sysctl(3) - NetBSD Manual Pages

Command: Section: Arch: Collection:  
SYSCTL(3)               NetBSD Library Functions Manual              SYSCTL(3)


NAME
sysctl, sysctlbyname, sysctlgetmibinfo, sysctlnametomib -- get or set system information
LIBRARY
Standard C Library (libc, -lc)
SYNOPSIS
#include <sys/param.h> #include <sys/sysctl.h> int sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp, const void *newp, size_t newlen); int sysctlbyname(const char *sname, void *oldp, size_t *oldlenp, void *newp, size_t newlen); int sysctlgetmibinfo(const char *sname, int *name, u_int *namelenp, char *cname, size_t *csz, struct sysctlnode **rnode, int v); int sysctlnametomib(const char *sname, int *name, size_t *namelenp);
DESCRIPTION
The sysctl function retrieves system information and allows processes with appropriate privileges to set system information. The information available from sysctl consists of integers, strings, and tables. Infor- mation may be retrieved and set from the command interface using the sysctl(8) utility. Unless explicitly noted below, sysctl returns a consistent snapshot of the data requested. Consistency is obtained by locking the destination buffer into memory so that the data may be copied out without blocking. Calls to sysctl are serialized to avoid deadlock. The state is described using a ``Management Information Base'' (MIB) style name, listed in name, which is a namelen length array of integers. The sysctlbyname() function accepts a string representation of a MIB entry and internally maps it to the appropriate numeric MIB representa- tion. Its semantics are otherwise no different from sysctl(). The information is copied into the buffer specified by oldp. The size of the buffer is given by the location specified by oldlenp before the call, and that location gives the amount of data copied after a successful call. If the amount of data available is greater than the size of the buffer supplied, the call supplies as much data as fits in the buffer provided and returns with the error code ENOMEM. If the old value is not desired, oldp and oldlenp should be set to NULL. The size of the available data can be determined by calling sysctl with a NULL parameter for oldp. The size of the available data will be returned in the location pointed to by oldlenp. For some operations, the amount of space may change often. For these operations, the system attempts to round up so that the returned size is large enough for a call to return the data shortly thereafter. To set a new value, newp is set to point to a buffer of length newlen from which the requested value is to be taken. If a new value is not to be set, newp should be set to NULL and newlen set to 0. The sysctlnametomib() function can be used to map the string representa- tion of a MIB entry to the numeric version. The name argument should point to an array of integers large enough to hold the MIB, and namelenp should indicate the number of integer slots available. Following a suc- cessful translation, the size_t indicated by namelenp will be changed to show the number of slots consumed. The sysctlgetmibinfo() function performs name translation similar to sysctlnametomib(), but also canonicalizes the name (or returns the first erroneous token from the string being parsed) into the space indicated by cname and csz. csz should indicate the size of the buffer pointed to by cname and on return, will indicate the size of the returned string including the trailing `nul' character. The rnode and v arguments to sysctlgetmibinfo() are used to provide a tree for it to parse into, and to get back either a pointer to, or a copy of, the terminal node. If rnode is NULL, sysctlgetmibinfo() uses its own internal tree for parsing, and checks it against the kernel at each call, to make sure that the name-to-number mapping is kept up to date. The v argument is ignored in this case. If rnode is not NULL but the pointer it references is, on a successful return, rnode will be adjusted to point to a copy of the terminal node. The v argument indicates which version of the sysctl node structure the caller wants. The application must later free() this copy. If neither rnode nor the pointer it references are NULL, the pointer is used as the address of a tree over which the parsing is done. In this last case, the tree is not checked against the kernel, no refreshing of the mappings is performed, and the value given by v must agree with the version indicated by the tree. It is recom- mended that applications always use SYSCTL_VERSION as the value for v, as defined in the include file sys/sysctl.h. The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and are as follows. The next and subsequent levels down are found in the include files listed here, and described in separate sections below. Name Next level names Description CTL_KERN sys/sysctl.h High kernel limits CTL_VM uvm/uvm_param.h Virtual memory CTL_VFS sys/mount.h Filesystem CTL_NET sys/socket.h Networking CTL_DEBUG sys/sysctl.h Debugging CTL_HW sys/sysctl.h Generic CPU, I/O CTL_MACHDEP sys/sysctl.h Machine dependent CTL_USER sys/sysctl.h User-level CTL_DDB sys/sysctl.h In-kernel debugger CTL_PROC sys/sysctl.h Per-process CTL_VENDOR ? Vendor specific CTL_EMUL sys/sysctl.h Emulation settings CTL_SECURITY sys/sysctl.h Security settings For example, the following retrieves the maximum number of processes allowed in the system: int mib[2], maxproc; size_t len; mib[0] = CTL_KERN; mib[1] = KERN_MAXPROC; len = sizeof(maxproc); sysctl(mib, 2, &maxproc, &len, NULL, 0); To retrieve the standard search path for the system utilities: int mib[2]; size_t len; char *p; mib[0] = CTL_USER; mib[1] = USER_CS_PATH; sysctl(mib, 2, NULL, &len, NULL, 0); p = malloc(len); sysctl(mib, 2, p, &len, NULL, 0);
CTL_DEBUG
The debugging variables vary from system to system. A debugging variable may be added or deleted without need to recompile sysctl to know about it. Each time it runs, sysctl gets the list of debugging variables from the kernel and displays their current values. The system defines twenty (struct ctldebug) variables named debug0 through debug19. They are declared as separate variables so that they can be individually initial- ized at the location of their associated variable. The loader prevents multiple use of the same variable by issuing errors if a variable is ini- tialized in more than one place. For example, to export the variable dospecialcheck as a debugging variable, the following declaration would be used: int dospecialcheck = 1; struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck }; Note that the dynamic implementation of sysctl currently in use largely makes this particular sysctl interface obsolete. See sysctl(8) for more information.
CTL_VFS
A distinguished second level name, VFS_GENERIC, is used to get general information about all filesystems. One of its third level identifiers is VFS_MAXTYPENUM that gives the highest valid filesystem type number. Its other third level identifier is VFS_CONF that returns configuration information about the filesystem type given as a fourth level identifier. The remaining second level identifiers are the filesystem type number returned by a statvfs(2) call or from VFS_CONF. The third level identi- fiers available for each filesystem are given in the header file that defines the mount argument structure for that filesystem.
CTL_HW
The string and integer information available for the CTL_HW level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Second level name Type Changeable HW_ALIGNBYTES integer no HW_BYTEORDER integer no HW_CNMAGIC string yes HW_DISKNAMES string no HW_DISKSTATS struct no HW_MACHINE string no HW_MACHINE_ARCH string no HW_MODEL string no HW_NCPU integer no HW_PAGESIZE integer no HW_PHYSMEM integer no HW_PHYSMEM64 quad no HW_USERMEM integer no HW_USERMEM64 quad no HW_ALIGNBYTES Alignment constraint for all possible data types. This shows the value ALIGNBYTES in /usr/include/machine/param.h, at the kernel compilation time. HW_BYTEORDER The byteorder (4,321, or 1,234). HW_CNMAGIC The console magic key sequence. HW_DISKNAMES The list of (space separated) disk device and NFS mount names on the system. HW_IOSTATNAMES A space separated list of devices that will have I/O statistics collected on them. HW_IOSTATS Return statistical information on the NFS mounts, disk and tape devices on the system. An array of struct io_sysctl structures is returned, whose size depends on the current number of such objects in the system. The third level name is the size of the struct io_sysctl. The type of object can be determined by exam- ining the type element of struct io_sysctl. Which can be IOSTAT_DISK (disk drive), IOSTAT_TAPE (tape drive), or IOSTAT_NFS (NFS mount). HW_MACHINE The machine class. HW_MACHINE_ARCH The machine CPU class. HW_MODEL The machine model. HW_NCPU The number of CPUs. HW_PAGESIZE The software page size. HW_PHYSMEM The bytes of physical memory as a 32-bit integer. HW_PHYSMEM64 The bytes of physical memory as a 64-bit integer. HW_USERMEM The bytes of non-kernel memory as a 32-bit integer. HW_USERMEM64 The bytes of non-kernel memory as a 64-bit integer.
