NAME
sysctl —
system information
variables
DESCRIPTION
The
sysctl(3) library function and
the
sysctl(8) utility are used
to get and set values of system variables, maintained by the kernel. The
variables are organized in a tree and identified by a sequence of numbers,
conventionally separated by dots with the topmost identifier at the left side.
The numbers have corresponding text names. The
sysctlnametomib(3)
function or the
-M argument to the
sysctl(8) utility can be used to
convert the text representation to the numeric one.
The individual sysctl variables are described below, both the textual and
numeric form where applicable. The textual names can be used as argument to
the
sysctl(8) utility and in the
file
/etc/sysctl.conf. The numeric names are usually defined
as preprocessor constants and are intended for use by programs. Every such
constant expands to one integer, which identifies the sysctl variable relative
to the upper level of the tree. See the
sysctl(3) manual page for
programming examples.
Top level names
The top level names are defined with a
CTL_ prefix in
<sys/sysctl.h>, and are as follows.
The next and subsequent levels down are found in the include files listed
here, and described in separate sections below.
The debug.* subtree
The debugging variables vary from system to system. A debugging variable may be
added or deleted without need to recompile
sysctl to know
about it. Each time it runs,
sysctl gets the list of
debugging variables from the kernel and displays their current values. The
system defines twenty (
struct ctldebug) variables named
debug0
through
debug19
. They
are declared as separate variables so that they can be individually
initialized at the location of their associated variable. The loader prevents
multiple use of the same variable by issuing errors if a variable is
initialized in more than one place. For example, to export the variable
dospecialcheck as a debugging variable, the following
declaration would be used:
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
Note that the dynamic implementation of
sysctl currently in
use largely makes this particular
sysctl interface obsolete.
See
sysctl(8) for more
information.
The vfs.* subtree
A distinguished second level name,
vfs.generic
(
VFS_GENERIC
), is used to get general information
about all file systems. It has the following third level identifiers:
-
-
vfs.generic.maxtypenum
(VFS_MAXTYPENUM
)
- The highest valid file system type number.
-
-
vfs.generic.conf
(VFS_CONF
)
- Returns configuration information about the file system
type given as a fourth level identifier.
-
-
vfs.generic.usermount
(VFS_USERMOUNT
)
- Determines if non superuser mounts are allowed, defaults to
0
.
-
-
vfs.generic.magiclinks
(VFS_MAGICLINKS
)
- Controls if expansion of variables is going to be performed
on pathnames or not. Defaults to no variable expansion,
0
. Variables are of the form
@name
and the variables supported are described in
symlink(7) under
“MAGIC SYMLINKS”.
A second level name for controlling the
wapbl(4) (Write Ahead Physical
Block Logging file system journalling) capabilities with the following third
level identifiers:
-
-
vfs.wapbl.flush_disk_cache
- Controls whether to attempt to flush the disk cache on each
commit. It defaults to 1 and it should always be on to ensure integrity of
file system metadata in the event of a power loss. For slow disks, turning
it off can improve performance.
-
-
vfs.wapbl.verbose_commit
- For each transaction log commit, print the number of bytes
written and the time it took to commit as seconds.nanoseconds.
The remaining second level identifiers are the file system names, identified by
the type number returned by a
statvfs(2) call or from
vfs.generic.conf
.
The third level identifiers available for each file system are given in the
header file that defines the mount argument structure for that file system.
The hw.* subtree
The string and integer information available for the
hw
level is detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Second level name |
Type |
Changeable |
hw.alignbytes |
integer |
no |
hw.byteorder |
integer |
no |
hw.cnmagic |
string |
yes |
hw.disknames |
string |
no |
hw.diskstats |
struct |
no |
hw.machine |
string |
no |
hw.machine_arch |
string |
no |
hw.model |
string |
no |
hw.ncpu |
integer |
no |
hw.ncpuonline |
integer |
no |
hw.pagesize |
integer |
no |
hw.physmem |
integer |
no |
hw.physmem64 |
quad |
no |
hw.usermem |
integer |
no |
hw.usermem64 |
quad |
no |
-
-
hw.alignbytes
(HW_ALIGNBYTES
)
- Alignment constraint for all possible data types. This
shows the value
ALIGNBYTES
in
<machine/param.h>, at the kernel
compilation time.
-
-
hw.byteorder
(HW_BYTEORDER
)
- The byteorder (4321, or 1234).
-
-
hw.cnmagic
(HW_CNMAGIC
)
- The console magic key sequence.
-
-
hw.disknames
(HW_DISKNAMES
)
- The list of (space separated) disk device names on the
system.
-
-
hw.iostatnames
(HW_IOSTATNAMES
)
- A space separated list of devices that will have I/O
statistics collected on them.
-
-
hw.iostats
(HW_IOSTATS
)
- Return statistical information on the NFS mounts, disk and
tape devices on the system. An array of struct
io_sysctl structures is returned, whose size depends on the current
number of such objects in the system. The third level name is the size of
the struct io_sysctl. The type of object can be
determined by examining the type element of
struct io_sysctl. Which can be
IOSTAT_DISK
(disk drive),
IOSTAT_TAPE
(tape drive), or
IOSTAT_NFS
(NFS mount).
-
-
hw.machine
(HW_MACHINE
)
- The machine class.
-
-
hw.machine_arch
(HW_MACHINE_ARCH
)
- The machine CPU class.
-
-
hw.model
(HW_MODEL
)
- The machine model.
-
-
hw.ncpu
(HW_NCPU
)
- The number of CPUs configured.
-
-
hw.ncpuonline
(HW_NCPUONLINE
)
- The number of CPUs online.
-
-
hw.pagesize
(HW_PAGESIZE
)
- The software page size.
-
-
hw.physmem
(HW_PHYSMEM
)
- The bytes of physical memory as a 32-bit integer.
-
-
hw.physmem64
(HW_PHYSMEM64
)
- The bytes of physical memory as a 64-bit integer.
-
-
hw.usermem
(HW_USERMEM
)
- The bytes of non-kernel memory as a 32-bit integer.
-
-
hw.usermem64
(HW_USERMEM64
)
- The bytes of non-kernel memory as a 64-bit integer.
The kern.* subtree
This subtree includes data generally related to the kernel. The string and
integer information available for the
kern
level is
detailed below. The changeable column shows whether a process with appropriate
privilege may change the value.
Second level name |
Type |
Changeable |
kern.aio_listio_max |
integer |
yes |
kern.aio_max |
integer |
yes |
kern.arandom |
integer |
no |
kern.argmax |
integer |
no |
kern.boothowto |
integer |
no |
kern.boottime |
struct timeval |
no |
kern.buildinfo |
string |
no |
kern.ccpu |
integer |
no |
kern.clockrate |
struct clockinfo |
no |
kern.consdev |
integer |
no |
kern.coredump |
node |
not applicable |
kern.cp_id |
struct |
no |
kern.cp_time |
uint64_t[] |
no |
kern.cryptodevallowsoft |
integer |
yes |
kern.defcorename |
string |
yes |
kern.detachall |
integer |
yes |
kern.domainname |
string |
yes |
kern.drivers |
struct kinfo_drivers |
no |
kern.dump_on_panic |
integer |
yes |
kern.file |
struct file |
no |
kern.forkfsleep |
integer |
yes |
kern.fscale |
integer |
no |
kern.fsync |
integer |
no |
kern.hardclock_ticks |
integer |
no |
kern.hostid |
integer |
yes |
kern.hostname |
string |
yes |
kern.iov_max |
integer |
no |
kern.ipc |
node |
not applicable |
kern.job_control |
integer |
no |
kern.labeloffset |
integer |
no |
kern.labelsector |
integer |
no |
kern.login_name_max |
integer |
no |
kern.logsigexit |
integer |
yes |
kern.mapped_files |
integer |
no |
kern.maxfiles |
integer |
yes |
kern.maxlwp |
integer |
yes |
kern.maxpartitions |
integer |
no |
kern.maxphys |
integer |
no |
kern.maxproc |
integer |
yes |
kern.maxptys |
integer |
yes |
kern.maxvnodes |
integer |
yes |
kern.messages |
integer yes |
kern.mbuf |
node |
not applicable |
kern.memlock |
integer |
no |
kern.memlock_range |
integer |
no |
kern.memory_protection |
integer |
no |
kern.module |
node |
not applicable |
kern.monotonic_clock |
integer |
no |
kern.mqueue |
node |
not applicable |
kern.msgbuf |
integer |
no |
kern.msgbufsize |
integer |
no |
kern.ngroups |
integer |
no |
kern.ntptime |
struct ntptimeval |
no |
kern.osrelease |
string |
no |
kern.osrevision |
integer |
no |
kern.ostype |
string |
no |
kern.pipe |
node |
not applicable |
kern.pool |
struct pool_sysctl |
no |
kern.posix1version |
integer |
no |
kern.posix_aio |
integer |
no |
kern.posix_barriers |
integer |
no |
kern.posix_reader_writer_locks |
integer |
no |
kern.posix_semaphores |
integer |
no |
kern.posix_spin_locks |
integer |
no |
kern.posix_threads |
integer |
no |
kern.posix_timers |
integer |
no |
kern.proc |
struct kinfo_proc |
no |
kern.proc2 |
struct kinfo_proc2 |
no |
kern.proc_args |
string |
no |
kern.profiling |
node |
not applicable |
kern.rawpartition |
integer |
no |
kern.root_device |
string |
no |
kern.root_partition |
integer |
no |
kern.rtc_offset |
integer |
yes |
kern.saved_ids |
integer |
no |
kern.sbmax |
integer |
yes |
kern.sched |
node |
not applicable |
kern.securelevel |
integer |
raise only |
kern.somaxkva |
integer |
yes |
kern.synchronized_io |
integer |
no |
kern.timecounter |
node |
not applicable |
kern.timex |
struct |
no |
kern.tkstat |
node |
not applicable |
kern.tty |
node |
not applicable |
kern.urandom |
integer |
no |
kern.usercrypto |
integer |
yes |
kern.userasymcrypto |
integer |
yes |
kern.veriexec |
node |
not applicable |
kern.version |
string |
no |
kern.vnode |
struct vnode |
no |
-
-
kern.aio_listio_max
- The maximum number of asynchronous I/O operations in a
single list I/O call. Like with all variables related to
aio(3), the variable may be
created and removed dynamically upon loading or unloading the
corresponding kernel module.
-
-
kern.aio_max
- The maximum number of asynchronous I/O operations.
-
-
kern.arandom
- This variable picks a random number each time it is
queried. The used random number generator (RNG) is based on
arc4random(3).
-
-
kern.argmax
(KERN_ARGMAX
)
- The maximum bytes of argument to
execve(2).
-
-
kern.boothowto
- Flags passed from the boot loader; see
reboot(2) for the meanings
of the flags.
-
-
kern.boottime
(KERN_BOOTTIME
)
- A struct timeval structure is
returned. This structure contains the time that the system was
booted.
-
-
kern.bufq
- This variable contains information on the
bufq(9) subsystem. Currently,
the only third level name implemented is
kern.bufq.strategies
which provides a list of
buffer queue strategies currently available.
-
-
kern.buildinfo
- When the kernel is built, the build environment may
optionally provide arbitrary information to be stored in this
variable.
