SYSCTL(7) NetBSD Miscellaneous Information Manual SYSCTL(7)
NAME
sysctl -- system information variables
DESCRIPTION
The sysctl(3) library function and the sysctl(8) utility are used to get and set values of system variables, maintained by the kernel. The vari- ables are organized in a tree and identified by a sequence of numbers, conventionally separated by dots with the topmost identifier at the left side. The numbers have corresponding text names. The sysctlnametomib(3) function or the -M argument to the sysctl(8) utility can be used to con- vert the text representation to the numeric one. The individual sysctl variables are described below, both the textual and numeric form where applicable. The textual names can be used as argument to the sysctl(8) utility and in the file /etc/sysctl.conf. The numeric names are usually defined as preprocessor constants and are intended for use by programs. Every such constant expands to one integer, which iden- tifies the sysctl variable relative to the upper level of the tree. See the sysctl(3) manual page for programming examples. Top level names The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and are as follows. The next and subsequent levels down are found in the include files listed here, and described in separate sections below. Name Constant Next level names Description kern CTL_KERN <sys/sysctl.h> High kernel limits vm CTL_VM <uvm/uvm_param.h> Virtual memory vfs CTL_VFS <sys/mount.h> Filesystem net CTL_NET <sys/socket.h> Networking debug CTL_DEBUG <sys/sysctl.h> Debugging hw CTL_HW <sys/sysctl.h> Generic CPU, I/O machdep CTL_MACHDEP <sys/sysctl.h> Machine dependent user CTL_USER <sys/sysctl.h> User-level ddb CTL_DDB <sys/sysctl.h> In-kernel debugger proc CTL_PROC <sys/sysctl.h> Per-process vendor CTL_VENDOR ? Vendor specific emul CTL_EMUL <sys/sysctl.h> Emulation settings security CTL_SECURITY <sys/sysctl.h> Security settings The debug.* subtree The debugging variables vary from system to system. A debugging variable may be added or deleted without need to recompile sysctl to know about it. Each time it runs, sysctl gets the list of debugging variables from the kernel and displays their current values. The system defines twenty (struct ctldebug) variables named debug0 through debug19. They are declared as separate variables so that they can be individually initial- ized at the location of their associated variable. The loader prevents multiple use of the same variable by issuing errors if a variable is ini- tialized in more than one place. For example, to export the variable dospecialcheck as a debugging variable, the following declaration would be used: int dospecialcheck = 1; struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck }; Note that the dynamic implementation of sysctl currently in use largely makes this particular sysctl interface obsolete. See sysctl(8) for more information. The vfs.* subtree A distinguished second level name, vfs.generic (VFS_GENERIC), is used to get general information about all file systems. It has the following third level identifiers: vfs.generic.maxtypenum (VFS_MAXTYPENUM) The highest valid file system type number. vfs.generic.conf (VFS_CONF) Returns configuration information about the file system type given as a fourth level identifier. vfs.generic.usermount (VFS_USERMOUNT) Determines if non superuser mounts are allowed, defaults to 0. vfs.generic.magiclinks (VFS_MAGICLINKS) Controls if expansion of variables is going to be performed on pathnames or not. Defaults to no variable expansion, 0. Vari- ables are of the form @name and the variables supported are described in symlink(7) under ``MAGIC SYMLINKS''. A second level name for controlling the wapbl(4) (Write Ahead Physical Block Logging file system journaling) capabilities with the following third level identifiers: vfs.wapbl.flush_disk_cache Controls whether to attempt to flush the disk cache on each com- mit. It defaults to 1 and it should always be on to ensure integrity of file system metadata in the event of a power loss. For slow disks, turning it off can improve performance. vfs.wapbl.verbose_commit For each transaction log commit, print the number of bytes writ- ten and the time it took to commit as seconds.nanoseconds. The remaining second level identifiers are the file system names, identi- fied by the type number returned by a statvfs(2) call or from vfs.generic.conf. The third level identifiers available for each file system are given in the header file that defines the mount argument structure for that file system. The hw.* subtree The string and integer information available for the hw level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Second level name Type Changeable hw.alignbytes integer no hw.byteorder integer no hw.cnmagic string yes hw.disknames string no hw.diskstats struct no hw.machine string no hw.machine_arch string no hw.model string no hw.ncpu integer no hw.ncpuonline integer no hw.pagesize integer no hw.physmem integer no hw.physmem64 quad no hw.usermem integer no hw.usermem64 quad no hw.alignbytes (HW_ALIGNBYTES) Alignment constraint for all possible data types. This shows the value ALIGNBYTES in <machine/param.h>, at the kernel compilation time. hw.byteorder (HW_BYTEORDER) The byteorder (4321, or 1234). hw.cnmagic (HW_CNMAGIC) The console magic key sequence. hw.disknames (HW_DISKNAMES) The list of (space separated) disk device names on the system. hw.iostatnames (HW_IOSTATNAMES) A space separated list of devices that will have I/O statistics collected on them. hw.iostats (HW_IOSTATS) Return statistical information on the NFS mounts, disk and tape devices on the system. An array of struct io_sysctl structures is returned, whose size depends on the current number of such objects in the system. The third level name is the size of the struct io_sysctl. The type of object can be determined by exam- ining the type element of struct io_sysctl. Which can be IOSTAT_DISK (disk drive), IOSTAT_TAPE (tape drive), or IOSTAT_NFS (NFS mount). hw.machine (HW_MACHINE) The machine class. hw.machine_arch (HW_MACHINE_ARCH) The machine CPU class. hw.model (HW_MODEL) The machine model. hw.ncpu (HW_NCPU) The number of CPUs configured. hw.ncpuonline (HW_NCPUONLINE) The number of CPUs online. hw.pagesize (HW_PAGESIZE) The software page size. hw.physmem (HW_PHYSMEM) The bytes of physical memory as a 32-bit integer. hw.physmem64 (HW_PHYSMEM64) The bytes of physical memory as a 64-bit integer. hw.usermem (HW_USERMEM) The bytes of non-kernel memory as a 32-bit integer. hw.usermem64 (HW_USERMEM64) The bytes of non-kernel memory as a 64-bit integer. The kern.* subtree This subtree includes data generally related to the kernel. The string and integer information available for the kern level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Second level name Type Changeable kern.aio_listio_max integer yes kern.aio_max integer yes kern.arandom integer no kern.argmax integer no kern.boothowto integer no kern.boottime struct timespec no kern.buildinfo string no kern.ccpu integer no kern.clockrate struct clockinfo no kern.consdev integer no kern.coredump node not applicable kern.cp_id struct no kern.cp_time uint64_t[] no kern.cryptodevallowsoft integer yes kern.defcorename string yes kern.detachall integer yes kern.domainname string yes kern.drivers struct kinfo_drivers no kern.dump_on_panic integer yes kern.expose_address integer yes kern.file struct file no kern.forkfsleep integer yes kern.fscale integer no kern.fsync integer no kern.hardclock_ticks integer no kern.hostid integer yes kern.hostname string yes kern.iov_max integer no kern.ipc node not applicable kern.job_control integer no kern.labeloffset integer no kern.labelsector integer no kern.login_name_max integer no kern.logsigexit integer yes kern.lwp struct kinfo_lwp yes kern.mapped_files integer no kern.maxfiles integer yes kern.maxlwp integer yes kern.maxpartitions integer no kern.maxphys integer no kern.maxproc integer yes kern.maxptys integer yes kern.maxvnodes integer yes kern.messages integer yes kern.mbuf node not applicable kern.memlock integer no kern.memlock_range integer no kern.memory_protection integer no kern.module node not applicable kern.monotonic_clock integer no kern.mqueue node not applicable kern.msgbuf integer no kern.msgbufsize integer no kern.ngroups integer no kern.ntptime struct ntptimeval no kern.osrelease string no kern.osrevision integer no kern.ostype string no kern.pipe node not applicable kern.pool struct pool_sysctl no kern.posix1version integer no kern.posix_aio integer no kern.posix_barriers integer no kern.posix_reader_writer_locks integer no kern.posix_semaphores integer no kern.posix_spin_locks integer no kern.posix_threads integer no kern.posix_timers integer no kern.proc struct kinfo_proc no kern.proc2 struct kinfo_proc2 no kern.proc_args string no kern.profiling node not applicable kern.rawpartition integer no kern.root_device string no kern.root_partition integer no kern.rtc_offset integer yes kern.saved_ids integer no kern.sbmax integer yes kern.sched node not applicable kern.securelevel integer raise only kern.sofixedbuf boolean yes kern.somaxkva integer yes kern.sooptions integer yes kern.synchronized_io integer no kern.timecounter node not applicable kern.timex struct no kern.tkstat node not applicable kern.tty node not applicable kern.urandom integer no kern.usercrypto integer yes kern.userasymcrypto integer yes kern.veriexec node not applicable kern.version string no kern.vnode struct vnode no kern.aio_listio_max The maximum number of asynchronous I/O operations in a single list I/O call. Like with all variables related to aio(3), the variable may be created and removed dynamically upon loading or unloading the corresponding kernel module. kern.aio_max The maximum number of asynchronous I/O operations. kern.arandom (KERN_ARND) Returns independent uniformly distributed bytes at random each time, as many as requested up to 256, derived from the system entropy pool; see rnd(4). Reading kern.arandom is equivalent to reading up to 256 bytes at a time from /dev/urandom: reading kern.arandom never blocks, and once the system entropy pool has full entropy, output subse- quently read from kern.arandom is fit for use as cryptographic key material. For example, the arc4random(3) library routine uses kern.arandom internally to seed a cryptographic pseudorandom number generator. kern.argmax (KERN_ARGMAX) The maximum bytes of argument to execve(2). kern.boothowto Flags