CTL_KERN
The string and integer information available for the CTL_KERN level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. The types of data currently available are process information, system vnodes, the open file entries, routing table entries, virtual memory statistics, load average history, and clock rate information. Second level name Type Changeable KERN_ARGMAX integer no KERN_AUTONICETIME integer yes KERN_AUTONICEVAL integer yes KERN_BOOTTIME struct timeval no KERN_BUFQ node not applicable KERN_CCPU integer no KERN_CLOCKRATE struct clockinfo no KERN_CONSDEV integer no KERN_CP_ID struct no KERN_CP_TIME uint64_t[] no KERN_DEFCORENAME string yes KERN_DOMAINNAME string yes KERN_DRIVERS struct kinfo_drivers no KERN_FILE struct file no KERN_FORKFSLEEP integer yes KERN_FSCALE integer no KERN_FSYNC integer no KERN_HARDCLOCK_TICKS integer no KERN_HOSTID integer yes KERN_HOSTNAME string yes KERN_IOV_MAX integer no KERN_JOB_CONTROL integer no KERN_LABELOFFSET integer no KERN_LABELSECTOR integer no KERN_LOGIN_NAME_MAX integer no KERN_LOGSIGEXIT integer yes KERN_MAPPED_FILES integer no KERN_MAXFILES integer yes KERN_MAXPARTITIONS integer no KERN_MAXPHYS integer no KERN_MAXPROC integer yes KERN_MAXPTYS integer yes KERN_MAXVNODES integer yes KERN_MBUF node not applicable KERN_MEMLOCK integer no KERN_MEMLOCK_RANGE integer no KERN_MEMORY_PROTECTION integer no KERN_MONOTONIC_CLOCK integer no KERN_MSGBUF integer no KERN_MSGBUFSIZE integer no KERN_NGROUPS integer no KERN_NTPTIME struct ntptimeval no KERN_OSRELEASE string no KERN_OSREV integer no KERN_OSTYPE string no KERN_PIPE node not applicable KERN_POSIX1 integer no KERN_POSIX_BARRIERS integer no KERN_POSIX_READER_WRITER_LOCKS integer no KERN_POSIX_SEMAPHORES integer no KERN_POSIX_SPIN_LOCKS integer no KERN_POSIX_THREADS integer no KERN_POSIX_TIMERS integer no KERN_PROC struct kinfo_proc no KERN_PROC2 struct kinfo_proc2 no KERN_PROC_ARGS string no KERN_PROF node not applicable KERN_RAWPARTITION integer no KERN_ROOT_DEVICE string no KERN_ROOT_PARTITION integer no KERN_RTC_OFFSET integer yes KERN_SAVED_IDS integer no KERN_SECURELVL integer raise only KERN_SYNCHRONIZED_IO integer no KERN_SYSVIPC node not applicable KERN_TIMEX struct no KERN_TKSTAT node not applicable KERN_URANDOM integer no KERN_VERSION string no KERN_VNODE struct vnode no KERN_ARGMAX The maximum bytes of argument to execve(2). KERN_AUTONICETIME The number of seconds of CPU-time a non-root process may accumu- late before having its priority lowered from the default to the value of KERN_AUTONICEVAL. If set to 0, automatic lowering of priority is not performed, and if set to -1 all non-root pro- cesses are immediately lowered. KERN_AUTONICEVAL The priority assigned for automatically niced processes. KERN_BOOTTIME A struct timeval structure is returned. This structure contains the time that the system was booted. KERN_CCPU The scheduler exponential decay value. KERN_CLOCKRATE A struct clockinfo structure is returned. This structure con- tains the clock, statistics clock and profiling clock frequen- cies, the number of micro-seconds per hz tick, and the clock skew rate. KERN_CONSDEV Console device. KERN_CP_ID Mapping of CPU number to CPU id. KERN_CP_TIME Returns an array of CPUSTATES uint64_ts. This array contains the number of clock ticks spent in different CPU states. On multi- processor systems, the sum across all CPUs is returned unless appropriate space is given for one data set for each CPU. Data for a specific CPU can also be obtained by adding the number of the CPU at the end of the MIB, enlarging it by one. KERN_DEFCORENAME Default template for the name of core dump files (see also PROC_PID_CORENAME in the per-process variables CTL_PROC, and core(5) for format of this template). The default value is %n.core and can be changed with the kernel configuration option options DEFCORENAME (see options(4) ). KERN_DOMAINNAME Get or set the YP domain name. KERN_DUMP_ON_PANIC Perform a crash dump on system panic. KERN_DRIVERS Return an array of struct kinfo_drivers that contains the name and major device numbers of all the device drivers in the current kernel. The d_name field is always a NUL terminated string. The d_bmajor field will be set to -1 if the driver doesn't have a block device. KERN_FILE Return the entire file table. The returned data consists of a single struct filelist followed by an array of struct file, whose size depends on the current number of such objects in the system. KERN_FORKFSLEEP If fork(2) system call fails due to limit on number of processes (either the global maxproc limit or user's one), wait for this many milliseconds before returning EAGAIN error to process. Use- ful to keep heavily forking runaway processes in bay. Default zero (no sleep). Maximum is 20 seconds. KERN_FSCALE The kernel fixed-point scale factor. KERN_FSYNC Return 1 if the POSIX 1003.1b File Synchronization Option is available on this system, otherwise 0. KERN_HARDCLOCK_TICKS Returns the number of hardclock(9) ticks. KERN_HOSTID Get or set the host id. KERN_HOSTNAME Get or set the hostname. KERN_IOV_MAX Return the maximum number of iovec structures that a process has available for use with preadv(2), pwritev(2), readv(2), recvmsg(2), sendmsg(2) and writev(2). KERN_JOB_CONTROL Return 1 if job control is available on this system, otherwise 0. KERN_LABELOFFSET The offset within the sector specified by KERN_LABELSECTOR of the disklabel(5). KERN_LABELSECTOR The sector number containing the disklabel(5). KERN_LOGIN_NAME_MAX The size of the storage required for a login name, in bytes, including the terminating NUL. KERN_LOGSIGEXIT If this flag is non-zero, the kernel will log(9) all process exits due to signals which create a core(5) file, and whether the coredump was created. KERN_MAPPED_FILES Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available on this system, otherwise 0. KERN_MAXFILES The maximum number of open files that may be open in the system. KERN_MAXPARTITIONS The maximum number of partitions allowed per disk. KERN_MAXPHYS Maximum raw I/O transfer size. KERN_MAXPROC The maximum number of simultaneous processes the system will allow. KERN_MAXPTYS The maximum number of pseudo terminals. This value can be both raised and lowered, though it cannot be set lower than number of currently used ptys. See also pty(4). KERN_MAXVNODES The maximum number of vnodes available on the system. This can only be raised. KERN_MBUF Return information about the mbuf control variables. the third level names for the mbuf variables are detailed below. The changeable column shows whether a process with appropriate privi- lege may change the value. Third level name Type Changeable MBUF_MBLOWAT integer yes MBUF_MCLBYTES integer yes MBUF_MCLLOWAT integer yes MBUF_MSIZE integer yes MBUF_NMBCLUSTERS integer yes The variables are as follows: MBUF_MBLOWAT The mbuf low water mark. MBUF_MCLBYTES The mbuf cluster size. MBUF_MCLLOWAT The mbuf cluster low water mark. MBUF_MSIZE The mbuf base size. MBUF_NMBCLUSTERS The limit on the number of mbuf clusters. The variable can only be increased, and only increased on machines with direct-mapped pool pages. KERN_MEMLOCK Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available on this system, otherwise 0. KERN_MEMLOCK_RANGE Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available on this system, otherwise 0. KERN_MEMORY_PROTECTION Returns 1 if the POSIX 1003.1b Memory Protection Option is avail- able on this system, otherwise 0. KERN_MONOTONIC_CLOCK Returns the standard version the implementation of the POSIX 1003.1b Monotonic Clock Option conforms to, otherwise 0. KERN_MSGBUF The kernel message buffer, rotated so that the head of the circu- lar kernel message buffer is returned at the start of the buffer specified by oldp. The returned data may contain NUL bytes. KERN_MSGBUFSIZE The maximum number of characters that the kernel message buffer can hold. KERN_NGROUPS The maximum number of supplemental groups. KERN_NTPTIME A struct ntptimeval structure is returned. This structure con- tains data used by the ntpd(8) program. KERN_OSRELEASE The system release string. KERN_OSREV The system revision string. KERN_OSTYPE The system type string. KERN_PIPE Pipe settings. The third level names for the integer pipe set- tings is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Third level name Type Changeable KERN_PIPE_KVASIZ integer yes KERN_PIPE_MAXBIGPIPES integeryes KERN_PIPE_MAXKVASZ integer yes