-
-
kern.ccpu
(KERN_CCPU
)
- The scheduler exponential decay value.
-
-
kern.clockrate
(KERN_CLOCKRATE
)
- A struct clockinfo structure is
returned. This structure contains the clock, statistics clock and
profiling clock frequencies, the number of micro-seconds per hz tick, and
the clock skew rate. Refer to
hz(9) for additional
details.
-
-
kern.consdev
(KERN_CONSDEV
)
- Console device.
-
-
kern.coredump
- Settings related to set-id processes coredumps. By default,
set-id processes do not dump core in situations where other processes
would. The settings in this node allows an administrator to change this
behavior.
The third level name is
kern.coredump.setid
and
fourth level variables are described below.
Fourth level name |
Type |
Changeable |
kern.coredump.setid.dump |
integer |
yes |
kern.coredump.setid.group |
integer |
yes |
kern.coredump.setid.mode |
integer |
yes |
kern.coredump.setid.owner |
integer |
yes |
kern.coredump.setid.path |
string |
yes |
-
-
kern.coredump.setid.dump
- If non-zero, set-id processes will dump core.
-
-
kern.coredump.setid.group
- The group-id for the set-id processes' coredump.
-
-
kern.coredump.setid.mode
- The mode for the set-id processes' coredump. See
chmod(1).
-
-
kern.coredump.setid.owner
- The user-id that will be used as the owner of the
set-id processes' coredump.
-
-
kern.coredump.setid.path
- The path to which set-id processes' coredumps will be
saved to. Same syntax as kern.defcorename.
-
-
kern.cp_id
(KERN_CP_ID
)
- Mapping of CPU number to CPU id.
-
-
kern.cp_time
(KERN_CP_TIME
)
- Returns an array of
CPUSTATES
uint64_ts. This array contains the number of clock
ticks spent in different CPU states. On multi-processor systems, the sum
across all CPUs is returned unless appropriate space is given for one data
set for each CPU. Data for a specific CPU can also be obtained by adding
the number of the CPU at the end of the MIB, enlarging it by one.
-
-
kern.cryptodevallowsoft
- This variable controls userland access to hardware versus
software transforms in the
crypto(4) system. The
available values are as follows:
-
-
<
0
- Always force userlevel requests to use software
transforms.
-
-
=
0
- If present, use hardware and grant userlevel requests
for non-accelerated transforms (handling the latter in software).
-
-
>
0
- Allow user requests only for transforms which are
hardware-accelerated.
-
-
kern.defcorename
(KERN_DEFCORENAME
)
- Default template for the name of core dump files (see also
proc.pid.corename
in the per-process variables
proc.*
, and
core(5) for format of this
template). The default value is %n.core and can be
changed with the kernel configuration option options
DEFCORENAME (see
options(4) ).
-
-
kern.detachall
- Detach all devices at shutdown.
-
-
kern.domainname
(KERN_DOMAINNAME
)
- Get or set the YP domain name.
-
-
kern.drivers
(KERN_DRIVERS
)
- Return an array of struct
kinfo_drivers that contains the name and major device numbers of all
the device drivers in the current kernel. The d_name
field is always a NUL terminated string. The
d_bmajor field will be set to -1 if the driver
doesn't have a block device.
-
-
kern.dump_on_panic
(KERN_DUMP_ON_PANIC
)
- Perform a crash dump on system
panic(9).
-
-
kern.file
(KERN_FILE
)
- Return the entire file table. The returned data consists of
a single struct filelist followed by an array of
struct file, whose size depends on the current
number of such objects in the system.
-
-
kern.forkfsleep
(KERN_FORKFSLEEP
)
- If fork(2)
system call fails due to limit on number of processes (either the global
maxproc limit or user's one), wait for this many milliseconds before
returning
EAGAIN
error to process. Useful to keep
heavily forking runaway processes in bay. Default zero (no sleep). Maximum
is 20 seconds.
-
-
kern.fscale
(KERN_FSCALE
)
- The kernel fixed-point scale factor.
-
-
kern.fsync
(KERN_FSYNC
)
- Return 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) File Synchronization Option is available
on this system, otherwise 0.
-
-
kern.hardclock_ticks
(KERN_HARDCLOCK_TICKS
)
- Returns the number of
hardclock(9) ticks.
-
-
kern.hist
- This variable contains kernel history data if the kernel
was configured for any of the options
UVHMIST
,
USB_DEBUG
, BIOHIST
, or
SCDEBUG
. (See
options(4) for more
details.) The third-level names correspond to each available history
table. The values of the history tables are in an internal format, and can
be decoded by the vmstat(1)
utility's -U and -u options; the
-l option can be used to see which tables are
available.
-
-
kern.hostid
(KERN_HOSTID
)
- Get or set the host identifier. This is aimed to replace
the legacy gethostid(3)
and sethostid(3) system
calls.
-
-
kern.hostname
(KERN_HOSTNAME
)
- Get or set the
hostname(1).
-
-
kern.iov_max
(KERN_IOV_MAX
)
- Return the maximum number of iovec
structures that a process has available for use with
preadv(2),
pwritev(2),
readv(2),
recvmsg(2),
sendmsg(2) and
writev(2).
-
-
kern.ipc
(KERN_SYSVIPC
)
- Return information about the SysV IPC parameters. The third
level names for the ipc variables are detailed below.
Third level name |
Type |
Changeable |
kern.ipc.sysvmsg |
integer |
no |
kern.ipc.sysvsem |
integer |
no |
kern.ipc.sysvshm |
integer |
no |
kern.ipc.sysvipc_info |
struct |
no |
kern.ipc.shmmax |
integer |
yes |
kern.ipc.shmmni |
integer |
yes |
kern.ipc.shmseg |
integer |
yes |
kern.ipc.shmmaxpgs |
integer |
yes |
kern.ipc.shm_use_phys |
integer |
yes |
kern.ipc.msgmni |
integer |
yes |
kern.ipc.msgseg |
integer |
yes |
kern.ipc.semmni |
integer |
yes |
kern.ipc.semmns |
integer |
yes |
kern.ipc.semmnu |
integer |
yes |
-
-
kern.ipc.sysvmsg
(KERN_SYSVIPC_MSG
)
- Returns 1 if System V style message queue functionality
is available on this system, otherwise 0.
-
-
kern.ipc.sysvsem
(KERN_SYSVIPC_SEM
)
- Returns 1 if System V style semaphore functionality is
available on this system, otherwise 0.
-
-
kern.ipc.sysvshm
(KERN_SYSVIPC_SHM
)
- Returns 1 if System V style share memory functionality
is available on this system, otherwise 0.
-
-
kern.ipc.sysvipc_info
(KERN_SYSVIPC_INFO
)
- Return System V style IPC configuration and run-time
information. The fourth level name selects the System V style IPC
facility.
Fourth level name |
Type |
KERN_SYSVIPC_MSG_INFO |
struct msg_sysctl_info |
KERN_SYSVIPC_SEM_INFO |
struct sem_sysctl_info |
KERN_SYSVIPC_SHM_INFO |
struct shm_sysctl_info |
-
-
KERN_SYSVIPC_MSG_INFO
- Return information on the System V style message
facility. The msg_sysctl_info structure is
defined in
<sys/msg.h>.
-
-
KERN_SYSVIPC_SEM_INFO
- Return information on the System V style semaphore
facility. The sem_sysctl_info structure is
defined in
<sys/sem.h>.
-
-
KERN_SYSVIPC_SHM_INFO
- Return information on the System V style shared
memory facility. The shm_sysctl_info structure
is defined in
<sys/shm.h>.
-
-
kern.ipc.shmmax
(KERN_SYSVIPC_SHMMAX
)
- Max shared memory segment size in bytes.
-
-
kern.ipc.shmmni
(KERN_SYSVIPC_SHMMNI
)
- Max number of shared memory identifiers.
-
-
kern.ipc.shmseg
(KERN_SYSVIPC_SHMSEG
)
- Max shared memory segments per process.
-
-
kern.ipc.shmmaxpgs
(KERN_SYSVIPC_SHMMAXPGS
)
- Max amount of shared memory in pages.
-
-
kern.ipc.shm_use_phys
(KERN_SYSVIPC_SHMUSEPHYS
)
- Locking of shared memory in physical memory. If 0,
memory can be swapped out, otherwise it will be locked in physical
memory.
-
-
kern.ipc.msgmni
- Max number of message queue identifiers.
-
-
kern.ipc.msgseg
- Max number of number of message segments.
-
-
kern.ipc.semmni
- Max number of number of semaphore identifiers.
-
-
kern.ipc.semmns
- Max number of number of semaphores in system.
-
-
kern.ipc.semmnu
- Max number of undo structures in system.
-
-
kern.job_control
(KERN_JOB_CONTROL
)
- Return 1 if job control is available on this system,
otherwise 0.
-
-
kern.labeloffset
(KERN_LABELOFFSET
)
- The offset within the sector specified by
KERN_LABELSECTOR
of the
disklabel(5).
-
-
kern.labelsector
(KERN_LABELSECTOR
)
- The sector number containing the
disklabel(5).
-
-
kern.login_name_max
(KERN_LOGIN_NAME_MAX
)
- The size of the storage required for a login name, in
bytes, including the terminating NUL.
-
-
kern.logsigexit
(KERN_LOGSIGEXIT
)
- If this flag is non-zero, the kernel will
log(9) all process exits due to
signals which create a core(5)
file, and whether the coredump was created.
-
-
kern.mapped_files
(KERN_MAPPED_FILES
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Memory Mapped Files Option is available on
this system, otherwise 0.
-
-
kern.maxfiles
(KERN_MAXFILES
)
- The maximum number of open files that may be open in the
system.
-
-
kern.maxpartitions
(KERN_MAXPARTITIONS
)
- The maximum number of partitions allowed per disk.
-
-
kern.maxlwp
- The maximum number of Lightweight Processes (threads) the
system allows per uid.
-
-
kern.maxphys
(KERN_MAXPHYS
)
- Maximum raw I/O transfer size.
-
-
kern.maxproc
(KERN_MAXPROC
)
- The maximum number of simultaneous processes the system
will allow.
-
-
kern.maxptys
(KERN_MAXPTYS
)
- The maximum number of pseudo terminals. This value can be
both raised and lowered, though it cannot be set lower than number of
currently used ptys. See also
pty(4).
-
-
kern.maxvnodes
(KERN_MAXVNODES
)
- The maximum number of vnodes available on the system. This
can only be raised.
-
-
kern.mbuf
(KERN_MBUF
)
- Return information about the mbuf control variables. Mbufs
are data structures which store network packets and other data structures
in the networking code, see
mbuf(9). The third level names
for the mbuf variables are detailed below. The changeable column shows
whether a process with appropriate privilege may change the value.
Third level name |
Type |
Changeable |
kern.mbuf.mblowat |
integer |
yes |
kern.mbuf.mclbytes |
integer |
yes |
kern.mbuf.mcllowat |
integer |
yes |
kern.mbuf.msize |
integer |
yes |
kern.mbuf.nmbclusters |
integer |
yes |
The variables are as follows:
-
-
kern.mbuf.mblowat
(MBUF_MBLOWAT
)
- The mbuf low water mark.