passed from the boot loader; see reboot(2) for the meanings of the flags. kern.boottime (KERN_BOOTTIME) A struct timespec structure is returned. This structure contains the time that the system was booted. That time is defined (for this purpose) to be the time at which the kernel first started accumulating clock ticks. kern.bufq This variable contains information on the bufq(9) subsystem. Currently, the only third level name implemented is kern.bufq.strategies which provides a list of buffer queue strategies currently available. kern.buildinfo When the kernel is built, the build environment may optionally provide arbitrary information to be stored in this variable. kern.ccpu (KERN_CCPU) The scheduler exponential decay value. kern.clockrate (KERN_CLOCKRATE) A struct clockinfo structure is returned. This structure con- tains the clock, statistics clock and profiling clock frequen- cies, the number of micro-seconds per hz tick, and the clock skew rate. Refer to hz(9) for additional details. kern.consdev (KERN_CONSDEV) Console device. kern.coredump Settings related to set-id processes coredumps. By default, set- id processes do not dump core in situations where other processes would. The settings in this node allows an administrator to change this behavior. The third level name is kern.coredump.setid and fourth level variables are described below. Fourth level name Type Changeable kern.coredump.setid.dump integer yes kern.coredump.setid.group integer yes kern.coredump.setid.mode integer yes kern.coredump.setid.owner integer yes kern.coredump.setid.path string yes kern.coredump.setid.dump If non-zero, set-id processes will dump core. kern.coredump.setid.group The group-id for the set-id processes' coredump. kern.coredump.setid.mode The mode for the set-id processes' coredump. See chmod(1). kern.coredump.setid.owner The user-id that will be used as the owner of the set-id processes' coredump. kern.coredump.setid.path The path to which set-id processes' coredumps will be saved to. Same syntax as kern.defcorename. kern.cp_id (KERN_CP_ID) Mapping of CPU number to CPU id. kern.cp_time (KERN_CP_TIME) Returns an array of CPUSTATES uint64_ts. This array contains the number of clock ticks spent in different CPU states. On multi- processor systems, the sum across all CPUs is returned unless appropriate space is given for one data set for each CPU. Data for a specific CPU can also be obtained by adding the number of the CPU at the end of the MIB, enlarging it by one. kern.cryptodevallowsoft This variable controls userland access to hardware versus soft- ware transforms in the crypto(4) system. The available values are as follows: < 0 Always force userlevel requests to use software trans- forms. = 0 If present, use hardware and grant userlevel requests for non-accelerated transforms (handling the latter in software). > 0 Allow user requests only for transforms which are hardware-accelerated. kern.defcorename (KERN_DEFCORENAME) Default template for the name of core dump files (see also proc.pid.corename in the per-process variables proc.*, and core(5) for format of this template). The default value is %n.core and can be changed with the kernel configuration option options DEFCORENAME (see options(4) ). kern.detachall Detach all devices at shutdown. kern.domainname (KERN_DOMAINNAME) Get or set the YP domain name. kern.drivers (KERN_DRIVERS) Return an array of struct kinfo_drivers that contains the name and major device numbers of all the device drivers in the current kernel. The d_name field is always a NUL terminated string. The d_bmajor field will be set to -1 if the driver doesn't have a block device. kern.expose_address Expose kernel addresses in sysctl(3) calls used by fstat(1) and sockstat(1). If it is set to 0 access is not allowed. If it is set to 1 then only processes that have opened /dev/kmem can have access. If it is set to 2 every process is allowed. Defaults to 0 for KASLR kernels and 1 otherwise. Allowing general access renders KASLR ineffective; allowing only kmem accessing programs weakens KASLR if those programs can be subverted to leak the addresses. kern.dump_on_panic (KERN_DUMP_ON_PANIC) Perform a crash dump on system panic(9). kern.file (KERN_FILE) Return the entire file table. The returned data consists of a single struct filelist followed by an array of struct file, whose size depends on the current number of such objects in the system. kern.forkfsleep (KERN_FORKFSLEEP) If fork(2) system call fails due to limit on number of processes (either the global maxproc limit or user's one), wait for this many milliseconds before returning EAGAIN error to process. Use- ful to keep heavily forking runaway processes in bay. Default zero (no sleep). Maximum is 20 seconds. kern.fscale (KERN_FSCALE) The kernel fixed-point scale factor. kern.fsync (KERN_FSYNC) Return 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') File Synchro- nization Option is available on this system, otherwise 0. kern.hardclock_ticks (KERN_HARDCLOCK_TICKS) Returns the number of hardclock(9) ticks. kern.hist This variable contains kernel history data if the kernel was con- figured for any of the options UVHMIST, USB_DEBUG, BIOHIST, or SCDEBUG. (See options(4) for more details.) The third-level names correspond to each available history table. The values of the history tables are in an internal format, and can be decoded by the vmstat(1) utility's -U and -u options; the -l option can be used to see which tables are available. kern.hostid (KERN_HOSTID) Get or set the host identifier. This is aimed to replace the legacy gethostid(3) and sethostid(3) system calls. kern.hostname (KERN_HOSTNAME) Get or set the hostname(1). kern.iov_max (KERN_IOV_MAX) Return the maximum number of iovec structures that a process has available for use with preadv(2), pwritev(2), readv(2), recvmsg(2), sendmsg(2) and writev(2). kern.ipc (KERN_SYSVIPC) Return information about the SysV IPC parameters. The third level names for the ipc variables are detailed below. Third level name Type Changeable kern.ipc.sysvmsg integer no kern.ipc.sysvsem integer no kern.ipc.sysvshm integer no kern.ipc.sysvipc_info struct no kern.ipc.shmmax integer yes kern.ipc.shmmni integer yes kern.ipc.shmseg integer yes kern.ipc.shmmaxpgs integer yes kern.ipc.shm_use_phys integer yes kern.ipc.msgmni integer yes kern.ipc.msgseg integer yes kern.ipc.semmni integer yes kern.ipc.semmns integer yes kern.ipc.semmnu integer yes kern.ipc.sysvmsg (KERN_SYSVIPC_MSG) Returns 1 if System V style message queue functionality is available on this system, otherwise 0. kern.ipc.sysvsem (KERN_SYSVIPC_SEM) Returns 1 if System V style semaphore functionality is available on this system, otherwise 0. kern.ipc.sysvshm (KERN_SYSVIPC_SHM) Returns 1 if System V style share memory functionality is available on this system, otherwise 0. kern.ipc.sysvipc_info (KERN_SYSVIPC_INFO) Return System V style IPC configuration and run-time information. The fourth level name selects the System V style IPC facility. Fourth level name Type KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info KERN_SYSVIPC_MSG_INFO Return information on the System V style message facility. The msg_sysctl_info structure is defined in <sys/msg.h>. KERN_SYSVIPC_SEM_INFO Return information on the System V style sema- phore facility. The sem_sysctl_info structure is defined in <sys/sem.h>. KERN_SYSVIPC_SHM_INFO Return information on the System V style shared memory facility. The shm_sysctl_info structure is defined in <sys/shm.h>. kern.ipc.shmmax (KERN_SYSVIPC_SHMMAX) Max shared memory segment size in bytes. kern.ipc.shmmni (KERN_SYSVIPC_SHMMNI) Max number of shared memory identifiers. kern.ipc.shmseg (KERN_SYSVIPC_SHMSEG) Max shared memory segments per process. kern.ipc.shmmaxpgs (KERN_SYSVIPC_SHMMAXPGS) Max amount of shared memory in pages. kern.ipc.shm_use_phys (KERN_SYSVIPC_SHMUSEPHYS) Locking of shared memory in physical memory. If 0, mem- ory can be swapped out, otherwise it will be locked in physical memory. kern.ipc.msgmni Max number of message queue identifiers. kern.ipc.msgseg Max number of number of message segments. kern.ipc.semmni Max number of number of semaphore identifiers. kern.ipc.semmns Max number of number of semaphores in system. kern.ipc.semmnu Max number of undo structures in system. kern.job_control (KERN_JOB_CONTROL) Return 1 if job control is available on this system, otherwise 0. kern.labeloffset (KERN_LABELOFFSET) The offset within the sector specified by KERN_LABELSECTOR of the disklabel(5). kern.labelsector (KERN_LABELSECTOR) The sector number containing the disklabel(5). kern.login_name_max (KERN_LOGIN_NAME_MAX) The size of the storage required for a login name, in bytes, including the terminating NUL. kern.logsigexit (KERN_LOGSIGEXIT) If this flag is non-zero, the kernel will log(9) all process exits due to signals which create a core(5) file, and whether the coredump was created. kern.lwp (KERN_LWP) Returns information about the current light-weight process. The kinfo_lwp structure is defined in <sys/sysctl.h>. kern.mapped_files (KERN_MAPPED_FILES) Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Memory Mapped Files Option is available on this system, otherwise 0. kern.maxfiles (KERN_MAXFILES) The maximum number of open files that may be open in the system. This also controls the maximum file locks per unprivileged user enforced by fcntl(2) and flock(2). kern.maxpartitions (KERN_MAXPARTITIONS) The maximum number of partitions allowed per disk. kern.maxlwp The maximum number of Lightweight Processes (threads) the system allows per uid. kern.maxphys (KERN_MAXPHYS) Maximum raw I/O transfer size. kern.maxproc (KERN_MAXPROC) The maximum number of simultaneous processes the system will allow. kern.maxptys (KERN_MAXPTYS) The maximum number of pseudo terminals. This value can be both raised and lowered, though it cannot be set lower than number of currently used ptys. See also pty(4). kern.maxvnodes (KERN_MAXVNODES) The maximum number of vnodes available on the system. This can- not be lowered below the number of currently active vnodes. kern.mbuf (KERN_MBUF) Return information about the mbuf control variables. Mbufs are data structures which store network packets and other data struc- tures in the networking code, see mbuf(9). The third level names for the mbuf variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Third level name Type Changeable kern.mbuf.mblowat integer yes kern.mbuf.mclbytes integer yes kern.mbuf.mcllowat