KERN_PIPE_LIMITKVA integer yes KERN_PIPE_NBIGPIPES integer yes The variables are as follows: KERN_PIPE_KVASIZ Amount of kernel memory consumed by pipe buffers. KERN_PIPE_MAXBIGPIPES Maximum number of "big" pipes. KERN_PIPE_MAXKVASZ Maximum amount of kernel memory to be used for pipes. KERN_PIPE_LIMITKVA Limit for direct transfers via page loan. KERN_PIPE_NBIGPIPES Number of "big" pipes. KERN_POSIX1 The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply. KERN_POSIX_BARRIERS The version of IEEE Std 1003.1 (``POSIX.1'') and its Barriers option to which the system attempts to conform, otherwise 0. KERN_POSIX_READER_WRITER_LOCKS The version of IEEE Std 1003.1 (``POSIX.1'') and its Read-Write Locks option to which the system attempts to conform, otherwise 0. KERN_POSIX_SEMAPHORES The version of IEEE Std 1003.1 (``POSIX.1'') and its Semaphores option to which the system attempts to conform, otherwise 0. KERN_POSIX_SPIN_LOCKS The version of IEEE Std 1003.1 (``POSIX.1'') and its Spin Locks option to which the system attempts to conform, otherwise 0. KERN_POSIX_THREADS The version of IEEE Std 1003.1 (``POSIX.1'') and its Threads option to which the system attempts to conform, otherwise 0. KERN_POSIX_TIMERS The version of IEEE Std 1003.1 (``POSIX.1'') and its Timers option to which the system attempts to conform, otherwise 0. KERN_PROC Return the entire process table, or a subset of it. An array of struct kinfo_proc structures is returned, whose size depends on the current number of such objects in the system. The third and fourth level names are as follows: Third level name Fourth level is: KERN_PROC_ALL None KERN_PROC_GID A group ID KERN_PROC_PID A process ID KERN_PROC_PGRP A process group KERN_PROC_RGID A real group ID KERN_PROC_RUID A real user ID KERN_PROC_SESSION A session ID KERN_PROC_TTY A tty device KERN_PROC_UID A user ID KERN_PROC2 As for KERN_PROC, but an array of struct kinfo_proc2 structures are returned. The fifth level name is the size of the struct kinfo_proc2 and the sixth level name is the number of structures to return. KERN_PROC_ARGS Return the argv or environment strings (or the number thereof) of a process. Multiple strings are returned separated by NUL char- acters. The third level name is the process ID. The fourth level name is as follows: KERN_PROC_ARGV The argv strings KERN_PROC_ENV The environ strings KERN_PROC_NARGV The number of argv strings KERN_PROC_NENV The number of environ strings KERN_PROF Return profiling information about the kernel. If the kernel is not compiled for profiling, attempts to retrieve any of the KERN_PROF values will fail with EOPNOTSUPP. The third level names for the string and integer profiling information is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Third level name Type Changeable GPROF_COUNT u_short[] yes GPROF_FROMS u_short[] yes GPROF_GMONPARAM struct gmonparam no GPROF_STATE integer yes GPROF_TOS struct tostruct yes The variables are as follows: GPROF_COUNT Array of statistical program counter counts. GPROF_FROMS Array indexed by program counter of call-from points. GPROF_GMONPARAM Structure giving the sizes of the above arrays. GPROF_STATE Profiling state. If set to GMON_PROF_ON, starts profil- ing. If set to GMON_PROF_OFF, stops profiling. GPROF_TOS Array of struct tostruct describing destination of calls and their counts. KERN_RAWPARTITION The raw partition of a disk (a == 0). KERN_ROOT_DEVICE The name of the root device (e.g., ``wd0''). KERN_ROOT_PARTITION The root partition on the root device (a == 0). KERN_RTC_OFFSET Return the offset of real time clock from UTC in minutes. KERN_SAVED_IDS Returns 1 if saved set-group and saved set-user ID is available. KERN_SBMAX Maximum socket buffer size. KERN_SECURELVL The system security level. This level may be raised by processes with appropriate privilege. It may only be lowered by process 1. KERN_SOMAXKVA Maximum amount of kernel memory to be used for socket buffers. KERN_SYNCHRONIZED_IO Returns 1 if the POSIX 1003.1b Synchronized I/O Option is avail- able on this system, otherwise 0. KERN_SYSVIPC Return information about the SysV IPC parameters. The third level names for the ipc variables are detailed below. Third level name Type Changeable KERN_SYSVIPC_MSG integer no KERN_SYSVIPC_SEM integer no KERN_SYSVIPC_SHM integer no KERN_SYSVIPC_INFO struct no KERN_SYSVIPC_SHMMAX integer no KERN_SYSVIPC_SHMMNI integer yes KERN_SYSVIPC_SHMSEG integer yes KERN_SYSVIPC_SHMMAXPGS integer yes KERN_SYSVIPC_SHMUSEPHYS integer yes KERN_SYSVIPC_MSG Returns 1 if System V style message queue functionality is available on this system, otherwise 0. KERN_SYSVIPC_SEM Returns 1 if System V style semaphore functionality is available on this system, otherwise 0. KERN_SYSVIPC_SHM Returns 1 if System V style share memory functionality is available on this system, otherwise 0. KERN_SYSVIPC_INFO Return System V style IPC configuration and run-time information. The third level name selects the System V style IPC facility. Fourth level name Type KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info KERN_SYSVIPC_MSG_INFO Return information on the System V style message facility. The msg_sysctl_info structure is defined in <sys/msg.h>. KERN_SYSVIPC_SEM_INFO Return information on the System V style sema- phore facility. The sem_sysctl_info structure is defined in <sys/sem.h>. KERN_SYSVIPC_SHM_INFO Return information on the System V style shared memory facility. The shm_sysctl_info structure is defined in <sys/shm.h>. KERN_SYSVIPC_SHMMAX Max shared memory segment size in bytes. KERN_SYSVIPC_SHMMNI Max number of shared memory identifiers. KERN_SYSVIPC_SHMSEG Max shared memory segments per process. KERN_SYSVIPC_SHMMAXPGS Max amount of shared memory in pages. KERN_SYSVIPC_SHMUSEPHYS Locking of shared memory in physical memory. If 0, memory can be swaped out, otherwise it will be locked in physi- cal memory. KERN_TIMEX Not available. KERN_TKSTAT Return information about the number of characters sent and received on ttys. The third level names for the tty statistic variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Third level name Type Changeable KERN_TKSTAT_CANCC quad no KERN_TKSTAT_NIN quad no KERN_TKSTAT_NOUT quad no KERN_TKSTAT_RAWCC quad no The variables are as follows: KERN_TKSTAT_CANCC The number of canonical input characters. KERN_TKSTAT_NIN The total number of input characters. KERN_TKSTAT_NOUT The total number of output characters. KERN_TKSTAT_RAWCC The number of raw input characters. KERN_URND Random integer value. kern.veriexec Tunings for Verixec. kern.veriexec.algorithms Returns a string with the supported algorithms in Ver- iexec. kern.veriexec.count Sub-nodes are added to this node as new mounts are moni- tored by Veriexec. Each mount will be under its own tableN node. Under each node there will be three vari- ables, indicating the mount point, the file-system type, and the number of entries. kern.veriexec.strict Controls the strict level of Veriexec. See security(8) for more information on each level's implications. kern.veriexec.verbose Controls the verbosity level of Veriexec. If 0, only the minimal indication required will be given about what's happening - fingerprint mismatches, removal of entries from the tables, modification of a fingerprinted file. If 1, more messages will be printed (ie., when a file with a valid fingerprint is accessed). Verbose level 2 is debug mode. KERN_VERSION The system version string. KERN_VNODE Return the entire vnode table. Note, the vnode table is not nec- essarily a consistent snapshot of the system. The returned data consists of an array whose size depends on the current number of such objects in the system. Each element of the array contains the kernel address of a vnode struct vnode * followed by the vnode itself struct vnode. kern.coredump.setid Settings related to set-id processes coredumps. By default, set- id processes do not dump core in situations where other processes would. The settings in this node allows an administrator to change this behavior. kern.coredump.setid.dump If non-zero, set-id processes will dump core. kern.coredump.setid.group The group-id for the set-id processes' coredump. kern.coredump.setid.mode The mode for the set-id processes' coredump. See chmod(1). kern.coredump.setid.owner The user-id that will be used as the owner of the set-id processes' coredump. kern.coredump.setid.path The path to which set-id processes' coredumps will be saved to. Same syntax as kern.defcorename.