-
-
kern.mbuf.mclbytes
(MBUF_MCLBYTES
)
- The mbuf cluster size.
-
-
kern.mbuf.mcllowat
(MBUF_MCLLOWAT
)
- The mbuf cluster low water mark.
-
-
kern.mbuf.msize
(MBUF_MSIZE
)
- The mbuf base size.
-
-
kern.mbuf.nmbclusters
(MBUF_NMBCLUSTERS
)
- The limit on the number of mbuf clusters. The variable
can only be increased, and only increased on machines with
direct-mapped pool pages.
-
-
kern.memlock
(KERN_MEMLOCK
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Process Memory Locking Option is available
on this system, otherwise 0.
-
-
kern.memlock_range
(KERN_MEMLOCK_RANGE
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Range Memory Locking Option is available
on this system, otherwise 0.
-
-
kern.memory_protection
(KERN_MEMORY_PROTECTION
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Memory Protection Option is available on
this system, otherwise 0.
-
-
kern.messages
- Kernel console message verbosity. See
<sys/reboot.h>
Verbosity Setting |
0 Silent
AB_SILENT |
1 Quiet
AB_QUIET |
2 Normal
AB_NORMAL |
3 Verbose
AB_VERBOSE |
4 Debug
AB_DEBUG |
-
-
kern.module
- Settings related to kernel modules. The third level names
for the settings are described below.
Third level name |
Type |
Changeable |
kern.module.autoload |
integer |
yes |
kern.module.autotime |
integer |
yes |
kern.module.verbose |
integer |
yes |
The variables are as follows:
-
-
kern.module.autoload
- A boolean that controls whether kernel modules are
loaded automatically. See
module(7) for additional
details.
-
-
kern.module.autotime
- An integer that controls the delay before an attempt is
made to automatically unload a module that was auto-loaded. Setting
this value to zero disables the auto-unload function.
-
-
kern.module.verbose
- A boolean that enables or disables verbose debug
messages related to kernel modules.
-
-
kern.monotonic_clock
(KERN_MONOTONIC_CLOCK
)
- Returns the standard version the implementation of the
IEEE Std 1003.1b-1993 (“POSIX.1b”)
Monotonic Clock Option conforms to, otherwise 0.
-
-
kern.mqueue
- Settings related to POSIX message queues; see
mqueue(3). This node is
created dynamically when the corresponding kernel module is loaded. The
third level names for the settings are described below.
Third level name |
Type |
Changeable |
kern.mqueue.mq_open_max |
integer |
yes |
kern.mqueue.mq_prio_max |
integer |
yes |
kern.mqueue.mq_max_msgsize |
integer |
yes |
kern.mqueue.mq_def_maxmsg |
integer |
yes |
kern.mqueue.mq_max_maxmsg |
integer |
yes |
The variables are:
-
-
kern.mqueue.mq_open_max
- The maximum number of message queue descriptors any
single process can open.
-
-
kern.mqueue.mq_prio_max
- The maximum priority of a message.
-
-
kern.mqueue.mq_max_msgsize
- The maximum size of a message in a message queue.
-
-
kern.mqueue.mq_def_maxmsg
- The default maximum message count.
-
-
kern.mqueue.mq_max_maxmsg
- The maximum number of messages in a message queue.
-
-
kern.msgbuf
(KERN_MSGBUF
)
- The kernel message buffer, rotated so that the head of the
circular kernel message buffer is at the start of the returned data. The
returned data may contain NUL bytes.
-
-
kern.msgbufsize
(KERN_MSGBUFSIZE
)
- The maximum number of characters that the kernel message
buffer can hold.
-
-
kern.ngroups
(KERN_NGROUPS
)
- The maximum number of supplemental groups.
-
-
kern.ntptime
(KERN_NTPTIME
)
- A struct ntptimeval structure is
returned. This structure contains data used by the
ntpd(8) program.
-
-
kern.osrelease
(KERN_OSRELEASE
)
- The system release string.
-
-
kern.osrevision
(KERN_OSREV
)
- The system revision string.
-
-
kern.ostype
(KERN_OSTYPE
)
- The system type string.
-
-
kern.pipe
(KERN_PIPE
)
- Pipe settings. The third level names for the integer pipe
settings is detailed below. The changeable column shows whether a process
with appropriate privilege may change the value.
Third level name |
Type |
Changeable |
kern.pipe.kvasiz |
integer |
yes |
kern.pipe.maxbigpipes |
integer |
yes |
kern.pipe.maxkvasz |
integer |
yes |
kern.pipe.limitkva |
integer |
yes |
kern.pipe.nbigpipes |
integer |
yes |
The variables are as follows:
-
-
kern.pipe.kvasiz
(KERN_PIPE_KVASIZ
)
- Amount of kernel memory consumed by pipe buffers.
-
-
kern.pipe.maxbigpipes
(KERN_PIPE_MAXBIGPIPES
)
- Maximum number of “big” pipes.
-
-
kern.pipe.maxkvasz
(KERN_PIPE_MAXKVASZ
)
- Maximum amount of kernel memory to be used for
pipes.
-
-
kern.pipe.limitkva
(KERN_PIPE_LIMITKVA
)
- Limit for direct transfers via page loan.
-
-
kern.pipe.nbigpipes
(KERN_PIPE_NBIGPIPES
)
- Number of “big” pipes.
-
-
kern.pool
- Provides statistics about the
pool(9) and
pool_cache(9)
subsystems.
-
-
kern.posix1version
(KERN_POSIX1
)
- The version of ISO/IEC 9945 (IEEE Std
1003.1 (“POSIX.1”)) with which the system attempts to
comply.
-
-
kern.posix_aio
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Asynchronous I/O option to which
the system attempts to conform.
-
-
kern.posix_barriers
(KERN_POSIX_BARRIERS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Barriers option to which the system
attempts to conform, otherwise 0.
-
-
kern.posix_reader_writer_locks
(KERN_POSIX_READER_WRITER_LOCKS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Read-Write Locks option to which
the system attempts to conform, otherwise 0.
-
-
kern.posix_semaphores
(KERN_POSIX_SEMAPHORES
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Semaphores option to which the
system attempts to conform, otherwise 0.
-
-
kern.posix_spin_locks
(KERN_POSIX_SPIN_LOCKS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Spin Locks option to which the
system attempts to conform, otherwise 0.
-
-
kern.posix_threads
(KERN_POSIX_THREADS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Threads option to which the system
attempts to conform, otherwise 0.
-
-
kern.posix_timers
(KERN_POSIX_TIMERS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Timers option to which the system
attempts to conform, otherwise 0.
-
-
kern.proc
(KERN_PROC
)
- Return the entire process table, or a subset of it. An
array of struct kinfo_proc structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
Third level name |
Fourth level is: |
KERN_PROC_ALL |
None |
KERN_PROC_GID |
A group ID |
KERN_PROC_PID |
A process ID |
KERN_PROC_PGRP |
A process group |
KERN_PROC_RGID |
A real group ID |
KERN_PROC_RUID |
A real user ID |
KERN_PROC_SESSION |
A session ID |
KERN_PROC_TTY |
A tty device |
KERN_PROC_UID |
A user ID |
-
-
kern.proc2
(KERN_PROC2
)
- As for
KERN_PROC
, but an array of
struct kinfo_proc2 structures are returned. The
fifth level name is the size of the struct
kinfo_proc2 and the sixth level name is the number of structures to
return.
-
-
kern.proc_args
(KERN_PROC_ARGS
)
- Return the argv or environment strings (or the number
thereof) of a process. Multiple strings are returned separated by NUL
characters. The third level name is the process ID. The fourth level name
is as follows:
KERN_PROC_ARGV |
The argv strings |
KERN_PROC_ENV |
The environ strings |
KERN_PROC_NARGV |
The number of argv strings |
KERN_PROC_NENV |
The number of environ strings |
KERN_PROC_PATHNAME |
The full pathname of the executable |
-
-
kern.profiling
(KERN_PROF
)
- Return profiling information about the kernel. If the
kernel is not compiled for profiling, attempts to retrieve any of the
KERN_PROF
values will fail with
EOPNOTSUPP
. The third level names for the string
and integer profiling information is detailed below. The changeable column
shows whether a process with appropriate privilege may change the value.
Third level name |
Type |
Changeable |
kern.profiling.count |
u_short[] |
yes |
kern.profiling.froms |
u_short[] |
yes |
kern.profiling.gmonparam |
struct gmonparam |
no |
kern.profiling.state |
integer |
yes |
kern.profiling.tos |
struct tostruct |
yes |
The variables are as follows:
-
-
kern.profiling.count
(GPROF_COUNT
)
- Array of statistical program counter counts.
-
-
kern.profiling.froms
(GPROF_FROMS
)
- Array indexed by program counter of call-from
points.
-
-
kern.profiling.gmonparams
(GPROF_GMONPARAM
)
- Structure giving the sizes of the above arrays.
-
-
kern.profiling.state
(GPROF_STATE
)
- Profiling state. If set to
GMON_PROF_ON
, starts profiling. If set to
GMON_PROF_OFF
, stops profiling.
-
-
kern.profiling.tos
(GPROF_TOS
)
- Array of struct tostruct
describing destination of calls and their counts.
-
-
kern.rawpartition
(KERN_RAWPARTITION
)
- The raw partition of a disk (a == 0).
-
-
kern.root_device
(KERN_ROOT_DEVICE
)
- The name of the root device (e.g., “wd0”).
-
-
kern.root_partition
(KERN_ROOT_PARTITION
)
- The root partition on the root device (a == 0).
-
-
kern.rtc_offset
(KERN_RTC_OFFSET
)
- Return the offset of real time clock from UTC in
minutes.
-
-
kern.saved_ids
(KERN_SAVED_IDS
)
- Returns 1 if saved set-group and saved set-user ID is
available.
-
-
kern.sbmax
(KERN_SBMAX
)
- Maximum socket buffer size.
-
-
kern.securelevel
(KERN_SECURELVL
)
- See
secmodel_securelevel(9).
-
-
kern.sched
(dynamic
)
- Influence the scheduling of LWPs, their priorisation and
how they are distributed on and moved between CPUs.
Third level name |
Type |
Changeable |
kern.sched.cacheht_time |
integer |
yes |
kern.sched.balance_period |
integer |
yes |
kern.sched.average_weight |
integer |
yes |
kern.sched.min_catch |
integer |
yes |
kern.sched.timesoftints |
integer |
yes |
kern.sched.kpreempt_pri |
integer |
yes |
kern.sched.upreempt_pri |
integer |
yes |
kern.sched.maxts |
integer |
yes |
kern.sched.mints |
integer |
yes |
kern.sched.name |
string |
no |
kern.sched.rtts |
integer |
no |
kern.sched.pri_min |
integer |
no |
kern.sched.pri_max |
integer |
no |
The variables are as follows:
-
-
kern.sched.cacheht_time
(dynamic
)
- Cache hotness time in which a LWP is kept on one
particular CPU and not moved to another CPU. This reduces the overhead
of flushing and reloading caches. Defaults to 3ms. Needs to be given
in “hz” units, see
mstohz(9).
-
-
kern.sched.balance_period
(dynamic
)
- Interval at which the CPU queues are checked for
re-balancing. Defaults to 300ms. Needs to be given in “hz”
units, see
mstohz(9).