integer yes kern.mbuf.msize integer yes kern.mbuf.nmbclusters integer yes kern.mbuf.nmbclusters_limit integer no The variables are as follows: kern.mbuf.mblowat (MBUF_MBLOWAT) The mbuf low water mark. kern.mbuf.mclbytes (MBUF_MCLBYTES) The mbuf cluster size. kern.mbuf.mcllowat (MBUF_MCLLOWAT) The mbuf cluster low water mark. kern.mbuf.msize (MBUF_MSIZE) The mbuf base size. kern.mbuf.nmbclusters (MBUF_NMBCLUSTERS) The limit on the number of mbuf clusters. The variable can only be increased, and only increased on machines with direct-mapped pool pages. kern.mbuf.nmbclusters_limit (MBUF_NMBCLUSTERS_LIMIT) The limit of nmbclusters. kern.memlock (KERN_MEMLOCK) Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Process Mem- ory Locking Option is available on this system, otherwise 0. kern.memlock_range (KERN_MEMLOCK_RANGE) Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Range Memory Locking Option is available on this system, otherwise 0. kern.memory_protection (KERN_MEMORY_PROTECTION) Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Memory Pro- tection Option is available on this system, otherwise 0. kern.messages Kernel console message verbosity. See <sys/reboot.h> Value Verbosity sys/reboot.h equivalent 0 Silent AB_SILENT 1 Quiet AB_QUIET 2 Normal AB_NORMAL 3 Verbose AB_VERBOSE 4 Debug AB_DEBUG kern.module Settings related to kernel modules. The third level names for the settings are described below. Third level name Type Changeable kern.module.autoload integer yes kern.module.autounload_unsafe integer yes kern.module.autotime integer yes kern.module.verbose boolean yes The variables are as follows: kern.module.autoload A boolean that controls whether kernel modules are loaded automatically. See module(7) for details. kern.module.autounload_unsafe A boolean that controls whether the kernel will autoun- load modules that were automatically loaded and have not been audited for autounload. By default, only modules that have been audited will be autounloaded, and only if they were autoloaded to begin with. kern.module.autotime An integer that controls the delay before an attempt is made to automatically unload a module that was auto- loaded. Setting this value to zero disables the auto- unload function. kern.module.verbose A boolean that enables or disables verbose debug messages related to kernel modules. kern.monotonic_clock (KERN_MONOTONIC_CLOCK) Returns the standard version the implementation of the IEEE Std 1003.1b-1993 (``POSIX.1'') Monotonic Clock Option conforms to, otherwise 0. kern.mqueue Settings related to POSIX message queues; see mqueue(3). This node is created dynamically when the corresponding kernel module is loaded. The third level names for the settings are described below. Third level name Type Changeable kern.mqueue.mq_open_max integer yes kern.mqueue.mq_prio_max integer yes kern.mqueue.mq_max_msgsize integer yes kern.mqueue.mq_def_maxmsg integer yes kern.mqueue.mq_max_maxmsg integer yes The variables are: kern.mqueue.mq_open_max The maximum number of message queue descriptors any sin- gle process can open. kern.mqueue.mq_prio_max The maximum priority of a message. kern.mqueue.mq_max_msgsize The maximum size of a message in a message queue. kern.mqueue.mq_def_maxmsg The default maximum message count. kern.mqueue.mq_max_maxmsg The maximum number of messages in a message queue. kern.msgbuf (KERN_MSGBUF) The kernel message buffer, rotated so that the head of the circu- lar kernel message buffer is at the start of the returned data. The returned data may contain NUL bytes. kern.msgbufsize (KERN_MSGBUFSIZE) The maximum number of characters that the kernel message buffer can hold. kern.ngroups (KERN_NGROUPS) The maximum number of supplemental groups. kern.ntptime (KERN_NTPTIME) A struct ntptimeval structure is returned. This structure con- tains data used by the ntpd(8) program. kern.osrelease (KERN_OSRELEASE) The system release string. kern.osrevision (KERN_OSREV) The system revision string. kern.ostype (KERN_OSTYPE) The system type string. kern.pipe (KERN_PIPE) Pipe settings. The third level names for the integer pipe set- tings is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Third level name Type Changeable kern.pipe.kvasiz integer yes kern.pipe.maxbigpipes integer yes kern.pipe.maxkvasz integer yes kern.pipe.limitkva integer yes kern.pipe.nbigpipes integer yes The variables are as follows: kern.pipe.kvasiz (KERN_PIPE_KVASIZ) Amount of kernel memory consumed by pipe buffers. kern.pipe.maxbigpipes (KERN_PIPE_MAXBIGPIPES) Maximum number of ``big'' pipes. kern.pipe.maxkvasz (KERN_PIPE_MAXKVASZ) Maximum amount of kernel memory to be used for pipes. kern.pipe.limitkva (KERN_PIPE_LIMITKVA) Limit for direct transfers via page loan. kern.pipe.nbigpipes (KERN_PIPE_NBIGPIPES) Number of ``big'' pipes. kern.pool Provides statistics about the pool(9) and pool_cache(9) subsys- tems. kern.posix1version (KERN_POSIX1) The version of ISO/IEC 9945 (IEEE Std 1003.1 (``POSIX.1'')) with which the system attempts to comply. kern.posix_aio The version of IEEE Std 1003.1 (``POSIX.1'') and its Asynchronous I/O option to which the system attempts to conform. kern.posix_barriers (KERN_POSIX_BARRIERS) The version of IEEE Std 1003.1 (``POSIX.1'') and its Barriers option to which the system attempts to conform, otherwise 0. kern.posix_reader_writer_locks (KERN_POSIX_READER_WRITER_LOCKS) The version of IEEE Std 1003.1 (``POSIX.1'') and its Read-Write Locks option to which the system attempts to conform, other- wise 0. kern.posix_semaphores (KERN_POSIX_SEMAPHORES) The version of IEEE Std 1003.1 (``POSIX.1'') and its Semaphores option to which the system attempts to conform, otherwise 0. kern.posix_spin_locks (KERN_POSIX_SPIN_LOCKS) The version of IEEE Std 1003.1 (``POSIX.1'') and its Spin Locks option to which the system attempts to conform, otherwise 0. kern.posix_threads (KERN_POSIX_THREADS) The version of IEEE Std 1003.1 (``POSIX.1'') and its Threads option to which the system attempts to conform, otherwise 0. kern.posix_timers (KERN_POSIX_TIMERS) The version of IEEE Std 1003.1 (``POSIX.1'') and its Timers option to which the system attempts to conform, otherwise 0. kern.proc (KERN_PROC) Return the entire process table, or a subset of it. An array of struct kinfo_proc structures is returned, whose size depends on the current number of such objects in the system. The third and fourth level numeric names are as follows: Third level name Fourth level is: KERN_PROC_ALL None KERN_PROC_GID A group ID KERN_PROC_PID A process ID KERN_PROC_PGRP A process group KERN_PROC_RGID A real group ID KERN_PROC_RUID A real user ID KERN_PROC_SESSION A session ID KERN_PROC_TTY A tty device KERN_PROC_UID A user ID kern.proc2 (KERN_PROC2) As for KERN_PROC, but an array of struct kinfo_proc2 structures are returned. The fifth level name is the size of the struct kinfo_proc2 and the sixth level name is the number of structures to return. kern.proc_args (KERN_PROC_ARGS) Return the argv or environment strings (or the number thereof) of a process. Multiple strings are returned separated by NUL char- acters. The third level name is the process ID. The fourth level name is as follows: KERN_PROC_ARGV The argv strings KERN_PROC_ENV The environ strings KERN_PROC_NARGV The number of argv strings KERN_PROC_NENV The number of environ strings KERN_PROC_PATHNAME The full pathname of the executable KERN_PROC_CWD The current working directory kern.profiling (KERN_PROF) Return profiling information about the kernel. If the kernel is not compiled for profiling, attempts to retrieve any of the KERN_PROF values will fail with EOPNOTSUPP. The third level names for the string and integer profiling information is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Third level name Type Changeable kern.profiling.count u_short[] yes kern.profiling.froms u_short[] yes kern.profiling.gmonparam struct gmonparam no kern.profiling.state integer yes kern.profiling.tos struct tostruct yes The variables are as follows: kern.profiling.count (GPROF_COUNT) Array of statistical program counter counts. kern.profiling.froms (GPROF_FROMS) Array indexed by program counter of call-from points. kern.profiling.gmonparams (GPROF_GMONPARAM) Structure giving the sizes of the above arrays. kern.profiling.state (GPROF_STATE) Profiling state. If set to GMON_PROF_ON, starts profil- ing. If set to GMON_PROF_OFF, stops profiling. kern.profiling.tos (GPROF_TOS) Array of struct tostruct describing destination of calls and their counts. kern.rawpartition (KERN_RAWPARTITION) The raw partition of a disk (a == 0). kern.root_device (KERN_ROOT_DEVICE) The name of the root device (e.g., ``wd0''). kern.root_partition (KERN_ROOT_PARTITION) The root partition on the root device (a == 0). kern.rtc_offset (KERN_RTC_OFFSET) Return the offset of real time clock from UTC in minutes. kern.saved_ids (KERN_SAVED_IDS) Returns 1 if saved set-group and saved set-user ID is available. kern.sbmax (KERN_SBMAX) Maximum socket buffer size in bytes. kern.securelevel (KERN_SECURELVL) See secmodel_securelevel(9). kern.sched (dynamic) Influence the scheduling of LWPs, their priorisation and how they are distributed on and moved between CPUs. Third level name Type Changeable kern.sched.cacheht_time integer yes kern.sched.balance_period integer yes kern.sched.average_weight integer yes kern.sched.min_catch integer yes kern.sched.timesoftints integer yes kern.sched.kpreempt_pri integer yes kern.sched.upreempt_pri integer yes kern.sched.maxts integer yes kern.sched.mints integer yes kern.sched.name string no kern.sched.rtts integer no kern.sched.pri_min integer no kern.sched.pri_max integer no The variables are as follows: kern.sched.cacheht_time (dynamic) Cache hotness time in which a LWP is kept on one particu- lar CPU and not moved to another CPU. This reduces the overhead of flushing and reloading caches. Defaults to 3ms. Needs to be given in ``hz'' units, see mstohz(9). kern.sched.balance_period (dynamic) Interval at which the CPU queues are checked for re-bal- ancing. Defaults to 300ms. Needs to be given in ``hz'' units, see mstohz(9). kern.sched.average_weight (dynamic) Can be used to influence how likely LWPs are to be migrated from one CPU's queue of LWPs that are ready to run to a different, idle CPU. The value gives the per- centage for weighting the average count of migratable threads from the past against the current number of migratable threads. A small value gives more weight to the past, a larger values more weight