sysctl(3)
- NetBSD Manual Pages
SYSCTL(3) NetBSD Library Functions Manual SYSCTL(3)
NAME
sysctl, sysctlbyname, sysctlgetmibinfo, sysctlnametomib -- get or set
system information
LIBRARY
Standard C Library (libc, -lc)
SYNOPSIS
#include <sys/param.h>
#include <sys/sysctl.h>
int
sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp,
const void *newp, size_t newlen);
int
sysctlbyname(const char *sname, void *oldp, size_t *oldlenp, void *newp,
size_t newlen);
int
sysctlgetmibinfo(const char *sname, int *name, u_int *namelenp,
char *cname, size_t *csz, struct sysctlnode **rnode, int v);
int
sysctlnametomib(const char *sname, int *name, size_t *namelenp);
DESCRIPTION
The sysctl function retrieves system information and allows processes
with appropriate privileges to set system information. The information
available from sysctl consists of integers, strings, and tables. Infor-
mation may be retrieved and set from the command interface using the
sysctl(8) utility.
Unless explicitly noted below, sysctl returns a consistent snapshot of
the data requested. Consistency is obtained by locking the destination
buffer into memory so that the data may be copied out without blocking.
Calls to sysctl are serialized to avoid deadlock.
The state is described using a ``Management Information Base'' (MIB)
style name, listed in name, which is a namelen length array of integers.
The sysctlbyname() function accepts a string representation of a MIB
entry and internally maps it to the appropriate numeric MIB representa-
tion. Its semantics are otherwise no different from sysctl().
The information is copied into the buffer specified by oldp. The size of
the buffer is given by the location specified by oldlenp before the call,
and that location gives the amount of data copied after a successful
call. If the amount of data available is greater than the size of the
buffer supplied, the call supplies as much data as fits in the buffer
provided and returns with the error code ENOMEM. If the old value is not
desired, oldp and oldlenp should be set to NULL.
The size of the available data can be determined by calling sysctl with a
NULL parameter for oldp. The size of the available data will be returned
in the location pointed to by oldlenp. For some operations, the amount
of space may change often. For these operations, the system attempts to
round up so that the returned size is large enough for a call to return
the data shortly thereafter.
To set a new value, newp is set to point to a buffer of length newlen
from which the requested value is to be taken. If a new value is not to
be set, newp should be set to NULL and newlen set to 0.
The sysctlnametomib() function can be used to map the string representa-
tion of a MIB entry to the numeric version. The name argument should
point to an array of integers large enough to hold the MIB, and namelenp
should indicate the number of integer slots available. Following a suc-
cessful translation, the size_t indicated by namelenp will be changed to
show the number of slots consumed.
The sysctlgetmibinfo() function performs name translation similar to
sysctlnametomib(), but also canonicalizes the name (or returns the first
erroneous token from the string being parsed) into the space indicated by
cname and csz. csz should indicate the size of the buffer pointed to by
cname and on return, will indicate the size of the returned string
including the trailing `nul' character.
The rnode and v arguments to sysctlgetmibinfo() are used to provide a
tree for it to parse into, and to get back either a pointer to, or a copy
of, the terminal node. If rnode is NULL, sysctlgetmibinfo() uses its own
internal tree for parsing, and checks it against the kernel at each call,
to make sure that the name-to-number mapping is kept up to date. The v
argument is ignored in this case. If rnode is not NULL but the pointer
it references is, on a successful return, rnode will be adjusted to point
to a copy of the terminal node. The v argument indicates which version
of the sysctl node structure the caller wants. The application must
later free() this copy. If neither rnode nor the pointer it references
are NULL, the pointer is used as the address of a tree over which the
parsing is done. In this last case, the tree is not checked against the
kernel, no refreshing of the mappings is performed, and the value given
by v must agree with the version indicated by the tree. It is recom-
mended that applications always use SYSCTL_VERSION as the value for v, as
defined in the include file sys/sysctl.h.
The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and
are as follows. The next and subsequent levels down are found in the
include files listed here, and described in separate sections below.
Name Next level names Description
CTL_KERN sys/sysctl.h High kernel limits
CTL_VM uvm/uvm_param.h Virtual memory
CTL_VFS sys/mount.h Filesystem
CTL_NET sys/socket.h Networking
CTL_DEBUG sys/sysctl.h Debugging
CTL_HW sys/sysctl.h Generic CPU, I/O
CTL_MACHDEP sys/sysctl.h Machine dependent
CTL_USER sys/sysctl.h User-level
CTL_DDB sys/sysctl.h In-kernel debugger
CTL_PROC sys/sysctl.h Per-process
CTL_VENDOR ? Vendor specific
CTL_EMUL sys/sysctl.h Emulation settings
CTL_SECURITY sys/sysctl.h Security settings
For example, the following retrieves the maximum number of processes
allowed in the system:
int mib[2], maxproc;
size_t len;
mib[0] = CTL_KERN;
mib[1] = KERN_MAXPROC;
len = sizeof(maxproc);
sysctl(mib, 2, &maxproc, &len, NULL, 0);
To retrieve the standard search path for the system utilities:
int mib[2];
size_t len;
char *p;
mib[0] = CTL_USER;
mib[1] = USER_CS_PATH;
sysctl(mib, 2, NULL, &len, NULL, 0);
p = malloc(len);
sysctl(mib, 2, p, &len, NULL, 0);
CTL_DEBUG
The debugging variables vary from system to system. A debugging variable
may be added or deleted without need to recompile sysctl to know about
it. Each time it runs, sysctl gets the list of debugging variables from
the kernel and displays their current values. The system defines twenty
(struct ctldebug) variables named debug0 through debug19. They are
declared as separate variables so that they can be individually initial-
ized at the location of their associated variable. The loader prevents
multiple use of the same variable by issuing errors if a variable is ini-
tialized in more than one place. For example, to export the variable
dospecialcheck as a debugging variable, the following declaration would
be used:
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
Note that the dynamic implementation of sysctl currently in use largely
makes this particular sysctl interface obsolete. See sysctl(8) for more
information.
CTL_VFS
A distinguished second level name, VFS_GENERIC, is used to get general
information about all filesystems. One of its third level identifiers is
VFS_MAXTYPENUM that gives the highest valid filesystem type number. Its
other third level identifier is VFS_CONF that returns configuration
information about the filesystem type given as a fourth level identifier.
The remaining second level identifiers are the filesystem type number
returned by a statvfs(2) call or from VFS_CONF. The third level identi-
fiers available for each filesystem are given in the header file that
defines the mount argument structure for that filesystem.
CTL_HW
The string and integer information available for the CTL_HW level is
detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Second level name Type Changeable
HW_ALIGNBYTES integer no
HW_BYTEORDER integer no
HW_CNMAGIC string yes
HW_DISKNAMES string no
HW_DISKSTATS struct no
HW_MACHINE string no
HW_MACHINE_ARCH string no
HW_MODEL string no
HW_NCPU integer no
HW_PAGESIZE integer no
HW_PHYSMEM integer no
HW_PHYSMEM64 quad no
HW_USERMEM integer no
HW_USERMEM64 quad no
HW_ALIGNBYTES
Alignment constraint for all possible data types. This shows the
value ALIGNBYTES in /usr/include/machine/param.h, at the kernel
compilation time.
HW_BYTEORDER
The byteorder (4,321, or 1,234).
HW_CNMAGIC
The console magic key sequence.
HW_DISKNAMES
The list of (space separated) disk device and NFS mount names on
the system.
HW_IOSTATNAMES
A space separated list of devices that will have I/O statistics
collected on them.
HW_IOSTATS
Return statistical information on the NFS mounts, disk and tape
devices on the system. An array of struct io_sysctl structures
is returned, whose size depends on the current number of such
objects in the system. The third level name is the size of the
struct io_sysctl. The type of object can be determined by exam-
ining the type element of struct io_sysctl. Which can be
IOSTAT_DISK (disk drive), IOSTAT_TAPE (tape drive), or IOSTAT_NFS
(NFS mount).
HW_MACHINE
The machine class.
HW_MACHINE_ARCH
The machine CPU class.
HW_MODEL
The machine model.
HW_NCPU
The number of CPUs.
HW_PAGESIZE
The software page size.
HW_PHYSMEM
The bytes of physical memory as a 32-bit integer.
HW_PHYSMEM64
The bytes of physical memory as a 64-bit integer.
HW_USERMEM
The bytes of non-kernel memory as a 32-bit integer.
HW_USERMEM64
The bytes of non-kernel memory as a 64-bit integer.
CTL_KERN
The string and integer information available for the CTL_KERN level is
detailed below. The changeable column shows whether a process with
appropriate privilege may change the value. The types of data currently
available are process information, system vnodes, the open file entries,
routing table entries, virtual memory statistics, load average history,
and clock rate information.