-
-
kern.sched.average_weight
(dynamic
)
- Can be used to influence how likely LWPs are to be
migrated from one CPU's queue of LWPs that are ready to run to a
different, idle CPU. The value gives the percentage for weighting the
average count of migratable threads from the past against the current
number of migratable threads. A small value gives more weight to the
past, a larger values more weight on the current situation. Defaults
to 50 and must be between 0 and 100.
-
-
kern.sched.min_catch
(dynamic
)
- Minimum count of migratable (runable) threads for
catching (stealing) from another CPU. Defaults to 1 but can be
increased to decrease chance of thread migration between CPUs.
-
-
kern.sched.timesoftints
(dynamic
)
- Enable tracking of CPU time for soft interrupts as part
of a LWP's real execution time. Set to a non-zero value to enable, and
see ps(1) for printing CPU
times.
-
-
kern.sched.kpreempt_pri
(dynamic
)
- Minimum priority to trigger kernel preemption.
-
-
kern.sched.upreempt_pri
(dynamic
)
- Minimum priority to trigger user preemption.
-
-
kern.sched.maxts
(dynamic
)
- Scheduler specific maximal time quantum (in
milliseconds). Must be set to a value larger than “mints”
and between 10 and “hz” as given by the
kern.clockrate
sysctl. Provided by the M2
scheduler.
-
-
kern.sched.mints
(dynamic
)
- Scheduler specific minimal time quantum (in
milliseconds). Must be set to a value smaller than “maxts”
and between 1 and “hz” as given by the
“kern.clockrate” sysctl. Provided by the M2
scheduler.
-
-
kern.sched.name
(dynamic
)
- Scheduler name. Provided both by the M2 and the 4BSD
scheduler.
-
-
kern.sched.rtts
(dynamic
)
- Fixed scheduler specific round-robin time quantum in
milliseconds. Provided both by the M2 and the 4BSD scheduler.
-
-
kern.sched.pri_min
(dynamic
)
- Minimal POSIX real-time priority. See
sched(3).
-
-
kern.sched.pri_max
(dynamic
)
- Maximal POSIX real-time priority. See
sched(3).
-
-
kern.somaxkva
(KERN_SOMAXKVA
)
- Maximum amount of kernel memory to be used for socket
buffers.
-
-
kern.synchronized_io
(KERN_SYNCHRONIZED_IO
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Synchronized I/O Option is available on
this system, otherwise 0.
-
-
kern.timecounter
(dynamic
)
- Display and control the timecounter source of the system.
Third level name |
Type |
Changeable |
kern.timecounter.choice |
string |
no |
kern.timecounter.hardware |
string |
yes |
kern.timecounter.timestepwarnings |
integer |
yes |
The variables are as follows:
-
-
kern.timecounter.choice
(dynamic
)
- The list of available timecounters with their quality
and frequency.
-
-
kern.timecounter.hardware
(dynamic
)
- The currently selected timecounter source.
-
-
kern.timecounter.timestepwarnings
(dynamic
)
- If non-zero display a message each time the time is
stepped.
-
-
kern.timex
(KERN_TIMEX
)
- Not available.
-
-
kern.tkstat
(KERN_TKSTAT
)
- Return information about the number of characters sent and
received on ttys. The third level names for the tty statistic variables
are detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Third level name |
Type |
Changeable |
kern.tkstat.cancc |
quad |
no |
kern.tkstat.nin |
quad |
no |
kern.tkstat.nout |
quad |
no |
kern.tkstat.rawcc |
quad |
no |
The variables are as follows:
-
-
kern.tkstat.cancc
(KERN_TKSTAT_CANCC
)
- The number of canonical input characters.
-
-
kern.tkstat.nin
(KERN_TKSTAT_NIN
)
- The total number of input characters.
-
-
kern.tkstat.nout
(KERN_TKSTAT_NOUT
)
- The total number of output characters.
-
-
kern.tkstat.rawcc
(KERN_TKSTAT_RAWCC
)
- The number of raw input characters.
-
-
kern.tty
- The third level names for the tty setup variables are
detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Third level name |
Type |
Changeable |
kern.tty.qsize |
int |
yes |
The variables are as follows:
-
-
kern.tty.qsize
- Control/display the size of the default input and
output queues selected during tty creation. Is converted to a power of
two and its range is between
1024
and
65536
.
-
-
kern.uidinfo
- Resource usage for the current user.
Third level name |
Type |
Changeable |
kern.uidinfo.proccnt |
integer |
no |
kern.uidinfo.lwpcnt |
integer |
no |
kern.uidinfo.lockcnt |
integer |
no |
kern.uidinfo.sbsize |
integer |
no |
-
-
kern.uidinfo.proccnt
- Returns the number of active processes for the current
user.
-
-
kern.uidinfo.lwpcnt
- Returns the number of active threads for the current
user; the first thread of each process is not counted.
-
-
kern.uidinfo.lockcnt
- Number of locks held by the current user.
-
-
kern.uidinfo.sbsize
- Number of bytes in socket buffers allocated to the
current user.
-
-
kern.urandom
(KERN_URND
)
- Random integer value.
-
-
kern.usercrypto
- When enabled, allows userland to
open(2) the
/dev/crypto special device, used by the
crypto(4) system.
-
-
kern.userasymcrypto
- Enables or disables the use of software asymmetric crypto
support in the crypto(4)
system.
-
-
kern.veriexec
- Runtime information for
veriexec(8).
Third level name |
Type |
Changeable |
kern.veriexec.algorithms |
string |
no |
kern.veriexec.count |
node |
not applicable |
kern.veriexec.strict |
integer |
yes |
kern.veriexec.verbose |
integer |
yes |
-
-
kern.veriexec.algorithms
- Returns a string with the supported algorithms in
Veriexec.
-
-
kern.veriexec.count
- Sub-nodes are added to this node as new mounts are
monitored by Veriexec. Each mount will be under its own
tableN node. Under each node there will be
three variables, indicating the mount point, the file system type, and
the number of entries.
-
-
kern.veriexec.strict
- Controls the strict level of Veriexec. See
security(7) for more
information on each level's implications.
-
-
kern.veriexec.verbose
- Controls the verbosity level of Veriexec. If 0, only
the minimal indication required will be given about what's happening -
fingerprint mismatches, removal of entries from the tables,
modification of a fingerprinted file. If 1, more messages will be
printed (ie., when a file with a valid fingerprint is accessed).
Verbose level 2 is debug mode.
-
-
kern.version
(KERN_VERSION
)
- The system version string.
-
-
kern.vnode
(KERN_VNODE
)
- Return the entire vnode table. Note, the vnode table is not
necessarily a consistent snapshot of the system. The returned data
consists of an array whose size depends on the current number of such
objects in the system. Each element of the array contains the kernel
address of a vnode struct vnode * followed by the
vnode itself struct vnode.
The machdep.* subtree
The set of variables defined is architecture dependent. Most architectures
define at least the following variables.
Second level name |
Type |
Changeable |
machdep.booted_kernel |
string |
no |
The net.* subtree
The string and integer information available for the
net
level is detailed below. The changeable column shows whether a process with
appropriate privilege may change the value. The second and third levels are
typically the protocol family and protocol number, though this is not always
the case.
Second level name |
Type |
Changeable |
net.route |
routing messages |
no |
net.inet |
IPv4 values |
yes |
net.inet6 |
IPv6 values |
yes |
net.key |
IPsec key management values |
yes |
-
-
net.route
(PF_ROUTE
)
- Return the entire routing table or a subset of it. The data
is returned as a sequence of routing messages (see
route(4) for the header file,
format and meaning). The length of each message is contained in the
message header.
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families. The fifth and sixth level names are as
follows:
Fifth level name |
Sixth level is: |
NET_RT_FLAGS |
rtflags |
NET_RT_DUMP |
None |
NET_RT_IFLIST |
None |
-
-
net.inet
(PF_INET
)
- Get or set various global information about the IPv4
(Internet Protocol version 4). The third level name is the protocol. The
fourth level name is the variable name. The currently defined protocols
and names are:
Protocol |
Variable |
Type |
Changeable |
arp |
down |
integer |
yes |
arp |
keep |
integer |
yes |
arp |
log_movements |
integer |
yes |
arp |
log_permanent_modify |
integer |
yes |
arp |
log_unknown_network |
integer |
yes |
arp |
log_wrong_iface |
integer |
yes |
carp |
allow |
integer |
yes |
carp |
preempt |
integer |
yes |
carp |
log |
integer |
yes |
carp |
arpbalance |
integer |
yes |
icmp |
errppslimit |
integer |
yes |
icmp |
maskrepl |
integer |
yes |
icmp |
rediraccept |
integer |
yes |
icmp |
redirtimeout |
integer |
yes |
icmp |
bmcastecho |
integer |
yes |
ip |
allowsrcrt |
integer |
yes |
ip |
anonportalgo.selected |
string |
yes |
ip |
anonportalgo.available |
string |
yes |
ip |
anonportalgo.reserve |
struct |
yes |
ip |
anonportmax |
integer |
yes |
ip |
anonportmin |
integer |
yes |
ip |
checkinterface |
integer |
yes |
ip |
dad_count |
integer |
yes |
ip |
directed-broadcast |
integer |
yes |
ip |
do_loopback_cksum |
integer |
yes |
ip |
forwarding |
integer |
yes |
ip |
forwsrcrt |
integer |
yes |
ip |
gifttl |
integer |
yes |
ip |
grettl |
integer |
yes |
ip |
hashsize |
integer |
yes |
ip |
hostzerobroadcast |
integer |
yes |
ip |
lowportmin |
integer |
yes |
ip |
lowportmax |
integer |
yes |
ip |
maxflows |
integer |
yes |
ip |
maxfragpackets |
integer |
yes |
ip |
mtudisc |
integer |
yes |
ip |
mtudisctimeout |
integer |
yes |
ip |
random_id |
integer |
yes |
ip |
redirect |
integer |
yes |
ip |
subnetsarelocal |
integer |
yes |
ip |
ttl |
integer |
yes |
tcp |
rfc1323 |
integer |
yes |
tcp |
sendspace |
integer |
yes |
tcp |
recvspace |
integer |
yes |
tcp |
mssdflt |
integer |
yes |
tcp |
syn_cache_limit |
integer |
yes |
tcp |
syn_bucket_limit |
integer |
yes |
tcp |
syn_cache_interval |
integer |
yes |
tcp |
init_win |
integer |
yes |
tcp |
init_win_local |
integer |
yes |
tcp |
mss_ifmtu |
integer |
yes |
tcp |
win_scale |
integer |
yes |
tcp |
timestamps |
integer |
yes |
tcp |
compat_42 |
integer |
yes |
tcp |
cwm |
integer |
yes |
tcp |
cwm_burstsize |
integer |
yes |
tcp |
ack_on_push |
integer |
yes |
tcp |
keepidle |
integer |
yes |
tcp |
keepintvl |
integer |
yes |
tcp |
keepcnt |
integer |
yes |
tcp |
slowhz |
integer |
no |
tcp |
keepinit |
integer |
yes |
tcp |
log_refused |
integer |
yes |
tcp |
rstppslimit |
integer |
yes |
tcp |
ident |
struct |
no |
tcp |
drop |
struct |
no |
tcp |
sack.enable |
integer |
yes |
tcp |
sack.globalholes |
integer |
no |
tcp |
sack.globalmaxholes |
integer |
yes |
tcp |
sack.maxholes |
integer |
yes |
tcp |
ecn.enable |
integer |
yes |
tcp |
ecn.maxretries |
integer |
yes |
tcp |
congctl.selected |
string |
yes |
tcp |
congctl.available |
string |
yes |
tcp |
abc.enable |
integer |
yes |
tcp |
abc.aggressive |
integer |
yes |
udp |
checksum |
integer |
yes |
udp |
do_loopback_cksum |
integer |
yes |
udp |
recvspace |
integer |
yes |
udp |
sendspace |
integer |
yes |
The variables are as follows:
-
-
arp.down
- Failed ARP entry lifetime.
