.\" $NetBSD: sysctl.7,v 1.20 2009/03/01 21:50:55 wiz Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd March 1, 2009
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.Aq Pa sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column securityXX CTLXSECURITYXX "Next level namesXX" DescriptionXX
.It Sy Name Ta Constant Ta Next level names Ta Description
.It kern Ta CTL\_KERN Ta sys/sysctl.h Ta High kernel limits
.It vm Ta CTL\_VM Ta uvm/uvm_param.h Ta Virtual memory
.It vfs Ta CTL\_VFS Ta sys/mount.h Ta Filesystem
.It net Ta CTL\_NET Ta sys/socket.h Ta Networking
.It debug Ta CTL\_DEBUG Ta sys/sysctl.h Ta Debugging
.It hw Ta CTL\_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta CTL\_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It user Ta CTL\_USER Ta sys/sysctl.h Ta User-level
.It ddb Ta CTL\_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It proc Ta CTL\_PROC Ta sys/sysctl.h Ta Per-process
.It vendor Ta CTL\_VENDOR Ta ? Ta Vendor specific
.It emul Ta CTL\_EMUL Ta sys/sysctl.h Ta Emulation settings
.It security Ta CTL\_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
One of its third level identifiers is
.Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
that gives the highest valid filesystem type number.
Its other third level identifier is
.Li vfs.generic.conf ( VFS_CONF )
that returns configuration information about the filesystem
type given as a fourth level identifier.
The remaining second level identifiers are the
filesystem type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It hw.acpi.supported_states Ta string Ta no
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.acpi.support_states
List of possible
.Tn ACPI
sleep states.
The list can contain the following values:
.Bl -tag -width XS1X
.It S0
fully running
.It S1
power on suspend (CPU and hard disks are off)
.It S2
similar to S3, usually not implemented
.It S3
suspend-to-RAM
.It S4
suspend-to-disk (needs BIOS support)
.It S5
power off
.El
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.ne 1i
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "kern.posix_reader_writer_locks" "struct clockrateXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It kern.argmax Ta integer Ta no
.It kern.autonicetime Ta integer Ta yes
.It kern.autoniceval Ta integer Ta yes
.It kern.boottime Ta struct timeval Ta no
.It kern.bufq Ta node Ta not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.cp\_id Ta struct Ta no
.It kern.cp\_time Ta uint64_t[\|] Ta no
.It kern.defcorename Ta string Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock\_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov\_max Ta integer Ta no
.It kern.job\_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login\_name\_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped\_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock\_range Ta integer Ta no
.It kern.memory\_protection Ta integer Ta no
.It kern.monotonic\_clock Ta integer Ta no
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrev Ta integer Ta no
.It kern.ostype Ta string Ta no
.It kern.pipe Ta node Ta not applicable
.It kern.posix1 Ta integer Ta no
.It kern.posix\_barriers Ta integer Ta no
.It kern.posix\_reader\_writer\_locks Ta integer Ta no
.It kern.posix\_semaphores Ta integer Ta no
.It kern.posix\_spin\_locks Ta integer Ta no
.It kern.posix\_threads Ta integer Ta no
.It kern.posix\_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc\_args Ta string Ta no
.It kern.prof Ta node Ta not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root\_device Ta string Ta no
.It kern.root\_partition Ta integer Ta no
.It kern.rtc\_offset Ta integer Ta yes
.It kern.saved\_ids Ta integer Ta no
.It kern.securelevel Ta integer Ta raise only
.It kern.synchronized\_io Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.ne 1i
.Pp
.Bl -tag -width "123456"
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.autonicetime ( KERN_AUTONICETIME )
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li kern.autoniceval ( KERN_AUTONICEVAL )
The priority assigned for automatically niced processes.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of microseconds per hz tick, and the clock
skew rate.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4 ) .
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system panic.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's one), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host id.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the hostname.
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipesXXX" "integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "Third level nameXXXXXX" "Fourth level is:XXXXXX" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN\_PROC\_ALL Ta None
.It KERN\_PROC\_GID Ta A group ID
.It KERN\_PROC\_PID Ta A process ID
.It KERN\_PROC\_PGRP Ta A process group
.It KERN\_PROC\_RGID Ta A real group ID
.It KERN\_PROC\_RUID Ta A real user ID
.It KERN\_PROC\_SESSION Ta A session ID
.It KERN\_PROC\_TTY Ta A tty device
.It KERN\_PROC\_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "Third level nameXXXXXX" -offset indent
.It KERN\_PROC\_ARGV Ta The argv strings
.It KERN\_PROC\_ENV Ta The environ strings
.It KERN\_PROC\_NARGV Ta The number of argv strings
.It KERN\_PROC\_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "KERN_SYSVIPC_MSGXXX" "integerXXX" "noXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFOXXX" "struct shm_sysctl_infoXXX" -offset indent
.It Sy Fourth level name Ta Type
.It KERN\_SYSVIPC\_MSG\_INFO Ta struct msg_sysctl_info
.It KERN\_SYSVIPC\_SEM\_INFO Ta struct sem_sysctl_info
.It KERN\_SYSVIPC\_SHM\_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.Aq Pa sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.Aq Pa sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.Aq Pa sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "string" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "KERNXTKSTATXRAWCCXXX" "struct integerXXX" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
Tunings for Veriexec.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.\" XXX kern.lwp
.El
.Sh The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "CONSOLE_DEVICEXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li CPU_CONSDEV Ta dev_t Ta no
.El
.Sh The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level nameX" "IPsec key management valuesX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level nameXXXXXX" "Sixth level is:XXX" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET\_RT\_FLAGS Ta rtflags
.It NET\_RT\_DUMP Ta None
.It NET\_RT\_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "Variable nameXX" "integer" "yes" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router
advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information into
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "yes" -offset indent
.It Sy Variable name Ta Type Ta Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging message from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
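.Pp
The kern.coredump.setid, net.inet and net.inet6 descriptions in the preceding sections can be turned into a configuration audit; the script below is an added example, not part of the NetBSD manual page or its sources.
The baseline it checks, the function name audit_sysctl and the sample values are assumptions of this example, chosen from the variable descriptions above.

```shell
#!/bin/sh
# Added example (not part of the manual page). The baseline is this
# example's assumption, derived from the variable descriptions above.

# Constructed sample in the "name = value" form printed by sysctl(8);
# the "name=value" form used in /etc/sysctl.conf is accepted as well.
SAMPLE='kern.coredump.setid.dump = 1
net.inet.ip.allowsrcrt = 0
net.inet.ip.forwsrcrt = 0
net.inet.ip.directed-broadcast = 0
net.inet.ip.maxfragpackets = -1
net.inet.icmp.rediraccept = 1
net.inet.icmp.maskrepl = 0
net.inet.icmp.errppslimit = 100
net.inet.tcp.rstppslimit = 100
# net.inet6.ip6.maxfrags is deliberately absent from this sample
net.inet6.ip6.maxfragpackets=200
net.inet6.icmp6.rediraccept = 0
net.inet6.icmp6.nodeinfo = 3
net.inet6.icmp6.errppslimit = 100'

# audit_sysctl: read settings on stdin and print one line per baseline
# rule: "PASS name value", "FAIL name value (reason)" or "MISSING name".
# Returns 1 if any rule FAILs, 0 otherwise. A MISSING variable (for
# example a kernel built without IPv6) is reported but is not a failure.
audit_sysctl() {
    awk '
    # kind "zero":  the value must be 0 (feature switched off)
    # kind "limit": the value must not be negative, because a negative
    #               value removes the limit the variable provides
    function rule(name, k, text) {
        order[++nrules] = name; kind[name] = k; why[name] = text
    }
    BEGIN {
        rule("kern.coredump.setid.dump", "zero", "set-id processes dump core")
        rule("net.inet.ip.allowsrcrt", "zero", "source routed packets accepted")
        rule("net.inet.ip.forwsrcrt", "zero", "source routed packets forwarded")
        rule("net.inet.ip.directed-broadcast", "zero", "directed broadcast on")
        rule("net.inet.ip.maxfragpackets", "limit", "no cap on fragmented packets")
        rule("net.inet.icmp.rediraccept", "zero", "ICMP redirects accepted")
        rule("net.inet.icmp.maskrepl", "zero", "netmask requests answered")
        rule("net.inet.icmp.errppslimit", "limit", "ICMP error rate limit off")
        rule("net.inet.tcp.rstppslimit", "limit", "TCP RST rate limit off")
        rule("net.inet6.ip6.maxfragpackets", "limit", "no cap on fragmented packets")
        rule("net.inet6.ip6.maxfrags", "limit", "no cap on fragments")
        rule("net.inet6.icmp6.rediraccept", "zero", "ICMPv6 redirects accepted")
        rule("net.inet6.icmp6.nodeinfo", "zero", "node information queries answered")
        rule("net.inet6.icmp6.errppslimit", "limit", "ICMPv6 error rate limit off")
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next                  # not a "name = value" line
        name = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        seen[name] = val                   # a later line overrides an earlier one
    }
    END {
        for (i = 1; i <= nrules; i++) {
            n = order[i]
            if (!(n in seen)) { print "MISSING", n; continue }
            v = seen[n]
            if (v !~ /^-?[0-9]+$/)       ok = 0   # not an integer: fail closed
            else if (kind[n] == "zero")  ok = (v + 0 == 0)
            else                         ok = (v + 0 >= 0)
            if (ok) print "PASS", n, v
            else { print "FAIL", n, v, "(" why[n] ")"; fails++ }
        }
        exit (fails > 0)
    }'
}

# Demonstration on the constructed sample; on a live system the input
# would be the output of sysctl(8) or the contents of /etc/sysctl.conf.
printf '%s\n' "$SAMPLE" | audit_sysctl || true
```

Variables whose safe value depends on the role of the machine, such as ip.forwarding and ip6.accept_rtadv, are left out of the baseline on purpose.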
.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" "yes" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.Pp
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.\" XXX proc.pid.rlimit.sbsize
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
Each child is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps in attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps in attaching a debugger such as
.Xr gdb 1
to a process before it has had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.Pp
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level nameXXXXXX" "struct uvmexp_sysctlXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The integer information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "ddb.fromconsoleXXX" "integerXXX" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.lines ( DBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE )
If non-zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.\" XXX tee_msgbuf maxwidth commandonenter
.El
.Pp
These MIB nodes are also available as variables from within the DDB.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, returned objects are filtered according to the user-id
requesting information about them, preventing users from having any
access to objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enable
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.It Li security.pax.segvguard.max_crashes
Max number of segfaults a program can receive before suspension.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
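The security.pax section above describes two knobs per feature: .enable as a master switch and .global as the default for programs without an explicit flag. The following shell script is an added example (not part of the NetBSD manual page or source) that resolves the effective state for one program from sysctl(8)-style output. The function names, the flag labels enable/disable/none and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not NetBSD code. Function names and the flag labels
# enable/disable/none (standing for a program's paxctl(8) marking) are
# hypothetical; the sample values below are constructed.

# Constructed sample in the "name = value" format printed by sysctl(8).
SAMPLE='security.pax.aslr.enable = 1
security.pax.aslr.global = 0
security.pax.mprotect.enable = 0
security.pax.mprotect.global = 1
security.pax.segvguard.enable = 1
security.pax.segvguard.global = 1'

# pax_effective FEATURE FLAG   (sysctl output on stdin)
# Prints "on" or "off" for one program; exits 2 on missing knobs or a bad flag.
pax_effective() {
    awk -v feat="$1" -v flag="$2" '
        BEGIN { FS = "[ \t]*=[ \t]*" }
        $1 == ("security.pax." feat ".enable") { en = $2; have_e = 1 }
        $1 == ("security.pax." feat ".global") { gl = $2; have_g = 1 }
        END {
            if (!have_e || !have_g) exit 2
            if (flag != "enable" && flag != "disable" && flag != "none") exit 2
            # .enable is the master switch: zero wins even over an explicit
            # per-program enable (stated on the page for aslr and mprotect;
            # applied to segvguard here as an assumption).
            # An explicit flag then overrides .global, which is only the
            # default for unmarked programs.
            if (en + 0 == 0)            print "off"
            else if (flag == "enable")  print "on"
            else if (flag == "disable") print "off"
            else if (gl + 0 != 0)       print "on"
            else                        print "off"
        }'
}

# Print "feature:state" for every feature that a program with no paxctl(8)
# marking would run without (sysctl output on stdin).
pax_unprotected_defaults() {
    conf=$(cat)
    for f in aslr mprotect segvguard; do
        state=$(printf '%s\n' "$conf" | pax_effective "$f" none) || state=unknown
        [ "$state" = on ] || printf '%s:%s\n' "$f" "$state"
    done
}

# Demo on the constructed sample; on a live system pipe `sysctl security.pax`.
printf '%s\n' "$SAMPLE" | pax_unprotected_defaults
```

In the sample, mprotect is off for every program despite .global being 1, because .enable is 0; this is the misconfiguration the check is meant to surface.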