on the current sit- uation. Defaults to 50 and must be between 0 and 100. kern.sched.min_catch (dynamic) Minimum count of migratable (runnable) threads for catch- ing (stealing) from another CPU. Defaults to 1 but can be increased to decrease chance of thread migration between CPUs. kern.sched.timesoftints (dynamic) Enable tracking of CPU time for soft interrupts as part of a LWP's real execution time. Set to a non-zero value to enable, and see ps(1) for printing CPU times. kern.sched.kpreempt_pri (dynamic) Minimum priority to trigger kernel preemption. kern.sched.upreempt_pri (dynamic) Minimum priority to trigger user preemption. kern.sched.maxts (dynamic) Scheduler specific maximal time quantum (in millisec- onds). Must be set to a value larger than ``mints'' and between 10 and ``hz'' as given by the kern.clockrate sysctl. Provided by the M2 scheduler. kern.sched.mints (dynamic) Scheduler specific minimal time quantum (in millisec- onds). Must be set to a value smaller than ``maxts'' and between 1 and ``hz'' as given by the ``kern.clockrate'' sysctl. Provided by the M2 scheduler. kern.sched.name (dynamic) Scheduler name. Provided both by the M2 and the 4BSD scheduler. kern.sched.rtts (dynamic) Fixed scheduler specific round-robin time quantum in mil- liseconds. Provided both by the M2 and the 4BSD sched- uler. kern.sched.pri_min (dynamic) Minimal POSIX real-time priority. See sched(3). kern.sched.pri_max (dynamic) Maximal POSIX real-time priority. See sched(3). kern.sofixedbuf (KERN_SOFIXEDBUF) Prevent socket buffer autoscaling when a size is set with SO_SNDBUF or SO_RCVBUF. kern.somaxkva (KERN_SOMAXKVA) Maximum amount of kernel memory to be used for socket buffers in bytes. kern.sooptions Set the default socket option flags for socket(2) creation. See setsockopt(2) for a list of supported flags. kern.synchronized_io (KERN_SYNCHRONIZED_IO) Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Synchronized I/O Option is available on this system, otherwise 0. kern.timecounter (dynamic) Display and control the timecounter source of the system. Third level name Type Changeable kern.timecounter.choice string no kern.timecounter.hardware string yes kern.timecounter.timestepwarnings integer yes The variables are as follows: kern.timecounter.choice (dynamic) The list of available timecounters with their quality and frequency. kern.timecounter.hardware (dynamic) The currently selected timecounter source. kern.timecounter.timestepwarnings (dynamic) If non-zero display a message each time the time is stepped. kern.timex (KERN_TIMEX) Not available. kern.tkstat (KERN_TKSTAT) Return information about the number of characters sent and received on ttys. The third level names for the tty statistic variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Third level name Type Changeable kern.tkstat.cancc quad no kern.tkstat.nin quad no kern.tkstat.nout quad no kern.tkstat.rawcc quad no The variables are as follows: kern.tkstat.cancc (KERN_TKSTAT_CANCC) The number of canonical input characters. kern.tkstat.nin (KERN_TKSTAT_NIN) The total number of input characters. kern.tkstat.nout (KERN_TKSTAT_NOUT) The total number of output characters. kern.tkstat.rawcc (KERN_TKSTAT_RAWCC) The number of raw input characters. kern.tty The third level names for the tty setup variables are detailed below. The changeable column shows whether a process with appro- priate privilege may change the value. Third level name Type Changeable kern.tty.qsize int yes The variables are as follows: kern.tty.qsize Control/display the size of the default input and output queues selected during tty creation. Is converted to a power of two and its range is between 1024 and 65536. kern.uidinfo Resource usage for the current user. Third level name Type Changeable kern.uidinfo.proccnt integer no kern.uidinfo.lwpcnt integer no kern.uidinfo.lockcnt integer no kern.uidinfo.semcnt integer no kern.uidinfo.sbsize integer no kern.uidinfo.proccnt Returns the number of active processes for the current user. kern.uidinfo.lwpcnt Returns the number of active threads for the current user; the first thread of each process is not counted. kern.uidinfo.lockcnt Number of locks held by the current user. kern.uidinfo.semcnt Number of semaphores held by the current user. kern.uidinfo.sbsize Number of bytes in socket buffers allocated to the cur- rent user. kern.urandom (KERN_URND) Random integer value. kern.usercrypto When enabled, allows userland to open(2) the /dev/crypto special device, used by the crypto(4) system. kern.userasymcrypto Enables or disables the use of software asymmetric crypto support in the crypto(4) system. kern.veriexec Runtime information for veriexec(8). Third level name Type Changeable kern.veriexec.algorithms string no kern.veriexec.count node not applicable kern.veriexec.strict integer yes kern.veriexec.verbose integer yes kern.veriexec.algorithms Returns a string with the supported algorithms in Ver- iexec. kern.veriexec.count Sub-nodes are added to this node as new mounts are moni- tored by Veriexec. Each mount will be under its own tableN node. Under each node there will be three vari- ables, indicating the mount point, the file system type, and the number of entries. kern.veriexec.strict Controls the strict level of Veriexec. See security(7) for more information on each level's implications. kern.veriexec.verbose Controls the verbosity level of Veriexec. If 0, only the minimal indication required will be given about what's happening - fingerprint mismatches, removal of entries from the tables, modification of a fingerprinted file. If 1, more messages will be printed (ie., when a file with a valid fingerprint is accessed). Verbose level 2 is debug mode. kern.version (KERN_VERSION) The system version string. kern.vnode (KERN_VNODE) Return the entire vnode table. Note, the vnode table is not nec- essarily a consistent snapshot of the system. The returned data consists of an array whose size depends on the current number of such objects in the system. Each element of the array contains the kernel address of a vnode struct vnode * followed by the vnode itself struct vnode. The machdep.* subtree The set of variables defined is architecture dependent. Most architec- tures define at least the following variables. Second level name Type Changeable machdep.booted_kernel string no The net.* subtree The string and integer information available for the net level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. The second and third levels are typically the protocol family and protocol number, though this is not always the case. Second level name Type Changeable net.route routing messages no net.inet IPv4 values yes net.inet6 IPv6 values yes net.key IPsec key management values yes net.route (PF_ROUTE) Return the entire routing table or a subset of it. The data is returned as a sequence of routing messages (see route(4) for the header file, format and meaning). The length of each message is contained in the message header. The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows: Fifth level name Sixth level is: NET_RT_FLAGS rtflags NET_RT_DUMP None NET_RT_IFLIST None net.inet (PF_INET) Get or set various global information about the IPv4 (Internet Protocol version 4). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: Protocol Variable Type Changeable arp nd_delay integer yes arp nd_bmaxtries integer yes arp nd_umaxtries integer yes arp nd_basereachable integer yes arp nd_retrans integer yes arp nd_nud integer yes arp nd_maxnudhint integer yes arp log_movements integer yes arp log_permanent_modify integer yes arp log_unknown_network integer yes arp log_wrong_iface integer yes carp allow integer yes carp preempt integer yes carp log integer yes carp arpbalance integer yes icmp errppslimit integer yes icmp maskrepl integer yes icmp rediraccept integer yes icmp redirtimeout integer yes icmp bmcastecho integer yes icmp dynamic_rt_msg boolean yes ip allowsrcrt integer yes ip anonportalgo.selected string yes ip anonportalgo.available string yes ip anonportalgo.reserve struct yes ip anonportmax integer yes ip anonportmin integer yes ip checkinterface integer yes ip dad_count integer yes ip directed-broadcast integer yes ip do_loopback_cksum integer yes ip forwarding integer yes ip forwsrcrt integer yes ip gifttl integer yes ip grettl integer yes ip hashsize integer yes ip hostzerobroadcast integer yes ip lowportmin integer yes ip lowportmax integer yes ip maxflows integer yes ip maxfragpackets integer yes ip mtudisc integer yes ip mtudisctimeout integer yes ip random_id integer yes ip redirect integer yes ip subnetsarelocal integer yes ip ttl integer yes tcp rfc1323 integer yes tcp sendspace integer yes tcp recvspace integer yes tcp mssdflt integer yes tcp syn_cache_limit integer yes tcp syn_bucket_limit integer yes tcp syn_cache_interval integer yes tcp init_win integer yes tcp init_win_local integer yes tcp mss_ifmtu integer yes tcp win_scale integer yes tcp timestamps integer yes tcp cwm integer yes tcp cwm_burstsize integer yes tcp ack_on_push integer yes tcp keepidle integer yes tcp keepintvl integer yes tcp keepcnt integer yes tcp slowhz integer no tcp keepinit integer yes tcp log_refused integer yes tcp rstppslimit integer yes tcp ident struct no tcp drop struct no tcp sack.enable integer yes tcp sack.globalholes integer no tcp sack.globalmaxholes integer yes tcp sack.maxholes integer yes tcp ecn.enable integer yes tcp ecn.maxretries integer yes tcp congctl.selected string yes tcp congctl.available string yes tcp abc.enable integer yes tcp abc.aggressive integer yes udp checksum integer yes udp do_loopback_cksum integer yes udp recvspace integer yes udp sendspace integer yes The variables are as follows: arp.nd_delay The delay in seconds before sending the first probe, after it has been decided that the entry is stale. arp.nd_bmaxtries The maximum number of broadcasts send to discover the hardware address claiming an IP address. arp.nd_umaxtries The maximum number of unicasts send to the hardware address to ensure it still claims an IP address. arp.nd_basereachable The number of milliseconds the ARP entry is considered reachable before probing reachability. arp.nd_retrans The number of milliseconds between ARP probes. arp.nd_nud If set to non-zero, perform Neighor Unreachability Detec- tion. arp.nd_maxnudhint Neighbor discovery permits upper layer protocols to sup- ply reachability hints, to avoid unnecessary neighbor discovery exchanges. The variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor dis- covery layer will take 3 consecutive hints in maximum. After receiving 3 hints, neighbor discovery layer will perform normal neighbor discovery process. carp.allow If set to 0, incoming carp(4) packets will not be pro- cessed. If set to any other value, processing will occur. Enabled by default. carp.arpbalance If set to any value other than 0, the ARP balancing func- tionality of carp(4) is enabled. When ARP requests are received for an IP address which is part of any virtual host, carp will hash the source IP in the ARP request to select one of the virtual hosts from the set of all the virtual hosts which have that IP address. The master of that host will respond with the correct virtual MAC address. Disabled by default. carp.log If set to any value other than 0, carp(4) will log errors. Disabled by default. carp.preempt If set to 0, carp(4) will not attempt to become master if it is receiving advertisements from another active mas- ter. If set to any other value, carp will become master of the virtual host if it believes it can send advertise- ments more frequently than the current master. Disabled by default. ip.allowsrcrt If set to 1, the host accepts source routed packets. ip.anonportalgo.available The available RFC 6056 port randomization algorithms. ip.anonportalgo.reserve A bitmask of ports that will not be used during anonymous or privileged port selection. ip.anonportalgo.selected The currently selected RFC 6056 port randomization algo- rithm; see rfc6056(7) for details. ip.anonportmax The highest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535, and must be greater than ip.anonportmin. ip.anonportmin The lowest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535. ip.checkinterface If set to non-zero, the host will reject packets addressed to it that arrive on an interface not bound to that address. Currently, this must be disabled if NAT is used to translate the destination address to another local interface, or if addresses are added to the loop- back interface instead of the interface where the packets for those packets are received. ip.dad_count The number of arp(4) probes sent for Address Conflict Detection. Set to 0 to disable this. ip.directed-broadcast If set to 1, enables directed broadcast behavior for the host. ip.do_loopback_cksum Perform IP checksum on loopback. ip.forwarding If set to 1, enables IP forwarding for the host, meaning that the host is acting as a router. ip.forwsrcrt If set to 1, enables forwarding of source-routed packets for the host. This value may only be changed if the ker- nel security level is less than 1. ip.gifttl The maximum time-to-live (hop count) value for an IPv4 packet generated by gif(4) tunnel interface. ip.grettl The maximum time-to-live (hop count) value for an IPv4 packet generated by gre(4) tunnel interface. ip.hashsize The size of IPv4 Fast Forward hash table. This value must be a power of 2 (64, 256...). A larger hash table size results in fewer collisions. Also see ip.maxflows. ip.hostzerobroadcast All zeroes address is broadcast address. ip.lowportmax The highest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be greater than ip.lowportmin. ip.lowportmin The lowest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be smaller than ip.lowportmax. ip.maxflows IPv4 Fast Forwarding is enabled by default. If set to 0, IPv4 Fast Forwarding is disabled. ip.maxflows controls the maximum amount of flows which can be created. The default value is 256. ip.maxfragpackets The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any frag- mented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is pro- vided basically for avoiding possible DoS attacks. ip.mtudisc If set to 1, enables Path MTU Discovery (RFC 1191). When Path MTU Discovery is enabled, the transmitted TCP seg- ment size will be determined by the advertised maximum segment size (MSS) from the remote end, as constrained by the path MTU. If MTU Discovery is disabled, the trans- mitted segment size will never be greater than tcp.mssdflt (the local maximum segment size). ip.mtudisctimeout The number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU. ip.random_id Assign random ip_id values. ip.redirect If set to 1, ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems. ip.subnetsarelocal If set to 1, subnets are to be considered local addresses. ip.ttl The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to nor- mal transport protocols, not to ICMP. icmp.errppslimit The variable specifies the maximum number of outgoing ICMP error messages, per second. ICMP error messages that exceeded the value are subject to rate limitation and will not go out from the node. Negative value dis- ables rate limitation. icmp.maskrepl If set to 1, ICMP network mask requests are to be answered. icmp.rediraccept If set to non-zero, the host will accept ICMP redirect packets. Note that routers will never accept ICMP redi- rect packets, and the variable is meaningful on IP hosts only. icmp.redirtimeout The variable specifies lifetime of routing entries gener- ated by incoming ICMP redirect. This defaults to 600 seconds. icmp.returndatabytes Number of bytes to return in an ICMP error message. icmp.bmcastecho If set to 1, enables responding to ICMP echo or timestamp request to the broadcast address. icmp.dynamic_rt_msg A boolean that the kernel sends routing message for RTM_DYNAMIC or not. If set to true, sends such routing message. tcp.ack_on_push If set to 1, TCP is to immediately transmit an ACK upon reception of a packet with PUSH set. This can avoid los- ing a round trip time in some rare situations, but has the caveat of potentially defeating TCP's delayed ACK algorithm. Use of this option is generally not recom- mended, but the variable exists in case your configura- tion really needs it. tcp.cwm If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window Monitoring algorithm. This algorithm prevents line-rate bursts of packets that could otherwise occur when data begins flowing on an idle TCP connection. These line-rate bursts can contribute to network and router congestion. This can be particularly useful on World Wide Web servers which support HTTP/1.1, which has lingering connections. tcp.cwm_burstsize The Congestion Window Monitoring allowed burst size, in terms of packet count. tcp.delack_ticks Number of ticks to delay sending an ACK. tcp.do_loopback_cksum Perform TCP checksum on loopback. tcp.init_win A value indicating the TCP initial congestion window. The valid range is 0 to 10 (maximum specified by RFC6928), with a default of 4 (approximately 4K per RFC3390). tcp.init_win_local Like tcp.init_win, but used when communicating with hosts on a local network. tcp.keepcnt Number of keepalive probes sent before declaring a con- nection dead. If set to zero, there is no limit; keepalives will be sent until some kind of response is received from the peer. tcp.keepidle Time a connection must be idle before keepalives are sent (if keepalives are enabled for the connection). See also tcp.slowhz. tcp.keepintvl Time after a keepalive probe is sent until, in the absence of any response, another probe is sent. See also tcp.slowhz. tcp.log_refused If set to 1, refused TCP connections to the host will be logged. tcp.keepinit Timeout in seconds during connection establishment. tcp.mss_ifmtu If set to 1, TCP calculates the outgoing maximum segment size based on the MTU of the appropriate interface. If set to 0, it is calculated based on the greater of the MTU of the interface, and the largest (non-loopback) interface MTU on the system. tcp.mssdflt The default maximum segment size both advertised to the peer and to use when either the peer does not advertise a maximum segment size to us during connection setup or Path MTU Discovery (ip.mtudisc) is disabled. Do not change this value unless you really know what you are doing. tcp.recvspace The default TCP receive buffer size. tcp.rfc1323 If set to 1, enables RFC 1323 extensions to TCP. tcp.rstppslimit The variable specifies the maximum number of outgoing TCP RST packets, per second. TCP RST packet that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limita- tion. tcp.ident Return the user ID of a connected socket pair. (RFC1413 Identification Protocol lookups.) tcp.drop Drop a TCP socket pair connection. tcp.sack.enable If set to 1, enables RFC 2018 Selective ACKnowledgement. tcp.sack.globalholes Global number of TCP SACK holes. tcp.sack.globalmaxholes Global maximum number of TCP SACK holes. tcp.sack.maxholes Maximum number of TCP SACK holes allowed per connection. tcp.ecn.enable If set to 1, enables RFC 3168 Explicit Congestion Notifi- cation. tcp.ecn.maxretries Number of times to retry sending the ECN-setup packet. tcp.sendspace The default TCP send buffer size. tcp.slowhz The units for tcp.keepidle and tcp.keepintvl; those vari- ables are in ticks of a clock that ticks tcp.slowhz times per second. (That is, their values must be divided by the tcp.slowhz value to get times in seconds.) tcp.syn_bucket_limit The maximum number of entries allowed per hash bucket in the TCP compressed state engine. tcp.syn_cache_limit The maximum number of entries allowed in the TCP com- pressed state engine. tcp.timestamps If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options, used for measuring TCP round trip times, are enabled. tcp.win_scale If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options, for increasing the TCP window size, are enabled. tcp.congctl.available The available TCP congestion control algorithms. tcp.congctl.selected The currently selected TCP congestion control algorithm. tcp.abc.enable If set to 1, use RFC 3465 Appropriate Byte Counting (ABC). If set to 0, use traditional Packet Counting. tcp.abc.aggressive Choose the L parameter found in RFC 3465. L is the maxi- mum cwnd increase for an ack during slow start. If set to 1, use L=2*SMSS. If set to 0, use L=1*SMSS. It has no effect unless tcp.abc.enable is set to 1. udp.checksum If set to 1, UDP checksums are being computed. Received non-zero UDP checksums are always checked. Disabling UDP checksums is strongly discouraged. udp.recvspace The default UDP receive buffer size. udp.sendspace The default UDP send buffer size. For variables net.*.ipsec, please refer to ipsec(4). net.inet6 (PF_INET6) Get or set various global information about the IPv6 (Internet Protocol version 6). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: Protocol Variable Type Changeable icmp6 errppslimit integer yes icmp6 mtudisc_hiwat integer yes icmp6 mtudisc_lowat integer yes icmp6 nd6_debug integer yes icmp6 nd6_delay integer yes icmp6 nd6_maxnudhint integer yes icmp6 nd6_mmaxtries integer yes icmp6 nd6_prune integer yes icmp6 nd6_umaxtries integer yes icmp6 nd6_useloopback integer yes icmp6 nodeinfo integer yes icmp6 rediraccept integer yes icmp6 redirtimeout integer yes icmp6 reflect_pmtu boolean yes icmp6 dynamic_rt_msg boolean yes ip6 accept_rtadv integer yes ip6 addctlpolicy struct in6_addrpolicy no ip6 anonportalgo.selected string yes ip6 anonportalgo.available string yes ip6 anonportalgo.reserve struct yes ip6 anonportmax integer yes ip6 anonportmin integer yes ip6 auto_flowlabel integer yes ip6 dad_count integer yes ip6 defmcasthlim integer yes ip6 forwarding integer yes ip6 gifhlim integer yes ip6 hashsize integer yes ip6 hlim integer yes ip6 hdrnestlimit integer yes ip6 kame_version string no ip6 keepfaith integer yes ip6 log_interval integer yes ip6 lowportmax integer yes ip6 lowportmin integer yes ip6 maxdynroutes integer yes ip6 maxifprefixes integer yes ip6 maxifdefrouters integer yes ip6 maxflows integer yes ip6 maxfragpackets integer yes ip6 maxfrags integer yes ip6 neighborgcthresh integer yes ip6 param_rt_msg integer yes ip6 redirect integer yes ip6 rr_prune integer yes ip6 use_deprecated integer yes ip6 v6only integer yes udp6 do_loopback_cksum integer yes udp6 recvspace integer yes udp6 sendspace integer yes The variables are as follows: ip6.accept_rtadv If set to non-zero, the node will accept ICMPv6 router advertisement packets and autoconfigures address prefixes and default routers. The node must be a host (not a router) for the option to be meaningful. ip6.anonportalgo.available The available RFC 6056 port randomization algorithms. ip6.anonportalgo.reserve A bitmask of ports that will not be used during anonymous or privileged port selection. ip6.anonportalgo.selected The currently selected RFC 6056 port randomization algo- rithm; see rfc6056(7) for details. ip6.anonportmax The highest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535, and must be greater than ip6.anonportmin. ip6.anonportmin The lowest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535. ip6.auto_flowlabel On connected transport protocol packets, fill IPv6 flowlabel field to help intermediate routers to identify packet flows. ip6.dad_count The variable configures number of IPv6 DAD (duplicated address detection) probe packets. The packets will be generated when IPv6 interface addresses are configured. ip6.defmcasthlim The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. There are APIs to override the value, as documented in ip6(4). ip6.forwarding If set to 1, enables IPv6 forwarding for the node, mean- ing that the node is acting as a router. If set to 0, disables IPv6 forwarding for the node, meaning that the node is acting as a host. IPv6 specification defines node behavior for ``router'' case and ``host'' case quite differently, and changing this variable during operation may cause serious trouble. It is recommended to config- ure the variable at bootstrap time, and bootstrap time only. ip6.gifhlim The maximum hop limit value for an IPv6 packet generated by gif(4) tunnel interface. ip6.hdrnestlimit The number of IPv6 extension headers permitted on incom- ing IPv6 packets. If set to 0, the node will accept as many extension headers as possible. ip6.hashsize The size of IPv6 Fast Forward hash table. This value must be a power of 2 (64, 256, ...). A larger hash table size results in fewer collisions. Also see ip6.maxflows. ip6.hlim The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. There are APIs to override the value, as documented in ip6(4). ip6.kame_version The string identifies the version of KAME IPv6 stack implemented in the kernel. ip6.keepfaith If set to non-zero, it enables ``FAITH'' TCP relay IPv6-to-IPv4 translator code in the kernel. Refer faith(4) and faithd(8) for detail. ip6.log_interval The variable controls amount of logs generated by IPv6 packet forwarding engine, by setting interval between log output (in seconds). ip6.lowportmax The highest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be greater than ip6.lowportmin. ip6.lowportmin The lowest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be smaller than ip6.lowportmax. ip6.maxdynroutes Maximum number of routes created by redirect. Set it to negative to disable. The default value is 4096. ip6.maxifprefixes Maximum number of prefixes created by route advertise- ments per interface. Set it to negative to disable. The default value is 16. ip6.maxifdefrouters 16 Maximum number of default routers created by route adver- tisements per interface. Set it to negative to disable. The default value is 16. ip6.maxflows IPv6 Fast Forwarding is enabled by default. If set to 0, IPv6 Fast Forwarding is disabled. ip6.maxflows controls the maximum amount of flows which can be created. The default value is 256. ip6.maxfragpackets The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any frag- mented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is pro- vided basically for avoiding possible DoS attacks. ip6.maxfrags The maximum number of fragments the node will accept. 0 means that the node will not accept any fragments. -1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks. ip6.neighborgcthresh Maximum number of entries in neighbor cache per inter- face. Set to negative to disable. The default value is 2048. ip6.param_rt_msg If set to 0, parameter changing routing message is sup- pressed. If set to 1, parameter changing routing message is sent by RTM_NEWADDR. Other values are undefined yet. ip6.redirect If set to 1, ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems. ip6.rr_prune The variable specifies interval between IPv6 router renumbering prefix babysitting, in seconds. ip6.use_deprecated The variable controls use of deprecated address, speci- fied in RFC 2462 5.5.4. ip6.v6only The variable specifies initial value for IPV6_V6ONLY socket option for AF_INET6 socket. Please refer to ip6(4) for detail. icmp6.errppslimit The variable specifies the maximum number of outgoing ICMPv6 error messages, per second. ICMPv6 error messages that exceeded the value are subject to rate limitation and will not go out from the node. Negative value dis- ables rate limitation. icmp6.mtudisc_hiwat icmp6.mtudisc_lowat The variables define the maximum number of routing table entries, created due to path MTU discovery (prevents denial-of-service attacks with ICMPv6 too big messages). When IPv6 path MTU discovery happens, we keep path MTU information into the routing table. If the number of routing table entries exceed the value, the kernel will not attempt to keep the path MTU information. icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected pcbs. Negative value disables the upper limit. icmp6.nd6_debug If set to non-zero, kernel IPv6 neighbor discovery code will generate debugging messages. The debug outputs are useful to diagnose IPv6 interoperability issues. The flag must be set to 0 for normal operation. icmp6.nd6_delay The variable specifies DELAY_FIRST_PROBE_TIME timing con- stant in IPv6 neighbor discovery specification (RFC 2461), in seconds. icmp6.nd6_maxnudhint Neighbor discovery permits upper layer protocols to sup- ply reachability hints, to avoid unnecessary neighbor discovery exchanges. The variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor dis- covery layer will take 3 consecutive hints in maximum. After receiving 3 hints, neighbor discovery layer will perform normal neighbor discovery process. icmp6.nd6_mmaxtries The variable specifies MAX_MULTICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461). icmp6.nd6_prune The variable specifies interval between IPv6 neighbor cache babysitting, in seconds. icmp6.nd6_umaxtries The variable specifies MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461). icmp6.nd6_useloopback If set to non-zero, kernel IPv6 stack will use loopback interface for local traffic. icmp6.nodeinfo The variable enables responses to ICMPv6 node information queries. If you set the variable to 0, responses will not be generated for ICMPv6 node information queries. Since node information queries can have a security impact, it is possible to fine tune which responses should be answered. Two separate bits can be set. 1 Respond to ICMPv6 FQDN queries, e.g. ping6 -w. 2 Respond to ICMPv6 node addresses queries, e.g. ping6 -a. icmp6.rediraccept If set to non-zero, the host will accept ICMPv6 redirect packets. Note that IPv6 routers will never accept ICMPv6 redirect packets, and the variable is meaningful on IPv6 hosts (non-router) only. icmp6.redirtimeout The variable specifies lifetime of routing entries gener- ated by incoming ICMPv6 redirect. icmp6.reflect_pmtu A boolean that icmpv6 reflecting uses path MTU discovery or not. When not, icmpv6 reflecting uses IPV6_MINMTU. icmp6.dynamic_rt_msg A boolean that the kernel sends routing message for RTM_DYNAMIC or not. If set to true, sends such routing message. udp6.do_loopback_cksum Perform UDP checksum on loopback. udp6.recvspace Default UDP receive buffer size. udp6.sendspace Default UDP send buffer size. We reuse net.*.tcp for TCP over IPv6, and therefore we do not have variables net.*.tcp6. Variables net.inet6.udp6 have identi- cal meaning to net.inet.udp. Please refer to PF_INET section above. For variables net.*.ipsec6, please refer to ipsec(4). net.key (PF_KEY) Get or set various global information about the IPsec key manage- ment. The third level name is the variable name. The currently defined variable and names are: Variable Type Changeable debug integer yes enabled integer yes used integer no spi_try integer yes spi_min_value integer yes spi_max_value integer yes larval_lifetime integer yes blockacq_count integer yes blockacq_lifetime integer yes esp_keymin integer yes esp_auth integer yes ah_keymin integer yes allow_different_idtype boolean yes The variables are as follows: debug Turn on debugging message from within the kernel. The value is a bitmap, as defined in <netipsec/key_debug.h>. enabled Control processing of IPsec control messages. 0 Never allow IPsec processing 1 Allow IPsec processing when SPD policies are present. 