-
-
arp.keep
- Valid ARP entry lifetime.
-
-
carp.allow
- If set to 0, incoming
carp(4) packets will not
be processed. If set to any other value, processing will occur.
Enabled by default.
-
-
carp.arpbalance
- If set to any value other than 0, the ARP balancing
functionality of carp(4)
is enabled. When ARP requests are received for an IP address which is
part of any virtual host, carp will hash the source IP in the ARP
request to select one of the virtual hosts from the set of all the
virtual hosts which have that IP address. The master of that host will
respond with the correct virtual MAC address. Disabled by
default.
-
-
carp.log
- If set to any value other than 0,
carp(4) will log errors.
Disabled by default.
-
-
carp.preempt
- If set to 0,
carp(4) will not attempt
to become master if it is receiving advertisements from another active
master. If set to any other value, carp will become master of the
virtual host if it believes it can send advertisements more frequently
than the current master. Disabled by default.
-
-
ip.allowsrcrt
- If set to 1, the host accepts source routed
packets.
-
-
ip.anonportalgo.available
- The available RFC 6056 port randomization
algorithms.
-
-
ip.anonportalgo.reserve
- A bitmask of ports that will not be used during
anonymous or privileged port selection.
-
-
ip.anonportalgo.selected
- The currently selected RFC 6056 port randomization
algorithm.
-
-
ip.anonportmax
- The highest port number to use for TCP and UDP
ephemeral port allocation. This cannot be set to less than 1024 or
greater than 65535, and must be greater than
ip.anonportmin
.
-
-
ip.anonportmin
- The lowest port number to use for TCP and UDP ephemeral
port allocation. This cannot be set to less than 1024 or greater than
65535.
-
-
ip.checkinterface
- If set to non-zero, the host will reject packets
addressed to it that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses are
added to the loopback interface instead of the interface where the
packets for those packets are received.
-
-
ip.dad_count
- The number of
arp(4) probes sent for
Address Conflict Detection. Set to 0 to disable this.
-
-
ip.directed-broadcast
- If set to 1, enables directed broadcast behavior for
the host.
-
-
ip.do_loopback_cksum
- Perform IP checksum on loopback.
-
-
ip.forwarding
- If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
-
-
ip.forwsrcrt
- If set to 1, enables forwarding of source-routed
packets for the host. This value may only be changed if the kernel
security level is less than 1.
-
-
ip.gifttl
- The maximum time-to-live (hop count) value for an IPv4
packet generated by gif(4)
tunnel interface.
-
-
ip.grettl
- The maximum time-to-live (hop count) value for an IPv4
packet generated by gre(4)
tunnel interface.
-
-
ip.hashsize
- The size of IPv4 Fast Forward hash table. This value
must be a power of 2 (64, 256...). A larger hash table size results in
fewer collisions. Also see
ip.maxflows
.
-
-
ip.hostzerobroadcast
- All zeroes address is broadcast address.
-
-
ip.lowportmax
- The highest port number to use for TCP and UDP reserved
port allocation. This cannot be set to less than 0 or greater than
1024, and must be greater than
ip.lowportmin
.
-
-
ip.lowportmin
- The lowest port number to use for TCP and UDP reserved
port allocation. This cannot be set to less than 0 or greater than
1024, and must be smaller than
ip.lowportmax
.
-
-
ip.maxflows
- IPv4 Fast Forwarding is enabled by default. If set to
0, IPv4 Fast Forwarding is disabled.
ip.maxflows
controls the maximum amount of
flows which can be created. The default value is 256.
-
-
ip.maxfragpackets
- The maximum number of fragmented packets the node will
accept. 0 means that the node will not accept any fragmented packets.
-1 means that the node will accept as many fragmented packets as it
receives. The flag is provided basically for avoiding possible DoS
attacks.
-
-
ip.mtudisc
- If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment size
will be determined by the advertised maximum segment size (MSS) from
the remote end, as constrained by the path MTU. If MTU Discovery is
disabled, the transmitted segment size will never be greater than
tcp.mssdflt
(the local maximum segment
size).
-
-
ip.mtudisctimeout
- The number of seconds in which a route added by the
Path MTU Discovery engine will time out. When the route times out, the
Path MTU Discovery engine will attempt to probe a larger path
MTU.
-
-
ip.random_id
- Assign random ip_id values.
-
-
ip.redirect
- If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets, and
should normally be enabled on all systems.
-
-
ip.subnetsarelocal
- If set to 1, subnets are to be considered local
addresses.
-
-
ip.ttl
- The maximum time-to-live (hop count) value for an IP
packet sourced by the system. This value applies to normal transport
protocols, not to ICMP.
-
-
icmp.errppslimit
- The variable specifies the maximum number of outgoing
ICMP error messages, per second. ICMP error messages that exceeded the
value are subject to rate limitation and will not go out from the
node. Negative value disables rate limitation.
-
-
icmp.maskrepl
- If set to 1, ICMP network mask requests are to be
answered.
-
-
icmp.rediraccept
- If set to non-zero, the host will accept ICMP redirect
packets. Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
-
-
icmp.redirtimeout
- The variable specifies lifetime of routing entries
generated by incoming ICMP redirect. This defaults to 600
seconds.
-
-
icmp.returndatabytes
- Number of bytes to return in an ICMP error
message.
-
-
icmp.bmcastecho
- If set to 1, enables responding to ICMP echo or
timestamp request to the broadcast address.
-
-
tcp.ack_on_push
- If set to 1, TCP is to immediately transmit an ACK upon
reception of a packet with PUSH set. This can avoid losing a round
trip time in some rare situations, but has the caveat of potentially
defeating TCP's delayed ACK algorithm. Use of this option is generally
not recommended, but the variable exists in case your configuration
really needs it.
-
-
tcp.compat_42
- If set to 1, enables work-arounds for bugs in the
4.2BSD TCP implementation. Use of this option is not recommended,
although it may be required in order to communicate with extremely old
TCP implementations.
-
-
tcp.cwm
- If set to 1, enables use of the Hughes/Touch/Heidemann
Congestion Window Monitoring algorithm. This algorithm prevents
line-rate bursts of packets that could otherwise occur when data
begins flowing on an idle TCP connection. These line-rate bursts can
contribute to network and router congestion. This can be particularly
useful on World Wide Web servers which support HTTP/1.1, which has
lingering connections.
-
-
tcp.cwm_burstsize
- The Congestion Window Monitoring allowed burst size, in
terms of packet count.
-
-
tcp.delack_ticks
- Number of ticks to delay sending an ACK.
-
-
tcp.do_loopback_cksum
- Perform TCP checksum on loopback.
-
-
tcp.init_win
- A value indicating the TCP initial congestion window.
The valid range is 0 to 10 (maximum specified by RFC6928), with a
default of 4 (approximately 4K per RFC3390).
-
-
tcp.init_win_local
- Like
tcp.init_win
, but used
when communicating with hosts on a local network.
-
-
tcp.keepcnt
- Number of keepalive probes sent before declaring a
connection dead. If set to zero, there is no limit; keepalives will be
sent until some kind of response is received from the peer.
-
-
tcp.keepidle
- Time a connection must be idle before keepalives are
sent (if keepalives are enabled for the connection). See also
tcp.slowhz.
-
-
tcp.keepintvl
- Time after a keepalive probe is sent until, in the
absence of any response, another probe is sent. See also
tcp.slowhz.
-
-
tcp.log_refused
- If set to 1, refused TCP connections to the host will
be logged.
-
-
tcp.keepinit
- Timeout in seconds during connection
establishment.
-
-
tcp.mss_ifmtu
- If set to 1, TCP calculates the outgoing maximum
segment size based on the MTU of the appropriate interface. If set to
0, it is calculated based on the greater of the MTU of the interface,
and the largest (non-loopback) interface MTU on the system.
-
-
tcp.mssdflt
- The default maximum segment size both advertised to the
peer and to use when either the peer does not advertise a maximum
segment size to us during connection setup or Path MTU Discovery
(
ip.mtudisc
) is disabled. Do not change this
value unless you really know what you are doing.
-
-
tcp.recvspace
- The default TCP receive buffer size.
-
-
tcp.rfc1323
- If set to 1, enables RFC 1323 extensions to TCP.
-
-
tcp.rstppslimit
- The variable specifies the maximum number of outgoing
TCP RST packets, per second. TCP RST packet that exceeded the value
are subject to rate limitation and will not go out from the node.
Negative value disables rate limitation.
-
-
tcp.ident
- Return the user ID of a connected socket pair. (RFC1413
Identification Protocol lookups.)
-
-
tcp.drop
- Drop a TCP socket pair connection.
-
-
tcp.sack.enable
- If set to 1, enables RFC 2018 Selective
ACKnowledgement.
-
-
tcp.sack.globalholes
- Global number of TCP SACK holes.
-
-
tcp.sack.globalmaxholes
- Global maximum number of TCP SACK holes.
-
-
tcp.sack.maxholes
- Maximum number of TCP SACK holes allowed per
connection.
-
-
tcp.ecn.enable
- If set to 1, enables RFC 3168 Explicit Congestion
Notification.
-
-
tcp.ecn.maxretries
- Number of times to retry sending the ECN-setup
packet.
-
-
tcp.sendspace
- The default TCP send buffer size.
-
-
tcp.slowhz
- The units for tcp.keepidle and tcp.keepintvl; those
variables are in ticks of a clock that ticks tcp.slowhz times per
second. (That is, their values must be divided by the tcp.slowhz value
to get times in seconds.)
-
-
tcp.syn_bucket_limit
- The maximum number of entries allowed per hash bucket
in the TCP compressed state engine.
-
-
tcp.syn_cache_limit
- The maximum number of entries allowed in the TCP
compressed state engine.
-
-
tcp.timestamps
- If rfc1323 is enabled, a value of 1 indicates RFC 1323
time stamp options, used for measuring TCP round trip times, are
enabled.
-
-
tcp.win_scale
- If rfc1323 is enabled, a value of 1 indicates RFC 1323
window scale options, for increasing the TCP window size, are
enabled.
-
-
tcp.congctl.available
- The available TCP congestion control algorithms.
-
-
tcp.congctl.selected
- The currently selected TCP congestion control
algorithm.
-
-
tcp.abc.enable
- If set to 1, use RFC 3465 Appropriate Byte Counting
(ABC). If set to 0, use traditional Packet Counting.
