sysctl(8) - NetBSD Manual Pages

SYSCTL(8)               NetBSD System Manager's Manual               SYSCTL(8)


NAME
sysctl -- get or set kernel state
SYNOPSIS
sysctl [-AdeMn] [-r | -x] [name ...]
sysctl [-nq] [-r | -x] -w name=value ...
sysctl [-en] [-r | -x] -a
sysctl [-nq] [-r | -x] -f file
DESCRIPTION
The sysctl utility retrieves kernel state and allows processes with
appropriate privilege to set kernel state. The state to be retrieved or set
is described using a ``Management Information Base'' (``MIB'') style name,
described as a dotted set of components. The `/' character may also be used
as a separator and a leading separator character is accepted. If name
specifies a non-leaf node in the MIB, all the nodes underneath name will be
printed.

The following options are available:

-A      List all the known MIB names including tables, unless any MIB
        arguments or -f file are given. Those with string or integer values
        will be printed as with the -a flag; for table or structure values
        that sysctl is not able to print, the name of the utility to
        retrieve them is given. Errors in retrieving or setting values will
        be directed to stdout instead of stderr.

-a      List all the currently available string or integer values. The use
        of a solitary separator character (either `.' or `/') by itself has
        the same effect. Any given name arguments are ignored if this
        option is specified.

-d      Descriptions of each of the nodes selected will be printed instead
        of their values.

-e      Separate the name and the value of the variable(s) with `='. This
        is useful for producing output which can be fed back to the sysctl
        utility. This option is ignored if -n is specified or a variable is
        being set.

-f      Specifies the name of a file to read and process. Blank lines and
        comments (beginning with `#') are ignored. Line continuations with
        `\' are permitted. Remaining lines are processed similarly to
        command line arguments of the form name or name=value. The -w flag
        is implied by -f. Any name arguments are ignored.

-M      Makes sysctl print the MIB instead of any of the actual values
        contained in the MIB. This causes the entire MIB to be printed
        unless specific MIB arguments or -f file are also given.

-n      Specifies that the printing of the field name should be suppressed
        and that only its value should be output. This flag is useful for
        setting shell variables. For example, to save the pagesize in
        variable psize, use:

              set psize=`sysctl -n hw.pagesize`

-q      Used to indicate that nothing should be printed for writes unless
        an error is detected.

-r      Raw output form. Values printed are in their raw binary forms as
        retrieved directly from the kernel. Some additional nodes that
        sysctl cannot print directly can be retrieved with this flag. This
        option conflicts with the -x option.

-w      Sets the MIB style name given to the value given. The MIB style
        name and value must be separated by `=' with no whitespace. Only
        integral and string values can be set via this method.

-x      Makes sysctl print the requested value in a hexadecimal
        representation instead of its regular form. If specified more than
        once, the output for each value resembles that of hexdump(1) when
        given the -C flag. This option conflicts with the -r option.

The `proc' top-level MIB has a special semantic: it represents per-process
values and as such may differ from one process to another. The second-level
name is the pid of the process (in decimal form), or the special word
`curproc'. For variables below `proc.<pid>.rlimit', the integer value may be
replaced with the string `unlimited' if it matches the magic value used to
disable a limit.

The information available from sysctl consists of integers, strings, and
tables. The tabular information can only be retrieved by special purpose
programs such as ps, systat, and netstat. The string and integer information
is summarized below. For a detailed description of these variables, see
sysctl(3). The changeable column indicates whether a process with
appropriate privilege can change the value.

Name                                     Type      Changeable
ddb.commandonenter                       string    yes
ddb.fromconsole                          integer   yes
ddb.lines                                integer   yes
ddb.maxoff                               integer   yes
ddb.maxwidth                             integer   yes
ddb.onpanic                              integer   yes
ddb.radix                                integer   yes
ddb.tabstops                             integer   yes
ddb.tee_msgbuf                           integer   yes
hw.alignbytes                            integer   no
hw.byteorder                             integer   no
hw.cnmagic                               integer   yes
hw.disknames                             string    no
hw.diskstats                             struct    no
hw.machine                               string    no
hw.machine_arch                          string    no
hw.model                                 string    no
hw.ncpu                                  integer   no
hw.pagesize                              integer   no
hw.physmem                               integer   no
hw.physmem64                             quad      no
hw.usermem                               integer   no
hw.usermem64                             quad      no
kern.argmax                              integer   no
kern.autonicetime                        integer   yes
kern.autoniceval                         integer   yes
kern.boottime                            struct    no
kern.bufq.strategies                     string    no
kern.ccpu                                integer   no
kern.clockrate                           struct    no
kern.consdev                             integer   no
kern.coredump                            node      not applicable
kern.coredump.setid                      node      not applicable
kern.coredump.setid.dump                 integer   yes
kern.coredump.setid.group                integer   yes
kern.coredump.setid.mode                 integer   yes
kern.coredump.setid.owner                integer   yes
kern.coredump.setid.path                 string    yes
kern.cp_id                               struct    no
kern.cp_time                             struct    no
kern.cryptodevallowsoft                  int       yes
kern.defcorename                         string    yes
kern.domainname                          string    yes
kern.dump_on_panic                       integer   yes
kern.drivers                             struct    no
kern.file                                struct    no
kern.forkfsleep                          integer   yes
kern.fscale                              integer   no
kern.fsync                               integer   no
kern.hardclock_ticks                     integer   no
kern.hostid                              integer   yes
kern.hostname                            string    yes
kern.iov_max                             integer   no
kern.job_control                         integer   no
kern.labeloffset                         integer   no
kern.labelsector                         integer   no
kern.login_name_max                      integer   no
kern.logsigexit                          integer   yes
kern.mapped_files                        integer   no
kern.maxfiles                            integer   yes
kern.maxpartitions                       integer   no
kern.maxphys                             integer   no
kern.maxproc                             integer   yes
kern.maxptys                             integer   yes, special
kern.maxvnodes                           integer   raise only
kern.mbuf.mblowat                        integer   yes
kern.mbuf.mclbytes                       integer   no
kern.mbuf.mcllowat                       integer   yes
kern.mbuf.mclsize                        integer   no
kern.mbuf.msize                          integer   no
kern.mbuf.nmbclusters                    integer   raise only
kern.memlock                             integer   no
kern.memlock_range                       integer   no
kern.memory_protection                   integer   no
kern.monotonic_clock                     integer   no
kern.msgbuf                              integer   no
kern.msgbufsize                          integer   no
kern.ngroups                             integer   no
kern.ntptime                             struct    no
kern.osrelease                           string    no
kern.osrevision                          integer   no
kern.ostype                              string    no
kern.pipe.kvasize                        integer   no
kern.pipe.maxbigpipes                    integer   yes
kern.pipe.maxkvasz                       integer   yes
kern.pipe.maxloankvasz                   integer   yes
kern.pipe.nbigpipes                      integer   no
kern.posix1version                       integer   no
kern.posix_barriers                      integer   no
kern.posix_reader_writer_locks           integer   no
kern.posix_semaphores                    integer   no
kern.posix_spin_locks                    integer   no
kern.posix_threads                       integer   no
kern.posix_timers                        integer   no
kern.proc                                struct    no
kern.proc2                               struct    no
kern.proc_args                           string    yes
kern.prof                                node      not applicable
kern.rawpartition                        integer   no
kern.root_device                         string    no
kern.root_partition                      integer   no
kern.rtc_offset                          integer   yes
kern.saved_ids                           integer   no
kern.sbmax                               integer   yes
kern.securelevel                         integer   raise only
kern.somaxkva                            integer   yes
kern.synchronized_io                     integer   no
kern.ipc.sysvipc_info                    struct    no
kern.ipc.sysvmsg                         integer   no
kern.ipc.sysvsem                         integer   no
kern.ipc.sysvshm                         integer   no
kern.ipc.shmmax                          integer   no
kern.ipc.shmmni                          integer   yes
kern.ipc.shmseg                          integer   yes
kern.ipc.shmmaxpgs                       integer   yes
kern.ipc.shm_use_phys                    integer   yes
kern.timecounter.choice                  string    no
kern.timecounter.hardware                string    yes
kern.timecounter.timestepwarnings        integer   yes
kern.timex                               struct    no
kern.tkstat.cancc                        quad      no
kern.tkstat.nin                          quad      no
kern.tkstat.nout                         quad      no
kern.tkstat.rawcc                        quad      no
kern.urandom                             integer   no
kern.userasymcrypto                      int       yes
kern.usercrypto                          int       yes
kern.veriexec.verbose                    integer   yes
kern.veriexec.strict                     integer   raise only
kern.veriexec.algorithms                 string    no
kern.veriexec.count.table<N>             quad      no
kern.veriexec.count.table<N>.mntpt       string    no
kern.veriexec.count.table<N>.fstype      string    no
kern.veriexec.count.table<N>.nentries    quad      no
kern.version                             string    no
kern.vnode                               struct    no
machdep.console_device                   dev_t     no
net.bpf.maxbufsize                       integer   yes
net.bpf.stats                            struct    no
net.bpf.peers                            struct    no
net.inet.arp.prune                       integer   yes
net.inet.arp.keep                        integer   yes
net.inet.arp.down                        integer   yes
net.inet.arp.refresh                     integer   yes
net.inet.carp.allow                      integer   yes
net.inet.carp.arpbalance                 integer   yes
net.inet.carp.log                        integer   yes
net.inet.carp.preempt                    integer   yes
net.inet.icmp.maskrepl                   integer   yes
net.inet.icmp.errppslimit                integer   yes
net.inet.icmp.rediraccept                integer   yes
net.inet.icmp.redirtimeout               integer   yes
net.inet.icmp.returndatabytes            integer   yes
net.inet.ip.allowsrcrt                   integer   yes
net.inet.ip.anonportmax                  integer   yes
net.inet.ip.anonportmin                  integer   yes
net.inet.ip.checkinterface               integer   yes
net.inet.ip.directed-broadcast           integer   yes
net.inet.ip.do_loopback_cksum            integer   yes
net.inet.ip.forwarding                   integer   yes
net.inet.ip.forwsrcrt                    integer   yes
net.inet.ip.gifttl                       integer   yes
net.inet.ip.grettl                       integer   yes
net.inet.ip.hostzerobroadcast            integer   yes
net.inet.ip.maxfragpackets               integer   yes
net.inet.ip.lowportmax                   integer   yes
net.inet.ip.lowportmin                   integer   yes
net.inet.ip.maxflows                     integer   yes
net.inet.ip.mtudisc                      integer   yes
net.inet.ip.mtudisctimeout               integer   yes
net.inet.ip.random_id                    integer   yes
net.inet.ip.redirect                     integer   yes
net.inet.ip.subnetsarelocal              integer   yes
net.inet.ip.ttl                          integer   yes
net.inet.ip.ifq.drops                    integer   no
net.inet.ip.ifq.len                      integer   no
net.inet.ip.ifq.maxlen                   integer   yes
net.inet.ipsec.ah_cleartos               integer   yes
net.inet.ipsec.ah_net_deflev             integer   yes
net.inet.ipsec.ah_offsetmask             integer   yes
net.inet.ipsec.ah_trans_deflev           integer   yes
net.inet.ipsec.def_policy                integer   yes
net.inet.ipsec.dfbit                     integer   yes
net.inet.ipsec.ecn                       integer   yes
net.inet.ipsec.esp_net_deflev            integer   yes
net.inet.ipsec.esp_trans_deflev          integer   yes
net.inet.ipsec.inbound_call_ike          integer   yes
net.inet.tcp.ack_on_push                 integer   yes
net.inet.tcp.compat_42                   integer   yes
net.inet.tcp.cwm                         integer   yes
net.inet.tcp.cwm_burstsize               integer   yes
net.inet.tcp.delack_ticks                integer   yes
net.inet.tcp.do_lookback_cksum           integer   yes
net.inet.tcp.init_win                    integer   yes
net.inet.tcp.init_win_local              integer   yes
net.inet.tcp.keepcnt                     integer   yes
net.inet.tcp.keepidle                    integer   yes
net.inet.tcp.keepintvl                   integer   yes
net.inet.tcp.log_refused                 integer   yes
net.inet.tcp.mss_ifmtu                   integer   yes
net.inet.tcp.mssdflt                     integer   yes
net.inet.tcp.newreno                     integer   yes
net.inet.tcp.recvspace                   integer   yes
net.inet.tcp.rfc1323                     integer   yes
net.inet.tcp.rstppslimit                 integer   yes
net.inet.tcp.sack.enable                 integer   yes
net.inet.tcp.sack.globalholes            integer   no
net.inet.tcp.sack.globalmaxholes         integer   yes
net.inet.tcp.sack.maxholes               integer   yes
net.inet.tcp.ecn.enable                  integer   yes
net.inet.tcp.ecn.maxretries              integer   yes
net.inet.tcp.sendspace                   integer   yes
net.inet.tcp.slowhz                      integer   no
net.inet.tcp.syn_bucket_limit            integer   yes
net.inet.tcp.syn_cache_interval          integer   yes
net.inet.tcp.syn_cache_limit             integer   yes
net.inet.tcp.timestamps                  integer   yes
net.inet.tcp.win_scale                   integer   yes
net.inet.tcp.ident                       struct    no
net.inet.tcp.debug                       struct    no
net.inet.tcp.debx                        integer   no
net.inet.udp.checksum                    integer   yes
net.inet.udp.do_loopback_cksum           integer   yes
net.inet.udp.recvspace                   integer   yes
net.inet.udp.sendspace                   integer   yes
net.ns.spp.debug                         struct    yes
net.ns.spp.debx                          integer   yes
net.inet6.icmp6.errppslimit              integer   yes
net.inet6.icmp6.mtudisc_hiwat            integer   yes
net.inet6.icmp6.mtudisc_lowat            integer   yes
net.inet6.icmp6.nd6_debug                integer   yes
net.inet6.icmp6.nd6_delay                integer   yes
net.inet6.icmp6.nd6_maxnudhint           integer   yes
net.inet6.icmp6.nd6_mmaxtries            integer   yes
net.inet6.icmp6.nd6_prune                integer   yes
net.inet6.icmp6.nd6_umaxtries            integer   yes
net.inet6.icmp6.nd6_useloopback          integer   yes
net.inet6.icmp6.nodeinfo                 integer   yes
net.inet6.icmp6.rediraccept              integer   yes
net.inet6.icmp6.redirtimeout             integer   yes
net.inet6.ip6.accept_rtadv               integer   yes
net.inet6.ip6.anonportmax                integer   yes
net.inet6.ip6.anonportmin                integer   yes
net.inet6.ip6.auto_flowlabel             integer   yes
net.inet6.ip6.dad_count                  integer   yes
net.inet6.ip6.defmcasthlim               integer   yes
net.inet6.ip6.forwarding                 integer   yes
net.inet6.ip6.gifhlim                    integer   yes
net.inet6.ip6.hdrnestlimit               integer   yes
net.inet6.ip6.hlim                       integer   yes
net.inet6.ip6.kame_version               string    no
net.inet6.ip6.keepfaith                  integer   yes
net.inet6.ip6.log_interval               integer   yes
net.inet6.ip6.lowportmax                 integer   yes
net.inet6.ip6.lowportmin                 integer   yes
net.inet6.ip6.maxfragpackets             integer   yes
net.inet6.ip6.maxfrags                   integer   yes
net.inet6.ip6.redirect                   integer   yes
net.inet6.ip6.rht0                       integer   yes
net.inet6.ip6.rr_prune                   integer   yes
net.inet6.ip6.use_deprecated             integer   yes
net.inet6.ip6.v6only                     integer   yes
net.inet6.ip6.ifq.drops                  integer   no
net.inet6.ip6.ifq.len                    integer   no
net.inet6.ip6.ifq.maxlen                 integer   yes
net.inet6.ipsec6.ah_net_deflev           integer   yes
net.inet6.ipsec6.ah_trans_deflev         integer   yes
net.inet6.ipsec6.def_policy              integer   yes
net.inet6.ipsec6.ecn                     integer   yes
net.inet6.ipsec6.esp_net_deflev          integer   yes
net.inet6.ipsec6.esp_trans_deflev        integer   yes
net.inet6.ipsec6.inbound_call_ike        integer   yes
net.inet6.udp6.do_loopback_cksum         integer   yes
net.inet6.udp6.recvspace                 integer   yes
net.inet6.udp6.sendspace                 integer   yes
net.key.ah_keymin                        integer   yes
net.key.debug                            integer   yes
net.key.esp_auth                         integer   yes
net.key.esp_keymin                       integer   yes
net.key.kill_int                         integer   yes
net.key.spi_max_value                    integer   yes
net.key.spi_min_value                    integer   yes
net.key.spi_try                          integer   yes
proc.<pid>.corename                      string    yes
proc.<pid>.rlimit.coredumpsize.hard      integer   yes
proc.<pid>.rlimit.coredumpsize.soft      integer   yes
proc.<pid>.rlimit.cputime.hard           integer   yes
proc.<pid>.rlimit.cputime.soft           integer   yes
proc.<pid>.rlimit.datasize.hard          integer   yes
proc.<pid>.rlimit.datasize.soft          integer   yes
proc.<pid>.rlimit.filesize.hard          integer   yes
proc.<pid>.rlimit.filesize.soft          integer   yes
proc.<pid>.rlimit.maxproc.hard           integer   yes
proc.<pid>.rlimit.maxproc.soft           integer   yes
proc.<pid>.rlimit.memorylocked.hard      integer   yes
proc.<pid>.rlimit.memorylocked.soft      integer   yes
proc.<pid>.rlimit.memoryuse.hard         integer   yes
proc.<pid>.rlimit.memoryuse.soft         integer   yes
proc.<pid>.rlimit.stacksize.hard         integer   yes
proc.<pid>.rlimit.stacksize.soft         integer   yes
proc.<pid>.stopexec                      int       yes
proc.<pid>.stopfork                      int       yes
security.curtain                         integer   yes
security.pax.mprotect.enabled            integer   yes
security.pax.mprotect.global             integer   yes
security.pax.segvguard.enabled           integer   yes
security.pax.segvguard.global            integer   yes
security.pax.segvguard.expiry_timeout    integer   yes
security.pax.segvguard.suspend_timeout   integer   yes
security.pax.segvguard.max_crashes       integer   yes
user.bc_base_max                         integer   no
user.bc_dim_max                          integer   no
user.bc_scale_max                        integer   no
user.bc_string_max                       integer   no
user.coll_weights_max                    integer   no
user.cs_path                             string    no
user.expr_nest_max                       integer   no
user.line_max                            integer   no
user.posix2_c_bind                       integer   no
user.posix2_c_dev                        integer   no
user.posix2_char_term                    integer   no
user.posix2_fort_dev                     integer   no
user.posix2_fort_run                     integer   no
user.posix2_localedef                    integer   no
user.posix2_sw_dev                       integer   no
user.posix2_upe                          integer   no
user.posix2_version                      integer   no
user.re_dup_max                          integer   no
vendor.<vendor>.*                        ?         vendor specific
vfs.generic.usermount                    integer   yes
vfs.generic.fstypes                      string    yes
vfs.ffs.doasyncfree                      integer   yes
vfs.ffs.log_changeopt                    integer   yes
vfs.nfs.iothreads                        integer   yes
vfs.cd9660.utf8_joliet                   integer   yes
vfs.sync.delay                           integer   yes
vfs.sync.filedelay                       integer   yes
vfs.sync.dirdelay                        integer   yes
vfs.sync.metadelay                       integer   yes
vm.anonmax                               integer   yes
vm.anonmin                               integer   yes
vm.bufcache                              integer   yes
vm.bufmem                                integer   no
vm.bufmem_hiwater                        integer   yes
vm.bufmem_lowater                        integer   yes
vm.execmax                               integer   yes
vm.execmin                               integer   yes
vm.filemax                               integer   yes
vm.filemin                               integer   yes
vm.idlezero                              integer   yes
vm.inactivepct                           integer   yes
vm.loadavg                               struct    no
vm.maxslp                                integer   no
vm.nkmempages                            integer   no
vm.uspace                                integer   no
vm.uvmexp                                struct    no
vm.uvmexp2                               struct    no
vm.vmmeter                               struct    no

Entries found under ``vendor.<vendor>'' are left to be specified (and used)
by vendors using the NetBSD operating system in their products. Values and
structure are vendor-defined, and no registry exists right now.
CREATION AND DELETION
New nodes are allowed to be created by the superuser when the kernel is
running at security level 0. These new nodes may refer to existing kernel
data or to new data that is only instrumented by sysctl(3) itself.

The syntax for creating new nodes is ``//create=new.node.path'' followed by
one or more of the following attributes separated by commas. The use of a
double separator (both `/' and `.' can be used as separators) as the prefix
tells sysctl that the first series of tokens is not a MIB name, but a
command. It is recommended that the double separator preceding the command
not be the same as the separator used in naming the MIB entry so as to avoid
possible parse conflicts. The ``value'' assigned, if one is given, must be
last.

type=<T>    where T must be one of ``node'', ``int'', ``string'', ``quad'',
            or ``struct''. If the type is omitted, the ``node'' type is
            assumed.

size=<S>    here, S asserts the size of the new node. Nodes of type ``node''
            should not have a size set. The size may be omitted for nodes of
            types ``int'' or ``quad''. If the size is omitted for a node of
            type ``string'', the size will be determined by the length of
            the given value, or by the kernel for kernel strings. Nodes of
            type ``struct'' must have their size explicitly set.

addr=<A> or symbol=<A>
            The kernel address of the data being instrumented. If ``symbol''
            is used, the symbol must be globally visible to the in-kernel
            ksyms(4) driver.

n=<N>       The MIB number to be assigned to the new node. If no number is
            specified, the kernel will assign a value.

flags=<F>   A concatenated string of single letters that govern the behavior
            of the node. Flags currently available are:

            a   Allow anyone to write to the node, if it is writable.

            h   ``Hidden''. sysctl must be invoked with -A or the hidden
                node must be specifically requested in order to see it.

            i   ``Immediate''. Makes the node store data in itself, rather
                than allocating new space for it. This is the default for
                nodes of type ``int'' and ``quad''. This is the opposite of
                owning data.

            o   ``Own''. When the node is created, separate space will be
                allocated to store the data to be instrumented. This is the
                default for nodes of type ``string'' and ``struct'' where it
                is not possible to guarantee sufficient space to store the
                data in the node itself.

            p   ``Private''. Nodes that are marked private, and children of
                nodes so marked, are only viewable by the superuser. Be
                aware that the immediate data that some nodes may store is
                not necessarily protected by this.

            x   ``Hexadecimal''. Make sysctl default to hexadecimal display
                of the retrieved value.

            r   ``Read-only''. The data instrumented by the given node is
                read-only. Note that other mechanisms may still exist for
                changing the data. This is the default for nodes that
                instrument data.

            w   ``Writable''. The data instrumented by the given node is
                writable at any time. This is the default for nodes that can
                have children.

            1   ``Read-only at securelevel 1''. The data instrumented by
                this node is writable until the securelevel reaches or
                passes securelevel 1. Examples of this include some network
                tunables.

            2   ``Read-only at securelevel 2''. The data instrumented by
                this node is writable until the securelevel reaches or
                passes securelevel 2. An example of this is the per-process
                core filename setting.

value=<V>   An initial starting value for a new node that does not reference
            existing kernel data. Initial values can only be assigned for
            nodes of the ``int'', ``quad'', and ``string'' types.

New nodes must fit the following set of criteria:

-   If the new node is to address an existing kernel object, only one of the
    ``symbol'' or ``addr'' arguments may be given.

-   The size for a ``struct'' type node must be specified; no initial value
    is expected or permitted.

-   Either the size or the initial value for a ``string'' node must be
    given.

-   The node which will be the parent of the new node must be writable.

If any of the given parameters describes an invalid configuration, sysctl
will emit a diagnostic message to the standard error and exit.

Descriptions can be added by the super-user to any node that does not have
one, provided that the node is not marked with the ``PERMANENT'' flag. The
syntax is similar to the syntax for creating new nodes with the exception of
the keyword that follows the double separator at the start of the command:
``//describe=new.node.path=new node description''. Once a description has
been added, it cannot be changed or removed.

When destroying nodes, only the path to the node is necessary, i.e.,
``//destroy=old.node.path''. No other parameters are expected or permitted.
Nodes being destroyed must have no children, and their parent must be
writable. Nodes that are marked with the ``PERMANENT'' flag (as assigned by
the kernel) may not be deleted.

In all cases, the initial `=' that follows the command (eg, ``create'',
``destroy'', or ``describe'') may be replaced with another instance of the
separator character, provided that the same separator character is used for
the length of the name specification.
FILES
/etc/sysctl.conf        sysctl variables set at boot time
<sys/sysctl.h>          definitions for top level identifiers, second level
                        kernel, hardware, and security identifiers, and user
                        level identifiers
<sys/socket.h>          definitions for second level network identifiers
<sys/gmon.h>            definitions for third level profiling identifiers
<uvm/uvm_param.h>       definitions for second level virtual memory
                        identifiers
<netinet/in.h>          definitions for third level IPv4/v6 identifiers and
                        fourth level IPv4/v6 identifiers
<netinet/icmp_var.h>    definitions for fourth level ICMP identifiers
<netinet/icmp6.h>       definitions for fourth level ICMPv6 identifiers
<netinet/tcp_var.h>     definitions for fourth level TCP identifiers
<netinet/udp_var.h>     definitions for fourth level UDP identifiers
<netinet6/udp6_var.h>   definitions for fourth level IPv6 UDP identifiers
<netinet6/ipsec.h>      definitions for fourth level IPsec identifiers
<netkey/key_var.h>      definitions for third level PF_KEY identifiers
<sys/verified_exec.h>   definitions for third level verified exec identifiers
EXAMPLES
For example, to retrieve the maximum number of processes allowed in the
system, one would use the following request:

      sysctl kern.maxproc

To set the maximum number of processes allowed in the system to 1000, one
would use the following request:

      sysctl -w kern.maxproc=1000

Information about the system clock rate may be obtained with:

      sysctl kern.clockrate

Information about the load average history may be obtained with:

      sysctl vm.loadavg

To view the values of the per-process variables of the current shell, the
request:

      sysctl proc.$$

can be used if the shell interpreter replaces $$ with its pid (this is true
for most shells).

To redirect core dumps to the /var/tmp/<username> directory,

      sysctl -w proc.$$.corename=/var/tmp/%u/%n.core

should be used.

      sysctl -w proc.curproc.corename=/var/tmp/%u/%n.core

changes the value for the sysctl process itself, and will not have the
desired effect.

To create the root of a new sub-tree called ``local'', add some children to
the new node, and some descriptions:

      sysctl -w //create=local
      sysctl -w //describe=local=my local sysctl tree
      sysctl -w //create=local.esm_debug,type=int,symbol=esm_debug,flags=w
      sysctl -w //describe=local.esm_debug=esm driver debug knob
      sysctl -w //create=local.audiodebug,type=int,symbol=audiodebug,flags=w
      sysctl -w //describe=local.audiodebug=generic audio debug knob

Note that the children are made writable so that the two debug settings in
question can be tuned arbitrarily.

To destroy that same subtree:

      sysctl -w //destroy=local.esm_debug
      sysctl -w //destroy=local.audiodebug
      sysctl -w //destroy=local
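
The file format read by -f and the criteria listed under CREATION AND DELETION can be checked before a sysctl.conf is deployed. The following linter is an added example, not part of the NetBSD manual page or of sysctl itself; the function names, the constructed sample entries, the way continuation lines are joined and the assumption that values contain no commas belong to this example only.

```python
import re

TYPES = {"node", "int", "string", "quad", "struct"}
FLAGS = set("ahiopxrw12")            # flag letters listed under flags=<F>
# Double separator, the keyword, then '=' or another separator, then the rest.
CREATE = re.compile(r"^[./]{2}create[=./](.+)$")

def logical_lines(text):
    """Entries as -f reads them: no blanks or '#' comments, '\\' continues."""
    buf = ""
    for raw in text.splitlines() + [""]:
        if raw.endswith("\\"):
            buf += raw[:-1].strip()  # assumption: pieces join without a space
            continue
        line, buf = buf + raw.strip(), ""
        if line and not line.startswith("#"):
            yield line

def check_create(line):
    """Problems in one //create entry; [] if clean, None if not a create."""
    m = CREATE.match(line)
    if not m:
        return None
    _path, *tokens = m.group(1).split(",")  # assumption: no commas in values
    attrs, out = {}, []
    for i, tok in enumerate(tokens):
        key, _, val = tok.partition("=")
        if key == "value" and i != len(tokens) - 1:
            out.append("value must be the last attribute")
        attrs[key] = val
    typ = attrs.get("type", "node")         # omitted type means "node"
    flags = attrs.get("flags", "")
    kernel_data = "addr" in attrs or "symbol" in attrs
    if typ not in TYPES:
        out.append(f"invalid type {typ!r}")
    if "addr" in attrs and "symbol" in attrs:
        out.append("only one of addr/symbol may be given")
    if typ == "node" and "size" in attrs:
        out.append("type node should not have a size")
    if typ == "struct" and "size" not in attrs:
        out.append("struct needs an explicit size")
    if "value" in attrs and typ not in ("int", "quad", "string"):
        out.append(f"no initial value allowed for type {typ}")
    if "value" in attrs and kernel_data:
        out.append("value given for a node that references kernel data")
    if typ == "string" and not kernel_data and not attrs.keys() & {"size", "value"}:
        out.append("string needs a size or an initial value")
    if set(flags) - FLAGS:
        out.append("unknown flag letters " + "".join(sorted(set(flags) - FLAGS)))
    if "a" in flags:
        out.append("review: flag 'a' lets any user write the node")
    return out

def lint(text):
    """Map each //create entry in sysctl.conf-style text to its problems."""
    checked = ((line, check_create(line)) for line in logical_lines(text))
    return {line: probs for line, probs in checked if probs is not None}

# Constructed sample in /etc/sysctl.conf form (not taken from a real system).
SAMPLE = r"""
# local debug knobs
kern.maxproc=1000
//create=local
//create=local.esm_debug,type=int,symbol=esm_debug,flags=w
//create=local.knob,type=int,flags=aw,value=1
//create=local.buf,type=struct, \
    value=0
//create=local.name,type=string
"""
```

Calling lint(SAMPLE) returns an empty list for the two entries taken from the EXAMPLES section and a list of findings for the other three. The requirement that the parent node be writable depends on the running kernel and is not checked.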
SEE ALSO
sysctl(3), ksyms(4)
HISTORY
sysctl first appeared in 4.4BSD.

NetBSD 4.0                      April 28, 2007                      NetBSD 4.0