Second level name Type Changeable
KERN_ARGMAX integer no
KERN_AUTONICETIME integer yes
KERN_AUTONICEVAL integer yes
KERN_BOOTTIME struct timeval no
KERN_BUFQ node not
applicable
KERN_CCPU integer no
KERN_CLOCKRATE struct clockinfo no
KERN_CONSDEV integer no
KERN_CP_ID struct no
KERN_CP_TIME uint64_t[] no
KERN_DEFCORENAME string yes
KERN_DOMAINNAME string yes
KERN_DRIVERS struct kinfo_drivers no
KERN_FILE struct file no
KERN_FORKFSLEEP integer yes
KERN_FSCALE integer no
KERN_FSYNC integer no
KERN_HARDCLOCK_TICKS integer no
KERN_HOSTID integer yes
KERN_HOSTNAME string yes
KERN_IOV_MAX integer no
KERN_JOB_CONTROL integer no
KERN_LABELOFFSET integer no
KERN_LABELSECTOR integer no
KERN_LOGIN_NAME_MAX integer no
KERN_LOGSIGEXIT integer yes
KERN_MAPPED_FILES integer no
KERN_MAXFILES integer yes
KERN_MAXPARTITIONS integer no
KERN_MAXPHYS integer no
KERN_MAXPROC integer yes
KERN_MAXPTYS integer yes
KERN_MAXVNODES integer yes
KERN_MBUF node not
applicable
KERN_MEMLOCK integer no
KERN_MEMLOCK_RANGE integer no
KERN_MEMORY_PROTECTION integer no
KERN_MONOTONIC_CLOCK integer no
KERN_MSGBUF integer no
KERN_MSGBUFSIZE integer no
KERN_NGROUPS integer no
KERN_NTPTIME struct ntptimeval no
KERN_OSRELEASE string no
KERN_OSREV integer no
KERN_OSTYPE string no
KERN_PIPE node not
applicable
KERN_POSIX1 integer no
KERN_POSIX_BARRIERS integer no
KERN_POSIX_READER_WRITER_LOCKS integer no
KERN_POSIX_SEMAPHORES integer no
KERN_POSIX_SPIN_LOCKS integer no
KERN_POSIX_THREADS integer no
KERN_POSIX_TIMERS integer no
KERN_PROC struct kinfo_proc no
KERN_PROC2 struct kinfo_proc2 no
KERN_PROC_ARGS string no
KERN_PROF node not
applicable
KERN_RAWPARTITION integer no
KERN_ROOT_DEVICE string no
KERN_ROOT_PARTITION integer no
KERN_RTC_OFFSET integer yes
KERN_SAVED_IDS integer no
KERN_SECURELVL integer raise only
KERN_SYNCHRONIZED_IO integer no
KERN_SYSVIPC node not
applicable
KERN_TIMEX struct no
KERN_TKSTAT node not
applicable
KERN_URANDOM integer no
KERN_VERSION string no
KERN_VNODE struct vnode no
KERN_ARGMAX
The maximum bytes of argument to execve(2).
KERN_AUTONICETIME
The number of seconds of CPU-time a non-root process may accumu-
late before having its priority lowered from the default to the
value of KERN_AUTONICEVAL. If set to 0, automatic lowering of
priority is not performed, and if set to -1 all non-root pro-
cesses are immediately lowered.
KERN_AUTONICEVAL
The priority assigned for automatically niced processes.
KERN_BOOTTIME
A struct timeval structure is returned. This structure contains
the time that the system was booted.
KERN_CCPU
The scheduler exponential decay value.
KERN_CLOCKRATE
A struct clockinfo structure is returned. This structure con-
tains the clock, statistics clock and profiling clock frequen-
cies, the number of micro-seconds per hz tick, and the clock skew
rate.
KERN_CONSDEV
Console device.
KERN_CP_ID
Mapping of CPU number to CPU id.
KERN_CP_TIME
Returns an array of CPUSTATES uint64_ts. This array contains the
number of clock ticks spent in different CPU states. On multi-
processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU. Data
for a specific CPU can also be obtained by adding the number of
the CPU at the end of the MIB, enlarging it by one.
KERN_DEFCORENAME
Default template for the name of core dump files (see also
PROC_PID_CORENAME in the per-process variables CTL_PROC, and
core(5) for format of this template). The default value is
%n.core and can be changed with the kernel configuration option
options DEFCORENAME (see options(4) ).
KERN_DOMAINNAME
Get or set the YP domain name.
KERN_DUMP_ON_PANIC
Perform a crash dump on system panic.
KERN_DRIVERS
Return an array of struct kinfo_drivers that contains the name
and major device numbers of all the device drivers in the current
kernel. The d_name field is always a NUL terminated string. The
d_bmajor field will be set to -1 if the driver doesn't have a
block device.
KERN_FILE
Return the entire file table. The returned data consists of a
single struct filelist followed by an array of struct file, whose
size depends on the current number of such objects in the system.
KERN_FORKFSLEEP
If fork(2) system call fails due to limit on number of processes
(either the global maxproc limit or user's one), wait for this
many milliseconds before returning EAGAIN error to process. Use-
ful to keep heavily forking runaway processes in bay. Default
zero (no sleep). Maximum is 20 seconds.
KERN_FSCALE
The kernel fixed-point scale factor.
KERN_FSYNC
Return 1 if the POSIX 1003.1b File Synchronization Option is
available on this system, otherwise 0.
KERN_HARDCLOCK_TICKS
Returns the number of hardclock(9) ticks.
KERN_HOSTID
Get or set the host id.
KERN_HOSTNAME
Get or set the hostname.
KERN_IOV_MAX
Return the maximum number of iovec structures that a process has
available for use with preadv(2), pwritev(2), readv(2),
recvmsg(2), sendmsg(2) and writev(2).
KERN_JOB_CONTROL
Return 1 if job control is available on this system, otherwise 0.
KERN_LABELOFFSET
The offset within the sector specified by KERN_LABELSECTOR of the
disklabel(5).
KERN_LABELSECTOR
The sector number containing the disklabel(5).
KERN_LOGIN_NAME_MAX
The size of the storage required for a login name, in bytes,
including the terminating NUL.
KERN_LOGSIGEXIT
If this flag is non-zero, the kernel will log(9) all process
exits due to signals which create a core(5) file, and whether the
coredump was created.
KERN_MAPPED_FILES
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is
available on this system, otherwise 0.
KERN_MAXFILES
The maximum number of open files that may be open in the system.
KERN_MAXPARTITIONS
The maximum number of partitions allowed per disk.
KERN_MAXPHYS
Maximum raw I/O transfer size.
KERN_MAXPROC
The maximum number of simultaneous processes the system will
allow.
KERN_MAXPTYS
The maximum number of pseudo terminals. This value can be both
raised and lowered, though it cannot be set lower than number of
currently used ptys. See also pty(4).
KERN_MAXVNODES
The maximum number of vnodes available on the system. This can
only be raised.
KERN_MBUF
Return information about the mbuf control variables. the third
level names for the mbuf variables are detailed below. The
changeable column shows whether a process with appropriate privi-
lege may change the value.
Third level name Type Changeable
MBUF_MBLOWAT integer yes
MBUF_MCLBYTES integer yes
MBUF_MCLLOWAT integer yes
MBUF_MSIZE integer yes
MBUF_NMBCLUSTERS integer yes
The variables are as follows:
MBUF_MBLOWAT
The mbuf low water mark.
MBUF_MCLBYTES
The mbuf cluster size.
MBUF_MCLLOWAT
The mbuf cluster low water mark.
MBUF_MSIZE
The mbuf base size.
MBUF_NMBCLUSTERS
The limit on the number of mbuf clusters. The variable
can only be increased, and only increased on machines
with direct-mapped pool pages.
KERN_MEMLOCK
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is
available on this system, otherwise 0.
KERN_MEMLOCK_RANGE
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is
available on this system, otherwise 0.
KERN_MEMORY_PROTECTION
Returns 1 if the POSIX 1003.1b Memory Protection Option is avail-
able on this system, otherwise 0.
KERN_MONOTONIC_CLOCK
Returns the standard version the implementation of the POSIX
1003.1b Monotonic Clock Option conforms to, otherwise 0.
KERN_MSGBUF
The kernel message buffer, rotated so that the head of the circu-
lar kernel message buffer is returned at the start of the buffer
specified by oldp. The returned data may contain NUL bytes.
KERN_MSGBUFSIZE
The maximum number of characters that the kernel message buffer
can hold.
KERN_NGROUPS
The maximum number of supplemental groups.
KERN_NTPTIME
A struct ntptimeval structure is returned. This structure con-
tains data used by the ntpd(8) program.
KERN_OSRELEASE
The system release string.
KERN_OSREV
The system revision string.
KERN_OSTYPE
The system type string.
KERN_PIPE
Pipe settings. The third level names for the integer pipe set-
tings is detailed below. The changeable column shows whether a
process with appropriate privilege may change the value.
Third level name Type Changeable
KERN_PIPE_KVASIZ integer yes
KERN_PIPE_MAXBIGPIPES integeryes
KERN_PIPE_MAXKVASZ integer yes
KERN_PIPE_LIMITKVA integer yes
KERN_PIPE_NBIGPIPES integer yes
The variables are as follows:
KERN_PIPE_KVASIZ
Amount of kernel memory consumed by pipe buffers.
KERN_PIPE_MAXBIGPIPES
Maximum number of "big" pipes.
