on number of processes (either
the global maxproc limit or user's one), wait for this many
milliseconds before returning
.Er EAGAIN
error to process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host identifier.
This is intended to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload Ta integer Ta yes
.It kern.module.verbose Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for additional details.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to
.Tn POSIX
message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max Ta integer Ta yes
.It kern.mqueue.mq_prio_max Ta integer Ta yes
.It kern.mqueue.mq_max_msgsize Ta integer Ta yes
.It kern.mqueue.mq_def_maxmsg Ta integer Ta yes
.It kern.mqueue.mq_max_maxmsg Ta integer Ta yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.\" .It Li kern.sched
.\" XXX: Undocumented.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.veriexec.algorithms Ta string Ta no
.It kern.veriexec.count Ta node Ta not applicable
.It kern.veriexec.strict Ta integer Ta yes
.It kern.veriexec.verbose Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.\" XXX: Undocumented: kern.lwp: no children?
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li machdep.booted_kernel Ta string Ta no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It icmp Ta bmcastecho Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of the IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
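Added example (not part of the NetBSD manual page): a small Python linter that checks integer settings against the limits documented above for the net.inet variables and converts the TCP keepalive timers from tcp.slowhz ticks to seconds. The input syntax (name=value lines with # comments), the sample values, and the choice of which settings to list for review are assumptions of this example.

```python
"""Check net.inet settings against the limits documented in sysctl(7)."""
import re

# Constructed sample (not from a real host): name=value lines, '#' comments.
SAMPLE = """\
# constructed settings for the example
net.inet.ip.anonportmin=49152
net.inet.ip.anonportmax=40000
net.inet.ip.lowportmin=600
net.inet.ip.lowportmax=1023
net.inet.ip.hashsize=100
net.inet.ip.allowsrcrt=1
net.inet.ip.maxfragpackets=-1
net.inet.icmp.errppslimit=-1
net.inet.icmp.rediraccept=0
net.inet.tcp.keepidle = 14400
net.inet.tcp.slowhz = 2
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(-?\d+)\s*$")

# Settings listed for review, worded after the descriptions on this page.
# Which values to list is this example's assumption, not a NetBSD policy.
REVIEW = {
    "net.inet.ip.allowsrcrt": (lambda v: v == 1, "host accepts source routed packets"),
    "net.inet.ip.forwsrcrt": (lambda v: v == 1, "source-routed packets are forwarded"),
    "net.inet.ip.directed-broadcast": (lambda v: v == 1, "directed broadcast enabled"),
    "net.inet.ip.maxfragpackets": (lambda v: v == -1, "no limit on fragmented packets"),
    "net.inet.icmp.maskrepl": (lambda v: v == 1, "ICMP network mask requests answered"),
    "net.inet.icmp.bmcastecho": (lambda v: v == 1, "answers broadcast echo/timestamp"),
    "net.inet.icmp.rediraccept": (lambda v: v != 0, "ICMP redirects accepted"),
    "net.inet.icmp.errppslimit": (lambda v: v < 0, "ICMP error rate limitation disabled"),
    "net.inet.tcp.rstppslimit": (lambda v: v < 0, "TCP RST rate limitation disabled"),
}


def parse(text):
    """Return {name: int} for integer settings; comments and blanks are skipped."""
    values = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.split("#", 1)[0])
        if match:
            values[match.group(1)] = int(match.group(2))
    return values


def check_port_range(values, kind, low, high):
    """Apply the documented bounds to ip.<kind>min and ip.<kind>max."""
    findings = []
    lo_name, hi_name = f"net.inet.ip.{kind}min", f"net.inet.ip.{kind}max"
    for name in (lo_name, hi_name):
        value = values.get(name)
        if value is not None and not low <= value <= high:
            findings.append(("error", name, f"{value} is outside {low}..{high}"))
    lo, hi = values.get(lo_name), values.get(hi_name)
    if lo is not None and hi is not None and hi <= lo:
        findings.append(("error", hi_name, f"{hi} must be greater than {lo_name} ({lo})"))
    return findings


def audit(text):
    """Return (severity, name, message) findings for the settings in text."""
    values = parse(text)
    findings = check_port_range(values, "anonport", 1024, 65535)
    findings += check_port_range(values, "lowport", 0, 1024)
    size = values.get("net.inet.ip.hashsize")
    if size is not None and (size <= 0 or size & (size - 1)):
        findings.append(("error", "net.inet.ip.hashsize", f"{size} is not a power of 2"))
    for name, (matches, message) in REVIEW.items():
        if name in values and matches(values[name]):
            findings.append(("review", name, message))
    return findings


def keepalive_seconds(values):
    """Convert tcp.keepidle and tcp.keepintvl from tcp.slowhz ticks to seconds."""
    hz = values.get("net.inet.tcp.slowhz", 0)
    if hz <= 0:
        return {}
    return {
        name: values[f"net.inet.tcp.{name}"] / hz
        for name in ("keepidle", "keepintvl")
        if f"net.inet.tcp.{name}" in values
    }


if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE):
        print(f"{severity:6} {name}: {message}")
    print(keepalive_seconds(parse(SAMPLE)))
```
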
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by a
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of the IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value for the
.Dv IPV6_V6ONLY
socket option for an
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform
the normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant in the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Sy Type Ta Sy Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.In netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non zero, the process' children will be stopped after
.Xr fork 2
calls.
The children are created in the SSTOP state and are never scheduled
for running before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non zero, the process will be stopped on next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Ss The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Ss The ddb.* subtree ( CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.maxwidth Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.It ddb.tee_msgbuf Ta integer Ta yes
.It ddb.commandonenter Ta string Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DDBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.lines ( DDBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DDBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.tee_msgbuf
If not zero, DDB will output also to the kernel message buffer.
.It Li ddb.commandonenter
If not empty, a command to be executed on each enter to the
.Tn DDB .
.\"
.\" XXX: (a) ddb.commandonenter is missing in ddb(4);
.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter.
.El
.Pp
Some of these
.Tn MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain Ta integer Ta yes
.It Li security.models Ta node Ta not applicable
.It Li security.pax Ta node Ta not applicable
.El
.Pp
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter return objects according to the user
.Tn ID
requesting information about them, preventing users from any
access to objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled Ta integer Ta yes
.\".It Li security.pax.aslr.exec_len integer yes
.It Li security.pax.aslr.global Ta integer Ta yes
.\".It Li security.pax.aslr.mmap_len integer yes
.\".It Li security.pax.aslr.stack_len integer yes
.It Li security.pax.mprotect.enabled Ta integer Ta yes
.It Li security.pax.mprotect.global Ta integer Ta yes
.It Li security.pax.segvguard.enabled Ta integer Ta yes
.It Li security.pax.segvguard.expiry_timeout Ta integer Ta yes
.It Li security.pax.segvguard.global Ta integer Ta yes
.It Li security.pax.segvguard.max_crashes Ta integer Ta yes
.It Li security.pax.segvguard.suspend_timeout Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
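The enabled and global knobs under security.pax, described in the security.* subtree above, combine into one of three effective policies per feature. The shell functions below are an added example, not part of the NetBSD manual page: they read sysctl(8) output in its "name = value" form and report that policy. The function names, the sample values and the default "opt-out" audit target are assumptions of this example.

```shell
#!/bin/sh
# Derive the effective PaX policy per feature from sysctl(8) output.
# Input on stdin: lines of the form "security.pax.<feature>.<knob> = <value>".
# Policy, following the descriptions of the enabled/global knobs:
#   enabled == 0              -> off      (explicit per-program enables are ignored)
#   enabled != 0, global == 0 -> opt-in   (only programs marked with paxctl)
#   enabled != 0, global != 0 -> opt-out  (all programs except those exempted)
# A feature whose enabled or global line is absent is reported as "unknown".
pax_policy() {
    awk -F' *= *' '
        $1 ~ /^security\.pax\.[a-z]+\.(enabled|global)$/ {
            split($1, part, ".")
            val[part[3], part[4]] = $2 + 0
        }
        END {
            nf = split("aslr mprotect segvguard", order, " ")
            for (i = 1; i <= nf; i++) {
                f = order[i]
                if (!((f, "enabled") in val) || !((f, "global") in val))
                    p = "unknown"
                else if (val[f, "enabled"] == 0)
                    p = "off"
                else if (val[f, "global"] == 0)
                    p = "opt-in"
                else
                    p = "opt-out"
                print f ": " p
            }
        }'
}

# Exit non-zero if any feature's policy differs from the wanted one.
# The default target "opt-out" is an assumption of this example, not a
# recommendation made by the manual page.
pax_audit() {
    want=${1:-opt-out}
    pax_policy | awk -v want="$want" -F': ' '
        $2 != want { print "FAIL " $0; bad = 1; next }
                   { print "ok   " $0 }
        END        { exit bad + 0 }'
}

# Constructed sample input; the values are illustrative only.
sample_output() {
    cat <<'EOF'
security.pax.aslr.enabled = 1
security.pax.aslr.global = 1
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.segvguard.enabled = 0
security.pax.segvguard.global = 1
security.pax.segvguard.expiry_timeout = 120
security.pax.segvguard.max_crashes = 5
security.pax.segvguard.suspend_timeout = 600
EOF
}

sample_output | pax_policy
```

On a live system the input would come from sysctl(8) instead of the sample, for example by piping its output for the security.pax node into pax_audit.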