CTL_MACHDEP
The set of variables defined is architecture dependent. Most architec- tures define at least the following variables. Second level name Type Changeable CPU_CONSDEV dev_t no
CTL_NET
The string and integer information available for the CTL_NET level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. The second and third levels are typically the protocol family and protocol number, though this is not always the case. Second level name Type Changeable PF_ROUTE routing messages no PF_INET IPv4 values yes PF_INET6 IPv6 values yes PF_KEY IPsec key management valuesyes PF_ROUTE Return the entire routing table or a subset of it. The data is returned as a sequence of routing messages (see route(4) for the header file, format and meaning). The length of each message is contained in the message header. The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows: Fifth level name Sixth level is: NET_RT_FLAGS rtflags NET_RT_DUMP None NET_RT_IFLIST None PF_INET Get or set various global information about the IPv4 (Internet Protocol version 4). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: Protocol name Variable name Type Changeable arp down integer yes arp keep integer yes arp prune integer yes arp refresh integer yes carp allow integer yes carp preempt integer yes carp log integer yes carp arpbalance integer yes icmp errppslimit integer yes icmp maskrepl integer yes icmp rediraccept integer yes icmp redirtimeout integer yes ip allowsrcrt integer yes ip anonportmax integer yes ip anonportmin integer yes ip checkinterface integer yes ip directed-broadcast integer yes ip do_loopback_cksum integer yes ip forwarding integer yes ip forwsrcrt integer yes ip gifttl integer yes ip grettl integer yes ip hostzerobroadcast integer yes ip lowportmin integer yes ip lowportmax integer yes ip maxflows integer yes ip maxfragpackets integer yes ip mtudisc integer yes ip mtudisctimeout integer yes ip random_id integer yes ip redirect integer yes ip subnetsarelocal integer yes ip ttl integer yes tcp rfc1323 integer yes tcp sendspace integer yes tcp recvspace integer yes tcp mssdflt integer yes tcp syn_cache_limit integer yes tcp syn_bucket_limit integer yes tcp syn_cache_interval integer yes tcp init_win integer yes tcp init_win_local integer yes tcp mss_ifmtu integer yes tcp win_scale integer yes tcp timestamps integer yes tcp compat_42 integer yes tcp cwm integer yes tcp cwm_burstsize integer yes tcp ack_on_push integer yes tcp keepidle integer yes tcp keepintvl integer yes tcp keepcnt integer yes tcp slowhz integer no tcp log_refused integer yes tcp rstppslimit integer yes tcp ident struct no tcp sack.enable integer yes tcp sack.globalholes integer no tcp sack.globalmaxholes integeryes tcp sack.maxholes integer yes tcp ecn.enable integer yes tcp ecn.maxretries integer yes tcp congctl.selected string yes tcp congctl.available string yes tcp abc.enable integer yes tcp abc.aggressive integer yes udp checksum integer yes udp do_loopback_cksum integer yes udp recvspace integer yes udp sendspace integer yes The variables are as follows: arp.down Failed ARP entry lifetime. arp.keep Valid ARP entry lifetime. arp.prune ARP cache pruning interval. arp.refresh ARP entry refresh interval. carp.allow If set to 0, incoming carp(4) packets will not be pro- cessed. If set to any other value, processing will occur. Enabled by default. carp.arpbalance If set to any value other than 0, the ARP balancing func- tionality of carp(4) is enabled. When ARP requests are received for an IP address which is part of any virtual host, carp will hash the source IP in the ARP request to select one of the virtual hosts from the set of all the virtual hosts which have that IP address. The master of that host will respond with the correct virtual MAC address. Disabled by default. carp.log If set to any value other than 0, carp(4) will log errors. Disabled by default. carp.preempt If set to 0, carp(4) will not attempt to become master if it is receiving advertisements from another active mas- ter. If set to any other value, carp will become master of the virtual host if it believes it can send advertise- ments more frequently than the current master. Disabled by default. ip.allowsrcrt If set to 1, the host accepts source routed packets. ip.anonportmax The highest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535, and must be greater than ip.anonportmin. ip.anonportmin The lowest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535. ip.checkinterface If set to non-zero, the host will reject packets addressed to it that arrive on an interface not bound to that address. Currently, this must be disabled if ipnat is used to translate the destination address to another local interface, or if addresses are added to the loop- back interface instead of the interface where the packets for those packets are received. ip.directed-broadcast If set to 1, enables directed broadcast behavior for the host. ip.do_loopback_cksum Perform IP checksum on loopback. ip.forwarding If set to 1, enables IP forwarding for the host, meaning that the host is acting as a router. ip.forwsrcrt If set to 1, enables forwarding of source-routed packets for the host. This value may only be changed if the ker- nel security level is less than 1. ip.gifttl The maximum time-to-live (hop count) value for an IPv4 packet generated by gif(4) tunnel interface. ip.grettl The maximum time-to-live (hop count) value for an IPv4 packet generated by gre(4) tunnel interface. ip.hostzerobroadcast All zeroes address is broadcast address. ip.lowportmax The highest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be greater than ip.lowportmin. ip.lowportmin The lowest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be smaller than ip.lowportmax. ip.maxflows IP Fast Forwarding is enabled by default. If set to 0, IP Fast Forwarding is disabled. ip.maxflows controls the maximum amount of flows which can be created. The default value is 256. ip.maxfragpackets The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any frag- mented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is pro- vided basically for avoiding possible DoS attacks. ip.mtudisc If set to 1, enables Path MTU Discovery (RFC 1191). When Path MTU Discovery is enabled, the transmitted TCP seg- ment size will be determined by the advertised maximum segment size (MSS) from the remote end, as constrained by the path MTU. If MTU Discovery is disabled, the trans- mitted segment size will never be greater than tcp.mssdflt (the local maximum segment size). ip.mtudisctimeout The number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU. ip.random_id Assign random ip_id values. ip.redirect If set to 1, ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems. ip.subnetsarelocal If set to 1, subnets are to be considered local addresses. ip.ttl The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to nor- mal transport protocols, not to ICMP. icmp.errppslimit The variable specifies the maximum number of outgoing ICMP error messages, per second. ICMP error messages that exceeded the value are subject to rate limitation and will not go out from the node. Negative value dis- ables rate limitation. icmp.maskrepl If set to 1, ICMP network mask requests are to be answered. icmp.rediraccept If set to non-zero, the host will accept ICMP redirect packets. Note that routers will never accept ICMP redi- rect packets, and the variable is meaningful on IP hosts only. icmp.redirtimeout The variable specifies lifetime of routing entries gener- ated by incoming ICMP redirect. This defaults to 600 seconds. icmp.returndatabytes Number of bytes to return in an ICMP error message. tcp.ack_on_push If set to 1, TCP is to immediately transmit an ACK upon reception of a packet with PUSH set. This can avoid los- ing a round trip time in some rare situations, but has the caveat of potentially defeating TCP's delayed ACK algorithm. Use of this option is generally not recom- mended, but the variable exists in case your configura- tion really needs it. tcp.compat_42 If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation. Use of this option is not recom- mended, although it may be required in order to communi- cate with extremely old TCP implementations. tcp.cwm If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window Monitoring algorithm. This algorithm prevents line-rate bursts of packets that could otherwise occur when data begins flowing on an idle TCP connection. These line-rate bursts can contribute to network and router congestion. This can be particularly useful on World Wide Web servers which support HTTP/1.1, which has lingering connections. tcp.cwm_burstsize The Congestion Window Monitoring allowed burst size, in terms of packet count. tcp.delack_ticks Number of ticks to delay sending an ACK. tcp.do_loopback_cksum Perform TCP checksum on loopback. tcp.init_win A value indicating the TCP initial congestion window. If this value is 0, an auto-tuning algorithm designed to use an initial window of approximately 4K bytes is in use. Otherwise, this value indicates a fixed number of pack- ets. tcp.init_win_local Like tcp.init_win, but used when communicating with hosts on a local network. tcp.keepcnt Number of keepalive probes sent before declaring a con- nection dead. If set to zero, there is no limit; keepalives will be sent until some kind of response is received from the peer. tcp.keepidle Time a connection must be idle before keepalives are sent (if keepalives are enabled for the connection). See also tcp.slowhz. tcp.keepintvl Time after a keepalive probe is sent until, in the absence of any response, another probe is sent. See also tcp.slowhz. tcp.log_refused If set to 1, refused TCP connections to the host will be logged. tcp.mss_ifmtu If set to 1, TCP calculates the outgoing maximum segment size based on the MTU of the appropriate interface. If set to 0, it is calculated based on the greater of the MTU of the interface, and the largest (non-loopback) interface MTU on the system. tcp.mssdflt The default maximum segment size both advertised to the peer and to use when either the peer does not advertise a maximum segment size to us during connection setup or Path MTU Discovery (ip.mtudisc) is disabled. Do not change this value unless you really know what you are doing. tcp.newreno If set to 1, enables the use of J. Hoe's NewReno conges- tion control algorithm. This algorithm improves the start-up behavior of TCP connections. tcp.recvspace The default TCP receive buffer size. tcp.rfc1323 If set to 1, enables RFC 1323 extensions to TCP. tcp.rstppslimit The variable specifies the maximum number of outgoing TCP RST packets, per second. TCP RST packet that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limita- tion. tcp.sack.enable If set to 1, enables RFC 2018 Selective ACKnowledgement. tcp.sack.globalholes Global number of TCP SACK holes. tcp.sack.globalmaxholes