KERN_PIPE_MAXKVASZ
Maximum amount of kernel memory to be used for pipes.
KERN_PIPE_LIMITKVA
Limit for direct transfers via page loan.
KERN_PIPE_NBIGPIPES
Number of "big" pipes.
KERN_POSIX1
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
KERN_POSIX_BARRIERS
The version of IEEE Std 1003.1 (``POSIX.1'') and its Barriers
option to which the system attempts to conform, otherwise 0.
KERN_POSIX_READER_WRITER_LOCKS
The version of IEEE Std 1003.1 (``POSIX.1'') and its Read-Write
Locks option to which the system attempts to conform, otherwise
0.
KERN_POSIX_SEMAPHORES
The version of IEEE Std 1003.1 (``POSIX.1'') and its Semaphores
option to which the system attempts to conform, otherwise 0.
KERN_POSIX_SPIN_LOCKS
The version of IEEE Std 1003.1 (``POSIX.1'') and its Spin Locks
option to which the system attempts to conform, otherwise 0.
KERN_POSIX_THREADS
The version of IEEE Std 1003.1 (``POSIX.1'') and its Threads
option to which the system attempts to conform, otherwise 0.
KERN_POSIX_TIMERS
The version of IEEE Std 1003.1 (``POSIX.1'') and its Timers
option to which the system attempts to conform, otherwise 0.
KERN_PROC
Return the entire process table, or a subset of it. An array of
struct kinfo_proc structures is returned, whose size depends on
the current number of such objects in the system. The third and
fourth level names are as follows:
Third level name Fourth level is:
KERN_PROC_ALL None
KERN_PROC_GID A group ID
KERN_PROC_PID A process ID
KERN_PROC_PGRP A process group
KERN_PROC_RGID A real group ID
KERN_PROC_RUID A real user ID
KERN_PROC_SESSION A session ID
KERN_PROC_TTY A tty device
KERN_PROC_UID A user ID
KERN_PROC2
As for KERN_PROC, but an array of struct kinfo_proc2 structures
are returned. The fifth level name is the size of the struct
kinfo_proc2 and the sixth level name is the number of structures
to return.
KERN_PROC_ARGS
Return the argv or environment strings (or the number thereof) of
a process. Multiple strings are returned separated by NUL char-
acters. The third level name is the process ID. The fourth
level name is as follows:
KERN_PROC_ARGV The argv strings
KERN_PROC_ENV The environ strings
KERN_PROC_NARGV The number of argv strings
KERN_PROC_NENV The number of environ strings
KERN_PROF
Return profiling information about the kernel. If the kernel is
not compiled for profiling, attempts to retrieve any of the
KERN_PROF values will fail with EOPNOTSUPP. The third level
names for the string and integer profiling information is
detailed below. The changeable column shows whether a process
with appropriate privilege may change the value.
Third level name Type Changeable
GPROF_COUNT u_short[] yes
GPROF_FROMS u_short[] yes
GPROF_GMONPARAM struct gmonparam no
GPROF_STATE integer yes
GPROF_TOS struct tostruct yes
The variables are as follows:
GPROF_COUNT
Array of statistical program counter counts.
GPROF_FROMS
Array indexed by program counter of call-from points.
GPROF_GMONPARAM
Structure giving the sizes of the above arrays.
GPROF_STATE
Profiling state. If set to GMON_PROF_ON, starts profil-
ing. If set to GMON_PROF_OFF, stops profiling.
GPROF_TOS
Array of struct tostruct describing destination of calls
and their counts.
KERN_RAWPARTITION
The raw partition of a disk (a == 0).
KERN_ROOT_DEVICE
The name of the root device (e.g., ``wd0'').
KERN_ROOT_PARTITION
The root partition on the root device (a == 0).
KERN_RTC_OFFSET
Return the offset of real time clock from UTC in minutes.
KERN_SAVED_IDS
Returns 1 if saved set-group and saved set-user ID is available.
KERN_SBMAX
Maximum socket buffer size.
KERN_SECURELVL
The system security level. This level may be raised by processes
with appropriate privilege. It may only be lowered by process 1.
KERN_SOMAXKVA
Maximum amount of kernel memory to be used for socket buffers.
KERN_SYNCHRONIZED_IO
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is avail-
able on this system, otherwise 0.
KERN_SYSVIPC
Return information about the SysV IPC parameters. The third level
names for the ipc variables are detailed below.
Third level name Type Changeable
KERN_SYSVIPC_MSG integer no
KERN_SYSVIPC_SEM integer no
KERN_SYSVIPC_SHM integer no
KERN_SYSVIPC_INFO struct no
KERN_SYSVIPC_SHMMAX integer no
KERN_SYSVIPC_SHMMNI integer yes
KERN_SYSVIPC_SHMSEG integer yes
KERN_SYSVIPC_SHMMAXPGS integer yes
KERN_SYSVIPC_SHMUSEPHYS integer yes
KERN_SYSVIPC_MSG
Returns 1 if System V style message queue functionality
is available on this system, otherwise 0.
KERN_SYSVIPC_SEM
Returns 1 if System V style semaphore functionality is
available on this system, otherwise 0.
KERN_SYSVIPC_SHM
Returns 1 if System V style share memory functionality is
available on this system, otherwise 0.
KERN_SYSVIPC_INFO
Return System V style IPC configuration and run-time
information. The third level name selects the System V
style IPC facility.
Fourth level name Type
KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info
KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info
KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info
KERN_SYSVIPC_MSG_INFO
Return information on the System V style message
facility. The msg_sysctl_info structure is
defined in <sys/msg.h>.
KERN_SYSVIPC_SEM_INFO
Return information on the System V style sema-
phore facility. The sem_sysctl_info structure is
defined in <sys/sem.h>.
KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared
memory facility. The shm_sysctl_info structure
is defined in <sys/shm.h>.
KERN_SYSVIPC_SHMMAX
Max shared memory segment size in bytes.
KERN_SYSVIPC_SHMMNI
Max number of shared memory identifiers.
KERN_SYSVIPC_SHMSEG
Max shared memory segments per process.
KERN_SYSVIPC_SHMMAXPGS
Max amount of shared memory in pages.
KERN_SYSVIPC_SHMUSEPHYS
Locking of shared memory in physical memory. If 0, memory
can be swaped out, otherwise it will be locked in physi-
cal memory.
KERN_TIMEX
Not available.
KERN_TKSTAT
Return information about the number of characters sent and
received on ttys. The third level names for the tty statistic
variables are detailed below. The changeable column shows
whether a process with appropriate privilege may change the
value.
Third level name Type Changeable
KERN_TKSTAT_CANCC quad no
KERN_TKSTAT_NIN quad no
KERN_TKSTAT_NOUT quad no
KERN_TKSTAT_RAWCC quad no
The variables are as follows:
KERN_TKSTAT_CANCC
The number of canonical input characters.
KERN_TKSTAT_NIN
The total number of input characters.
KERN_TKSTAT_NOUT
The total number of output characters.
KERN_TKSTAT_RAWCC
The number of raw input characters.
KERN_URND
Random integer value.
kern.veriexec
Tunings for Verixec.
kern.veriexec.algorithms
Returns a string with the supported algorithms in Ver-
iexec.
kern.veriexec.count
Sub-nodes are added to this node as new mounts are moni-
tored by Veriexec. Each mount will be under its own
tableN node. Under each node there will be three vari-
ables, indicating the mount point, the file-system type,
and the number of entries.
kern.veriexec.strict
Controls the strict level of Veriexec. See security(8)
for more information on each level's implications.
kern.veriexec.verbose
Controls the verbosity level of Veriexec. If 0, only the
minimal indication required will be given about what's
happening - fingerprint mismatches, removal of entries
from the tables, modification of a fingerprinted file.
If 1, more messages will be printed (ie., when a file
with a valid fingerprint is accessed). Verbose level 2
is debug mode.
KERN_VERSION
The system version string.
KERN_VNODE
Return the entire vnode table. Note, the vnode table is not nec-
essarily a consistent snapshot of the system. The returned data
consists of an array whose size depends on the current number of
such objects in the system. Each element of the array contains
the kernel address of a vnode struct vnode * followed by the
vnode itself struct vnode.
kern.coredump.setid
Settings related to set-id processes coredumps. By default, set-
id processes do not dump core in situations where other processes
would. The settings in this node allows an administrator to
change this behavior.
kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
kern.coredump.setid.group
The group-id for the set-id processes' coredump.
kern.coredump.setid.mode
The mode for the set-id processes' coredump. See
chmod(1).
kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id
processes' coredump.
kern.coredump.setid.path
The path to which set-id processes' coredumps will be
saved to. Same syntax as kern.defcorename.
CTL_MACHDEP
The set of variables defined is architecture dependent. Most architec-
tures define at least the following variables.
Second level name Type Changeable
CPU_CONSDEV dev_t no
CTL_NET
The string and integer information available for the CTL_NET level is
detailed below. The changeable column shows whether a process with
appropriate privilege may change the value. The second and third levels
are typically the protocol family and protocol number, though this is not
always the case.