-
-
tcp.abc.aggressive
- Choose the L parameter found in RFC 3465. L is the
maximum cwnd increase for an ack during slow start. If set to 1, use
L=2*SMSS. If set to 0, use L=1*SMSS. It has no effect unless
tcp.abc.enable is set to 1.
-
-
udp.checksum
- If set to 1, UDP checksums are being computed. Received
non-zero UDP checksums are always checked. Disabling UDP checksums is
strongly discouraged.
-
-
udp.recvspace
- The default UDP receive buffer size.
-
-
udp.sendspace
- The default UDP send buffer size.
For variables net.*.ipsec, please refer to
ipsec(4).
-
-
net.inet6
(PF_INET6
)
- Get or set various global information about the IPv6
(Internet Protocol version 6). The third level name is the protocol. The
fourth level name is the variable name. The currently defined protocols
and names are:
Protocol |
Variable |
Type |
Changeable |
icmp6 |
errppslimit |
integer |
yes |
icmp6 |
mtudisc_hiwat |
integer |
yes |
icmp6 |
mtudisc_lowat |
integer |
yes |
icmp6 |
nd6_debug |
integer |
yes |
icmp6 |
nd6_delay |
integer |
yes |
icmp6 |
nd6_maxnudhint |
integer |
yes |
icmp6 |
nd6_mmaxtries |
integer |
yes |
icmp6 |
nd6_prune |
integer |
yes |
icmp6 |
nd6_umaxtries |
integer |
yes |
icmp6 |
nd6_useloopback |
integer |
yes |
icmp6 |
nodeinfo |
integer |
yes |
icmp6 |
rediraccept |
integer |
yes |
icmp6 |
redirtimeout |
integer |
yes |
ip6 |
accept_rtadv |
integer |
yes |
ip6 |
addctlpolicy |
struct in6_addrpolicy |
no |
ip6 |
anonportalgo.selected |
string |
yes |
ip6 |
anonportalgo.available |
string |
yes |
ip6 |
anonportalgo.reserve |
struct |
yes |
ip6 |
anonportmax |
integer |
yes |
ip6 |
anonportmin |
integer |
yes |
ip6 |
auto_flowlabel |
integer |
yes |
ip6 |
dad_count |
integer |
yes |
ip6 |
defmcasthlim |
integer |
yes |
ip6 |
forwarding |
integer |
yes |
ip6 |
gifhlim |
integer |
yes |
ip6 |
hashsize |
integer |
yes |
ip6 |
hlim |
integer |
yes |
ip6 |
hdrnestlimit |
integer |
yes |
ip6 |
kame_version |
string |
no |
ip6 |
keepfaith |
integer |
yes |
ip6 |
log_interval |
integer |
yes |
ip6 |
lowportmax |
integer |
yes |
ip6 |
lowportmin |
integer |
yes |
ip6 |
maxdynroutes |
integer |
yes |
ip6 |
maxifprefixes |
integer |
yes |
ip6 |
maxifdefrouters |
integer |
yes |
ip6 |
maxflows |
integer |
yes |
ip6 |
maxfragpackets |
integer |
yes |
ip6 |
maxfrags |
integer |
yes |
ip6 |
neighborgcthresh |
integer |
yes |
ip6 |
redirect |
integer |
yes |
ip6 |
rr_prune |
integer |
yes |
ip6 |
use_deprecated |
integer |
yes |
ip6 |
v6only |
integer |
yes |
udp6 |
do_loopback_cksum |
integer |
yes |
udp6 |
recvspace |
integer |
yes |
udp6 |
sendspace |
integer |
yes |
The variables are as follows:
-
-
ip6.accept_rtadv
- If set to non-zero, the node will accept ICMPv6 router
advertisement packets and autoconfigures address prefixes and default
routers. The node must be a host (not a router) for the option to be
meaningful.
-
-
ip6.anonportalgo.available
- The available RFC 6056 port randomization
algorithms.
-
-
ip6.anonportalgo.reserve
- A bitmask of ports that will not be used during
anonymous or privileged port selection.
-
-
ip6.anonportalgo.selected
- The currently selected RFC 6056 port randomization
algorithm.
-
-
ip6.anonportmax
- The highest port number to use for TCP and UDP
ephemeral port allocation. This cannot be set to less than 1024 or
greater than 65535, and must be greater than
ip6.anonportmin
.
-
-
ip6.anonportmin
- The lowest port number to use for TCP and UDP ephemeral
port allocation. This cannot be set to less than 1024 or greater than
65535.
-
-
ip6.auto_flowlabel
- On connected transport protocol packets, fill IPv6
flowlabel field to help intermediate routers to identify packet
flows.
-
-
ip6.dad_count
- The variable configures number of IPv6 DAD (duplicated
address detection) probe packets. The packets will be generated when
IPv6 interface addresses are configured.
-
-
ip6.defmcasthlim
- The default hop limit value for an IPv6 multicast
packet sourced by the node. This value applies to all the transport
protocols on top of IPv6. There are APIs to override the value, as
documented in ip6(4).
-
-
ip6.forwarding
- If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router. If set to 0, disables
IPv6 forwarding for the node, meaning that the node is acting as a
host. IPv6 specification defines node behavior for
“router” case and “host” case quite
differently, and changing this variable during operation may cause
serious trouble. It is recommended to configure the variable at
bootstrap time, and bootstrap time only.
-
-
ip6.gifhlim
- The maximum hop limit value for an IPv6 packet
generated by gif(4) tunnel
interface.
-
-
ip6.hdrnestlimit
- The number of IPv6 extension headers permitted on
incoming IPv6 packets. If set to 0, the node will accept as many
extension headers as possible.
-
-
ip6.hashsize
- The size of IPv6 Fast Forward hash table. This value
must be a power of 2 (64, 256, ...). A larger hash table size results
in fewer collisions. Also see
ip6.maxflows
.
-
-
ip6.hlim
- The default hop limit value for an IPv6 unicast packet
sourced by the node. This value applies to all the transport protocols
on top of IPv6. There are APIs to override the value, as documented in
ip6(4).
-
-
ip6.kame_version
- The string identifies the version of KAME IPv6 stack
implemented in the kernel.
-
-
ip6.keepfaith
- If set to non-zero, it enables “FAITH” TCP
relay IPv6-to-IPv4 translator code in the kernel. Refer
faith(4) and
faithd(8) for
detail.
-
-
ip6.log_interval
- The variable controls amount of logs generated by IPv6
packet forwarding engine, by setting interval between log output (in
seconds).
-
-
ip6.lowportmax
- The highest port number to use for TCP and UDP reserved
port allocation. This cannot be set to less than 0 or greater than
1024, and must be greater than
ip6.lowportmin
.
-
-
ip6.lowportmin
- The lowest port number to use for TCP and UDP reserved
port allocation. This cannot be set to less than 0 or greater than
1024, and must be smaller than
ip6.lowportmax
.
-
-
ip6.maxdynroutes
- Maximum number of routes created by redirect. Set it to
negative to disable. The default value is 4096.
-
-
ip6.maxifprefixes
- Maximum number of prefixes created by route
advertisements per interface. Set it to negative to disable. The
default value is 16.
-
-
ip6.maxifdefrouters
16
- Maximum number of default routers created by route
advertisements per interface. Set it to negative to disable. The
default value is 16.
-
-
ip6.maxflows
- IPv6 Fast Forwarding is enabled by default. If set to
0, IPv6 Fast Forwarding is disabled.
ip6.maxflows
controls the maximum amount of
flows which can be created. The default value is 256.
-
-
ip6.maxfragpackets
- The maximum number of fragmented packets the node will
accept. 0 means that the node will not accept any fragmented packets.
-1 means that the node will accept as many fragmented packets as it
receives. The flag is provided basically for avoiding possible DoS
attacks.
-
-
ip6.maxfrags
- The maximum number of fragments the node will accept. 0
means that the node will not accept any fragments. -1 means that the
node will accept as many fragments as it receives. The flag is
provided basically for avoiding possible DoS attacks.
-
-
ip6.neighborgcthresh
- Maximum number of entries in neighbor cache per
interface. Set to negative to disable. The default value is 2048.
-
-
ip6.redirect
- If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets, and
should normally be enabled on all systems.
-
-
ip6.rr_prune
- The variable specifies interval between IPv6 router
renumbering prefix babysitting, in seconds.
-
-
ip6.use_deprecated
- The variable controls use of deprecated address,
specified in RFC 2462 5.5.4.
-
-
ip6.v6only
- The variable specifies initial value for
IPV6_V6ONLY
socket option for
AF_INET6
socket. Please refer to
ip6(4) for detail.
-
-
icmp6.errppslimit
- The variable specifies the maximum number of outgoing
ICMPv6 error messages, per second. ICMPv6 error messages that exceeded
the value are subject to rate limitation and will not go out from the
node. Negative value disables rate limitation.
-
-
icmp6.mtudisc_hiwat
-
icmp6.mtudisc_lowat
- The variables define the maximum number of routing
table entries, created due to path MTU discovery (prevents
denial-of-service attacks with ICMPv6 too big messages). When IPv6
path MTU discovery happens, we keep path MTU information into the
routing table. If the number of routing table entries exceed the
value, the kernel will not attempt to keep the path MTU information.
icmp6.mtudisc_hiwat
is used when we have
verified ICMPv6 too big messages.
icmp6.mtudisc_lowat
is used when we have
unverified ICMPv6 too big messages. Verification is performed by using
address/port pairs kept in connected pcbs. Negative value disables the
upper limit.
-
-
icmp6.nd6_debug
- If set to non-zero, kernel IPv6 neighbor discovery code
will generate debugging messages. The debug outputs are useful to
diagnose IPv6 interoperability issues. The flag must be set to 0 for
normal operation.
-
-
icmp6.nd6_delay
- The variable specifies
DELAY_FIRST_PROBE_TIME
timing constant in IPv6
neighbor discovery specification (RFC 2461), in seconds.
-
-
icmp6.nd6_maxnudhint
- IPv6 neighbor discovery permits upper layer protocols
to supply reachability hints, to avoid unnecessary neighbor discovery
exchanges. The variable defines the number of consecutive hints the
neighbor discovery layer will take. For example, by setting the
variable to 3, neighbor discovery layer will take 3 consecutive hints
in maximum. After receiving 3 hints, neighbor discovery layer will
perform normal neighbor discovery process.
-
-
icmp6.nd6_mmaxtries
- The variable specifies
MAX_MULTICAST_SOLICIT
constant in IPv6
neighbor discovery specification (RFC 2461).
-
-
icmp6.nd6_prune
- The variable specifies interval between IPv6 neighbor
cache babysitting, in seconds.
-
-
icmp6.nd6_umaxtries
- The variable specifies
MAX_UNICAST_SOLICIT
constant in IPv6 neighbor
discovery specification (RFC 2461).
-
-
icmp6.nd6_useloopback
- If set to non-zero, kernel IPv6 stack will use loopback
interface for local traffic.
-
-
icmp6.nodeinfo
- The variable enables responses to ICMPv6 node
information queries. If you set the variable to 0, responses will not
be generated for ICMPv6 node information queries. Since node
information queries can have a security impact, it is possible to fine
tune which responses should be answered. Two separate bits can be set.
-
-
- 1
- Respond to ICMPv6 FQDN queries, e.g.
ping6 -w
.
