.\" $NetBSD: sysctl.7,v 1.22 2009/05/18 00:41:53 snj Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd May 18, 2009
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.Aq Pa sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column security CTL_SECURITY "Next level names" "High kernel limits"
.It Sy Name Ta Constant Ta Next level names Ta Description
.It kern Ta CTL_KERN Ta sys/sysctl.h Ta High kernel limits
.It vm Ta CTL_VM Ta uvm/uvm_param.h Ta Virtual memory
.It vfs Ta CTL_VFS Ta sys/mount.h Ta Filesystem
.It net Ta CTL_NET Ta sys/socket.h Ta Networking
.It debug Ta CTL_DEBUG Ta sys/sysctl.h Ta Debugging
.It hw Ta CTL_HW Ta sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta CTL_MACHDEP Ta sys/sysctl.h Ta Machine dependent
.It user Ta CTL_USER Ta sys/sysctl.h Ta User-level
.It ddb Ta CTL_DDB Ta sys/sysctl.h Ta In-kernel debugger
.It proc Ta CTL_PROC Ta sys/sysctl.h Ta Per-process
.It vendor Ta CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta CTL_EMUL Ta sys/sysctl.h Ta Emulation settings
.It security Ta CTL_SECURITY Ta sys/sysctl.h Ta Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
One of its third level identifiers is
.Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
that gives the highest valid filesystem type number.
Its other third level identifier is
.Li vfs.generic.conf ( VFS_CONF )
that returns configuration information about the filesystem
type given as a fourth level identifier.
The remaining second level identifiers are the
filesystem type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.acpi.supported_states" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It hw.acpi.supported_states Ta string Ta no
.It hw.alignbytes Ta integer Ta no
.It hw.byteorder Ta integer Ta no
.It hw.cnmagic Ta string Ta yes
.It hw.disknames Ta string Ta no
.It hw.diskstats Ta struct Ta no
.It hw.machine Ta string Ta no
.It hw.machine_arch Ta string Ta no
.It hw.model Ta string Ta no
.It hw.ncpu Ta integer Ta no
.It hw.pagesize Ta integer Ta no
.It hw.physmem Ta integer Ta no
.It hw.physmem64 Ta quad Ta no
.It hw.usermem Ta integer Ta no
.It hw.usermem64 Ta quad Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.acpi.supported_states
List of possible
.Tn ACPI
sleep states.
The list can contain the following values:
.Bl -tag -width XS1X
.It S0
fully running
.It S1
power on suspend (CPU and hard disks are off)
.It S2
similar to S3, usually not implemented
.It S3
suspend-to-RAM
.It S4
suspend-to-disk (needs BIOS support)
.It S5
power off
.El
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4321, or 1234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "kern.posix_reader_writer_locks" "struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Type Ta Changeable
.It kern.argmax Ta integer Ta no
.It kern.autonicetime Ta integer Ta yes
.It kern.autoniceval Ta integer Ta yes
.It kern.boottime Ta struct timeval Ta no
.It kern.bufq Ta node Ta not applicable
.It kern.ccpu Ta integer Ta no
.It kern.clockrate Ta struct clockinfo Ta no
.It kern.consdev Ta integer Ta no
.It kern.cp_id Ta struct Ta no
.It kern.cp_time Ta uint64_t[\|] Ta no
.It kern.defcorename Ta string Ta yes
.It kern.domainname Ta string Ta yes
.It kern.drivers Ta struct kinfo_drivers Ta no
.It kern.file Ta struct file Ta no
.It kern.forkfsleep Ta integer Ta yes
.It kern.fscale Ta integer Ta no
.It kern.fsync Ta integer Ta no
.It kern.hardclock_ticks Ta integer Ta no
.It kern.hostid Ta integer Ta yes
.It kern.hostname Ta string Ta yes
.It kern.iov_max Ta integer Ta no
.It kern.job_control Ta integer Ta no
.It kern.labeloffset Ta integer Ta no
.It kern.labelsector Ta integer Ta no
.It kern.login_name_max Ta integer Ta no
.It kern.logsigexit Ta integer Ta yes
.It kern.mapped_files Ta integer Ta no
.It kern.maxfiles Ta integer Ta yes
.It kern.maxpartitions Ta integer Ta no
.It kern.maxphys Ta integer Ta no
.It kern.maxproc Ta integer Ta yes
.It kern.maxptys Ta integer Ta yes
.It kern.maxvnodes Ta integer Ta yes
.It kern.mbuf Ta node Ta not applicable
.It kern.memlock Ta integer Ta no
.It kern.memlock_range Ta integer Ta no
.It kern.memory_protection Ta integer Ta no
.It kern.monotonic_clock Ta integer Ta no
.It kern.msgbuf Ta integer Ta no
.It kern.msgbufsize Ta integer Ta no
.It kern.ngroups Ta integer Ta no
.It kern.ntptime Ta struct ntptimeval Ta no
.It kern.osrelease Ta string Ta no
.It kern.osrev Ta integer Ta no
.It kern.ostype Ta string Ta no
.It kern.pipe Ta node Ta not applicable
.It kern.posix1 Ta integer Ta no
.It kern.posix_barriers Ta integer Ta no
.It kern.posix_reader_writer_locks Ta integer Ta no
.It kern.posix_semaphores Ta integer Ta no
.It kern.posix_spin_locks Ta integer Ta no
.It kern.posix_threads Ta integer Ta no
.It kern.posix_timers Ta integer Ta no
.It kern.proc Ta struct kinfo_proc Ta no
.It kern.proc2 Ta struct kinfo_proc2 Ta no
.It kern.proc_args Ta string Ta no
.It kern.prof Ta node Ta not applicable
.It kern.rawpartition Ta integer Ta no
.It kern.root_device Ta string Ta no
.It kern.root_partition Ta integer Ta no
.It kern.rtc_offset Ta integer Ta yes
.It kern.saved_ids Ta integer Ta no
.It kern.securelevel Ta integer Ta raise only
.It kern.synchronized_io Ta integer Ta no
.It kern.ipc Ta node Ta not applicable
.It kern.timecounter Ta node Ta not applicable
.It kern.timex Ta struct Ta no
.It kern.tkstat Ta node Ta not applicable
.It kern.urandom Ta integer Ta no
.It kern.version Ta string Ta no
.It kern.vnode Ta struct vnode Ta no
.El
.Bl -tag -width "123456"
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.autonicetime ( KERN_AUTONICETIME )
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li kern.autoniceval ( KERN_AUTONICEVAL )
The priority assigned for automatically niced processes.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of microseconds per hz tick, and the clock
skew rate.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system panic.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL-terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to the limit on the number of processes (either
the global maxproc limit or the user's own), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host id.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the hostname.
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than the number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat Ta integer Ta yes
.It kern.mbuf.mclbytes Ta integer Ta yes
.It kern.mbuf.mcllowat Ta integer Ta yes
.It kern.mbuf.msize Ta integer Ta yes
.It kern.mbuf.nmbclusters Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.pipe.kvasiz Ta integer Ta yes
.It kern.pipe.maxbigpipes Ta integer Ta yes
.It kern.pipe.maxkvasz Ta integer Ta yes
.It kern.pipe.limitkva Ta integer Ta yes
.It kern.pipe.nbigpipes Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Fourth level is:
.It KERN_PROC_ALL Ta None
.It KERN_PROC_GID Ta A group ID
.It KERN_PROC_PID Ta A process ID
.It KERN_PROC_PGRP Ta A process group
.It KERN_PROC_RGID Ta A real group ID
.It KERN_PROC_RUID Ta A real user ID
.It KERN_PROC_SESSION Ta A session ID
.It KERN_PROC_TTY Ta A tty device
.It KERN_PROC_UID Ta A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV Ta The argv strings
.It KERN_PROC_ENV Ta The environ strings
.It KERN_PROC_NARGV Ta The number of argv strings
.It KERN_PROC_NENV Ta The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.profiling.count Ta u_short[\|] Ta yes
.It kern.profiling.froms Ta u_short[\|] Ta yes
.It kern.profiling.gmonparam Ta struct gmonparam Ta no
.It kern.profiling.state Ta integer Ta yes
.It kern.profiling.tos Ta struct tostruct Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.ipc.sysvmsg Ta integer Ta no
.It kern.ipc.sysvsem Ta integer Ta no
.It kern.ipc.sysvshm Ta integer Ta no
.It kern.ipc.sysvipc_info Ta struct Ta no
.It kern.ipc.shmmax Ta integer Ta yes
.It kern.ipc.shmmni Ta integer Ta yes
.It kern.ipc.shmseg Ta integer Ta yes
.It kern.ipc.shmmaxpgs Ta integer Ta yes
.It kern.ipc.shm_use_phys Ta integer Ta yes
.It kern.ipc.msgmni Ta integer Ta yes
.It kern.ipc.msgseg Ta integer Ta yes
.It kern.ipc.semmni Ta integer Ta yes
.It kern.ipc.semmns Ta integer Ta yes
.It kern.ipc.semmnu Ta integer Ta yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Type
.It KERN_SYSVIPC_MSG_INFO Ta struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO Ta struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO Ta struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.Aq Pa sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.Aq Pa sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.Aq Pa sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.timecounter.choice Ta string Ta no
.It kern.timecounter.hardware Ta string Ta yes
.It kern.timecounter.timestepwarnings Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It kern.tkstat.cancc Ta quad Ta no
.It kern.tkstat.nin Ta quad Ta no
.It kern.tkstat.nout Ta quad Ta no
.It kern.tkstat.rawcc Ta quad Ta no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
Tunings for Veriexec.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes' coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as kern.defcorename.
.El
.\" XXX kern.lwp
.El
.Sh The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "Second level name" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It Li CPU_CONSDEV Ta dev_t Ta no
.El
.Sh The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It net.route Ta routing messages Ta no
.It net.inet Ta IPv4 values Ta yes
.It net.inet6 Ta IPv6 values Ta yes
.It net.key Ta IPsec key management values Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sixth level is:
.It NET_RT_FLAGS Ta rtflags
.It NET_RT_DUMP Ta None
.It NET_RT_IFLIST Ta None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It arp Ta down Ta integer Ta yes
.It arp Ta keep Ta integer Ta yes
.It arp Ta prune Ta integer Ta yes
.It arp Ta refresh Ta integer Ta yes
.It carp Ta allow Ta integer Ta yes
.It carp Ta preempt Ta integer Ta yes
.It carp Ta log Ta integer Ta yes
.It carp Ta arpbalance Ta integer Ta yes
.It icmp Ta errppslimit Ta integer Ta yes
.It icmp Ta maskrepl Ta integer Ta yes
.It icmp Ta rediraccept Ta integer Ta yes
.It icmp Ta redirtimeout Ta integer Ta yes
.It ip Ta allowsrcrt Ta integer Ta yes
.It ip Ta anonportmax Ta integer Ta yes
.It ip Ta anonportmin Ta integer Ta yes
.It ip Ta checkinterface Ta integer Ta yes
.It ip Ta directed-broadcast Ta integer Ta yes
.It ip Ta do_loopback_cksum Ta integer Ta yes
.It ip Ta forwarding Ta integer Ta yes
.It ip Ta forwsrcrt Ta integer Ta yes
.It ip Ta gifttl Ta integer Ta yes
.It ip Ta grettl Ta integer Ta yes
.It ip Ta hashsize Ta integer Ta yes
.It ip Ta hostzerobroadcast Ta integer Ta yes
.It ip Ta lowportmin Ta integer Ta yes
.It ip Ta lowportmax Ta integer Ta yes
.It ip Ta maxflows Ta integer Ta yes
.It ip Ta maxfragpackets Ta integer Ta yes
.It ip Ta mtudisc Ta integer Ta yes
.It ip Ta mtudisctimeout Ta integer Ta yes
.It ip Ta random_id Ta integer Ta yes
.It ip Ta redirect Ta integer Ta yes
.It ip Ta subnetsarelocal Ta integer Ta yes
.It ip Ta ttl Ta integer Ta yes
.It tcp Ta rfc1323 Ta integer Ta yes
.It tcp Ta sendspace Ta integer Ta yes
.It tcp Ta recvspace Ta integer Ta yes
.It tcp Ta mssdflt Ta integer Ta yes
.It tcp Ta syn_cache_limit Ta integer Ta yes
.It tcp Ta syn_bucket_limit Ta integer Ta yes
.It tcp Ta syn_cache_interval Ta integer Ta yes
.It tcp Ta init_win Ta integer Ta yes
.It tcp Ta init_win_local Ta integer Ta yes
.It tcp Ta mss_ifmtu Ta integer Ta yes
.It tcp Ta win_scale Ta integer Ta yes
.It tcp Ta timestamps Ta integer Ta yes
.It tcp Ta compat_42 Ta integer Ta yes
.It tcp Ta cwm Ta integer Ta yes
.It tcp Ta cwm_burstsize Ta integer Ta yes
.It tcp Ta ack_on_push Ta integer Ta yes
.It tcp Ta keepidle Ta integer Ta yes
.It tcp Ta keepintvl Ta integer Ta yes
.It tcp Ta keepcnt Ta integer Ta yes
.It tcp Ta slowhz Ta integer Ta no
.It tcp Ta keepinit Ta integer Ta yes
.It tcp Ta log_refused Ta integer Ta yes
.It tcp Ta rstppslimit Ta integer Ta yes
.It tcp Ta ident Ta struct Ta no
.It tcp Ta drop Ta struct Ta no
.It tcp Ta sack.enable Ta integer Ta yes
.It tcp Ta sack.globalholes Ta integer Ta no
.It tcp Ta sack.globalmaxholes Ta integer Ta yes
.It tcp Ta sack.maxholes Ta integer Ta yes
.It tcp Ta ecn.enable Ta integer Ta yes
.It tcp Ta ecn.maxretries Ta integer Ta yes
.It tcp Ta congctl.selected Ta string Ta yes
.It tcp Ta congctl.available Ta string Ta yes
.It tcp Ta abc.enable Ta integer Ta yes
.It tcp Ta abc.aggressive Ta integer Ta yes
.It udp Ta checksum Ta integer Ta yes
.It udp Ta do_loopback_cksum Ta integer Ta yes
.It udp Ta recvspace Ta integer Ta yes
.It udp Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those addresses are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packets that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name Ta Variable name Ta Type Ta Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router
advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls the amount of logs generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not go out from the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name Ta Type Ta Changeable
.It debug Ta integer Ta yes
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates it from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It prevents a flood of ACQUIRE PF_KEY messages from being sent from the
kernel to the key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
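The limits stated in the net.inet and net.inet6 descriptions above (port ranges, power-of-2 hash sizes, the \-1 and negative values that lift fragment and rate limits) can be checked before a settings file is loaded. The following is an added example, not part of the NetBSD manual; the function names, the "name=value" input format with "#" comments, and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Lint sysctl.conf-style "name=value" lines read from stdin against limits
# and cautions stated in the net.inet / net.inet6 descriptions above.
# Prints one "name: finding" line per problem and nothing for a clean file.
lint_sysctl_conf() {
    awk '
    function isint(n) { return (n in v) && v[n] ~ /^-?[0-9]+$/ }
    function note(n, msg) { print n ": " msg }
    function range(n, lo, hi) {
        if (isint(n) && (v[n] + 0 < lo || v[n] + 0 > hi))
            note(n, "value " v[n] " outside " lo ".." hi)
    }
    function ordered(lo, hi) {      # only checkable when both are in the file
        if (isint(lo) && isint(hi) && v[hi] + 0 <= v[lo] + 0)
            note(hi, "must be greater than " lo " (" v[lo] ")")
    }
    function pow2(n,    x) {
        if (!isint(n)) return
        x = v[n] + 0
        while (x > 1 && x % 2 == 0) x = x / 2
        if (x != 1) note(n, "value " v[n] " is not a power of 2")
    }
    function equals(n, bad, msg) {
        if (isint(n) && v[n] + 0 == bad) note(n, msg)
    }
    function negative(n, what) {
        if (isint(n) && v[n] + 0 < 0)
            note(n, "negative value disables " what " rate limitation")
    }
    {
        sub(/#.*/, "")                  # drop comments
        eq = index($0, "=")
        if (eq == 0) next               # blank or malformed line
        name = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/[ \t]/, "", name)
        gsub(/[ \t]/, "", val)
        v[name] = val                   # assumption: last assignment wins
    }
    END {
        split("net.inet.ip net.inet6.ip6", fam, " ")
        for (i = 1; i <= 2; i++) {
            p = fam[i]
            range(p ".anonportmin", 1024, 65535)
            range(p ".anonportmax", 1024, 65535)
            ordered(p ".anonportmin", p ".anonportmax")
            range(p ".lowportmin", 0, 1024)
            range(p ".lowportmax", 0, 1024)
            ordered(p ".lowportmin", p ".lowportmax")
            pow2(p ".hashsize")
            equals(p ".maxfragpackets", -1, "-1 accepts unlimited fragmented packets")
        }
        equals("net.inet6.ip6.maxfrags", -1, "-1 accepts unlimited fragments")
        negative("net.inet.icmp.errppslimit", "ICMP error")
        negative("net.inet.tcp.rstppslimit", "TCP RST")
        negative("net.inet6.icmp6.errppslimit", "ICMPv6 error")
        equals("net.inet.udp.checksum", 0, "disabling UDP checksums is strongly discouraged")
        equals("net.inet.tcp.compat_42", 1, "4.2BSD work-arounds are not recommended")
        if (isint("net.inet6.icmp6.nd6_debug") && v["net.inet6.icmp6.nd6_debug"] + 0 != 0)
            note("net.inet6.icmp6.nd6_debug", "must be 0 for normal operation")
    }'
}

# Constructed sample input, not taken from a real host.
sample_conf() {
    cat <<'EOF'
net.inet.ip.anonportmin=49152
net.inet.ip.anonportmax=40000      # not above anonportmin
net.inet.ip.lowportmin=600
net.inet.ip.lowportmax=2048        # above 1024
net.inet.ip.hashsize=300
net.inet.ip.maxfragpackets=-1
net.inet.icmp.errppslimit=-1
net.inet.tcp.rstppslimit=100
net.inet.udp.checksum=0
net.inet6.ip6.hashsize=256
net.inet6.ip6.maxfrags=200
net.inet6.icmp6.nd6_debug=1
EOF
}

sample_conf | lint_sysctl_conf
```

The ordering checks fire only when both the minimum and the maximum appear in the file, since the running kernel's value for an unlisted variable is not known to the script.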
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Type Ta Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non zero, the process' children will be stopped after
.Xr fork 2
calls.
The children are created in the SSTOP state and are never scheduled
for running before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non zero, the process will be stopped on next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It user.atexit_max Ta integer Ta no
.It user.bc_base_max Ta integer Ta no
.It user.bc_dim_max Ta integer Ta no
.It user.bc_scale_max Ta integer Ta no
.It user.bc_string_max Ta integer Ta no
.It user.coll_weights_max Ta integer Ta no
.It user.cs_path Ta string Ta no
.It user.expr_nest_max Ta integer Ta no
.It user.line_max Ta integer Ta no
.It user.posix2_c_bind Ta integer Ta no
.It user.posix2_c_dev Ta integer Ta no
.It user.posix2_char_term Ta integer Ta no
.It user.posix2_fort_dev Ta integer Ta no
.It user.posix2_fort_run Ta integer Ta no
.It user.posix2_localedef Ta integer Ta no
.It user.posix2_sw_dev Ta integer Ta no
.It user.posix2_upe Ta integer Ta no
.It user.posix2_version Ta integer Ta no
.It user.re_dup_max Ta integer Ta no
.It user.stream_max Ta integer Ta no
.It user.tzname_max Ta integer Ta no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parentheses by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It vm.anonmax Ta int Ta yes
.It vm.anonmin Ta int Ta yes
.It vm.bufcache Ta int Ta yes
.It vm.bufmem Ta int Ta no
.It vm.bufmem_hiwater Ta int Ta yes
.It vm.bufmem_lowater Ta int Ta yes
.It vm.execmax Ta int Ta yes
.It vm.execmin Ta int Ta yes
.It vm.filemax Ta int Ta yes
.It vm.filemin Ta int Ta yes
.It vm.loadavg Ta struct loadavg Ta no
.It vm.maxslp Ta int Ta no
.It vm.nkmempages Ta int Ta no
.It vm.uspace Ta int Ta no
.It vm.uvmexp Ta struct uvmexp Ta no
.It vm.uvmexp2 Ta struct uvmexp_sysctl Ta no
.It vm.vmmeter Ta struct vmtotal Ta no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The integer information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Type Ta Changeable
.It ddb.radix Ta integer Ta yes
.It ddb.maxoff Ta integer Ta yes
.It ddb.lines Ta integer Ta yes
.It ddb.tabstops Ta integer Ta yes
.It ddb.onpanic Ta integer Ta yes
.It ddb.fromconsole Ta integer Ta yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.lines ( DBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.\" XXX tee_msgbuf maxwidth commandonenter
.El
.Pp
These MIB nodes are also available as variables from within the DDB.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter returned objects according to the user-id
requesting information about them, preventing users from
accessing objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enable
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.It Li security.pax.segvguard.max_crashes
Max number of segfaults a program can receive before suspension.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .
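The interaction between the security.pax.*.enable and security.pax.*.global knobs and per-binary paxctl(8) markings, described in the security.* subtree above, worked through as an added example that is not part of the original manual page or of NetBSD.
It assumes the "name = value" form printed by sysctl(8); the sample values are constructed, the function names are hypothetical, and a knob missing from the input is treated as 0.

```shell
#!/bin/sh
# Added example: report which programs receive each PaX feature, given
# the output of `sysctl security.pax` on stdin.

# Constructed sample input (not captured from a real host).
sample_sysctl() {
cat <<'EOF'
security.pax.aslr.enable = 1
security.pax.aslr.global = 1
security.pax.mprotect.enable = 1
security.pax.mprotect.global = 0
security.pax.segvguard.enable = 0
security.pax.segvguard.global = 0
EOF
}

# pax_knob FEATURE KNOB: print security.pax.FEATURE.KNOB from stdin.
# Assumption: a knob that is absent from the input counts as 0.
pax_knob() {
    awk -v key="security.pax.$1.$2" '
        $1 == key && $2 == "=" { v = $3 }
        END { print (v == "" ? 0 : v) }'
}

# pax_effective ENABLE GLOBAL FLAG: print "on" or "off".
# FLAG is the per-binary paxctl(8) marking: enable, disable or none.
pax_effective() {
    # .enable is the master switch: while it is zero, even a binary
    # marked "explicit enable" does not get the feature.
    if [ "$1" -eq 0 ]; then
        echo off
    elif [ "$2" -ne 0 ]; then
        # global non-zero: everything except explicitly exempted binaries
        if [ "$3" = disable ]; then echo off; else echo on; fi
    else
        # global zero: only binaries explicitly marked
        if [ "$3" = enable ]; then echo on; else echo off; fi
    fi
}

# pax_report: one summary line per feature, for the three marking cases.
pax_report() {
    input=$(cat)
    for feat in aslr mprotect segvguard; do
        en=$(printf '%s\n' "$input" | pax_knob "$feat" enable)
        gl=$(printf '%s\n' "$input" | pax_knob "$feat" global)
        printf '%s unmarked=%s explicit-enable=%s explicit-disable=%s\n' \
            "$feat" \
            "$(pax_effective "$en" "$gl" none)" \
            "$(pax_effective "$en" "$gl" enable)" \
            "$(pax_effective "$en" "$gl" disable)"
    done
}

sample_sysctl | pax_report
```

On a live system the report would be fed with `sysctl security.pax | pax_report`; a line showing unmarked=off means the mitigation reaches only binaries that were individually marked.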