Second level name Type Changeable
PF_ROUTE routing messages no
PF_INET IPv4 values yes
PF_INET6 IPv6 values yes
PF_KEY IPsec key management valuesyes
PF_ROUTE
Return the entire routing table or a subset of it. The data is
returned as a sequence of routing messages (see route(4) for the
header file, format and meaning). The length of each message is
contained in the message header.
The third level name is a protocol number, which is currently
always 0. The fourth level name is an address family, which may
be set to 0 to select all address families. The fifth and sixth
level names are as follows:
Fifth level name Sixth level is:
NET_RT_FLAGS rtflags
NET_RT_DUMP None
NET_RT_IFLIST None
PF_INET
Get or set various global information about the IPv4 (Internet
Protocol version 4). The third level name is the protocol. The
fourth level name is the variable name. The currently defined
protocols and names are:
Protocol name Variable name Type Changeable
arp down integer yes
arp keep integer yes
arp prune integer yes
arp refresh integer yes
carp allow integer yes
carp preempt integer yes
carp log integer yes
carp arpbalance integer yes
icmp errppslimit integer yes
icmp maskrepl integer yes
icmp rediraccept integer yes
icmp redirtimeout integer yes
ip allowsrcrt integer yes
ip anonportmax integer yes
ip anonportmin integer yes
ip checkinterface integer yes
ip directed-broadcast integer yes
ip do_loopback_cksum integer yes
ip forwarding integer yes
ip forwsrcrt integer yes
ip gifttl integer yes
ip grettl integer yes
ip hostzerobroadcast integer yes
ip lowportmin integer yes
ip lowportmax integer yes
ip maxflows integer yes
ip maxfragpackets integer yes
ip mtudisc integer yes
ip mtudisctimeout integer yes
ip random_id integer yes
ip redirect integer yes
ip subnetsarelocal integer yes
ip ttl integer yes
tcp rfc1323 integer yes
tcp sendspace integer yes
tcp recvspace integer yes
tcp mssdflt integer yes
tcp syn_cache_limit integer yes
tcp syn_bucket_limit integer yes
tcp syn_cache_interval integer yes
tcp init_win integer yes
tcp init_win_local integer yes
tcp mss_ifmtu integer yes
tcp win_scale integer yes
tcp timestamps integer yes
tcp compat_42 integer yes
tcp cwm integer yes
tcp cwm_burstsize integer yes
tcp ack_on_push integer yes
tcp keepidle integer yes
tcp keepintvl integer yes
tcp keepcnt integer yes
tcp slowhz integer no
tcp log_refused integer yes
tcp rstppslimit integer yes
tcp ident struct no
tcp sack.enable integer yes
tcp sack.globalholes integer no
tcp sack.globalmaxholes integeryes
tcp sack.maxholes integer yes
tcp ecn.enable integer yes
tcp ecn.maxretries integer yes
tcp congctl.selected string yes
tcp congctl.available string yes
tcp abc.enable integer yes
tcp abc.aggressive integer yes
udp checksum integer yes
udp do_loopback_cksum integer yes
udp recvspace integer yes
udp sendspace integer yes
The variables are as follows:
arp.down
Failed ARP entry lifetime.
arp.keep
Valid ARP entry lifetime.
arp.prune
ARP cache pruning interval.
arp.refresh
ARP entry refresh interval.
carp.allow
If set to 0, incoming carp(4) packets will not be pro-
cessed. If set to any other value, processing will
occur. Enabled by default.
carp.arpbalance
If set to any value other than 0, the ARP balancing func-
tionality of carp(4) is enabled. When ARP requests are
received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to
select one of the virtual hosts from the set of all the
virtual hosts which have that IP address. The master of
that host will respond with the correct virtual MAC
address. Disabled by default.
carp.log
If set to any value other than 0, carp(4) will log
errors. Disabled by default.
carp.preempt
If set to 0, carp(4) will not attempt to become master if
it is receiving advertisements from another active mas-
ter. If set to any other value, carp will become master
of the virtual host if it believes it can send advertise-
ments more frequently than the current master. Disabled
by default.
ip.allowsrcrt
If set to 1, the host accepts source routed packets.
ip.anonportmax
The highest port number to use for TCP and UDP ephemeral
port allocation. This cannot be set to less than 1024 or
greater than 65535, and must be greater than
ip.anonportmin.
ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral
port allocation. This cannot be set to less than 1024 or
greater than 65535.
ip.checkinterface
If set to non-zero, the host will reject packets
addressed to it that arrive on an interface not bound to
that address. Currently, this must be disabled if ipnat
is used to translate the destination address to another
local interface, or if addresses are added to the loop-
back interface instead of the interface where the packets
for those packets are received.
ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the
host.
ip.do_loopback_cksum
Perform IP checksum on loopback.
ip.forwarding
If set to 1, enables IP forwarding for the host, meaning
that the host is acting as a router.
ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets
for the host. This value may only be changed if the ker-
nel security level is less than 1.
ip.gifttl
The maximum time-to-live (hop count) value for an IPv4
packet generated by gif(4) tunnel interface.
ip.grettl
The maximum time-to-live (hop count) value for an IPv4
packet generated by gre(4) tunnel interface.
ip.hostzerobroadcast
All zeroes address is broadcast address.
ip.lowportmax
The highest port number to use for TCP and UDP reserved
port allocation. This cannot be set to less than 0 or
greater than 1024, and must be greater than
ip.lowportmin.
ip.lowportmin
The lowest port number to use for TCP and UDP reserved
port allocation. This cannot be set to less than 0 or
greater than 1024, and must be smaller than
ip.lowportmax.
ip.maxflows
IP Fast Forwarding is enabled by default. If set to 0,
IP Fast Forwarding is disabled. ip.maxflows controls the
maximum amount of flows which can be created. The
default value is 256.
ip.maxfragpackets
The maximum number of fragmented packets the node will
accept. 0 means that the node will not accept any frag-
mented packets. -1 means that the node will accept as
many fragmented packets as it receives. The flag is pro-
vided basically for avoiding possible DoS attacks.
ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191). When
Path MTU Discovery is enabled, the transmitted TCP seg-
ment size will be determined by the advertised maximum
segment size (MSS) from the remote end, as constrained by
the path MTU. If MTU Discovery is disabled, the trans-
mitted segment size will never be greater than
tcp.mssdflt (the local maximum segment size).
ip.mtudisctimeout
The number of seconds in which a route added by the Path
MTU Discovery engine will time out. When the route times
out, the Path MTU Discovery engine will attempt to probe
a larger path MTU.
ip.random_id
Assign random ip_id values.
ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP
packets, and should normally be enabled on all systems.
ip.subnetsarelocal
If set to 1, subnets are to be considered local
addresses.
ip.ttl The maximum time-to-live (hop count) value for an IP
packet sourced by the system. This value applies to nor-
mal transport protocols, not to ICMP.
icmp.errppslimit
The variable specifies the maximum number of outgoing
ICMP error messages, per second. ICMP error messages
that exceeded the value are subject to rate limitation
and will not go out from the node. Negative value dis-
ables rate limitation.
icmp.maskrepl
If set to 1, ICMP network mask requests are to be
answered.
icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect
packets. Note that routers will never accept ICMP redi-
rect packets, and the variable is meaningful on IP hosts
only.
icmp.redirtimeout
The variable specifies lifetime of routing entries gener-
ated by incoming ICMP redirect. This defaults to 600
seconds.
icmp.returndatabytes
Number of bytes to return in an ICMP error message.
tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon
reception of a packet with PUSH set. This can avoid los-
ing a round trip time in some rare situations, but has
the caveat of potentially defeating TCP's delayed ACK
algorithm. Use of this option is generally not recom-
mended, but the variable exists in case your configura-
tion really needs it.
tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD
TCP implementation. Use of this option is not recom-
mended, although it may be required in order to communi-
cate with extremely old TCP implementations.
tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann
Congestion Window Monitoring algorithm. This algorithm
prevents line-rate bursts of packets that could otherwise
occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and
router congestion. This can be particularly useful on
World Wide Web servers which support HTTP/1.1, which has
lingering connections.
tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in
terms of packet count.
tcp.delack_ticks
Number of ticks to delay sending an ACK.
tcp.do_loopback_cksum
Perform TCP checksum on loopback.
tcp.init_win
A value indicating the TCP initial congestion window. If
this value is 0, an auto-tuning algorithm designed to use
an initial window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of pack-
ets.
tcp.init_win_local
Like tcp.init_win, but used when communicating with hosts
on a local network.
tcp.keepcnt
Number of keepalive probes sent before declaring a con-
nection dead. If set to zero, there is no limit;
keepalives will be sent until some kind of response is
received from the peer.
tcp.keepidle
Time a connection must be idle before keepalives are sent
(if keepalives are enabled for the connection). See also
tcp.slowhz.
tcp.keepintvl
Time after a keepalive probe is sent until, in the
absence of any response, another probe is sent. See also
tcp.slowhz.
tcp.log_refused
If set to 1, refused TCP connections to the host will be
logged.
tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment
size based on the MTU of the appropriate interface. If
set to 0, it is calculated based on the greater of the
MTU of the interface, and the largest (non-loopback)
interface MTU on the system.