Global maximum number of TCP SACK holes. tcp.sack.maxholes Maximum number of TCP SACK holes allowed per connection. tcp.ecn.enable If set to 1, enables RFC 3168 Explicit Congestion Notifi- cation. tcp.ecn.maxretries Number of times to retry sending the ECN-setup packet. tcp.sendspace The default TCP send buffer size. tcp.slowhz The units for tcp.keepidle and tcp.keepintvl; those vari- ables are in ticks of a clock that ticks tcp.slowhz times per second. (That is, their values must be divided by the tcp.slowhz value to get times in seconds.) tcp.syn_bucket_limit The maximum number of entries allowed per hash bucket in the TCP compressed state engine. tcp.syn_cache_limit The maximum number of entries allowed in the TCP com- pressed state engine. tcp.timestamps If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options, used for measuring TCP round trip times, are enabled. tcp.win_scale If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options, for increasing the TCP window size, are enabled. tcp.congctl.available The available TCP congestion control algorithms. tcp.congctl.selected The currently selected TCP congestion control algorithm. tcp.abc.enable If set to 1, use RFC 3465 Appropriate Byte Counting (ABC). If set to 0, use traditional Packet Counting. tcp.abc.aggressive Choose the L parameter found in RFC 3465. L is the maxi- mum cwnd increase for an ack during slow start. If set to 1, use L=2*SMSS. If set to 0, use L=1*SMSS. It has no effect unless tcp.abc.enable is set to 1. udp.checksum If set to 1, UDP checksums are being computed. Received non-zero UDP checksums are always checked. Disabling UDP checksums is strongly discouraged. udp.sendspace The default UDP send buffer size. udp.recvspace The default UDP receive buffer size. For variables net.*.ipsec, please refer to ipsec(4). PF_INET6 Get or set various global information about the IPv6 (Internet Protocol version 6). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: Protocol name Variable name Type Changeable icmp6 errppslimit integer yes icmp6 mtudisc_hiwat integer yes icmp6 mtudisc_lowat integer yes icmp6 nd6_debug integer yes icmp6 nd6_delay integer yes icmp6 nd6_maxnudhint integer yes icmp6 nd6_mmaxtries integer yes icmp6 nd6_prune integer yes icmp6 nd6_umaxtries integer yes icmp6 nd6_useloopback integer yes icmp6 nodeinfo integer yes icmp6 rediraccept integer yes icmp6 redirtimeout integer yes ip6 accept_rtadv integer yes ip6 anonportmax integer yes ip6 anonportmin integer yes ip6 auto_flowlabel integer yes ip6 dad_count integer yes ip6 defmcasthlim integer yes ip6 forwarding integer yes ip6 gifhlim integer yes ip6 hlim integer yes ip6 hdrnestlimit integer yes ip6 kame_version string no ip6 keepfaith integer yes ip6 log_interval integer yes ip6 lowportmax integer yes ip6 lowportmin integer yes ip6 maxfragpackets integer yes ip6 maxfrags integer yes ip6 redirect integer yes ip6 rr_prune integer yes ip6 use_deprecated integer yes ip6 v6only integer yes udp6 do_loopback_cksum integer yes udp6 recvspace integer yes udp6 sendspace integer yes The variables are as follows: ip6.accept_rtadv If set to non-zero, the node will accept ICMPv6 router advertisement packets and autoconfigures address prefixes and default routers. The node must be a host (not a router) for the option to be meaningful. ip6.anonportmax The highest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535, and must be greater than ip6.anonportmin. ip6.anonportmin The lowest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535. ip6.auto_flowlabel On connected transport protocol packets, fill IPv6 flowlabel field to help intermediate routers to identify packet flows. ip6.dad_count The variable configures number of IPv6 DAD (duplicated address detection) probe packets. The packets will be generated when IPv6 interface addresses are configured. ip6.defmcasthlim The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. There are APIs to override the value, as documented in ip6(4). ip6.forwarding If set to 1, enables IPv6 forwarding for the node, mean- ing that the node is acting as a router. If set to 0, disables IPv6 forwarding for the node, meaning that the node is acting as a host. IPv6 specification defines node behavior for ``router'' case and ``host'' case quite differently, and changing this variable during operation may cause serious trouble. It is recommended to config- ure the variable at bootstrap time, and bootstrap time only. ip6.gifhlim The maximum hop limit value for an IPv6 packet generated by gif(4) tunnel interface. ip6.hdrnestlimit The number of IPv6 extension headers permitted on incom- ing IPv6 packets. If set to 0, the node will accept as many extension headers as possible. ip6.hlim The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. There are APIs to override the value, as documented in ip6(4). ip6.kame_version The string identifies the version of KAME IPv6 stack implemented in the kernel. ip6.keepfaith If set to non-zero, it enables ``FAITH'' TCP relay IPv6-to-IPv4 translator code in the kernel. Refer faith(4) and faithd(8) for detail. ip6.log_interval The variable controls amount of logs generated by IPv6 packet forwarding engine, by setting interval between log output (in seconds). ip6.lowportmax The highest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be greater than ip6.lowportmin. ip6.lowportmin The lowest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be smaller than ip6.lowportmax. ip6.maxfragpackets The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any frag- mented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is pro- vided basically for avoiding possible DoS attacks. ip6.maxfrags The maximum number of fragments the node will accept. 0 means that the node will not accept any fragments. -1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks. ip6.redirect If set to 1, ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems. ip6.rr_prune The variable specifies interval between IPv6 router renumbering prefix babysitting, in seconds. ip6.use_deprecated The variable controls use of deprecated address, speci- fied in RFC 2462 5.5.4. ip6.v6only The variable specifies initial value for IPV6_V6ONLY socket option for AF_INET6 socket. Please refer to ip6(4) for detail. icmp6.errppslimit The variable specifies the maximum number of outgoing ICMPv6 error messages, per second. ICMPv6 error messages that exceeded the value are subject to rate limitation and will not go out from the node. Negative value dis- ables rate limitation. icmp6.mtudisc_hiwat icmp6.mtudisc_lowat The variables define the maximum number of routing table entries, created due to path MTU discovery (prevents denial-of-service attacks with ICMPv6 too big messages). When IPv6 path MTU discovery happens, we keep path MTU information into the routing table. If the number of routing table entries exceed the value, the kernel will not attempt to keep the path MTU information. icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected pcbs. Negative value disables the upper limit. icmp6.nd6_debug If set to non-zero, kernel IPv6 neighbor discovery code will generate debugging messages. The debug outputs are useful to diagnose IPv6 interoperability issues. The flag must be set to 0 for normal operation. icmp6.nd6_delay The variable specifies DELAY_FIRST_PROBE_TIME timing con- stant in IPv6 neighbor discovery specification (RFC 2461), in seconds. icmp6.nd6_maxnudhint IPv6 neighbor discovery permits upper layer protocols to supply reachability hints, to avoid unnecessary neighbor discovery exchanges. The variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor dis- covery layer will take 3 consecutive hints in maximum. After receiving 3 hints, neighbor discovery layer will perform normal neighbor discovery process. icmp6.nd6_mmaxtries The variable specifies MAX_MULTICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461). icmp6.nd6_prune The variable specifies interval between IPv6 neighbor cache babysitting, in seconds. icmp6.nd6_umaxtries The variable specifies MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461). icmp6.nd6_useloopback If set to non-zero, kernel IPv6 stack will use loopback interface for local traffic. icmp6.nodeinfo The variable enables responses to ICMPv6 node information queries. If you set the variable to 0, responses will not be generated for ICMPv6 node information queries. Since node information queries can have a security impact, it is possible to fine tune which responses should be answered. Two separate bits can be set. 1 Respond to ICMPv6 FQDN queries, e.g. ping6 -w. 2 Respond to ICMPv6 node addresses queries, e.g. ping6 -a. icmp6.rediraccept If set to non-zero, the host will accept ICMPv6 redirect packets. Note that IPv6 routers will never accept ICMPv6 redirect packets, and the variable is meaningful on IPv6 hosts (non-router) only. icmp6.redirtimeout The variable specifies lifetime of routing entries gener- ated by incoming ICMPv6 redirect. udp6.do_loopback_cksum Perform UDP checksum on loopback. udp6.recvspace Default UDP receive buffer size. udp6.sendspace Default UDP send buffer size. We reuse net.*.tcp for TCP over IPv6, and therefore we do not have variables net.*.tcp6. Variables net.inet6.udp6 have identi- cal meaning to net.inet.udp. Please refer to PF_INET section above. For variables net.*.ipsec6, please refer to ipsec(4). PF_KEY Get or set various global information about the IPsec key manage- ment. The third level name is the variable name. The currently defined variable and names are: Variable name Type Changeable debug integer yes spi_try integer yes spi_min_value integer yes spi_max_value integer yes larval_lifetime integer yes blockacq_count integer yes blockacq_lifetime integer yes esp_keymin integer yes esp_auth integer yes ah_keymin integer yes The variables are as follows: debug Turn on debugging message from within the kernel. The value is a bitmap, as defined in /usr/include/netkey/key_debug.h. spi_try The number of times the kernel will try to obtain an unique SPI when it generates it from random number gener- ator. spi_min_value Minimum SPI value when generating it within the kernel. spi_max_value Maximum SPI value when generating it within the kernel. larval_lifetime Lifetime for LARVAL SAD entries, in seconds. blockacq_count Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message. It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the key management daemon. blockacq_lifetime Lifetime of ACQUIRE PF_KEY message. esp_keymin Minimum ESP key length, in bits. The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message. esp_auth Whether ESP authentication should be used or not. Non- zero value indicates that ESP authentication should be used. The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message. ah_keymin Minimum AH key length, in bits, The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message.