2 Force IPsec processing even when SPD policies are not present. used Based on if IPsec is enabled, and SPD rule existence, show if IPsec is being used. Note that currently once IPsec is being used, it cannot be disabled. spi_try The number of times the kernel will try to obtain an unique SPI when it generates it from random number gener- ator. spi_min_value Minimum SPI value when generating it within the kernel. spi_max_value Maximum SPI value when generating it within the kernel. larval_lifetime Lifetime for LARVAL SAD entries, in seconds. blockacq_count Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message. It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the key management daemon. blockacq_lifetime Lifetime of ACQUIRE PF_KEY message. esp_keymin Minimum ESP key length, in bits. The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message. esp_auth Whether ESP authentication should be used or not. Non- zero value indicates that ESP authentication should be used. The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message. ah_keymin Minimum AH key length, in bits, The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message. allow_different_idtype A boolean that allow or disallow different identifier types on IDii and IDir. Allowing that can improve inter- connectivity to some VPN appliances. net.local (PF_LOCAL) Get or set various global information about AF_LOCAL type sock- ets. For some variables, the third level name is the variable name: Variable Type Changeable inflight integer no deferred integer no The variables are as follows: inflight The number of file descriptors currently passed between processes, "in flight". deferred The number of file descriptors passed between processes that have been deferred for cleanup by a kernel task. Other variables are specific to a socket type: Socket Type Sy Variable Type Changeable dgram pcblist struct no dgram recvspace integer yes dgram sendspace integer yes seqpacket pcblist struct no stream pcblist struct no stream recvspace integer yes stream sendspace integer yes The variables are as follows: dgram.pcblist The Protocol Control Block list structure for datagram sockets. Parsed by netstat(1) or sockstat(1). dgram.recvspace The default datagram receive buffer size. dgram.sendspace The default datagram send buffer size. seqpacket.pcblist The Protocol Control Block list structure for Sequential Packet sockets. Parsed by netstat(1) or sockstat(1). stream.pcblist The Protocol Control Block list structure for stream sockets. Parsed by netstat(1) or sockstat(1). stream.recvspace The default stream receive buffer size. stream.sendspace The default stream send buffer size. The proc.* subtree The string and integer information available for the proc level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. These values are per- process, and as such may change from one process to another. When a process is created, the default values are inherited from its parent. When a set-user-ID or set-group-ID binary is executed, the value of PROC_PID_CORENAME is reset to the system default value. The second level name is either the magic value PROC_CURPROC, which points to the current process, or the PID of the target process. Third level name Type Changeable proc.pid.corename string yes proc.pid.rlimit node not applicable proc.pid.stopfork int yes proc.pid.stopexec int yes proc.pid.stopexit int yes proc.pid.paxflags int no proc.pid.corename (PROC_PID_CORENAME) The template used for the core dump file name (see core(5) for details). The base name must either be core or end with the suf- fix .core (the super-user may set arbitrary names). By default it points to KERN_DEFCORENAME. proc.pid.rlimit (PROC_PID_LIMIT) Return resources limits, as defined for the getrlimit(2) and setrlimit(2) system calls. The fourth level name is one of: proc.pid.rlimit.cputime (PROC_PID_LIMIT_CPU) The maximum amount of CPU time (in seconds) to be used by each process. proc.pid.rlimit.filesize (PROC_PID_LIMIT_FSIZE) The largest size (in bytes) file that may be created. proc.pid.rlimit.datasize (PROC_PID_LIMIT_DATA) The maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call. proc.pid.rlimit.stacksize (PROC_PID_LIMIT_STACK) The maximum size (in bytes) of the stack segment for a process; this defines how far a program's stack segment may be extended. Stack extension is performed automati- cally by the system. proc.pid.rlimit.coredumpsize (PROC_PID_LIMIT_CORE) The largest size (in bytes) core file that may be cre- ated. proc.pid.rlimit.memoryuse (PROC_PID_LIMIT_RSS) The maximum size (in bytes) to which a process's resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from pro- cesses that are exceeding their declared resident set size. proc.pid.rlimit.memorylocked (PROC_PID_LIMIT_MEMLOCK) The maximum size (in bytes) which a process may lock into memory using the mlock(2) function. proc.pid.rlimit.maxproc (PROC_PID_LIMIT_NPROC) The maximum number of simultaneous processes for this user id. proc.pid.rlimit.descriptors (PROC_PID_LIMIT_NOFILE) The maximum number of open files for this process. proc.pid.rlimit.sbsize (PROC_PID_LIMIT_SBSIZE) The maximum size (in bytes) of the socket buffers set by the setsockopt(2) SO_RCVBUF and SO_SNDBUF options. proc.pid.rlimit.vmemoryuse (PROC_PID_LIMIT_AS) The maximum size (in bytes) which a process can obtain. proc.pid.rlimit.maxlwp (PROC_PID_LIMIT_NTHR) The maximum number of threads that cen be created and running at one time in the process. The first thread of each process is not counted against this. The fifth level name is one of soft (PROC_PID_LIMIT_TYPE_SOFT) or hard (PROC_PID_LIMIT_TYPE_HARD), to select respectively the soft or hard limit. Both are of type integer. proc.pid.stopfork (PROC_PID_STOPFORK) If non zero, the process' children will be stopped after fork(2) calls. The children are created in the SSTOP state and are never scheduled for running before being stopped. This feature enables attaching to a process with a debugger such as gdb(1) before the process has the opportunity to actually do anything. This value is inherited by the process's children, and it also applies to emulation specific system calls that fork a new process, such as sproc() or clone(). proc.pid.stopexec (PROC_PID_STOPEXEC) If non zero, the process will be stopped on the next exec(3) call. The process created by exec(3) is created in the SSTOP state and is never scheduled for running before being stopped. This feature enables attaching to a process with a debugger such as gdb(1) before the process has the opportunity to actually do anything. This value is inherited by the process's children. proc.pid.stopexit (PROC_PID_STOPEXIT) If non zero, the process will be stopped when it has cause to exit, either by way of calling exit(3), _exit(2), or by the receipt of a specific signal. The process is stopped before any of its resources or vm space is released allowing examination of the termination state of the process before it disappears. This feature can be used to examine the final conditions of the process's vmspace via pmap(1) or its resource settings with sysctl(8) before it disappears. This value is also inherited by the process's children. proc.pid.paxflags (PROC_PID_PAXFLAGS) This read-only variable returns the current value of the process's pax flags (see paxctl(8)). The user.* subtree (CTL_USER) The string and integer information available for the user level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Second level name Type Changeable user.atexit_max integer no user.bc_base_max integer no user.bc_dim_max integer no user.bc_scale_max integer no user.bc_string_max integer no user.coll_weights_max integer no user.cs_path string no user.expr_nest_max integer no user.line_max integer no user.posix2_c_bind integer no user.posix2_c_dev integer no user.posix2_char_term integer no user.posix2_fort_dev integer no user.posix2_fort_run integer no user.posix2_localedef integer no user.posix2_sw_dev integer no user.posix2_upe integer no user.posix2_version integer no user.re_dup_max integer no user.stream_max integer no user.stream_max integer no user.tzname_max integer no user.atexit_max (USER_ATEXIT_MAX) The maximum number of functions that may be registered with atexit(3). user.bc_base_max (USER_BC_BASE_MAX) The maximum ibase/obase values in the bc(1) utility. user.bc_dim_max (USER_BC_DIM_MAX) The maximum array size in the bc(1) utility. user.bc_scale_max (USER_BC_SCALE_MAX) The maximum scale value in the bc(1) utility. user.bc_string_max (USER_BC_STRING_MAX) The maximum string length in the bc(1) utility. user.coll_weights_max (USER_COLL_WEIGHTS_MAX) The maximum number of weights that can be assigned to any entry of the LC_COLLATE order keyword in the locale definition file. user.cs_path (USER_CS_PATH) Return a value for the PATH environment variable that finds all the standard utilities. user.expr_nest_max (USER_EXPR_NEST_MAX) The maximum number of expressions that can be nested within parenthesis by the expr(1) utility. user.line_max (USER_LINE_MAX) The maximum length in bytes of a text-processing utility's input line. user.posix2_char_term (USER_POSIX2_CHAR_TERM) Return 1 if the system supports at least one terminal type capa- ble of all operations described in IEEE Std 1003.2 (``POSIX.2''), otherwise 0. user.posix2_c_bind (USER_POSIX2_C_BIND) Return 1 if the system's C-language development facilities sup- port the C-Language Bindings Option, otherwise 0. user.posix2_c_dev (USER_POSIX2_C_DEV) Return 1 if the system supports the C-Language Development Utili- ties Option, otherwise 0. user.posix2_fort_dev (USER_POSIX2_FORT_DEV) Return 1 if the system supports the FORTRAN Development Utilities Option, otherwise 0. user.posix2_fort_run (USER_POSIX2_FORT_RUN) Return 1 if the system supports the FORTRAN Runtime Utilities Option, otherwise 0. user.posix2_localedef (USER_POSIX2_LOCALEDEF) Return 1 if the system supports the creation of locales, other- wise 0. user.posix2_sw_dev (USER_POSIX2_SW_DEV) Return 1 if the system supports the Software Development Utili- ties Option, otherwise 0. user.posix2_upe (USER_POSIX2_UPE) Return 1 if the system supports the User Portability Utilities Option, otherwise 0. user.posix2_version (USER_POSIX2_VERSION) The version of IEEE Std 1003.2 (``POSIX.2'') with which the sys- tem attempts to comply. user.re_dup_max (USER_RE_DUP_MAX) The maximum number of repeated occurrences of a regular expres- sion permitted when using interval notation. user.stream_max (USER_STREAM_MAX) The minimum maximum number of streams that a process may have open at any one time. user.tzname_max (USER_TZNAME_MAX) The minimum maximum number of types supported for the name of a timezone. The vm.