tcp.mssdflt
The default maximum segment size both advertised to the
peer and to use when either the peer does not advertise a
maximum segment size to us during connection setup or
Path MTU Discovery (ip.mtudisc) is disabled. Do not
change this value unless you really know what you are
doing.
tcp.newreno
If set to 1, enables the use of J. Hoe's NewReno conges-
tion control algorithm. This algorithm improves the
start-up behavior of TCP connections.
tcp.recvspace
The default TCP receive buffer size.
tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP
RST packets, per second. TCP RST packet that exceeded
the value are subject to rate limitation and will not go
out from the node. Negative value disables rate limita-
tion.
tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
tcp.sack.globalholes
Global number of TCP SACK holes.
tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notifi-
cation.
tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
tcp.sendspace
The default TCP send buffer size.
tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those vari-
ables are in ticks of a clock that ticks tcp.slowhz times
per second. (That is, their values must be divided by
the tcp.slowhz value to get times in seconds.)
tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in
the TCP compressed state engine.
tcp.syn_cache_limit
The maximum number of entries allowed in the TCP com-
pressed state engine.
tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323
time stamp options, used for measuring TCP round trip
times, are enabled.
tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323
window scale options, for increasing the TCP window size,
are enabled.
tcp.congctl.available
The available TCP congestion control algorithms.
tcp.congctl.selected
The currently selected TCP congestion control algorithm.
tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting
(ABC). If set to 0, use traditional Packet Counting.
tcp.abc.aggressive
Choose the L parameter found in RFC 3465. L is the maxi-
mum cwnd increase for an ack during slow start. If set
to 1, use L=2*SMSS. If set to 0, use L=1*SMSS. It has
no effect unless tcp.abc.enable is set to 1.
udp.checksum
If set to 1, UDP checksums are being computed. Received
non-zero UDP checksums are always checked. Disabling UDP
checksums is strongly discouraged.
udp.sendspace
The default UDP send buffer size.
udp.recvspace
The default UDP receive buffer size.
For variables net.*.ipsec, please refer to ipsec(4).
PF_INET6
Get or set various global information about the IPv6 (Internet
Protocol version 6). The third level name is the protocol. The
fourth level name is the variable name. The currently defined
protocols and names are:
Protocol name Variable name Type Changeable
icmp6 errppslimit integer yes
icmp6 mtudisc_hiwat integer yes
icmp6 mtudisc_lowat integer yes
icmp6 nd6_debug integer yes
icmp6 nd6_delay integer yes
icmp6 nd6_maxnudhint integer yes
icmp6 nd6_mmaxtries integer yes
icmp6 nd6_prune integer yes
icmp6 nd6_umaxtries integer yes
icmp6 nd6_useloopback integer yes
icmp6 nodeinfo integer yes
icmp6 rediraccept integer yes
icmp6 redirtimeout integer yes
ip6 accept_rtadv integer yes
ip6 anonportmax integer yes
ip6 anonportmin integer yes
ip6 auto_flowlabel integer yes
ip6 dad_count integer yes
ip6 defmcasthlim integer yes
ip6 forwarding integer yes
ip6 gifhlim integer yes
ip6 hlim integer yes
ip6 hdrnestlimit integer yes
ip6 kame_version string no
ip6 keepfaith integer yes
ip6 log_interval integer yes
ip6 lowportmax integer yes
ip6 lowportmin integer yes
ip6 maxfragpackets integer yes
ip6 maxfrags integer yes
ip6 redirect integer yes
ip6 rr_prune integer yes
ip6 use_deprecated integer yes
ip6 v6only integer yes
udp6 do_loopback_cksum integer yes
udp6 recvspace integer yes
udp6 sendspace integer yes
The variables are as follows:
ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router
advertisement packets and autoconfigures address prefixes
and default routers. The node must be a host (not a
router) for the option to be meaningful.
ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral
port allocation. This cannot be set to less than 1024 or
greater than 65535, and must be greater than
ip6.anonportmin.
ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral
port allocation. This cannot be set to less than 1024 or
greater than 65535.
ip6.auto_flowlabel
On connected transport protocol packets, fill IPv6
flowlabel field to help intermediate routers to identify
packet flows.
ip6.dad_count
The variable configures number of IPv6 DAD (duplicated
address detection) probe packets. The packets will be
generated when IPv6 interface addresses are configured.
ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet
sourced by the node. This value applies to all the
transport protocols on top of IPv6. There are APIs to
override the value, as documented in ip6(4).
ip6.forwarding
If set to 1, enables IPv6 forwarding for the node, mean-
ing that the node is acting as a router. If set to 0,
disables IPv6 forwarding for the node, meaning that the
node is acting as a host. IPv6 specification defines
node behavior for ``router'' case and ``host'' case quite
differently, and changing this variable during operation
may cause serious trouble. It is recommended to config-
ure the variable at bootstrap time, and bootstrap time
only.
ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated
by gif(4) tunnel interface.
ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incom-
ing IPv6 packets. If set to 0, the node will accept as
many extension headers as possible.
ip6.hlim
The default hop limit value for an IPv6 unicast packet
sourced by the node. This value applies to all the
transport protocols on top of IPv6. There are APIs to
override the value, as documented in ip6(4).
ip6.kame_version
The string identifies the version of KAME IPv6 stack
implemented in the kernel.
ip6.keepfaith
If set to non-zero, it enables ``FAITH'' TCP relay
IPv6-to-IPv4 translator code in the kernel. Refer
faith(4) and faithd(8) for detail.
ip6.log_interval
The variable controls amount of logs generated by IPv6
packet forwarding engine, by setting interval between log
output (in seconds).
ip6.lowportmax
The highest port number to use for TCP and UDP reserved
port allocation. This cannot be set to less than 0 or
greater than 1024, and must be greater than
ip6.lowportmin.
ip6.lowportmin
The lowest port number to use for TCP and UDP reserved
port allocation. This cannot be set to less than 0 or
greater than 1024, and must be smaller than
ip6.lowportmax.
ip6.maxfragpackets
The maximum number of fragmented packets the node will
accept. 0 means that the node will not accept any frag-
mented packets. -1 means that the node will accept as
many fragmented packets as it receives. The flag is pro-
vided basically for avoiding possible DoS attacks.
ip6.maxfrags
The maximum number of fragments the node will accept. 0
means that the node will not accept any fragments. -1
means that the node will accept as many fragments as it
receives. The flag is provided basically for avoiding
possible DoS attacks.
ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP
packets, and should normally be enabled on all systems.
ip6.rr_prune
The variable specifies interval between IPv6 router
renumbering prefix babysitting, in seconds.
ip6.use_deprecated
The variable controls use of deprecated address, speci-
fied in RFC 2462 5.5.4.
ip6.v6only
The variable specifies initial value for IPV6_V6ONLY
socket option for AF_INET6 socket. Please refer to
ip6(4) for detail.
icmp6.errppslimit
The variable specifies the maximum number of outgoing
ICMPv6 error messages, per second. ICMPv6 error messages
that exceeded the value are subject to rate limitation
and will not go out from the node. Negative value dis-
ables rate limitation.
icmp6.mtudisc_hiwat
icmp6.mtudisc_lowat
The variables define the maximum number of routing table
entries, created due to path MTU discovery (prevents
denial-of-service attacks with ICMPv6 too big messages).
When IPv6 path MTU discovery happens, we keep path MTU
information into the routing table. If the number of
routing table entries exceed the value, the kernel will
not attempt to keep the path MTU information.
icmp6.mtudisc_hiwat is used when we have verified ICMPv6
too big messages. icmp6.mtudisc_lowat is used when we
have unverified ICMPv6 too big messages. Verification is
performed by using address/port pairs kept in connected
pcbs. Negative value disables the upper limit.
icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code
will generate debugging messages. The debug outputs are
useful to diagnose IPv6 interoperability issues. The
flag must be set to 0 for normal operation.
icmp6.nd6_delay
The variable specifies DELAY_FIRST_PROBE_TIME timing con-
stant in IPv6 neighbor discovery specification (RFC
2461), in seconds.
icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to
supply reachability hints, to avoid unnecessary neighbor
discovery exchanges. The variable defines the number of
consecutive hints the neighbor discovery layer will take.
For example, by setting the variable to 3, neighbor dis-
covery layer will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will
perform normal neighbor discovery process.
icmp6.nd6_mmaxtries
The variable specifies MAX_MULTICAST_SOLICIT constant in
IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor
cache babysitting, in seconds.
icmp6.nd6_umaxtries
The variable specifies MAX_UNICAST_SOLICIT constant in
IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback
interface for local traffic.
icmp6.nodeinfo
The variable enables responses to ICMPv6 node information
queries. If you set the variable to 0, responses will
not be generated for ICMPv6 node information queries.
Since node information queries can have a security
impact, it is possible to fine tune which responses
should be answered. Two separate bits can be set.