CTL_PROC
The string and integer information available for the CTL_PROC is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. These values are per-process, and as such may change from one process to another. When a process is created, the default values are inherited from its parent. When a set-user-ID or set-group-ID binary is executed, the value of PROC_PID_CORENAME is reset to the system default value. The second level name is either the magic value PROC_CURPROC, which points to the current process, or the PID of the target process. Third level name Type Changeable PROC_PID_CORENAME string yes PROC_PID_LIMIT node not applicable PROC_PID_STOPFORK int yes PROC_PID_STOPEXEC int yes PROC_PID_STOPEXIT int yes PROC_PID_CORENAME The template used for the core dump file name (see core(5) for details). The base name must either be core or end with the suf- fix ``.core'' (the super-user may set arbitrary names). By default it points to KERN_DEFCORENAME. PROC_PID_LIMIT Return resources limits, as defined for the getrlimit(2) and setrlimit(2) system calls. The fourth level name is one of: PROC_PID_LIMIT_CPU The maximum amount of CPU time (in sec- onds) to be used by each process. PROC_PID_LIMIT_FSIZE The largest size (in bytes) file that may be created. PROC_PID_LIMIT_DATA The maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call. PROC_PID_LIMIT_STACK The maximum size (in bytes) of the stack segment for a process; this defines how far a program's stack seg- ment may be extended. Stack extension is performed automatically by the sys- tem. PROC_PID_LIMIT_CORE The largest size (in bytes) core file that may be created. PROC_PID_LIMIT_RSS The maximum size (in bytes) to which a process's resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from pro- cesses that are exceeding their declared resident set size. PROC_PID_LIMIT_MEMLOCK The maximum size (in bytes) which a process may lock into memory using the mlock(2) function. PROC_PID_LIMIT_NPROC The maximum number of simultaneous pro- cesses for this user id. PROC_PID_LIMIT_NOFILE The maximum number of open files for this process. The fifth level name is one of PROC_PID_LIMIT_TYPE_SOFT or PROC_PID_LIMIT_TYPE_HARD, to select respectively the soft or hard limit. Both are of type integer. PROC_PID_STOPFORK If non zero, the process' children will be stopped after fork(2) calls. The children is created in the SSTOP state and is never scheduled for running before being stopped. This feature helps attaching a process with a debugger such as gdb(1) before it had the opportunity to actually do anything. This value is inherited by the process's children, and it also apply to emulation specific system calls that fork a new process, such as sproc() or clone(). PROC_PID_STOPEXEC If non zero, the process will be stopped on next exec(3) call. The process created by exec(3) is created in the SSTOP state and is never scheduled for running before being stopped. This fea- ture helps attaching a process with a debugger such as gdb(1) before it had the opportunity to actually do anything. This value is inherited by the process's children. PROC_PID_STOPEXIT If non zero, the process will be stopped on when it has cause to exit, either by way of calling exit(3), _exit(2), or by the receipt of a specific signal. The process is stopped before any of its resources or vm space is released allowing examination of the termination state of a process before it disappears. This feature can be used to examine the final conditions of the process's vmspace via pmap(1) or its resource settings with sysctl(8) before it disappears. This value is also inherited by the process's children.
CTL_USER
The string and integer information available for the CTL_USER level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Second level name Type Changeable USER_BC_BASE_MAX integer no USER_BC_DIM_MAX integer no USER_BC_SCALE_MAX integer no USER_BC_STRING_MAX integer no USER_COLL_WEIGHTS_MAX integer no USER_CS_PATH string no USER_EXPR_NEST_MAX integer no USER_LINE_MAX integer no USER_POSIX2_CHAR_TERM integer no USER_POSIX2_C_BIND integer no USER_POSIX2_C_DEV integer no USER_POSIX2_FORT_DEV integer no USER_POSIX2_FORT_RUN integer no USER_POSIX2_LOCALEDEF integer no USER_POSIX2_SW_DEV integer no USER_POSIX2_UPE integer no USER_POSIX2_VERSION integer no USER_RE_DUP_MAX integer no USER_STREAM_MAX integer no USER_TZNAME_MAX integer no USER_ATEXIT_MAX integer no USER_BC_BASE_MAX The maximum ibase/obase values in the bc(1) utility. USER_BC_DIM_MAX The maximum array size in the bc(1) utility. USER_BC_SCALE_MAX The maximum scale value in the bc(1) utility. USER_BC_STRING_MAX The maximum string length in the bc(1) utility. USER_COLL_WEIGHTS_MAX The maximum number of weights that can be assigned to any entry of the LC_COLLATE order keyword in the locale definition file. USER_CS_PATH Return a value for the PATH environment variable that finds all the standard utilities. USER_EXPR_NEST_MAX The maximum number of expressions that can be nested within parenthesis by the expr(1) utility. USER_LINE_MAX The maximum length in bytes of a text-processing utility's input line. USER_POSIX2_CHAR_TERM Return 1 if the system supports at least one terminal type capa- ble of all operations described in POSIX 1003.2, otherwise 0. USER_POSIX2_C_BIND Return 1 if the system's C-language development facilities sup- port the C-Language Bindings Option, otherwise 0. USER_POSIX2_C_DEV Return 1 if the system supports the C-Language Development Utili- ties Option, otherwise 0. USER_POSIX2_FORT_DEV Return 1 if the system supports the FORTRAN Development Utilities Option, otherwise 0. USER_POSIX2_FORT_RUN Return 1 if the system supports the FORTRAN Runtime Utilities Option, otherwise 0. USER_POSIX2_LOCALEDEF Return 1 if the system supports the creation of locales, other- wise 0. USER_POSIX2_SW_DEV Return 1 if the system supports the Software Development Utili- ties Option, otherwise 0. USER_POSIX2_UPE Return 1 if the system supports the User Portability Utilities Option, otherwise 0. USER_POSIX2_VERSION The version of POSIX 1003.2 with which the system attempts to comply. USER_RE_DUP_MAX The maximum number of repeated occurrences of a regular expres- sion permitted when using interval notation. USER_STREAM_MAX The minimum maximum number of streams that a process may have open at any one time. USER_TZNAME_MAX The minimum maximum number of types supported for the name of a timezone. USER_ATEXIT_MAX The maximum number of functions that may be registered with atexit(3).