* subtree (CTL_VM) The string and integer information available for the vm level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Second level name Type Changeable vm.anonmax int yes vm.anonmin int yes vm.bufcache int yes vm.bufmem int no vm.bufmem_hiwater int yes vm.bufmem_lowater int yes vm.execmax int yes vm.execmin int yes vm.filemax int yes vm.filemin int yes vm.loadavg struct loadavg no vm.maxslp int no vm.nkmempages int no vm.uspace int no vm.uvmexp struct uvmexp no vm.uvmexp2 struct uvmexp_sysctl no vm.vmmeter struct vmtotal no vm.proc.map struct kinfo_vmentry no vm.guard_size unsigned int no vm.thread_guard_size unsigned int yes vm.swap_encrypt bool yes vm.anonmax (VM_ANONMAX) The percentage of physical memory which will be reclaimed from other types of memory usage to store anonymous application data. vm.anonmin (VM_ANONMIN) The percentage of physical memory which will be always be avail- able for anonymous application data. vm.bufcache (VM_BUFCACHE) The percentage of physical memory which will be available for the buffer cache. vm.bufmem (VM_BUFMEM) The amount of kernel memory that is being used by the buffer cache. vm.bufmem_lowater (VM_BUFMEM_LOWATER) The minimum amount of kernel memory to reserve for the buffer cache. vm.bufmem_hiwater (VM_BUFMEM_HIWATER) The maximum amount of kernel memory to be used for the buffer cache. vm.execmax (VM_EXECMAX) The percentage of physical memory which will be reclaimed from other types of memory usage to store cached executable data. vm.execmin (VM_EXECMIN) The percentage of physical memory which will be always be avail- able for cached executable data. vm.filemax (VM_FILEMAX) The percentage of physical memory which will be reclaimed from other types of memory usage to store cached file data. vm.filemin (VM_FILEMIN) The percentage of physical memory which will be always be avail- able for cached file data. vm.loadavg (VM_LOADAVG) Return the load average history. The returned data consists of a struct loadavg. vm.maxslp (VM_MAXSLP) The value of the maxslp kernel global variable. vm.vmmeter (VM_METER) Return system wide virtual memory statistics. The returned data consists of a struct vmtotal. vm.user_va0_disable A flag which controls whether user processes can map virtual address 0. vm.proc.map (VM_PROC) The third level is VM_PROC_MAP, the fourth is the pid of the process to display the vm object entries for, and the fifth is the size of struct kinfo_vmentry. Returns an array of struct kinfo_vmentry objects. vm.ubc_direct [EXPERIMENTAL, default off] Use direct map for UBC I/O, avoiding need to map and unmap buffer memory. Speeds up operation for fast I/O devices like NVMe, especially on multi-CPU systems. Only available on some archi- tectures. vm.uspace (VM_USPACE) The number of bytes allocated for each kernel stack. vm.uvmexp (VM_UVMEXP) Return system wide virtual memory statistics. The returned data consists of a struct uvmexp. vm.uvmexp2 (VM_UVMEXP2) Return system wide virtual memory statistics. The returned data consists of a struct uvmexp_sysctl. vm.guard_size Return system wide guard size for the main thread of a program. vm.thread_guard_size Return system wide default size for the guard area of all other threads of a program. vm.swap_encrypt If true, encrypt data while swapped out to disk. Each swap device maintains an independent AES-256 key, generated when the first page is swapped to that device. Each page is swapped independently using AES-CBC, with an initialization vec- tor chosen by the encryption under the AES-256 key of the little- endian swap slot number padded to 128 bits with zeros. (This is essentially the cgd(4) `encblkno1' method.) Changes to vm.swap_encrypt only affect pages of swap newly writ- ten out. To force encrypting or decrypting all existing swap, or to rekey previously encrypted swap, you can remove the swap devices and re-add them with swapctl(8), with the caveat that whatever pages were already written to disk unencrypted or encrypted with a compromised key may still be written to disk afterward. The ddb.* subtree (CTL_DDB) The information available for the ddb level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Second level name Type Changeable ddb.commandonenter string yes ddb.dumpstack integer yes ddb.fromconsole integer yes ddb.lines integer yes ddb.maxoff integer yes ddb.maxwidth integer yes ddb.onpanic integer yes ddb.panicstackframes integer yes ddb.radix integer yes ddb.tabstops integer yes ddb.tee_msgbuf integer yes ddb.commandonenter If not empty, the string is used as the DDB command to be exe- cuted each time DDB is entered. ddb.dumpstack A value of 1 causes a stack trace to be printed on entering ddb from a panic. A value of 0 disables this behaviour. The default value is 1. ddb.fromconsole (DDBCTL_FROMCONSOLE) If not zero, DDB may be entered by sending a break on a serial console or by a special key sequence on a graphics console. ddb.lines (DDBCTL_LINES) Number of display lines. ddb.maxoff (DDBCTL_MAXOFF) The maximum symbol offset. ddb.maxwidth (DDBCTL_MAXWIDTH) The maximum output line width. ddb.onpanic (DDBCTL_ONPANIC) If greater than zero, DDB will be entered if the kernel panics. A value of 1 causes the system to enter DDB on panic. A value of 0 causes the kernel to attempt to print a stack trace, then reboot, while a value of -1 means neither a stack trace will be printed nor DDB entered. ddb.panicstackframes Number of stack frames to display on panic. Useful to avoid scrolling away the interesting frames on a glass tty. Default value is 65535 (all frames), useful value around 10. ddb.radix (DDBCTL_RADIX) The input and output radix. ddb.tabstops (DDBCTL_TABSTOPS) Tab width. ddb.tee_msgbuf If not zero, DDB will output also to the kernel message buffer. Some of these MIB nodes are also available as variables from within the debugger. See ddb(4) for more details. The security.* subtree (CTL_SECURITY) The security level contains various security-related settings for the system. The available second level names are: Second level name Type Changeable security.curtain integer yes security.models node not applicable security.pax node not applicable Available settings are detailed below. security.curtain If non-zero, will filter return objects according to the user ID requesting information about them, preventing users from access- ing any objects they do not own. At the moment, it affects ps(1), netstat(1) (for PF_INET, PF_INET6, and PF_UNIX PCBs), and w(1). security.models NetBSD supports pluggable security models. Every security model used, whether if loaded as a module or built with the system, is required to add an entry to this node with at least one element, ``name'', indicating the name of the security model. In addition to the name, any settings and other information pri- vate to the security model will be available under this node. See secmodel(9) for more information. security.pax Settings for PaX -- exploit mitigation features. For more infor- mation on any of the PaX features, please see paxctl(8) and security(7). The available third and fourth level names are: Third and fourth level names Type Changeable security.pax.aslr.enabled integer yes security.pax.aslr.global integer yes security.pax.mprotect.enabled integer yes security.pax.mprotect.global integer yes security.pax.mprotect.ptrace integer yes security.pax.segvguard.enabled integer yes security.pax.segvguard.expiry_timeout integer yes security.pax.segvguard.global integer yes security.pax.segvguard.max_crashes integer yes security.pax.segvguard.suspend_timeout integer yes security.pax.aslr.enabled Enable PaX ASLR (Address Space Layout Randomization). The value of this knob must be non-zero for PaX ASLR to be enabled, even if a program is set to explicit enable. security.pax.aslr.global Specifies the default global policy for programs without an explicit enable/disable flag. When non-zero, all programs will get PaX ASLR, except those exempted with paxctl(8). Otherwise, all programs will not get PaX ASLR, except those specifically marked as such with paxctl(8). security.pax.mprotect.enabled Enable PaX MPROTECT restrictions. These are mprotect(2) restrictions to better enforce a W^X policy. The value of this knob must be non-zero for PaX MPROTECT to be enabled, even if a program is set to explicit enable. security.pax.mprotect.global Specifies the default global policy for programs without an explicit enable/disable flag. When non-zero, all programs will get the PaX MPROTECT restrictions, except those exempted with paxctl(8). Oth- erwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with paxctl(8). security.pax.mprotect.ptrace This variable allows ptrace(2) to override PaX MPROTECT permissions. It can have the following values: 0 Does not let override any permissions. 1 Disables PaX MPROTECT from processes that start exe- cuting while traced (default). 2 Bypasses PaX MPROTECT for all processes being traced. security.pax.segvguard.enabled Enable PaX Segvguard. PaX Segvguard can detect and prevent certain exploitation attempts, where an attacker may try for example to brute- force function return addresses of respawning daemons. Note: The NetBSD interface and implementation of the Segvguard is still experimental, and may change in future releases. security.pax.segvguard.expiry_timeout If the max number was not reached within this timeout (in seconds), the entry will expire. security.pax.segvguard.global Specifies the default global policy for programs without an explicit enable/disable flag. When non-zero, all programs will get the PaX Segvguard, except those exempted with paxctl(8). Otherwise, no pro- gram will get the PaX Segvguard restrictions, except those specifically marked as such with paxctl(8). security.pax.segvguard.max_crashes The maximum number of segfaults a program can receive before suspension. security.pax.segvguard.suspend_timeout Number of seconds to suspend a user from running a fault- ing program when the limit was exceeded. The vendor.* subtree (CTL_VENDOR) The vendor toplevel name is reserved to be used by vendors who wish to have their own private MIB tree. Intended use is to store values under ``vendor.<yourname>.*''.
SEE ALSO
sysctl(3), ipsec(4), tcp(4), security(7), sysctl(8)
HISTORY
The sysctl variables first appeared in 4.4BSD. NetBSD 10.1 December 16, 2022 NetBSD 10.1
Powered by man-cgi (2024-08-26). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.