1 Respond to ICMPv6 FQDN queries, e.g. ping6 -w.
2 Respond to ICMPv6 node addresses queries, e.g.
ping6 -a.
icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect
packets. Note that IPv6 routers will never accept ICMPv6
redirect packets, and the variable is meaningful on IPv6
hosts (non-router) only.
icmp6.redirtimeout
The variable specifies lifetime of routing entries gener-
ated by incoming ICMPv6 redirect.
udp6.do_loopback_cksum
Perform UDP checksum on loopback.
udp6.recvspace
Default UDP receive buffer size.
udp6.sendspace
Default UDP send buffer size.
We reuse net.*.tcp for TCP over IPv6, and therefore we do not
have variables net.*.tcp6. Variables net.inet6.udp6 have identi-
cal meaning to net.inet.udp. Please refer to PF_INET section
above. For variables net.*.ipsec6, please refer to ipsec(4).
PF_KEY Get or set various global information about the IPsec key manage-
ment. The third level name is the variable name. The currently
defined variable and names are:
Variable name Type Changeable
debug integer yes
spi_try integer yes
spi_min_value integer yes
spi_max_value integer yes
larval_lifetime integer yes
blockacq_count integer yes
blockacq_lifetime integer yes
esp_keymin integer yes
esp_auth integer yes
ah_keymin integer yes
The variables are as follows:
debug Turn on debugging message from within the kernel. The
value is a bitmap, as defined in
/usr/include/netkey/key_debug.h.
spi_try
The number of times the kernel will try to obtain an
unique SPI when it generates it from random number gener-
ator.
spi_min_value
Minimum SPI value when generating it within the kernel.
spi_max_value
Maximum SPI value when generating it within the kernel.
larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an
ACQUIRE message. It avoids flood of ACQUIRE PF_KEY from
being sent from the kernel to the key management daemon.
blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
esp_keymin
Minimum ESP key length, in bits. The value is used when
the kernel creates proposal payload on ACQUIRE PF_KEY
message.
esp_auth
Whether ESP authentication should be used or not. Non-
zero value indicates that ESP authentication should be
used. The value is used when the kernel creates proposal
payload on ACQUIRE PF_KEY message.
ah_keymin
Minimum AH key length, in bits, The value is used when
the kernel creates proposal payload on ACQUIRE PF_KEY
message.
CTL_PROC
The string and integer information available for the CTL_PROC is detailed
below. The changeable column shows whether a process with appropriate
privilege may change the value. These values are per-process, and as
such may change from one process to another. When a process is created,
the default values are inherited from its parent. When a set-user-ID or
set-group-ID binary is executed, the value of PROC_PID_CORENAME is reset
to the system default value. The second level name is either the magic
value PROC_CURPROC, which points to the current process, or the PID of
the target process.
Third level name Type Changeable
PROC_PID_CORENAME string yes
PROC_PID_LIMIT node not applicable
PROC_PID_STOPFORK int yes
PROC_PID_STOPEXEC int yes
PROC_PID_STOPEXIT int yes
PROC_PID_CORENAME
The template used for the core dump file name (see core(5) for
details). The base name must either be core or end with the suf-
fix ``.core'' (the super-user may set arbitrary names). By
default it points to KERN_DEFCORENAME.
PROC_PID_LIMIT
Return resources limits, as defined for the getrlimit(2) and
setrlimit(2) system calls. The fourth level name is one of:
PROC_PID_LIMIT_CPU The maximum amount of CPU time (in sec-
onds) to be used by each process.
PROC_PID_LIMIT_FSIZE The largest size (in bytes) file that
may be created.
PROC_PID_LIMIT_DATA The maximum size (in bytes) of the data
segment for a process; this defines how
far a program may extend its break with
the sbrk(2) system call.
PROC_PID_LIMIT_STACK The maximum size (in bytes) of the
stack segment for a process; this
defines how far a program's stack seg-
ment may be extended. Stack extension
is performed automatically by the sys-
tem.
PROC_PID_LIMIT_CORE The largest size (in bytes) core file
that may be created.
PROC_PID_LIMIT_RSS The maximum size (in bytes) to which a
process's resident set size may grow.
This imposes a limit on the amount of
physical memory to be given to a
process; if memory is tight, the system
will prefer to take memory from pro-
cesses that are exceeding their
declared resident set size.
PROC_PID_LIMIT_MEMLOCK The maximum size (in bytes) which a
process may lock into memory using the
mlock(2) function.
PROC_PID_LIMIT_NPROC The maximum number of simultaneous pro-
cesses for this user id.
PROC_PID_LIMIT_NOFILE The maximum number of open files for
this process.
The fifth level name is one of PROC_PID_LIMIT_TYPE_SOFT or
PROC_PID_LIMIT_TYPE_HARD, to select respectively the soft or hard
limit. Both are of type integer.
PROC_PID_STOPFORK
If non zero, the process' children will be stopped after fork(2)
calls. The children is created in the SSTOP state and is never
scheduled for running before being stopped. This feature helps
attaching a process with a debugger such as gdb(1) before it had
the opportunity to actually do anything.
This value is inherited by the process's children, and it also
apply to emulation specific system calls that fork a new process,
such as sproc() or clone().
PROC_PID_STOPEXEC
If non zero, the process will be stopped on next exec(3) call.
The process created by exec(3) is created in the SSTOP state and
is never scheduled for running before being stopped. This fea-
ture helps attaching a process with a debugger such as gdb(1)
before it had the opportunity to actually do anything.
This value is inherited by the process's children.
PROC_PID_STOPEXIT
If non zero, the process will be stopped on when it has cause to
exit, either by way of calling exit(3), _exit(2), or by the
receipt of a specific signal. The process is stopped before any
of its resources or vm space is released allowing examination of
the termination state of a process before it disappears. This
feature can be used to examine the final conditions of the
process's vmspace via pmap(1) or its resource settings with
sysctl(8) before it disappears.
This value is also inherited by the process's children.
CTL_USER
The string and integer information available for the CTL_USER level is
detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Second level name Type Changeable
USER_BC_BASE_MAX integer no
USER_BC_DIM_MAX integer no
USER_BC_SCALE_MAX integer no
USER_BC_STRING_MAX integer no
USER_COLL_WEIGHTS_MAX integer no
USER_CS_PATH string no
USER_EXPR_NEST_MAX integer no
USER_LINE_MAX integer no
USER_POSIX2_CHAR_TERM integer no
USER_POSIX2_C_BIND integer no
USER_POSIX2_C_DEV integer no
USER_POSIX2_FORT_DEV integer no
USER_POSIX2_FORT_RUN integer no
USER_POSIX2_LOCALEDEF integer no
USER_POSIX2_SW_DEV integer no
USER_POSIX2_UPE integer no
USER_POSIX2_VERSION integer no
USER_RE_DUP_MAX integer no
USER_STREAM_MAX integer no
USER_TZNAME_MAX integer no
USER_ATEXIT_MAX integer no
USER_BC_BASE_MAX
The maximum ibase/obase values in the bc(1) utility.
USER_BC_DIM_MAX
The maximum array size in the bc(1) utility.
USER_BC_SCALE_MAX
The maximum scale value in the bc(1) utility.
USER_BC_STRING_MAX
The maximum string length in the bc(1) utility.
USER_COLL_WEIGHTS_MAX
The maximum number of weights that can be assigned to any entry
of the LC_COLLATE order keyword in the locale definition file.
USER_CS_PATH
Return a value for the PATH environment variable that finds all
the standard utilities.
USER_EXPR_NEST_MAX
The maximum number of expressions that can be nested within
parenthesis by the expr(1) utility.
USER_LINE_MAX
The maximum length in bytes of a text-processing utility's input
line.
USER_POSIX2_CHAR_TERM
Return 1 if the system supports at least one terminal type capa-
ble of all operations described in POSIX 1003.2, otherwise 0.
USER_POSIX2_C_BIND
Return 1 if the system's C-language development facilities sup-
port the C-Language Bindings Option, otherwise 0.
USER_POSIX2_C_DEV
Return 1 if the system supports the C-Language Development Utili-
ties Option, otherwise 0.
USER_POSIX2_FORT_DEV
Return 1 if the system supports the FORTRAN Development Utilities
Option, otherwise 0.
USER_POSIX2_FORT_RUN
Return 1 if the system supports the FORTRAN Runtime Utilities
Option, otherwise 0.
USER_POSIX2_LOCALEDEF
Return 1 if the system supports the creation of locales, other-
wise 0.
USER_POSIX2_SW_DEV
Return 1 if the system supports the Software Development Utili-
ties Option, otherwise 0.
USER_POSIX2_UPE
Return 1 if the system supports the User Portability Utilities
Option, otherwise 0.
USER_POSIX2_VERSION
The version of POSIX 1003.2 with which the system attempts to
comply.
USER_RE_DUP_MAX
The maximum number of repeated occurrences of a regular expres-
sion permitted when using interval notation.
USER_STREAM_MAX
The minimum maximum number of streams that a process may have
open at any one time.
USER_TZNAME_MAX
The minimum maximum number of types supported for the name of a
timezone.
USER_ATEXIT_MAX
The maximum number of functions that may be registered with
atexit(3).