CTL_VM
The string and integer information available for the CTL_VM level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Second level name Type Changeable VM_ANONMAX int yes VM_ANONMIN int yes VM_BUFCACHE int yes VM_BUFMEM int no VM_BUFMEM_HIWATER int yes VM_BUFMEM_LOWATER int yes VM_EXECMAX int yes VM_EXECMIN int yes VM_FILEMAX int yes VM_FILEMIN int yes VM_LOADAVG struct loadavg no VM_MAXSLP int no VM_METER struct vmtotal no VM_NKMEMPAGES int no VM_USPACE int no VM_UVMEXP struct uvmexp no VM_UVMEXP2 struct uvmexp_sysctl no VM_ANONMAX The percentage of physical memory which will be reclaimed from other types of memory usage to store anonymous application data. VM_ANONMIN The percentage of physical memory which will be always be avail- able for anonymous application data. VM_BUFCACHE The percentage of physical memory which will be available for the buffer cache. VM_BUFMEM The amount of kernel memory that is being used by the buffer cache. VM_BUFMEM_LOWATER The minimum amount of kernel memory to reserve for the buffer cache. VM_BUFMEM_HIWATER The maximum amount of kernel memory to be used for the buffer cache. VM_EXECMAX The percentage of physical memory which will be reclaimed from other types of memory usage to store cached executable data. VM_EXECMIN The percentage of physical memory which will be always be avail- able for cached executable data. VM_FILEMAX The percentage of physical memory which will be reclaimed from other types of memory usage to store cached file data. VM_FILEMIN The percentage of physical memory which will be always be avail- able for cached file data. VM_LOADAVG Return the load average history. The returned data consists of a struct loadavg. VM_MAXSLP The value of the maxslp kernel global variable. VM_METER Return system wide virtual memory statistics. The returned data consists of a struct vmtotal. VM_USPACE The number of bytes allocated for each kernel stack. VM_UVMEXP Return system wide virtual memory statistics. The returned data consists of a struct uvmexp. VM_UVMEXP2 Return system wide virtual memory statistics. The returned data consists of a struct uvmexp_sysctl.
CTL_DDB
The integer information available for the CTL_DDB level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. Second level name Type Changeable DBCTL_RADIX integer yes DBCTL_MAXOFF integer yes DBCTL_LINES integer yes DBCTL_TABSTOPS integer yes DBCTL_ONPANIC integer yes DBCTL_FROMCONSOLE integer yes DBCTL_RADIX The input and output radix. DBCTL_MAXOFF The maximum symbol offset. DBCTL_LINES Number of display lines. DBCTL_TABSTOPS Tab width. DBCTL_ONPANIC If non-zero, DDB will be entered when the kernel panics. DBCTL_FROMCONSOLE If not zero, DDB may be entered by sending a break on a serial console or by a special key sequence on a graphics console. These MIB nodes are also available as variables from within the DDB. See ddb(4) for more details.
CTL_SECURITY
The security level contains various security-related settings for the system. Available settings are detailed below. security.curtain If non-zero, will filter return objects according to the user-id requesting information about them, preventing from users any access to objects they don't own. At the moment, it affects ps(1), netstat(1) (for PF_INET, PF_INET6, and PF_UNIX PCBs), and w(1). security.pax Settings for PaX -- exploit mitigation features. security.pax.mprotect.enable Enable PaX MPROTECT restrictions. These are mprotect(2) restrictions to better enforce a W^X policy. The value of this knob must be non-zero for PaX MPROTECT to be enabled, even if a program is set to explicit enable. security.pax.mprotect.global Specifies the default global policy for programs without an explicit enable/disable flag. When non-zero, all programs will get the PaX MPROTECT restrictions, except those exempted with paxctl(1). Oth- erwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with paxctl(1). security.pax.segvguard.enable Enable PaX Segvguard. Please see security(8) for more information. PaX Segvguard can detect and prevent certain exploitation attempts, where an attacker may try for example to brute- force function return addresses of respawning daemons. Note: The NetBSD interface and implementation of the Segvguard is still experimental, and may change in future releases. security.pax.segvguard.global Specifies the default global policy for programs without an explicit enable/disable flag. When non-zero, all programs will get the PaX Segvguard, except those exempted with paxctl(1). Otherwise, all programs will not get the PaX Segvguard restrictions, except those specifically marked as such with paxctl(1). security.pax.segvguard.expiry_timeout If the max number was not reached within this timeout (in seconds), the entry will expire. security.pax.segvguard.suspend_timeout Number of seconds to suspend a user from running a fault- ing program when the limit was exceeded. security.pax.segvguard.max_crashes Max number of segfaults a program can receive before sus- pension.
CTL_VENDOR
The "vendor" toplevel name is reserved to be used by vendors who wish to have their own private MIB tree. Intended use is to store values under ``vendor.<yourname>.*''.
DYNAMIC OPERATIONS
Several meta-identifiers are provided to perform operations on the sysctl tree itself, or support alternate means of accessing the data instru- mented by the sysctl tree. Name Description CTL_QUERY Retrieve a mapping of names to numbers below a given node CTL_CREATE Create a new node CTL_CREATESYM Create a new node by its kernel symbol CTL_DESTROY Destroy a node CTL_DESCRIBE Retrieve node descriptions The core interface to all of these meta-functions is the structure that the kernel uses to describe the tree internally, as defined in <sys/sysctl.h> as: struct sysctlnode { uint32_t sysctl_flags; /* flags and type */ int32_t sysctl_num; /* mib number */ char sysctl_name[SYSCTL_NAMELEN]; /* node name */ uint32_t sysctl_ver; /* node's version vs. rest of tree */ uint32_t __rsvd; union { struct { uint32_t suc_csize; /* size of child node array */ uint32_t suc_clen; /* number of valid children */ struct sysctlnode* suc_child; /* array of child nodes */ } scu_child; struct { void *sud_data; /* pointer to external data */ size_t sud_offset; /* offset to data */ } scu_data; int32_t scu_alias; /* node this node refers to */ int32_t scu_idata; /* immediate "int" data */ u_quad_t scu_qdata; /* immediate "u_quad_t" data */ } sysctl_un; size_t _sysctl_size; /* size of instrumented data */ sysctlfn _sysctl_func; /* access helper function */ struct sysctlnode *sysctl_parent; /* parent of this node */ const char *sysctl_desc; /* description of node */ }; #define sysctl_csize sysctl_un.scu_child.suc_csize #define sysctl_clen sysctl_un.scu_child.suc_clen #define sysctl_child sysctl_un.scu_child.suc_child #define sysctl_data sysctl_un.scu_data.sud_data #define sysctl_offset sysctl_un.scu_data.sud_offset #define sysctl_alias sysctl_un.scu_alias #define sysctl_idata sysctl_un.scu_idata #define sysctl_qdata sysctl_un.scu_qdata Querying the tree to discover the name to number mapping permits dynamic discovery of all the data that the tree currently has instrumented. For example, to discover all the nodes below the CTL_VFS node: struct sysctlnode query, vfs[128]; int mib[2]; size_t len; mib[0] = CTL_VFS; mib[1] = CTL_QUERY; memset(&query, 0, sizeof(query)); query.sysctl_flags = SYSCTL_VERSION; len = sizeof(vfs); sysctl(mib, 2, &vfs[0], &len, &query, sizeof(query)); Note that a reference to an empty node with sysctl_flags set to SYSCTL_VERSION is passed to sysctl in order to indicate the version that the program is using. All dynamic operations passing nodes into sysctl require that the version be explicitly specified. Creation and destruction of nodes works by constructing part of a new node description (or a description of the existing node) and invoking CTL_CREATE (or CTL_CREATESYM) or CTL_DESTROY at the parent of the new node, with a pointer to the new node passed via the new and newlen argu- ments. If valid values for old and oldlenp are passed, a copy of the new node once in the tree will be returned. If the create operation fails because a node with the same name or MIB number exists, a copy of the conflicting node will be returned. The minimum requirements for creating a node are setting the sysctl_flags to indicate the new node's type, sysctl_num to either the new node's num- ber (or CTL_CREATE or CTL_CREATESYM if a dynamically allocated MIB number is acceptable), sysctl_size to the size of the data to be instrumented (which must agree with the given type), and sysctl_name must be set to the new node's name. Nodes that are not of type ``node'' must also have some description of the data to be instrumented, which will vary depend- ing on what is to be instrumented. If existing kernel data is to be covered by this new node, its address should be given in sysctl_data or, if CTL_CREATESYM is used, sysctl_data should be set to a string containing its name from the kernel's symbol table. If new data is to be instrumented and an initial value is avail- able, the new integer or quad type data should be placed into either sysctl_idata or