-
-
- 2
- Respond to ICMPv6 node addresses queries, e.g.
ping6 -a
.
-
-
icmp6.rediraccept
- If set to non-zero, the host will accept ICMPv6
redirect packets. Note that IPv6 routers will never accept ICMPv6
redirect packets, and the variable is meaningful on IPv6 hosts
(non-router) only.
-
-
icmp6.redirtimeout
- The variable specifies lifetime of routing entries
generated by incoming ICMPv6 redirect.
-
-
udp6.do_loopback_cksum
- Perform UDP checksum on loopback.
-
-
udp6.recvspace
- Default UDP receive buffer size.
-
-
udp6.sendspace
- Default UDP send buffer size.
We reuse net.*.tcp for TCP over IPv6, and therefore we do not have variables
net.*.tcp6. Variables net.inet6.udp6 have identical meaning to
net.inet.udp. Please refer to PF_INET
section
above. For variables net.*.ipsec6, please refer to
ipsec(4).
-
-
net.key
(PF_KEY
)
- Get or set various global information about the IPsec key
management. The third level name is the variable name. The currently
defined variable and names are:
Variable |
Type |
Changeable |
debug |
integer |
yes |
enabled |
integer |
yes |
used |
integer |
no |
spi_try |
integer |
yes |
spi_min_value |
integer |
yes |
spi_max_value |
integer |
yes |
larval_lifetime |
integer |
yes |
blockacq_count |
integer |
yes |
blockacq_lifetime |
integer |
yes |
esp_keymin |
integer |
yes |
esp_auth |
integer |
yes |
ah_keymin |
integer |
yes |
The variables are as follows:
-
-
debug
- Turn on debugging message from within the kernel. The
value is a bitmap, as defined in
<netkey/key_debug.h>.
-
-
enabled
- Control processing of IPsec control messages.
-
-
- 0
- Never allow IPsec processing
-
-
- 1
- Allow IPsec processing when SPD policies are
present.
-
-
- 2
- Force IPsec processing even when SPD policies are
not present.
-
-
used
- Based on if IPsec is enabled, and SPD rule existance,
show if IPsec is being used. Note that currently once IPsec is being
used, it cannot be disabled.
-
-
spi_try
- The number of times the kernel will try to obtain an
unique SPI when it generates it from random number generator.
-
-
spi_min_value
- Minimum SPI value when generating it within the
kernel.
-
-
spi_max_value
- Maximum SPI value when generating it within the
kernel.
-
-
larval_lifetime
- Lifetime for LARVAL SAD entries, in seconds.
-
-
blockacq_count
- Number of ACQUIRE PF_KEY messages to be blocked after
an ACQUIRE message. It avoids flood of ACQUIRE PF_KEY from being sent
from the kernel to the key management daemon.
-
-
blockacq_lifetime
- Lifetime of ACQUIRE PF_KEY message.
-
-
esp_keymin
- Minimum ESP key length, in bits. The value is used when
the kernel creates proposal payload on ACQUIRE PF_KEY message.
-
-
esp_auth
- Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used. The
value is used when the kernel creates proposal payload on ACQUIRE
PF_KEY message.
-
-
ah_keymin
- Minimum AH key length, in bits, The value is used when
the kernel creates proposal payload on ACQUIRE PF_KEY message.
The proc.* subtree
The string and integer information available for the
proc
level is detailed below. The changeable column
shows whether a process with appropriate privilege may change the value. These
values are per-process, and as such may change from one process to another.
When a process is created, the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the value of
PROC_PID_CORENAME is reset to the system default value. The second level name
is either the magic value PROC_CURPROC, which points to the current process,
or the PID of the target process.
Third level name |
Type |
Changeable |
proc.pid.corename |
string |
yes |
proc.pid.rlimit |
node |
not applicable |
proc.pid.stopfork |
int |
yes |
proc.pid.stopexec |
int |
yes |
proc.pid.stopexit |
int |
yes |
proc.pid.paxflags |
int |
no |
-
-
proc.pid.corename
(PROC_PID_CORENAME
)
- The template used for the core dump file name (see
core(5) for details). The base
name must either be core or end with the suffix
.core (the super-user may set arbitrary names). By
default it points to
KERN_DEFCORENAME
.
-
-
proc.pid.rlimit
(PROC_PID_LIMIT
)
- Return resources limits, as defined for the
getrlimit(2) and
setrlimit(2) system
calls. The fourth level name is one of:
-
-
proc.pid.rlimit.cputime
(PROC_PID_LIMIT_CPU
)
- The maximum amount of CPU time (in seconds) to be used
by each process.
-
-
proc.pid.rlimit.filesize
(PROC_PID_LIMIT_FSIZE
)
- The largest size (in bytes) file that may be
created.
-
-
proc.pid.rlimit.datasize
(PROC_PID_LIMIT_DATA
)
- The maximum size (in bytes) of the data segment for a
process; this defines how far a program may extend its break with the
sbrk(2) system call.
-
-
proc.pid.rlimit.stacksize
(PROC_PID_LIMIT_STACK
)
- The maximum size (in bytes) of the stack segment for a
process; this defines how far a program's stack segment may be
extended. Stack extension is performed automatically by the
system.
-
-
proc.pid.rlimit.coredumpsize
(PROC_PID_LIMIT_CORE
)
- The largest size (in bytes) core file
that may be created.
-
-
proc.pid.rlimit.memoryuse
(PROC_PID_LIMIT_RSS
)
- The maximum size (in bytes) to which a process's
resident set size may grow. This imposes a limit on the amount of
physical memory to be given to a process; if memory is tight, the
system will prefer to take memory from processes that are exceeding
their declared resident set size.
-
-
proc.pid.rlimit.memorylocked
(PROC_PID_LIMIT_MEMLOCK
)
- The maximum size (in bytes) which a process may lock
into memory using the
mlock(2) function.
-
-
proc.pid.rlimit.maxproc
(PROC_PID_LIMIT_NPROC
)
- The maximum number of simultaneous processes for this
user id.
-
-
proc.pid.rlimit.descriptors
(PROC_PID_LIMIT_NOFILE
)
- The maximum number of open files for this process.
-
-
proc.pid.rlimit.sbsize
(PROC_PID_LIMIT_SBSIZE
)
- The maximum size (in bytes) of the socket buffers set
by the setsockopt(2)
SO_RCVBUF
and
SO_SNDBUF
options.
-
-
proc.pid.rlimit.vmemoryuse
(PROC_PID_LIMIT_AS
)
- The maximum size (in bytes) which a process can
obtain.
-
-
proc.pid.rlimit.maxlwp
(PROC_PID_LIMIT_NTHR
)
- The maximum number of threads that cen be created and
running at one time in the process. The first thread of each process
is not counted against this.
The fifth level name is one of soft
(PROC_PID_LIMIT_TYPE_SOFT
) or
hard
(PROC_PID_LIMIT_TYPE_HARD
), to select respectively
the soft or hard limit. Both are of type integer.
-
-
proc.pid.stopfork
(PROC_PID_STOPFORK
)
- If non zero, the process' children will be stopped after
fork(2) calls. The children
are created in the SSTOP state and are never scheduled for running before
being stopped. This feature enables attaching to a process with a debugger
such as gdb(1) before the
process has the opportunity to actually do anything.
This value is inherited by the process's children, and it also applies to
emulation specific system calls that fork a new process, such as
sproc() or clone().
-
-
proc.pid.stopexec
(PROC_PID_STOPEXEC
)
- If non zero, the process will be stopped on the next
exec(3) call. The process
created by exec(3) is created
in the SSTOP state and is never scheduled for running before being
stopped. This feature enables attaching to a process with a debugger such
as gdb(1) before the process
has the opportunity to actually do anything.
This value is inherited by the process's children.
-
-
proc.pid.stopexit
(PROC_PID_STOPEXIT
)
- If non zero, the process will be stopped when it has cause
to exit, either by way of calling
exit(3),
_exit(2), or by the receipt
of a specific signal. The process is stopped before any of its resources
or vm space is released allowing examination of the termination state of
the process before it disappears. This feature can be used to examine the
final conditions of the process's vmspace via
pmap(1) or its resource
settings with sysctl(8)
before it disappears.
This value is also inherited by the process's children.
-
-
proc.pid.paxflags
(PROC_PID_PAXFLAGS
)
- This read-only variable returns the current value of the
process's pax flags (see
paxctl(8)).
The user.* subtree (CTL_USER
)
The string and integer information available for the
user
level is detailed below. The changeable column
shows whether a process with appropriate privilege may change the value.
Second level name |
Type |
Changeable |
user.atexit_max |
integer |
no |
user.bc_base_max |
integer |
no |
user.bc_dim_max |
integer |
no |
user.bc_scale_max |
integer |
no |
user.bc_string_max |
integer |
no |
user.coll_weights_max |
integer |
no |
user.cs_path |
string |
no |
user.expr_nest_max |
integer |
no |
user.line_max |
integer |
no |
user.posix2_c_bind |
integer |
no |
user.posix2_c_dev |
integer |
no |
user.posix2_char_term |
integer |
no |
user.posix2_fort_dev |
integer |
no |
user.posix2_fort_run |
integer |
no |
user.posix2_localedef |
integer |
no |
user.posix2_sw_dev |
integer |
no |
user.posix2_upe |
integer |
no |
user.posix2_version |
integer |
no |
user.re_dup_max |
integer |
no |
user.stream_max |
integer |
no |
user.stream_max |
integer |
no |
user.tzname_max |
integer |
no |
-
-
user.atexit_max
(USER_ATEXIT_MAX
)
- The maximum number of functions that may be registered with
atexit(3).
-
-
user.bc_base_max
(USER_BC_BASE_MAX
)
- The maximum ibase/obase values in the
bc(1) utility.
-
-
user.bc_dim_max
(USER_BC_DIM_MAX
)
- The maximum array size in the
bc(1) utility.
-
-
user.bc_scale_max
(USER_BC_SCALE_MAX
)
- The maximum scale value in the
bc(1) utility.
-
-
user.bc_string_max
(USER_BC_STRING_MAX
)
- The maximum string length in the
bc(1) utility.
-
-
user.coll_weights_max
(USER_COLL_WEIGHTS_MAX
)
- The maximum number of weights that can be assigned to any
entry of the LC_COLLATE order keyword in the locale definition file.
-
-
user.cs_path
(USER_CS_PATH
)
- Return a value for the
PATH
environment variable that finds all the standard utilities.
-
-
user.expr_nest_max
(USER_EXPR_NEST_MAX
)
- The maximum number of expressions that can be nested within
parenthesis by the expr(1)
utility.
-
-
user.line_max
(USER_LINE_MAX
)
- The maximum length in bytes of a text-processing utility's
input line.
-
-
user.posix2_char_term
(USER_POSIX2_CHAR_TERM
)
- Return 1 if the system supports at least one terminal type
capable of all operations described in IEEE Std 1003.2
(“POSIX.2”), otherwise 0.
-
-
user.posix2_c_bind
(USER_POSIX2_C_BIND
)
- Return 1 if the system's C-language development facilities
support the C-Language Bindings Option, otherwise 0.
-
-
user.posix2_c_dev
(USER_POSIX2_C_DEV
)
- Return 1 if the system supports the C-Language Development
Utilities Option, otherwise 0.