CTL_VM
The string and integer information available for the CTL_VM level is
detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Second level name Type Changeable
VM_ANONMAX int yes
VM_ANONMIN int yes
VM_BUFCACHE int yes
VM_BUFMEM int no
VM_BUFMEM_HIWATER int yes
VM_BUFMEM_LOWATER int yes
VM_EXECMAX int yes
VM_EXECMIN int yes
VM_FILEMAX int yes
VM_FILEMIN int yes
VM_LOADAVG struct loadavg no
VM_MAXSLP int no
VM_METER struct vmtotal no
VM_NKMEMPAGES int no
VM_USPACE int no
VM_UVMEXP struct uvmexp no
VM_UVMEXP2 struct uvmexp_sysctl no
VM_ANONMAX
The percentage of physical memory which will be reclaimed from
other types of memory usage to store anonymous application data.
VM_ANONMIN
The percentage of physical memory which will be always be avail-
able for anonymous application data.
VM_BUFCACHE
The percentage of physical memory which will be available for the
buffer cache.
VM_BUFMEM
The amount of kernel memory that is being used by the buffer
cache.
VM_BUFMEM_LOWATER
The minimum amount of kernel memory to reserve for the buffer
cache.
VM_BUFMEM_HIWATER
The maximum amount of kernel memory to be used for the buffer
cache.
VM_EXECMAX
The percentage of physical memory which will be reclaimed from
other types of memory usage to store cached executable data.
VM_EXECMIN
The percentage of physical memory which will be always be avail-
able for cached executable data.
VM_FILEMAX
The percentage of physical memory which will be reclaimed from
other types of memory usage to store cached file data.
VM_FILEMIN
The percentage of physical memory which will be always be avail-
able for cached file data.
VM_LOADAVG
Return the load average history. The returned data consists of a
struct loadavg.
VM_MAXSLP
The value of the maxslp kernel global variable.
VM_METER
Return system wide virtual memory statistics. The returned data
consists of a struct vmtotal.
VM_USPACE
The number of bytes allocated for each kernel stack.
VM_UVMEXP
Return system wide virtual memory statistics. The returned data
consists of a struct uvmexp.
VM_UVMEXP2
Return system wide virtual memory statistics. The returned data
consists of a struct uvmexp_sysctl.
CTL_DDB
The integer information available for the CTL_DDB level is detailed
below. The changeable column shows whether a process with appropriate
privilege may change the value.
Second level name Type Changeable
DBCTL_RADIX integer yes
DBCTL_MAXOFF integer yes
DBCTL_LINES integer yes
DBCTL_TABSTOPS integer yes
DBCTL_ONPANIC integer yes
DBCTL_FROMCONSOLE integer yes
DBCTL_RADIX
The input and output radix.
DBCTL_MAXOFF
The maximum symbol offset.
DBCTL_LINES
Number of display lines.
DBCTL_TABSTOPS
Tab width.
DBCTL_ONPANIC
If non-zero, DDB will be entered when the kernel panics.
DBCTL_FROMCONSOLE
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
These MIB nodes are also available as variables from within the DDB. See
ddb(4) for more details.
CTL_SECURITY
The security level contains various security-related settings for the
system. Available settings are detailed below.
security.curtain
If non-zero, will filter return objects according to the user-id
requesting information about them, preventing from users any
access to objects they don't own.
At the moment, it affects ps(1), netstat(1) (for PF_INET,
PF_INET6, and PF_UNIX PCBs), and w(1).
security.pax
Settings for PaX -- exploit mitigation features.
security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
These are mprotect(2) restrictions to better enforce a
W^X policy. The value of this knob must be non-zero for
PaX MPROTECT to be enabled, even if a program is set to
explicit enable.
security.pax.mprotect.global
Specifies the default global policy for programs without
an explicit enable/disable flag.
When non-zero, all programs will get the PaX MPROTECT
restrictions, except those exempted with paxctl(1). Oth-
erwise, all programs will not get the PaX MPROTECT
restrictions, except those specifically marked as such
with paxctl(1).
security.pax.segvguard.enable
Enable PaX Segvguard.
Please see security(8) for more information.
PaX Segvguard can detect and prevent certain exploitation
attempts, where an attacker may try for example to brute-
force function return addresses of respawning daemons.
Note: The NetBSD interface and implementation of the
Segvguard is still experimental, and may change in future
releases.
security.pax.segvguard.global
Specifies the default global policy for programs without
an explicit enable/disable flag.
When non-zero, all programs will get the PaX Segvguard,
except those exempted with paxctl(1). Otherwise, all
programs will not get the PaX Segvguard restrictions,
except those specifically marked as such with paxctl(1).
security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in
seconds), the entry will expire.
security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a fault-
ing program when the limit was exceeded.
security.pax.segvguard.max_crashes
Max number of segfaults a program can receive before sus-
pension.
CTL_VENDOR
The "vendor" toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree. Intended use is to store values under
``vendor.<yourname>.*''.
DYNAMIC OPERATIONS
Several meta-identifiers are provided to perform operations on the sysctl
tree itself, or support alternate means of accessing the data instru-
mented by the sysctl tree.
Name Description
CTL_QUERY Retrieve a mapping of names to numbers below a given
node
CTL_CREATE Create a new node
CTL_CREATESYM Create a new node by its kernel symbol
CTL_DESTROY Destroy a node
CTL_DESCRIBE Retrieve node descriptions
The core interface to all of these meta-functions is the structure that
the kernel uses to describe the tree internally, as defined in
<sys/sysctl.h> as:
struct sysctlnode {
uint32_t sysctl_flags; /* flags and type */
int32_t sysctl_num; /* mib number */
char sysctl_name[SYSCTL_NAMELEN]; /* node name */
uint32_t sysctl_ver; /* node's version vs. rest of tree */
uint32_t __rsvd;
union {
struct {
uint32_t suc_csize; /* size of child node array */
uint32_t suc_clen; /* number of valid children */
struct sysctlnode* suc_child; /* array of child nodes */
} scu_child;
struct {
void *sud_data; /* pointer to external data */
size_t sud_offset; /* offset to data */
} scu_data;
int32_t scu_alias; /* node this node refers to */
int32_t scu_idata; /* immediate "int" data */
u_quad_t scu_qdata; /* immediate "u_quad_t" data */
} sysctl_un;
size_t _sysctl_size; /* size of instrumented data */
sysctlfn _sysctl_func; /* access helper function */
struct sysctlnode *sysctl_parent; /* parent of this node */
const char *sysctl_desc; /* description of node */
};
#define sysctl_csize sysctl_un.scu_child.suc_csize
#define sysctl_clen sysctl_un.scu_child.suc_clen
#define sysctl_child sysctl_un.scu_child.suc_child
#define sysctl_data sysctl_un.scu_data.sud_data
#define sysctl_offset sysctl_un.scu_data.sud_offset
#define sysctl_alias sysctl_un.scu_alias
#define sysctl_idata sysctl_un.scu_idata
#define sysctl_qdata sysctl_un.scu_qdata
Querying the tree to discover the name to number mapping permits dynamic
discovery of all the data that the tree currently has instrumented. For
example, to discover all the nodes below the CTL_VFS node:
struct sysctlnode query, vfs[128];
int mib[2];
size_t len;
mib[0] = CTL_VFS;
mib[1] = CTL_QUERY;
memset(&query, 0, sizeof(query));
query.sysctl_flags = SYSCTL_VERSION;
len = sizeof(vfs);
sysctl(mib, 2, &vfs[0], &len, &query, sizeof(query));
Note that a reference to an empty node with sysctl_flags set to
SYSCTL_VERSION is passed to sysctl in order to indicate the version that
the program is using. All dynamic operations passing nodes into sysctl
require that the version be explicitly specified.
Creation and destruction of nodes works by constructing part of a new
node description (or a description of the existing node) and invoking
CTL_CREATE (or CTL_CREATESYM) or CTL_DESTROY at the parent of the new
node, with a pointer to the new node passed via the new and newlen argu-
ments. If valid values for old and oldlenp are passed, a copy of the new
node once in the tree will be returned. If the create operation fails
because a node with the same name or MIB number exists, a copy of the
conflicting node will be returned.
The minimum requirements for creating a node are setting the sysctl_flags
to indicate the new node's type, sysctl_num to either the new node's num-
ber (or CTL_CREATE or CTL_CREATESYM if a dynamically allocated MIB number
is acceptable), sysctl_size to the size of the data to be instrumented
(which must agree with the given type), and sysctl_name must be set to
the new node's name. Nodes that are not of type ``node'' must also have
some description of the data to be instrumented, which will vary depend-
ing on what is to be instrumented.
If existing kernel data is to be covered by this new node, its address
should be given in sysctl_data or, if CTL_CREATESYM is used, sysctl_data
should be set to a string containing its name from the kernel's symbol
table. If new data is to be instrumented and an initial value is avail-
able, the new integer or quad type data should be placed into either
sysctl_idata or sysctl_qdata, respectively, along with the SYSCTL_IMMEDI-
ATE flag being set, or sysctl_data should be set to point to a copy of
the new data, and the SYSCTL_OWNDATA flag must be set. This latter
method is the only way that new string and struct type nodes can be ini-
tialized. Invalid kernel addresses are accepted, but any attempt to
access those nodes will return an error.