sysctl_qdata, respectively, along with the SYSCTL_IMMEDI- ATE flag being set, or sysctl_data should be set to point to a copy of the new data, and the SYSCTL_OWNDATA flag must be set. This latter method is the only way that new string and struct type nodes can be ini- tialized. Invalid kernel addresses are accepted, but any attempt to access those nodes will return an error. The sysctl_csize, sysctl_clen, sysctl_child, sysctl_parent, and sysctl_alias members are used by the kernel to link the tree together and must be NULL or 0. Nodes created in this manner cannot have helper func- tions, so sysctl_func must also be NULL. If the sysctl_ver member is non-zero, it must match either the version of the parent or the version at the root of the MIB or an error is returned. This can be used to ensure that nodes are only added or removed from a known state of the tree. Note: It may not be possible to determine the version at the root of the tree. This example creates a new subtree and adds a node to it that controls the audiodebug kernel variable, thereby making it tunable at at any time, without needing to use ddb(4) or kvm(3) to alter the kernel's memory directly. struct sysctlnode node; int mib[2]; size_t len; mib[0] = CTL_CREATE; /* create at top-level */ len = sizeof(node); memset(&node, 0, len); node.sysctl_flags = SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_NODE; snprintf(node.sysctl_name, sizeof(node.sysctl_name), "local"); node.sysctl_num = CTL_CREATE; /* request dynamic MIB number */ sysctl(&mib[0], 1, &node, &len, &node, len); mib[0] = node.sysctl_num; /* use new MIB number */ mib[1] = CTL_CREATESYM; /* create at second level */ len = sizeof(node); memset(&node, 0, len); node.sysctl_flags = SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_INT; snprintf(node.sysctl_name, sizeof(node.sysctl_name), "audiodebug"); node.sysctl_num = CTL_CREATE; node.sysctl_data = "audiodebug"; /* kernel symbol to be used */ sysctl(&mib[0], 2, NULL, NULL, &node, len); The process for deleting nodes is similar, but less data needs to be sup- plied. Only the sysctl_num field needs to be filled in; almost all other fields must be left blank. The sysctl_name and/or sysctl_ver fields can be filled in with the name and version of the existing node as additional checks on what will be deleted. If all the given data fail to match any node, nothing will be deleted. If valid values for old and oldlenp are supplied and a node is deleted, a copy of what was in the MIB tree will be returned. This sample code shows the deletion of the two nodes created in the above example: int mib[2]; len = sizeof(node); memset(&node, 0, len); node.sysctl_flags = SYSCTL_VERSION; mib[0] = 3214; /* assumed number for "local" */ mib[1] = CTL_DESTROY; node.sysctl_num = 3215; /* assumed number for "audiodebug" */ sysctl(&mib[0], 2, NULL, NULL, &node, len); mib[0] = CTL_DESTROY; node.sysctl_num = 3214; /* now deleting "local" */ sysctl(&mib[0], 1, NULL, NULL, &node, len); Descriptions of each of the nodes can also be retrieved, if they are available. Descriptions can be retrieved in bulk at each level or on a per-node basis. The layout of the buffer into which the descriptions are returned is a series of variable length structures, each of which describes its own size. The length indicated includes the terminating `nul' character. Nodes that have no description or where the description is not available are indicated by an empty string. The descr_ver will match the sysctl_ver value for a given node, so that descriptions for nodes whose number have been recycled can be detected and ignored or dis- carded. struct sysctldesc { int32_t descr_num; /* mib number of node */ uint32_t descr_ver; /* version of node */ uint32_t descr_len; /* length of description string */ char descr_str[1]; /* not really 1...see above */ }; The NEXT_DESCR() macro can be used to skip to the next description in the retrieved list. struct sysctlnode desc; struct sysctldesc *d; char buf[1024]; int mib[2]; size_t len; /* retrieve kern-level descriptions */ mib[0] = CTL_KERN; mib[1] = CTL_DESCRIBE; d = (struct sysctldesc *)&buf[0]; len = sizeof(buf); sysctl(mib, 2, d, &len, NULL, 0); while ((caddr_t)d < (caddr_t)&buf[len]) { printf("node %d: %.*s\n", d->descr_num, d->descr_len, d->descr_str); d = NEXT_DESCR(d); } /* retrieve description for kern.securelevel */ memset(&desc, 0, sizeof(desc)); desc.sysctl_flags = SYSCTL_VERSION; desc.sysctl_num = KERN_SECURELEVEL; d = (struct sysctldesc *)&buf[0]; len = sizeof(buf); sysctl(mib, 2, d, &len, &desc, sizeof(desc)); printf("kern.securelevel: %.*s\n", d->descr_len, d->descr_str); Descriptions can also be set as follows, subject to the following rules: The kernel securelevel is at zero or lower The caller has super-user privileges The node does not currently have a description The node is not marked as ``permanent'' struct sysctlnode desc; int mib[2]; /* presuming the given top-level node was just added... */ mib[0] = 3214; /* mib numbers taken from previous examples */ mib[1] = CTL_DESCRIBE; memset(&desc, 0, sizeof(desc)); desc.sysctl_flags = SYSCTL_VERSION; desc.sysctl_num = 3215; desc.sysctl_desc = "audio debug control knob"; sysctl(mib, 2, NULL, NULL, &desc, sizeof(desc)); Upon successfully setting a description, the new description will be returned in the space indicated by the oldp and oldlenp arguments. The sysctl_flags field in the struct sysctlnode contains the sysctl ver- sion, node type information, and a number of flags. The macros SYSCTL_VERS(), SYSCTL_TYPE(), and SYSCTL_FLAGS() can be used to access the different fields. Valid flags are: Name Description CTLFLAG_READONLY Node is read-only CTLFLAG_READONLY1 Node becomes read-only at securelevel 1 CTLFLAG_READONLY2 Node becomes read-only at securelevel 2 CTLFLAG_READWRITE Node is writable by the superuser CTLFLAG_ANYWRITE Node is writable by anyone CTLFLAG_PRIVATE Node is readable only by the superuser CTLFLAG_PERMANENT Node cannot be removed (cannot be set by pro- cesses) CTLFLAG_OWNDATA Node owns data and does not instrument existing data CTLFLAG_IMMEDIATE Node contains instrumented data and does not instrument existing data CTLFLAG_HEX Node's contents should be displayed in a hexadecimal form CTLFLAG_ROOT Node is the root of a tree (cannot be set at any time) CTLFLAG_ANYNUMBER Node matches any MIB number (cannot be set by processes) CTLFLAG_HIDDEN Node not displayed by default CTLFLAG_ALIAS Node refers to a sibling node (cannot be set by processes) CTLFLAG_OWNDESC Node owns its own description string space
RETURN VALUES
If the call to sysctl is successful, the number of bytes copied out is returned. Otherwise -1 is returned and errno is set appropriately.
FILES
<sys/sysctl.h> definitions for top level identifiers, second level kernel and hardware identifiers, and user level identifiers <sys/socket.h> definitions for second level network identifiers <sys/gmon.h> definitions for third level profiling identifiers <uvm/uvm_param.h> definitions for second level virtual memory iden- tifiers <netinet/in.h> definitions for third level IPv4/v6 identifiers and fourth level IPv4/v6 identifiers <netinet/icmp_var.h> definitions for fourth level ICMP identifiers <netinet/icmp6.h> definitions for fourth level ICMPv6 identifiers <netinet/tcp_var.h> definitions for fourth level TCP identifiers <netinet/udp_var.h> definitions for fourth level UDP identifiers <netinet6/udp6_var.h> definitions for fourth level IPv6 UDP identifiers <netinet6/ipsec.h> definitions for fourth level IPsec identifiers <netkey/key_var.h> definitions for third level PF_KEY identifiers <machine/cpu.h> definitions for second level machdep identifiers
ERRORS
The following errors may be reported: [EFAULT] The buffer name, oldp, newp, or length pointer oldlenp contains an invalid address, or the requested value is temporarily unavailable. [EINVAL] The name array is zero or greater than CTL_MAXNAME. [EINVAL] A non-null newp is given and its specified length in newlen is too large or too small, or the given value is not acceptable for the given node. [ENOMEM] The length pointed to by oldlenp is too short to hold the requested value. [EISDIR] The name array specifies an intermediate rather than terminal name. [ENOTDIR] The name array specifies a node below a node that addresses data. [ENOENT] The name array specifies a node that does not exist in the tree. [ENOENT] An attempt was made to destroy a node that does not exist, or to create or destroy a node below a node that does not exist. [ENOTEMPTY] An attempt was made to destroy a node that still has children. [EOPNOTSUPP] The name array specifies a value that is unknown or a meta-operation was attempted that the requested node does not support. [EPERM] An attempt is made to set a read-only value. [EPERM] A process without appropriate privilege attempts to set a value or to create or destroy a node. [EPERM] An attempt to change a value protected by the current kernel security level is made.
SEE ALSO
ipsec(4), tcp(4), sysctl(8)
HISTORY
The sysctl function first appeared in 4.4BSD. NetBSD 4.0 November 27, 2006 NetBSD 4.0
Powered by man-cgi (2021-06-01). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.