-
-
user.posix2_fort_dev
(USER_POSIX2_FORT_DEV
)
- Return 1 if the system supports the FORTRAN Development
Utilities Option, otherwise 0.
-
-
user.posix2_fort_run
(USER_POSIX2_FORT_RUN
)
- Return 1 if the system supports the FORTRAN Runtime
Utilities Option, otherwise 0.
-
-
user.posix2_localedef
(USER_POSIX2_LOCALEDEF
)
- Return 1 if the system supports the creation of locales,
otherwise 0.
-
-
user.posix2_sw_dev
(USER_POSIX2_SW_DEV
)
- Return 1 if the system supports the Software Development
Utilities Option, otherwise 0.
-
-
user.posix2_upe
(USER_POSIX2_UPE
)
- Return 1 if the system supports the User Portability
Utilities Option, otherwise 0.
-
-
user.posix2_version
(USER_POSIX2_VERSION
)
- The version of IEEE Std 1003.2
(“POSIX.2”) with which the system attempts to
comply.
-
-
user.re_dup_max
(USER_RE_DUP_MAX
)
- The maximum number of repeated occurrences of a regular
expression permitted when using interval notation.
-
-
user.stream_max
(USER_STREAM_MAX
)
- The minimum maximum number of streams that a process may
have open at any one time.
-
-
user.tzname_max
(USER_TZNAME_MAX
)
- The minimum maximum number of types supported for the name
of a timezone.
The vm.* subtree (CTL_VM
)
The string and integer information available for the
vm
level is detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Second level name |
Type |
Changeable |
vm.anonmax |
int |
yes |
vm.anonmin |
int |
yes |
vm.bufcache |
int |
yes |
vm.bufmem |
int |
no |
vm.bufmem_hiwater |
int |
yes |
vm.bufmem_lowater |
int |
yes |
vm.execmax |
int |
yes |
vm.execmin |
int |
yes |
vm.filemax |
int |
yes |
vm.filemin |
int |
yes |
vm.loadavg |
struct loadavg |
no |
vm.maxslp |
int |
no |
vm.nkmempages |
int |
no |
vm.uspace |
int |
no |
vm.uvmexp |
struct uvmexp |
no |
vm.uvmexp2 |
struct uvmexp_sysctl |
no |
vm.vmmeter |
struct vmtotal |
no |
vm.proc.map |
struct kinfo_vmentry |
no |
vm.guard_size |
unsigned int |
no |
vm.thread_guard_size |
unsigned int |
yes |
-
-
vm.anonmax
(VM_ANONMAX
)
- The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
-
-
vm.anonmin
(VM_ANONMIN
)
- The percentage of physical memory which will be always be
available for anonymous application data.
-
-
vm.bufcache
(VM_BUFCACHE
)
- The percentage of physical memory which will be available
for the buffer cache.
-
-
vm.bufmem
(VM_BUFMEM
)
- The amount of kernel memory that is being used by the
buffer cache.
-
-
vm.bufmem_lowater
(VM_BUFMEM_LOWATER
)
- The minimum amount of kernel memory to reserve for the
buffer cache.
-
-
vm.bufmem_hiwater
(VM_BUFMEM_HIWATER
)
- The maximum amount of kernel memory to be used for the
buffer cache.
-
-
vm.execmax
(VM_EXECMAX
)
- The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
-
-
vm.execmin
(VM_EXECMIN
)
- The percentage of physical memory which will be always be
available for cached executable data.
-
-
vm.filemax
(VM_FILEMAX
)
- The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
-
-
vm.filemin
(VM_FILEMIN
)
- The percentage of physical memory which will be always be
available for cached file data.
-
-
vm.loadavg
(VM_LOADAVG
)
- Return the load average history. The returned data consists
of a struct loadavg.
-
-
vm.maxslp
(VM_MAXSLP
)
- The value of the maxslp kernel global variable.
-
-
vm.vmmeter
(VM_METER
)
- Return system wide virtual memory statistics. The returned
data consists of a struct vmtotal.
-
-
- vm.user_va0_disable
- A flag which controls whether user processes can map
virtual address 0.
-
-
vm.proc.map
(VM_PROC
)
- The third level is the fourth is the pid of the process to
display the vm object entries for, and the fifth is the size of
struct kinfo_vmentry. Returns an array of
struct kinfo_vmentry objects.
-
-
vm.uspace
(VM_USPACE
)
- The number of bytes allocated for each kernel stack.
-
-
vm.uvmexp
(VM_UVMEXP
)
- Return system wide virtual memory statistics. The returned
data consists of a struct uvmexp.
-
-
vm.uvmexp2
(VM_UVMEXP2
)
- Return system wide virtual memory statistics. The returned
data consists of a struct uvmexp_sysctl.
-
-
vm.guard_size
- Return system wide guard size for the main thread of a
program.
-
-
vm.thread_guard_size
- Return system wide default size for the guard area of all
other threads of a program.
The ddb.* subtree (CTL_DDB
)
The information available for the
ddb
level is detailed
below. The changeable column shows whether a process with appropriate
privilege may change the value.
Second level name |
Type |
Changeable |
ddb.radix |
integer |
yes |
ddb.maxoff |
integer |
yes |
ddb.maxwidth |
integer |
yes |
ddb.lines |
integer |
yes |
ddb.tabstops |
integer |
yes |
ddb.onpanic |
integer |
yes |
ddb.fromconsole |
integer |
yes |
ddb.tee_msgbuf |
integer |
yes |
ddb.commandonenter |
string |
yes |
-
-
ddb.radix
(DDBCTL_RADIX
)
- The input and output radix.
-
-
ddb.maxoff
(DDBCTL_MAXOFF
)
- The maximum symbol offset.
-
-
ddb.maxwidth
(DDBCTL_MAXWIDTH
)
- The maximum output line width.
-
-
ddb.lines
(DDBCTL_LINES
)
- Number of display lines.
-
-
ddb.tabstops
(DDBCTL_TABSTOPS
)
- Tab width.
-
-
ddb.onpanic
(DDBCTL_ONPANIC
)
- If greater than zero, DDB will be entered if the kernel
panics. A value of 1 causes the system to enter DDB on panic, while a
value of 2 causes the kernel to attempt to print out a stack trace before
entering DDB. A value of 0 causes the kernel to attempt to print a stack
trace, then reboot, while a value of -1 means neither a stack trace will
be printed nor DDB entered.
-
-
ddb.fromconsole
(DDBCTL_FROMCONSOLE
)
- If not zero, DDB may be entered by sending a break on a
serial console or by a special key sequence on a graphics console.
-
-
ddb.tee_msgbuf
- If not zero, DDB will output also to the kernel message
buffer.
-
-
ddb.commandonenter
- If not empty, a command to be executed on each enter to the
DDB.
Some of these MIB nodes are also available as variables from within the
debugger. See
ddb(4) for more
details.
The security.* subtree
(CTL_SECURITY
)
The
security
level contains various security-related
settings for the system. The available second level names are:
Second level name |
Type |
Changeable |
security.curtain |
integer |
yes |
security.models |
node |
not applicable |
security.pax |
node |
not applicable |
Available settings are detailed below.
-
-
security.curtain
- If non-zero, will filter return objects according to the
user ID requesting information about them, preventing users from accessing
any objects they do not own.
At the moment, it affects ps(1),
netstat(1) (for
PF_INET
, PF_INET6
, and
PF_UNIX
PCBs), and
w(1).
-
-
security.models
- NetBSD supports pluggable security
models. Every security model used, whether if loaded as a module or built
with the system, is required to add an entry to this node with at least
one element, “name”, indicating the name of the security
model.
In addition to the name, any settings and other information private to the
security model will be available under this node. See
secmodel(9) for more
information.
-
-
security.pax
- Settings for PaX -- exploit mitigation features. For more
information on any of the PaX features, please see
paxctl(8) and
security(7). The available
third and fourth level names are:
Third and fourth level
names |
Type |
Changeable |
security.pax.aslr.enabled |
integer |
yes |
security.pax.aslr.global |
integer |
yes |
security.pax.mprotect.enabled |
integer |
yes |
security.pax.mprotect.global |
integer |
yes |
security.pax.mprotect.ptrace |
integer |
yes |
security.pax.segvguard.enabled |
integer |
yes |
security.pax.segvguard.expiry_timeout |
integer |
yes |
security.pax.segvguard.global |
integer |
yes |
security.pax.segvguard.max_crashes |
integer |
yes |
security.pax.segvguard.suspend_timeout |
integer |
yes |
-
-
security.pax.aslr.enabled
- Enable PaX ASLR (Address Space Layout Randomization).
The value of this knob must be non-zero for PaX ASLR to be enabled, even
if a program is set to explicit enable.
-
-
security.pax.aslr.global
- Specifies the default global policy for programs
without an explicit enable/disable flag.
When non-zero, all programs will get PaX ASLR, except those exempted
with paxctl(8).
Otherwise, all programs will not get PaX ASLR, except those
specifically marked as such with
paxctl(8).
-
-
security.pax.mprotect.enabled
- Enable PaX MPROTECT restrictions.
These are mprotect(2)
restrictions to better enforce a W^X policy. The value of this knob
must be non-zero for PaX MPROTECT to be enabled, even if a program is
set to explicit enable.
-
-
security.pax.mprotect.global
- Specifies the default global policy for programs
without an explicit enable/disable flag.
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
paxctl(8). Otherwise,
all programs will not get the PaX MPROTECT restrictions, except those
specifically marked as such with
paxctl(8).
-
-
security.pax.mprotect.ptrace
- This variable allows
ptrace(2) to override
PaX MPROTECT permissions. It can have the following values:
- 0
- Does not let override any permissions.
- 1
- Disables PaX MPROTECT from processes that start
executing while traced (default).
- 2
- Bypasses PaX MPROTECT for all processes being
traced.
-
-
security.pax.segvguard.enabled
- Enable PaX Segvguard.
PaX Segvguard can detect and prevent certain exploitation attempts,
where an attacker may try for example to brute-force function return
addresses of respawning daemons.
Note: The NetBSD interface and
implementation of the Segvguard is still experimental, and may change
in future releases.
-
-
security.pax.segvguard.expiry_timeout
- If the max number was not reached within this timeout
(in seconds), the entry will expire.
-
-
security.pax.segvguard.global
- Specifies the default global policy for programs
without an explicit enable/disable flag.
When non-zero, all programs will get the PaX Segvguard, except those
exempted with paxctl(8).
Otherwise, no program will get the PaX Segvguard restrictions, except
those specifically marked as such with
paxctl(8).
-
-
security.pax.segvguard.max_crashes
- The maximum number of segfaults a program can receive
before suspension.
-
-
security.pax.segvguard.suspend_timeout
- Number of seconds to suspend a user from running a
faulting program when the limit was exceeded.
The vendor.* subtree (CTL_VENDOR
)
The
vendor
toplevel name is reserved to be used by
vendors who wish to have their own private MIB tree. Intended use is to store
values under “vendor.<yourname>.*”.
SEE ALSO
sysctl(3),
ipsec(4),
tcp(4),
security(7),
sysctl(8)
HISTORY
The
sysctl variables first appeared in
4.4BSD.