The sysctl_csize, sysctl_clen, sysctl_child, sysctl_parent, and
sysctl_alias members are used by the kernel to link the tree together and
must be NULL or 0. Nodes created in this manner cannot have helper func-
tions, so sysctl_func must also be NULL. If the sysctl_ver member is
non-zero, it must match either the version of the parent or the version
at the root of the MIB or an error is returned. This can be used to
ensure that nodes are only added or removed from a known state of the
tree. Note: It may not be possible to determine the version at the root
of the tree.
This example creates a new subtree and adds a node to it that controls
the audiodebug kernel variable, thereby making it tunable at at any time,
without needing to use ddb(4) or kvm(3) to alter the kernel's memory
directly.
struct sysctlnode node;
int mib[2];
size_t len;
mib[0] = CTL_CREATE; /* create at top-level */
len = sizeof(node);
memset(&node, 0, len);
node.sysctl_flags = SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_NODE;
snprintf(node.sysctl_name, sizeof(node.sysctl_name), "local");
node.sysctl_num = CTL_CREATE; /* request dynamic MIB number */
sysctl(&mib[0], 1, &node, &len, &node, len);
mib[0] = node.sysctl_num; /* use new MIB number */
mib[1] = CTL_CREATESYM; /* create at second level */
len = sizeof(node);
memset(&node, 0, len);
node.sysctl_flags = SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_INT;
snprintf(node.sysctl_name, sizeof(node.sysctl_name), "audiodebug");
node.sysctl_num = CTL_CREATE;
node.sysctl_data = "audiodebug"; /* kernel symbol to be used */
sysctl(&mib[0], 2, NULL, NULL, &node, len);
The process for deleting nodes is similar, but less data needs to be sup-
plied. Only the sysctl_num field needs to be filled in; almost all other
fields must be left blank. The sysctl_name and/or sysctl_ver fields can
be filled in with the name and version of the existing node as additional
checks on what will be deleted. If all the given data fail to match any
node, nothing will be deleted. If valid values for old and oldlenp are
supplied and a node is deleted, a copy of what was in the MIB tree will
be returned.
This sample code shows the deletion of the two nodes created in the above
example:
int mib[2];
len = sizeof(node);
memset(&node, 0, len);
node.sysctl_flags = SYSCTL_VERSION;
mib[0] = 3214; /* assumed number for "local" */
mib[1] = CTL_DESTROY;
node.sysctl_num = 3215; /* assumed number for "audiodebug" */
sysctl(&mib[0], 2, NULL, NULL, &node, len);
mib[0] = CTL_DESTROY;
node.sysctl_num = 3214; /* now deleting "local" */
sysctl(&mib[0], 1, NULL, NULL, &node, len);
Descriptions of each of the nodes can also be retrieved, if they are
available. Descriptions can be retrieved in bulk at each level or on a
per-node basis. The layout of the buffer into which the descriptions are
returned is a series of variable length structures, each of which
describes its own size. The length indicated includes the terminating
`nul' character. Nodes that have no description or where the description
is not available are indicated by an empty string. The descr_ver will
match the sysctl_ver value for a given node, so that descriptions for
nodes whose number have been recycled can be detected and ignored or dis-
carded.
struct sysctldesc {
int32_t descr_num; /* mib number of node */
uint32_t descr_ver; /* version of node */
uint32_t descr_len; /* length of description string */
char descr_str[1]; /* not really 1...see above */
};
The NEXT_DESCR() macro can be used to skip to the next description in the
retrieved list.
struct sysctlnode desc;
struct sysctldesc *d;
char buf[1024];
int mib[2];
size_t len;
/* retrieve kern-level descriptions */
mib[0] = CTL_KERN;
mib[1] = CTL_DESCRIBE;
d = (struct sysctldesc *)&buf[0];
len = sizeof(buf);
sysctl(mib, 2, d, &len, NULL, 0);
while ((caddr_t)d < (caddr_t)&buf[len]) {
printf("node %d: %.*s\n", d->descr_num, d->descr_len,
d->descr_str);
d = NEXT_DESCR(d);
}
/* retrieve description for kern.securelevel */
memset(&desc, 0, sizeof(desc));
desc.sysctl_flags = SYSCTL_VERSION;
desc.sysctl_num = KERN_SECURELEVEL;
d = (struct sysctldesc *)&buf[0];
len = sizeof(buf);
sysctl(mib, 2, d, &len, &desc, sizeof(desc));
printf("kern.securelevel: %.*s\n", d->descr_len, d->descr_str);
Descriptions can also be set as follows, subject to the following rules:
· The kernel securelevel is at zero or lower
· The caller has super-user privileges
· The node does not currently have a description
· The node is not marked as ``permanent''
struct sysctlnode desc;
int mib[2];
/* presuming the given top-level node was just added... */
mib[0] = 3214; /* mib numbers taken from previous examples */
mib[1] = CTL_DESCRIBE;
memset(&desc, 0, sizeof(desc));
desc.sysctl_flags = SYSCTL_VERSION;
desc.sysctl_num = 3215;
desc.sysctl_desc = "audio debug control knob";
sysctl(mib, 2, NULL, NULL, &desc, sizeof(desc));
Upon successfully setting a description, the new description will be
returned in the space indicated by the oldp and oldlenp arguments.
The sysctl_flags field in the struct sysctlnode contains the sysctl ver-
sion, node type information, and a number of flags. The macros
SYSCTL_VERS(), SYSCTL_TYPE(), and SYSCTL_FLAGS() can be used to access
the different fields. Valid flags are:
Name Description
CTLFLAG_READONLY Node is read-only
CTLFLAG_READONLY1 Node becomes read-only at securelevel 1
CTLFLAG_READONLY2 Node becomes read-only at securelevel 2
CTLFLAG_READWRITE Node is writable by the superuser
CTLFLAG_ANYWRITE Node is writable by anyone
CTLFLAG_PRIVATE Node is readable only by the superuser
CTLFLAG_PERMANENT Node cannot be removed (cannot be set by pro-
cesses)
CTLFLAG_OWNDATA Node owns data and does not instrument existing
data
CTLFLAG_IMMEDIATE Node contains instrumented data and does not
instrument existing data
CTLFLAG_HEX Node's contents should be displayed in a
hexadecimal form
CTLFLAG_ROOT Node is the root of a tree (cannot be set at any
time)
CTLFLAG_ANYNUMBER Node matches any MIB number (cannot be set by
processes)
CTLFLAG_HIDDEN Node not displayed by default
CTLFLAG_ALIAS Node refers to a sibling node (cannot be set by
processes)
CTLFLAG_OWNDESC Node owns its own description string space
RETURN VALUES
If the call to sysctl is successful, the number of bytes copied out is
returned. Otherwise -1 is returned and errno is set appropriately.
FILES
<sys/sysctl.h> definitions for top level identifiers, second
level kernel and hardware identifiers, and user
level identifiers
<sys/socket.h> definitions for second level network identifiers
<sys/gmon.h> definitions for third level profiling identifiers
<uvm/uvm_param.h> definitions for second level virtual memory iden-
tifiers
<netinet/in.h> definitions for third level IPv4/v6 identifiers
and fourth level IPv4/v6 identifiers
<netinet/icmp_var.h> definitions for fourth level ICMP identifiers
<netinet/icmp6.h> definitions for fourth level ICMPv6 identifiers
<netinet/tcp_var.h> definitions for fourth level TCP identifiers
<netinet/udp_var.h> definitions for fourth level UDP identifiers
<netinet6/udp6_var.h> definitions for fourth level IPv6 UDP identifiers
<netinet6/ipsec.h> definitions for fourth level IPsec identifiers
<netkey/key_var.h> definitions for third level PF_KEY identifiers
<machine/cpu.h> definitions for second level machdep identifiers
ERRORS
The following errors may be reported:
[EFAULT] The buffer name, oldp, newp, or length pointer oldlenp
contains an invalid address, or the requested value is
temporarily unavailable.
[EINVAL] The name array is zero or greater than CTL_MAXNAME.
[EINVAL] A non-null newp is given and its specified length in
newlen is too large or too small, or the given value
is not acceptable for the given node.
[ENOMEM] The length pointed to by oldlenp is too short to hold
the requested value.
[EISDIR] The name array specifies an intermediate rather than
terminal name.
[ENOTDIR] The name array specifies a node below a node that
addresses data.
[ENOENT] The name array specifies a node that does not exist in
the tree.
[ENOENT] An attempt was made to destroy a node that does not
exist, or to create or destroy a node below a node
that does not exist.
[ENOTEMPTY] An attempt was made to destroy a node that still has
children.
[EOPNOTSUPP] The name array specifies a value that is unknown or a
meta-operation was attempted that the requested node
does not support.
[EPERM] An attempt is made to set a read-only value.
[EPERM] A process without appropriate privilege attempts to
set a value or to create or destroy a node.
[EPERM] An attempt to change a value protected by the current
kernel security level is made.
SEE ALSO
ipsec(4), tcp(4), sysctl(8)
HISTORY
The sysctl function first appeared in 4.4BSD.
NetBSD 4.0 November 27, 2006 NetBSD 4.0
Powered by man-cgi (2024-03-20).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.