Updated: 2022/Sep/29

SYSCTL(7)              Miscellaneous Information Manual              SYSCTL(7)

NAME
     sysctl - system information variables

DESCRIPTION
     The sysctl(3) library function and the sysctl(8) utility are used to get
     and set values of system variables, maintained by the kernel.  The
     variables are organized in a tree and identified by a sequence of
     numbers, conventionally separated by dots with the topmost identifier at
     the left side.  The numbers have corresponding text names.  The
     sysctlnametomib(3) function or the -M argument to the sysctl(8) utility
     can be used to convert the text representation to the numeric one.

     The individual sysctl variables are described below, both the textual and
     numeric form where applicable.  The textual names can be used as argument
     to the sysctl(8) utility and in the file /etc/sysctl.conf.  The numeric
     names are usually defined as preprocessor constants and are intended for
     use by programs.  Every such constant expands to one integer, which
     identifies the sysctl variable relative to the upper level of the tree.
     See the sysctl(3) manual page for programming examples.

   Top level names
     The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and
     are as follows.  The next and subsequent levels down are found in the
     include files listed here, and described in separate sections below.

     Name        Constant            Next level names       Description
     kern        CTL_KERN            <sys/sysctl.h>         High kernel limits
     vm          CTL_VM              <uvm/uvm_param.h>      Virtual memory
     vfs         CTL_VFS             <sys/mount.h>          Filesystem
     net         CTL_NET             <sys/socket.h>         Networking
     debug       CTL_DEBUG           <sys/sysctl.h>         Debugging
     hw          CTL_HW              <sys/sysctl.h>         Generic CPU, I/O
     machdep     CTL_MACHDEP         <sys/sysctl.h>         Machine dependent
     user        CTL_USER            <sys/sysctl.h>         User-level
     ddb         CTL_DDB             <sys/sysctl.h>         In-kernel debugger
     proc        CTL_PROC            <sys/sysctl.h>         Per-process
     vendor      CTL_VENDOR          ?                      Vendor specific
     emul        CTL_EMUL            <sys/sysctl.h>         Emulation settings
     security    CTL_SECURITY        <sys/sysctl.h>         Security settings

   The debug.* subtree
     The debugging variables vary from system to system.  A debugging variable
     may be added or deleted without need to recompile sysctl to know about
     it.  Each time it runs, sysctl gets the list of debugging variables from
     the kernel and displays their current values.  The system defines twenty
     (struct ctldebug) variables named debug0 through debug19.  They are
     declared as separate variables so that they can be individually
     initialized at the location of their associated variable.  The loader
     prevents multiple use of the same variable by issuing errors if a
     variable is initialized in more than one place.  For example, to export
     the variable dospecialcheck as a debugging variable, the following
     declaration would be used:

           int dospecialcheck = 1;
           struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };

     Note that the dynamic implementation of sysctl currently in use largely
     makes this particular sysctl interface obsolete.  See sysctl(8) for more
     information.

   The vfs.* subtree
     A distinguished second level name, vfs.generic (VFS_GENERIC), is used to
     get general information about all file systems.  It has the following
     third level identifiers:

     vfs.generic.maxtypenum (VFS_MAXTYPENUM)
             The highest valid file system type number.

     vfs.generic.conf (VFS_CONF)
             Returns configuration information about the file system type
             given as a fourth level identifier.

     vfs.generic.usermount (VFS_USERMOUNT)
             Controls whether users other than the super-user can mount file
             systems.  Defaults to 0, so only the super-user can mount file
             systems.

             File systems mounted by unprivileged users must be mounted with
             the nodev and nosuid mount(8) options.

     vfs.generic.magiclinks (VFS_MAGICLINKS)
             Controls whether variable expansion is performed on pathnames.
             Defaults to 0, no variable expansion.  Variables are of the form
             @name and the variables supported are described in symlink(7)
             under "MAGIC SYMLINKS".

     A second level name for controlling the wapbl(4) (Write Ahead Physical
     Block Logging file system journaling) capabilities with the following
     third level identifiers:

     vfs.wapbl.flush_disk_cache
             Controls whether to attempt to flush the disk cache on each
             commit.  It defaults to 1 and it should always be on to ensure
             integrity of file system metadata in the event of a power loss.
             For slow disks, turning it off can improve performance.

     vfs.wapbl.verbose_commit
             For each transaction log commit, print the number of bytes
             written and the time it took to commit as seconds.nanoseconds.

     The remaining second level identifiers are the file system names,
     identified by the type number returned by a statvfs(2) call or from
     vfs.generic.conf.

     The third level identifiers available for each file system are given in
     the header file that defines the mount argument structure for that file
     system.

   The hw.* subtree
     The string and integer information available for the hw level is detailed
     below.  The changeable column shows whether a process with appropriate
     privilege may change the value.

           Second level name  Type       Changeable
           hw.alignbytes      integer    no
           hw.byteorder       integer    no
           hw.cnmagic         string     yes
           hw.disknames       string     no
           hw.diskstats       struct     no
           hw.machine         string     no
           hw.machine_arch    string     no
           hw.model           string     no
           hw.ncpu            integer    no
           hw.ncpuonline      integer    no
           hw.pagesize        integer    no
           hw.physmem         integer    no
           hw.physmem64       quad       no
           hw.usermem         integer    no
           hw.usermem64       quad       no

     hw.alignbytes (HW_ALIGNBYTES)
             Alignment constraint for all possible data types.  This shows the
             value of ALIGNBYTES in <machine/param.h> at kernel compilation
             time.

     hw.byteorder (HW_BYTEORDER)
             The byteorder (4321, or 1234).

     hw.cnmagic (HW_CNMAGIC)
             The console magic key sequence.

     hw.disknames (HW_DISKNAMES)
             The list of (space separated) disk device names on the system.

     hw.iostatnames (HW_IOSTATNAMES)
             A space separated list of devices that will have I/O statistics
             collected on them.

     hw.iostats (HW_IOSTATS)
             Return statistical information on the NFS mounts, disk and tape
             devices on the system.  An array of struct io_sysctl structures
             is returned, whose size depends on the current number of such
             objects in the system.  The third level name is the size of the
             struct io_sysctl.  The type of object can be determined by
             examining the type element of struct io_sysctl, which can be
             IOSTAT_DISK (disk drive), IOSTAT_TAPE (tape drive), or IOSTAT_NFS
             (NFS mount).

     hw.machine (HW_MACHINE)
             The machine class.

     hw.machine_arch (HW_MACHINE_ARCH)
             The machine CPU class.

     hw.model (HW_MODEL)
             The machine model.

     hw.ncpu (HW_NCPU)
             The number of CPUs configured.

     hw.ncpuonline (HW_NCPUONLINE)
             The number of CPUs online.

     hw.pagesize (HW_PAGESIZE)
             The software page size.

     hw.physmem (HW_PHYSMEM)
             The bytes of physical memory as a 32-bit integer.

     hw.physmem64 (HW_PHYSMEM64)
             The bytes of physical memory as a 64-bit integer.

     hw.usermem (HW_USERMEM)
             The bytes of non-kernel memory as a 32-bit integer.

     hw.usermem64 (HW_USERMEM64)
             The bytes of non-kernel memory as a 64-bit integer.

   The kern.* subtree
     This subtree includes data generally related to the kernel.  The string
     and integer information available for the kern level is detailed below.
     The changeable column shows whether a process with appropriate privilege
     may change the value.

     Second level name                 Type                    Changeable
     kern.aio_listio_max               integer                 yes
     kern.aio_max                      integer                 yes
     kern.arandom                      integer                 no
     kern.argmax                       integer                 no
     kern.boothowto                    integer                 no
     kern.boottime                     struct timespec         no
     kern.buildinfo                    string                  no
     kern.ccpu                         integer                 no
     kern.clockrate                    struct clockinfo        no
     kern.consdev                      integer                 no
     kern.coredump                     node                    not applicable
     kern.cp_id                        struct                  no
     kern.cp_time                      uint64_t[]              no
     kern.cryptodevallowsoft           integer                 yes
     kern.defcorename                  string                  yes
     kern.detachall                    integer                 yes
     kern.domainname                   string                  yes
     kern.drivers                      struct kinfo_drivers    no
     kern.dump_on_panic                integer                 yes
     kern.expose_address               integer                 yes
     kern.file                         struct file             no
     kern.forkfsleep                   integer                 yes
     kern.fscale                       integer                 no
     kern.fsync                        integer                 no
     kern.hardclock_ticks              integer                 no
     kern.heartbeat.max_period         integer                 yes
     kern.hostid                       integer                 yes
     kern.hostname                     string                  yes
     kern.iov_max                      integer                 no
     kern.ipc                          node                    not applicable
     kern.job_control                  integer                 no
     kern.labeloffset                  integer                 no
     kern.labelsector                  integer                 no
     kern.login_name_max               integer                 no
     kern.logsigexit                   integer                 yes
     kern.lwp                          struct kinfo_lwp        yes
     kern.mapped_files                 integer                 no
     kern.maxfiles                     integer                 yes
     kern.maxlwp                       integer                 yes
     kern.maxpartitions                integer                 no
     kern.maxphys                      integer                 no
     kern.maxproc                      integer                 yes
     kern.maxptys                      integer                 yes
     kern.maxvnodes                    integer                 yes
     kern.messages                     integer                 yes
     kern.mbuf                         node                    not applicable
     kern.memlock                      integer                 no
     kern.memlock_range                integer                 no
     kern.memory_protection            integer                 no
     kern.module                       node                    not applicable
     kern.monotonic_clock              integer                 no
     kern.mqueue                       node                    not applicable
     kern.msgbuf                       integer                 no
     kern.msgbufsize                   integer                 no
     kern.ngroups                      integer                 no
     kern.ntptime                      struct ntptimeval       no
     kern.osrelease                    string                  no
     kern.osrevision                   integer                 no
     kern.ostype                       string                  no
     kern.pipe                         node                    not applicable
     kern.pool                         struct pool_sysctl      no
     kern.posix1version                integer                 no
     kern.posix_aio                    integer                 no
     kern.posix_barriers               integer                 no
     kern.posix_reader_writer_locks    integer                 no
     kern.posix_semaphores             integer                 no
     kern.posix_spin_locks             integer                 no
     kern.posix_threads                integer                 no
     kern.posix_timers                 integer                 no
     kern.proc                         struct kinfo_proc       no
     kern.proc2                        struct kinfo_proc2      no
     kern.proc_args                    string                  no
     kern.profiling                    node                    not applicable
     kern.rawpartition                 integer                 no
     kern.root_device                  string                  no
     kern.root_partition               integer                 no
     kern.rtc_offset                   integer                 yes
     kern.saved_ids                    integer                 no
     kern.sbmax                        integer                 yes
     kern.sched                        node                    not applicable
     kern.securelevel                  integer                 raise only
     kern.sofixedbuf                   boolean                 yes
     kern.somaxkva                     integer                 yes
     kern.sooptions                    integer                 yes
     kern.synchronized_io              integer                 no
     kern.timecounter                  node                    not applicable
     kern.timex                        struct                  no
     kern.tkstat                       node                    not applicable
     kern.tty                          node                    not applicable
     kern.urandom                      integer                 no
     kern.usercrypto                   integer                 yes
     kern.userasymcrypto               integer                 yes
     kern.veriexec                     node                    not applicable
     kern.version                      string                  no
     kern.vnode                        struct vnode            no

     kern.aio_listio_max
             The maximum number of asynchronous I/O operations in a single
             list I/O call.  Like with all variables related to aio(3), the
             variable may be created and removed dynamically upon loading or
             unloading the corresponding kernel module.

     kern.aio_max
             The maximum number of asynchronous I/O operations.

     kern.arandom (KERN_ARND)
             Returns independent uniformly distributed bytes at random each
             time, as many as requested up to 256, derived from the system
             entropy pool; see rnd(4).

             Reading kern.arandom is equivalent to reading up to 256 bytes at
             a time from /dev/urandom: reading kern.arandom never blocks, and
             once the system entropy pool has full entropy, output
             subsequently read from kern.arandom is fit for use as
             cryptographic key material.  For example, the arc4random(3)
             library routine uses kern.arandom internally to seed a
             cryptographic pseudorandom number generator.

     kern.argmax (KERN_ARGMAX)
             The maximum bytes of argument to execve(2).

     kern.boothowto
             Flags passed from the boot loader; see reboot(2) for the meanings
             of the flags.

     kern.boottime (KERN_BOOTTIME)
             A struct timespec structure is returned.  This structure contains
             the time that the system was booted.  That time is defined (for
             this purpose) to be the time at which the kernel first started
             accumulating clock ticks.

     kern.bufq
             This variable contains information on the bufq(9) subsystem.
             Currently, the only third level name implemented is
             kern.bufq.strategies which provides a list of buffer queue
             strategies currently available.

     kern.buildinfo
             When the kernel is built, the build environment may optionally
             provide arbitrary information to be stored in this variable.

     kern.ccpu (KERN_CCPU)
             The scheduler exponential decay value.

     kern.clockrate (KERN_CLOCKRATE)
             A struct clockinfo structure is returned.  This structure
             contains the clock, statistics clock and profiling clock
             frequencies, the number of micro-seconds per hz tick, and the
             clock skew rate.  Refer to hz(9) for additional details.

     kern.consdev (KERN_CONSDEV)
             Console device.

     kern.coredump
             Settings related to core dumps of set-id processes.  By default,
             set-id processes do not dump core in situations where other
             processes would.  The settings in this node allow an
             administrator to change this behavior.

             The third level name is kern.coredump.setid and fourth level
             variables are described below.

                   Fourth level name            Type       Changeable
                   kern.coredump.setid.dump     integer    yes
                   kern.coredump.setid.group    integer    yes
                   kern.coredump.setid.mode     integer    yes
                   kern.coredump.setid.owner    integer    yes
                   kern.coredump.setid.path     string     yes

             kern.coredump.setid.dump
                     If non-zero, set-id processes will dump core.

             kern.coredump.setid.group
                     The group-id for the set-id processes' coredump.

             kern.coredump.setid.mode
                     The mode for the set-id processes' coredump.  See
                     chmod(1).

             kern.coredump.setid.owner
                     The user-id that will be used as the owner of the set-id
                     processes' coredump.

             kern.coredump.setid.path
                     The path to which set-id processes' coredumps will be
                     saved.  Same syntax as kern.defcorename.

     kern.cp_id (KERN_CP_ID)
             Mapping of CPU number to CPU id.

     kern.cp_time (KERN_CP_TIME)
             Returns an array of CPUSTATES uint64_ts.  This array contains the
             number of clock ticks spent in different CPU states.  On multi-
             processor systems, the sum across all CPUs is returned unless
             appropriate space is given for one data set for each CPU.  Data
             for a specific CPU can also be obtained by adding the number of
             the CPU at the end of the MIB, enlarging it by one.

     kern.cryptodevallowsoft
             This variable controls userland access to hardware versus
             software transforms in the crypto(4) system.  The available
             values are as follows:

                   < 0  Always force userlevel requests to use software
                        transforms.

                   = 0  If present, use hardware and grant userlevel requests
                        for non-accelerated transforms (handling the latter in
                        software).

                   > 0  Allow user requests only for transforms which are
                        hardware-accelerated.

     kern.defcorename (KERN_DEFCORENAME)
             Default template for the name of core dump files (see also
             proc.pid.corename in the per-process variables proc.*, and
             core(5) for the format of this template).  The default value is
             %n.core and can be changed with the kernel configuration option
             options DEFCORENAME (see options(4)).

     kern.detachall
             Detach all devices at shutdown.

     kern.domainname (KERN_DOMAINNAME)
             Get or set the YP domain name.

     kern.drivers (KERN_DRIVERS)
             Return an array of struct kinfo_drivers that contains the name
             and major device numbers of all the device drivers in the current
             kernel.  The d_name field is always a NUL terminated string.  The
             d_bmajor field will be set to -1 if the driver doesn't have a
             block device.

     kern.expose_address
             Expose kernel addresses in sysctl(3) calls used by fstat(1) and
             sockstat(1).  If it is set to 0 access is not allowed.  If it is
             set to 1 then only processes that have opened /dev/kmem can have
             access.  If it is set to 2 every process is allowed.  Defaults to
             0 for KASLR kernels and 1 otherwise.  Allowing general access
             renders KASLR ineffective; allowing only kmem accessing programs
             weakens KASLR if those programs can be subverted to leak the
             addresses.
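The variables vfs.generic.usermount, kern.coredump.setid.* and kern.expose_address above (together with kern.securelevel and kern.logsigexit from the table) are the ones an administrator typically reviews when hardening a NetBSD host. The following audit script is an added example and not part of sysctl(7) or NetBSD; it parses the `name = value` lines that sysctl(8) prints (an assumed format), scores them against a small policy whose rationale is taken from the descriptions on this page, and emits the `name=value` lines that /etc/sysctl.conf is assumed to accept. The sample output, the severities and the recommended values are the example's own choices, not defaults stated by the manual.

```python
"""Audit `sysctl -a` output against a small NetBSD hardening policy.

Added example, not part of sysctl(7).  Assumptions: sysctl(8) prints one
`name = value` pair per line, /etc/sysctl.conf takes `name=value` lines,
and the severities and recommended values are the author's choices.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample output; not captured from a real host.
SAMPLE_OUTPUT = """\
kern.securelevel = 0
kern.expose_address = 2
kern.logsigexit = 0
kern.coredump.setid.dump = 1
kern.coredump.setid.mode = 420
kern.coredump.setid.owner = 0
vfs.generic.usermount = 1
vfs.generic.magiclinks = 0
kern.hostname = example-host
"""


def parse_sysctl_output(text: str) -> Dict[str, str]:
    """Map variable names to raw string values; values may themselves contain '='."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" = ")
        if sep:
            values[name.strip()] = value.strip()
    return values


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str               # "high", "medium" or "low"
    current: str
    recommended: Optional[str]  # value for the sysctl.conf remediation line
    reason: str


@dataclass(frozen=True)
class Check:
    name: str
    bad: Callable[[int], bool]  # applied to the variable's integer value
    severity: str
    recommended: Optional[str]
    reason: str


# Policy: each reason restates what sysctl(7) documents for the variable.
POLICY: List[Check] = [
    Check("kern.expose_address", lambda v: v == 2, "high", "0",
          "every process may read kernel addresses through the fstat(1)/"
          "sockstat(1) sysctls, which renders KASLR ineffective"),
    Check("kern.expose_address", lambda v: v == 1, "low", "0",
          "programs that opened /dev/kmem may read kernel addresses; KASLR "
          "is weakened if such a program is subverted"),
    Check("vfs.generic.usermount", lambda v: v != 0, "medium", "0",
          "users other than the super-user may mount file systems "
          "(mounted nodev and nosuid, but the mount code becomes reachable)"),
    Check("kern.coredump.setid.dump", lambda v: v != 0, "medium", "0",
          "set-id processes dump core; such dumps can contain secrets"),
    # The mode is an integer; (v & 0o044) tests the group and other read bits.
    Check("kern.coredump.setid.mode", lambda v: (v & 0o044) != 0, "high", "384",
          "set-id core files would be readable by group or others "
          "(384 is 0600 in decimal)"),
    Check("kern.securelevel", lambda v: v < 1, "medium", "1",
          "securelevel is listed as raise only, so this line raises it at "
          "boot and it cannot be lowered back at runtime"),
    Check("kern.logsigexit", lambda v: v == 0, "low", "1",
          "signal-induced exits that create core(5) files are not logged"),
]


def audit(values: Dict[str, str]) -> List[Finding]:
    """Return one Finding per policy check whose condition holds."""
    findings: List[Finding] = []
    dumps_enabled = values.get("kern.coredump.setid.dump", "0") != "0"
    for check in POLICY:
        raw = values.get(check.name)
        if raw is None:
            continue  # variable absent, e.g. its module is not loaded
        try:
            v = int(raw)
        except ValueError:
            continue  # non-integer variable, not scored by this policy
        if check.name == "kern.coredump.setid.mode" and not dumps_enabled:
            continue  # the mode is irrelevant while set-id dumps are off
        if check.bad(v):
            findings.append(Finding(check.name, check.severity, raw,
                                    check.recommended, check.reason))
    return findings


def remediation_conf(findings: List[Finding]) -> List[str]:
    """Lines for /etc/sysctl.conf (assumed name=value format), worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines: List[str] = []
    for f in sorted(findings, key=lambda f: order[f.severity]):
        line = f"{f.name}={f.recommended}"
        if f.recommended is not None and line not in lines:
            lines.append(line)
    return lines


if __name__ == "__main__":
    found = audit(parse_sysctl_output(SAMPLE_OUTPUT))
    for f in found:
        print(f"[{f.severity}] {f.name} = {f.current}: {f.reason}")
    print("\n".join(remediation_conf(found)))
```

On a real host the script would be fed the output of `sysctl -a` instead of SAMPLE_OUTPUT. Note that the kern.securelevel line only works in the raising direction, as the table above states; the other lines take effect when sysctl(8) reads /etc/sysctl.conf at boot.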

     kern.dump_on_panic (KERN_DUMP_ON_PANIC)
             Perform a crash dump on system panic(9).

     kern.file (KERN_FILE)
             Return the entire file table.  The returned data consists of a
             single struct filelist followed by an array of struct file, whose
             size depends on the current number of such objects in the system.

     kern.forkfsleep (KERN_FORKFSLEEP)
             If the fork(2) system call fails due to the limit on the number
             of processes (either the global maxproc limit or the user's
             one), wait for this many milliseconds before returning the
             EAGAIN error to the process.  Useful to keep heavily forking
             runaway processes at bay.  Default zero (no sleep).  Maximum is
             20 seconds.

     kern.fscale (KERN_FSCALE)
             The kernel fixed-point scale factor.

     kern.fsync (KERN_FSYNC)
             Return 1 if the IEEE Std 1003.1b-1993 ("POSIX.1b") File
             Synchronization Option is available on this system, otherwise 0.

     kern.hardclock_ticks (KERN_HARDCLOCK_TICKS)
             Returns the number of hardclock(9) ticks.

     kern.heartbeat.max_period
             Time in seconds since the last options HEARTBEAT progress check
             has passed before it will trigger a panic.  See options(4).

     kern.hist
             This variable contains kernel history data if the kernel was
             configured for any of the options UVHMIST, USB_DEBUG, BIOHIST, or
             SCDEBUG.  (See options(4) for more details.)  The third-level
             names correspond to each available history table.  The values of
             the history tables are in an internal format, and can be decoded
             by the vmstat(1) utility's -U and -u options; the -l option can
             be used to see which tables are available.

     kern.hostid (KERN_HOSTID)
             Get or set the host identifier.  This is intended to replace
             the legacy gethostid(3) and sethostid(3) system calls.

     kern.hostname (KERN_HOSTNAME)
             Get or set the hostname(1).

     kern.iov_max (KERN_IOV_MAX)
             Return the maximum number of iovec structures that a process has
             available for use with preadv(2), pwritev(2), readv(2),
             recvmsg(2), sendmsg(2) and writev(2).

     kern.ipc (KERN_SYSVIPC)
             Return information about the SysV IPC parameters.  The third
             level names for the ipc variables are detailed below.

                   Third level name         Type       Changeable
                   kern.ipc.sysvmsg         integer    no
                   kern.ipc.sysvsem         integer    no
                   kern.ipc.sysvshm         integer    no
                   kern.ipc.sysvipc_info    struct     no
                   kern.ipc.shmmax          integer    yes
                   kern.ipc.shmmni          integer    yes
                   kern.ipc.shmseg          integer    yes
                   kern.ipc.shmmaxpgs       integer    yes
                   kern.ipc.shm_use_phys    integer    yes
                   kern.ipc.msgmni          integer    yes
                   kern.ipc.msgseg          integer    yes
                   kern.ipc.semmni          integer    yes
                   kern.ipc.semmns          integer    yes
                   kern.ipc.semmnu          integer    yes

             kern.ipc.sysvmsg (KERN_SYSVIPC_MSG)
                     Returns 1 if System V style message queue functionality
                     is available on this system, otherwise 0.

             kern.ipc.sysvsem (KERN_SYSVIPC_SEM)
                     Returns 1 if System V style semaphore functionality is
                     available on this system, otherwise 0.

             kern.ipc.sysvshm (KERN_SYSVIPC_SHM)
                     Returns 1 if System V style shared memory functionality
                     is available on this system, otherwise 0.

             kern.ipc.sysvipc_info (KERN_SYSVIPC_INFO)
                     Return System V style IPC configuration and run-time
                     information.  The fourth level name selects the System V
                     style IPC facility.

                           Fourth level name        Type
                           KERN_SYSVIPC_MSG_INFO    struct msg_sysctl_info
                           KERN_SYSVIPC_SEM_INFO    struct sem_sysctl_info
                           KERN_SYSVIPC_SHM_INFO    struct shm_sysctl_info

                     KERN_SYSVIPC_MSG_INFO
                             Return information on the System V style message
                             facility.  The msg_sysctl_info structure is
                             defined in <sys/msg.h>.

                     KERN_SYSVIPC_SEM_INFO
                             Return information on the System V style
                             semaphore facility.  The sem_sysctl_info
                             structure is defined in <sys/sem.h>.

                     KERN_SYSVIPC_SHM_INFO
                             Return information on the System V style shared
                             memory facility.  The shm_sysctl_info structure
                             is defined in <sys/shm.h>.

             kern.ipc.shmmax (KERN_SYSVIPC_SHMMAX)
                     Max shared memory segment size in bytes.

             kern.ipc.shmmni (KERN_SYSVIPC_SHMMNI)
                     Max number of shared memory identifiers.

             kern.ipc.shmseg (KERN_SYSVIPC_SHMSEG)
                     Max shared memory segments per process.

             kern.ipc.shmmaxpgs (KERN_SYSVIPC_SHMMAXPGS)
                     Max amount of shared memory in pages.

             kern.ipc.shm_use_phys (KERN_SYSVIPC_SHMUSEPHYS)
                     Locking of shared memory in physical memory.  If 0,
                     memory can be swapped out, otherwise it will be locked in
                     physical memory.

             kern.ipc.msgmni
                     Max number of message queue identifiers.

             kern.ipc.msgseg
                     Max number of message segments.

             kern.ipc.semmni
                     Max number of semaphore identifiers.

             kern.ipc.semmns
                     Max number of semaphores in system.

             kern.ipc.semmnu
                     Max number of undo structures in system.

     kern.job_control (KERN_JOB_CONTROL)
             Return 1 if job control is available on this system, otherwise 0.

     kern.labeloffset (KERN_LABELOFFSET)
             The offset within the sector specified by KERN_LABELSECTOR of the
             disklabel(5).

     kern.labelsector (KERN_LABELSECTOR)
             The sector number containing the disklabel(5).

     kern.login_name_max (KERN_LOGIN_NAME_MAX)
             The size of the storage required for a login name, in bytes,
             including the terminating NUL.

     kern.logsigexit (KERN_LOGSIGEXIT)
             If this flag is non-zero, the kernel will log(9) all process
             exits due to signals which create a core(5) file, and whether the
             coredump was created.

     kern.lwp (KERN_LWP)
             Returns information about the current light-weight process.  The
             kinfo_lwp structure is defined in <sys/sysctl.h>.

     kern.mapped_files (KERN_MAPPED_FILES)
             Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1b") Memory Mapped
             Files Option is available on this system, otherwise 0.

     kern.maxfiles (KERN_MAXFILES)
             The maximum number of open files that may be open in the system.
             This also controls the maximum file locks per unprivileged user
             enforced by fcntl(2) and flock(2).

     kern.maxpartitions (KERN_MAXPARTITIONS)
             The maximum number of partitions allowed per disk.

     kern.maxlwp
             The maximum number of Lightweight Processes (threads) the system
             allows per uid.

     kern.maxphys (KERN_MAXPHYS)
             Maximum raw I/O transfer size.

     kern.maxproc (KERN_MAXPROC)
             The maximum number of simultaneous processes the system will
             allow.

     kern.maxptys (KERN_MAXPTYS)
             The maximum number of pseudo terminals.  This value can be both
             raised and lowered, though it cannot be set lower than the
             number of currently used ptys.  See also pty(4).

     kern.maxvnodes (KERN_MAXVNODES)
             The maximum number of vnodes available on the system.  This
             cannot be lowered below the number of currently active vnodes.

     kern.mbuf (KERN_MBUF)
             Return information about the mbuf control variables.  Mbufs are
             data structures which store network packets and other data
             structures in the networking code, see mbuf(9).  The third level
             names for the mbuf variables are detailed below.  The changeable
             column shows whether a process with appropriate privilege may
             change the value.

                   Third level name               Type       Changeable
                   kern.mbuf.mblowat              integer    yes
                   kern.mbuf.mclbytes             integer    yes
                   kern.mbuf.mcllowat             integer    yes
                   kern.mbuf.msize                integer    yes
                   kern.mbuf.nmbclusters          integer    yes
                   kern.mbuf.nmbclusters_limit    integer    no

             The variables are as follows:

             kern.mbuf.mblowat (MBUF_MBLOWAT)
                     The mbuf low water mark.

             kern.mbuf.mclbytes (MBUF_MCLBYTES)
                     The mbuf cluster size.

             kern.mbuf.mcllowat (MBUF_MCLLOWAT)
                     The mbuf cluster low water mark.

             kern.mbuf.msize (MBUF_MSIZE)
                     The mbuf base size.

             kern.mbuf.nmbclusters (MBUF_NMBCLUSTERS)
                     The limit on the number of mbuf clusters.  The variable
                     can only be increased, and only increased on machines
                     with direct-mapped pool pages.

             kern.mbuf.nmbclusters_limit (MBUF_NMBCLUSTERS_LIMIT)
                     The limit of nmbclusters.

     kern.memlock (KERN_MEMLOCK)
             Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1b") Process
             Memory Locking Option is available on this system, otherwise 0.

     kern.memlock_range (KERN_MEMLOCK_RANGE)
             Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1b") Range Memory
             Locking Option is available on this system, otherwise 0.

     kern.memory_protection (KERN_MEMORY_PROTECTION)
             Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1b") Memory
             Protection Option is available on this system, otherwise 0.

     kern.messages
             Kernel console message verbosity.  See <sys/reboot.h>.

                   Value        Verbosity  sys/reboot.h equivalent
                   0            Silent     AB_SILENT
                   1            Quiet      AB_QUIET
                   2            Normal     AB_NORMAL
                   3            Verbose    AB_VERBOSE
                   4            Debug      AB_DEBUG

     kern.module
             Settings related to kernel modules.  The third level names for
             the settings are described below.

                   Third level name                 Type       Changeable
                   kern.module.autoload             integer    yes
                   kern.module.autounload_unsafe    integer    yes
                   kern.module.autotime             integer    yes
                   kern.module.verbose              boolean    yes

             The variables are as follows:

             kern.module.autoload
                     A boolean that controls whether kernel modules are loaded
                     automatically.  See module(7) for details.

             kern.module.autounload_unsafe
                     A boolean that controls whether the kernel will
                     autounload modules that were automatically loaded and
                     have not been audited for autounload.

                     By default, only modules that have been audited will be
                     autounloaded, and only if they were autoloaded to begin
                     with.

             kern.module.autotime
                     An integer that controls the delay before an attempt is
                     made to automatically unload a module that was
                     autoloaded.  Setting this value to zero disables the
                     autounload function.

             kern.module.verbose
                     A boolean that enables or disables verbose debug messages
                     related to kernel modules.

     kern.monotonic_clock (KERN_MONOTONIC_CLOCK)
             Returns the standard version the implementation of the IEEE Std
             1003.1b-1993 ("POSIX.1b") Monotonic Clock Option conforms to,
             otherwise 0.

     kern.mqueue
             Settings related to POSIX message queues; see mqueue(3).  This
             node is created dynamically when the corresponding kernel module
             is loaded.  The third level names for the settings are described
             below.

                   Third level name              Type       Changeable
                   kern.mqueue.mq_open_max       integer    yes
                   kern.mqueue.mq_prio_max       integer    yes
                   kern.mqueue.mq_max_msgsize    integer    yes
                   kern.mqueue.mq_def_maxmsg     integer    yes
                   kern.mqueue.mq_max_maxmsg     integer    yes

             The variables are:

             kern.mqueue.mq_open_max
                     The maximum number of message queue descriptors any
                     single process can open.

             kern.mqueue.mq_prio_max
                     The maximum priority of a message.

             kern.mqueue.mq_max_msgsize
                     The maximum size of a message in a message queue.

             kern.mqueue.mq_def_maxmsg
                     The default maximum message count.

             kern.mqueue.mq_max_maxmsg
                     The maximum number of messages in a message queue.

     kern.msgbuf (KERN_MSGBUF)
             The kernel message buffer, rotated so that the head of the
             circular kernel message buffer is at the start of the returned
             data.  The returned data may contain NUL bytes.

     kern.msgbufsize (KERN_MSGBUFSIZE)
             The maximum number of characters that the kernel message buffer
             can hold.

     kern.ngroups (KERN_NGROUPS)
             The maximum number of supplemental groups.

     kern.ntptime (KERN_NTPTIME)
             A struct ntptimeval structure is returned.  This structure
             contains data used by the ntpd(8) program.

     kern.osrelease (KERN_OSRELEASE)
             The system release string.

     kern.osrevision (KERN_OSREV)
             The system revision, expressed as an integer.

     kern.ostype (KERN_OSTYPE)
             The system type string.

     kern.pipe (KERN_PIPE)
             Pipe settings.  The third level names for the integer pipe
             settings are detailed below.  The changeable column shows whether
             a process with appropriate privilege may change the value.

                   Third level name         Type       Changeable
                   kern.pipe.kvasiz         integer    yes
                   kern.pipe.maxbigpipes    integer    yes
                   kern.pipe.maxkvasz       integer    yes
                   kern.pipe.limitkva       integer    yes
                   kern.pipe.nbigpipes      integer    yes

             The variables are as follows:

             kern.pipe.kvasiz (KERN_PIPE_KVASIZ)
                     Amount of kernel memory consumed by pipe buffers.

             kern.pipe.maxbigpipes (KERN_PIPE_MAXBIGPIPES)
                     Maximum number of "big" pipes.

             kern.pipe.maxkvasz (KERN_PIPE_MAXKVASZ)
                     Maximum amount of kernel memory to be used for pipes.

             kern.pipe.limitkva (KERN_PIPE_LIMITKVA)
                     Limit for direct transfers via page loan.

             kern.pipe.nbigpipes (KERN_PIPE_NBIGPIPES)
                     Number of "big" pipes.

     kern.pool
             Provides statistics about the pool(9) and pool_cache(9)
             subsystems.

     kern.posix1version (KERN_POSIX1)
             The version of ISO/IEC 9945 (IEEE Std 1003.1 ("POSIX.1")) with
             which the system attempts to comply.

     kern.posix_aio
             The version of IEEE Std 1003.1 ("POSIX.1") and its Asynchronous
             I/O option to which the system attempts to conform.

     kern.posix_barriers (KERN_POSIX_BARRIERS)
             The version of IEEE Std 1003.1 ("POSIX.1") and its Barriers
             option to which the system attempts to conform, otherwise 0.

     kern.posix_reader_writer_locks (KERN_POSIX_READER_WRITER_LOCKS)
             The version of IEEE Std 1003.1 ("POSIX.1") and its Read-Write
             Locks option to which the system attempts to conform,
             otherwise 0.

     kern.posix_semaphores (KERN_POSIX_SEMAPHORES)
             The version of IEEE Std 1003.1 ("POSIX.1") and its Semaphores
             option to which the system attempts to conform, otherwise 0.

     kern.posix_spin_locks (KERN_POSIX_SPIN_LOCKS)
             The version of IEEE Std 1003.1 ("POSIX.1") and its Spin Locks
             option to which the system attempts to conform, otherwise 0.

     kern.posix_threads (KERN_POSIX_THREADS)
             The version of IEEE Std 1003.1 ("POSIX.1") and its Threads option
             to which the system attempts to conform, otherwise 0.

     kern.posix_timers (KERN_POSIX_TIMERS)
             The version of IEEE Std 1003.1 ("POSIX.1") and its Timers option
             to which the system attempts to conform, otherwise 0.

     kern.proc (KERN_PROC)
             Return the entire process table, or a subset of it.  An array of
             struct kinfo_proc structures is returned, whose size depends on
             the current number of such objects in the system.  The third and
             fourth level numeric names are as follows:

                   Third level name     Fourth level is:
                   KERN_PROC_ALL        None
                   KERN_PROC_GID        A group ID
                   KERN_PROC_PID        A process ID
                   KERN_PROC_PGRP       A process group
                   KERN_PROC_RGID       A real group ID
                   KERN_PROC_RUID       A real user ID
                   KERN_PROC_SESSION    A session ID
                   KERN_PROC_TTY        A tty device
                   KERN_PROC_UID        A user ID

     kern.proc2 (KERN_PROC2)
             As for KERN_PROC, but an array of struct kinfo_proc2 structures
             is returned.  The fifth level name is the size of the struct
             kinfo_proc2 and the sixth level name is the number of structures
             to return.

     kern.proc_args (KERN_PROC_ARGS)
             Return the argv or environment strings (or the number thereof) of
             a process.  Multiple strings are returned separated by NUL
             characters.  The third level name is the process ID.  The fourth
             level name is as follows:

                   KERN_PROC_ARGV        The argv strings
                   KERN_PROC_ENV         The environ strings
                   KERN_PROC_NARGV       The number of argv strings
                   KERN_PROC_NENV        The number of environ strings
                   KERN_PROC_PATHNAME    The full pathname of the executable
                   KERN_PROC_CWD         The current working directory
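
             The following is an added example, not part of the manual page or
             of the NetBSD sources.  It reads a process's argv through
             kern.proc_args with the MIB {CTL_KERN, KERN_PROC_ARGS, pid,
             KERN_PROC_ARGV} and splits the NUL-separated result safely; the
             sysctl(3) calls are compiled only on NetBSD, the splitting is
             portable and is exercised on a constructed buffer elsewhere.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __NetBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/types.h>
#include <unistd.h>
#endif

/*
 * Split a buffer of NUL-separated strings, as returned for KERN_PROC_ARGV
 * and KERN_PROC_ENV, into at most 'max' pointers.  strlen() on the whole
 * buffer would stop at the first string, so the walk is bounded by 'len'
 * instead.  Returns the number of complete strings found; a trailing
 * fragment without a terminating NUL (a truncated buffer) is not counted.
 */
size_t split_nul_strings(const char *buf, size_t len, const char **out, size_t max)
{
    size_t n = 0, off = 0;

    while (off < len && n < max) {
        const char *nul = memchr(buf + off, '\0', len - off);
        if (nul == NULL)
            break;
        out[n++] = buf + off;
        off = (size_t)(nul - buf) + 1;
    }
    return n;
}

#ifdef __NetBSD__
/*
 * Fetch argv (KERN_PROC_ARGV) or environment (KERN_PROC_ENV) of 'pid' with
 * the usual two-call pattern: the first call only asks for a buffer size,
 * the second fills the buffer and sets *lenp to the bytes actually written.
 * Caller frees the result.  Returns NULL with errno set on failure, e.g.
 * ESRCH when the process no longer exists.
 */
char *fetch_proc_args(pid_t pid, int what, size_t *lenp)
{
    int mib[4] = { CTL_KERN, KERN_PROC_ARGS, (int)pid, what };
    size_t len = 0;
    char *buf;

    if (sysctl(mib, 4, NULL, &len, NULL, 0) == -1)
        return NULL;
    if ((buf = malloc(len ? len : 1)) == NULL)
        return NULL;
    if (sysctl(mib, 4, buf, &len, NULL, 0) == -1) {
        int saved = errno;
        free(buf);
        errno = saved;
        return NULL;
    }
    *lenp = len;
    return buf;
}

/* KERN_PROC_NARGV and KERN_PROC_NENV return a single int. */
int fetch_proc_count(pid_t pid, int what)
{
    int mib[4] = { CTL_KERN, KERN_PROC_ARGS, (int)pid, what };
    int count = 0;
    size_t len = sizeof(count);

    if (sysctl(mib, 4, &count, &len, NULL, 0) == -1)
        return -1;
    return count;
}
#endif

int main(void)
{
    const char *argv_out[64];
    size_t n, i;
#ifdef __NetBSD__
    size_t len;
    char *buf = fetch_proc_args(getpid(), KERN_PROC_ARGV, &len);

    if (buf == NULL) {
        perror("kern.proc_args");
        return 1;
    }
    n = split_nul_strings(buf, len, argv_out, 64);
    /* The count from KERN_PROC_NARGV should match what we split. */
    printf("pid %d: %zu argv strings (KERN_PROC_NARGV says %d)\n",
           (int)getpid(), n, fetch_proc_count(getpid(), KERN_PROC_NARGV));
    for (i = 0; i < n; i++)
        printf("  argv[%zu] = %s\n", i, argv_out[i]);
    free(buf);
#else
    /* Constructed sample of what KERN_PROC_ARGV returns for "ls -la /tmp". */
    static const char sample[] = "ls\0-la\0/tmp";

    n = split_nul_strings(sample, sizeof(sample), argv_out, 64);
    for (i = 0; i < n; i++)
        printf("  argv[%zu] = %s\n", i, argv_out[i]);
#endif
    return 0;
}
```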

     kern.profiling (KERN_PROF)
             Return profiling information about the kernel.  If the kernel is
             not compiled for profiling, attempts to retrieve any of the
             KERN_PROF values will fail with EOPNOTSUPP.  The third level
             names for the string and integer profiling information are
             detailed below.  The changeable column shows whether a process
             with appropriate privilege may change the value.

                   Third level name            Type                Changeable
                   kern.profiling.count        u_short[]           yes
                   kern.profiling.froms        u_short[]           yes
                   kern.profiling.gmonparam    struct gmonparam    no
                   kern.profiling.state        integer             yes
                   kern.profiling.tos          struct tostruct     yes

             The variables are as follows:

             kern.profiling.count (GPROF_COUNT)
                     Array of statistical program counter counts.

             kern.profiling.froms (GPROF_FROMS)
                     Array indexed by program counter of call-from points.

             kern.profiling.gmonparam (GPROF_GMONPARAM)
                     Structure giving the sizes of the above arrays.

             kern.profiling.state (GPROF_STATE)
                     Profiling state.  If set to GMON_PROF_ON, starts
                     profiling.  If set to GMON_PROF_OFF, stops profiling.

             kern.profiling.tos (GPROF_TOS)
                     Array of struct tostruct describing destination of calls
                     and their counts.

     kern.rawpartition (KERN_RAWPARTITION)
             The raw partition of a disk (a == 0).

     kern.root_device (KERN_ROOT_DEVICE)
             The name of the root device (e.g., "wd0").

     kern.root_partition (KERN_ROOT_PARTITION)
             The root partition on the root device (a == 0).

     kern.rtc_offset (KERN_RTC_OFFSET)
             Return the offset of real time clock from UTC in minutes.

     kern.saved_ids (KERN_SAVED_IDS)
             Returns 1 if saved set-group and saved set-user ID is available.

     kern.sbmax (KERN_SBMAX)
             Maximum socket buffer size in bytes.

     kern.securelevel (KERN_SECURELVL)
             See secmodel_securelevel(9).

     kern.sched (dynamic)
             Influence the scheduling of LWPs, their prioritisation and how
             they are distributed on and moved between CPUs.

                   Third level name              Type       Changeable
                   kern.sched.cacheht_time       integer    yes
                   kern.sched.balance_period     integer    yes
                   kern.sched.average_weight     integer    yes
                   kern.sched.min_catch          integer    yes
                   kern.sched.timesoftints       integer    yes
                   kern.sched.kpreempt_pri       integer    yes
                   kern.sched.upreempt_pri       integer    yes
                   kern.sched.maxts              integer    yes
                   kern.sched.mints              integer    yes
                   kern.sched.name               string     no
                   kern.sched.rtts               integer    no
                   kern.sched.pri_min            integer    no
                   kern.sched.pri_max            integer    no

             The variables are as follows:

             kern.sched.cacheht_time (dynamic)
                     Cache hotness time in which an LWP is kept on one
                     particular CPU and not moved to another CPU.  This
                     reduces the overhead of flushing and reloading caches.
                     Defaults to 3ms.  Needs to be given in "hz" units, see
                     mstohz(9).

             kern.sched.balance_period (dynamic)
                     Interval at which the CPU queues are checked for
                     rebalancing.  Defaults to 300ms.  Needs to be given in
                     "hz" units, see mstohz(9).

             kern.sched.average_weight (dynamic)
                     Can be used to influence how likely LWPs are to be
                     migrated from one CPU's queue of LWPs that are ready to
                     run to a different, idle CPU.  The value gives the
                     percentage for weighting the average count of migratable
                     threads from the past against the current number of
                     migratable threads.  A small value gives more weight to
                     the past, a larger value more weight to the current
                     situation.  Defaults to 50 and must be between 0 and 100.

             kern.sched.min_catch (dynamic)
                     Minimum count of migratable (runnable) threads for
                     catching (stealing) from another CPU.  Defaults to 1 but
                     can be increased to decrease chance of thread migration
                     between CPUs.

             kern.sched.timesoftints (dynamic)
                     Enable tracking of CPU time for soft interrupts as part
                     of an LWP's real execution time.  Set to a non-zero value
                     to enable, and see ps(1) for printing CPU times.

             kern.sched.kpreempt_pri (dynamic)
                     Minimum priority to trigger kernel preemption.

             kern.sched.upreempt_pri (dynamic)
                     Minimum priority to trigger user preemption.

             kern.sched.maxts (dynamic)
                     Scheduler specific maximal time quantum (in
                     milliseconds).  Must be set to a value larger than
                     "mints" and between 10 and "hz" as given by the
                     kern.clockrate sysctl.  Provided by the M2 scheduler.

             kern.sched.mints (dynamic)
                     Scheduler specific minimal time quantum (in
                     milliseconds).  Must be set to a value smaller than
                     "maxts" and between 1 and "hz" as given by the
                     "kern.clockrate" sysctl.  Provided by the M2 scheduler.

             kern.sched.name (dynamic)
                     Scheduler name.  Provided both by the M2 and the 4BSD
                     scheduler.

             kern.sched.rtts (dynamic)
                     Fixed scheduler specific round-robin time quantum in
                     milliseconds.  Provided both by the M2 and the 4BSD
                     scheduler.

             kern.sched.pri_min (dynamic)
                     Minimal POSIX real-time priority.  See sched(3).

             kern.sched.pri_max (dynamic)
                     Maximal POSIX real-time priority.  See sched(3).

     kern.sofixedbuf (KERN_SOFIXEDBUF)
             Prevent socket buffer autoscaling when a size is set with
             SO_SNDBUF or SO_RCVBUF.

     kern.somaxkva (KERN_SOMAXKVA)
             Maximum amount of kernel memory to be used for socket buffers in
             bytes.

     kern.sooptions
             Set the default socket option flags for socket(2) creation.  See
             setsockopt(2) for a list of supported flags.

     kern.synchronized_io (KERN_SYNCHRONIZED_IO)
             Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1b") Synchronized
             I/O Option is available on this system, otherwise 0.

     kern.timecounter (dynamic)
             Display and control the timecounter source of the system.

                   Third level name                     Type       Changeable
                   kern.timecounter.choice              string     no
                   kern.timecounter.hardware            string     yes
                   kern.timecounter.timestepwarnings    integer    yes

             The variables are as follows:

             kern.timecounter.choice (dynamic)
                     The list of available timecounters with their quality and
                     frequency.

             kern.timecounter.hardware (dynamic)
                     The currently selected timecounter source.

             kern.timecounter.timestepwarnings (dynamic)
                     If non-zero display a message each time the time is
                     stepped.

     kern.timex (KERN_TIMEX)
             Not available.

     kern.tkstat (KERN_TKSTAT)
             Return information about the number of characters sent and
             received on ttys.  The third level names for the tty statistic
             variables are detailed below.  The changeable column shows
             whether a process with appropriate privilege may change the
             value.

                   Third level name     Type    Changeable
                   kern.tkstat.cancc    quad    no
                   kern.tkstat.nin      quad    no
                   kern.tkstat.nout     quad    no
                   kern.tkstat.rawcc    quad    no

             The variables are as follows:

             kern.tkstat.cancc (KERN_TKSTAT_CANCC)
                     The number of canonical input characters.

             kern.tkstat.nin (KERN_TKSTAT_NIN)
                     The total number of input characters.

             kern.tkstat.nout (KERN_TKSTAT_NOUT)
                     The total number of output characters.

             kern.tkstat.rawcc (KERN_TKSTAT_RAWCC)
                     The number of raw input characters.

     kern.tty
             The third level names for the tty setup variables are detailed
             below.  The changeable column shows whether a process with
             appropriate privilege may change the value.

                   Third level name  Type   Changeable
                   kern.tty.qsize    int    yes

             The variables are as follows:

             kern.tty.qsize
                     Control/display the size of the default input and output
                     queues selected during tty creation.  Is converted to a
                     power of two and its range is between 1024 and 65536.

     kern.uidinfo
             Resource usage for the current user.

                   Third level name        Type       Changeable
                   kern.uidinfo.proccnt    integer    no
                   kern.uidinfo.lwpcnt     integer    no
                   kern.uidinfo.lockcnt    integer    no
                   kern.uidinfo.semcnt     integer    no
                   kern.uidinfo.sbsize     integer    no

             kern.uidinfo.proccnt
                     Returns the number of active processes for the current
                     user.

             kern.uidinfo.lwpcnt
                     Returns the number of active threads for the current
                     user; the first thread of each process is not counted.

             kern.uidinfo.lockcnt
                     Number of locks held by the current user.

             kern.uidinfo.semcnt
                     Number of semaphores held by the current user.

             kern.uidinfo.sbsize
                     Number of bytes in socket buffers allocated to the
                     current user.

     kern.urandom (KERN_URND)
             Random integer value.

     kern.usercrypto
             When enabled, allows userland to open(2) the /dev/crypto special
             device, used by the crypto(4) system.

     kern.userasymcrypto
             Enables or disables the use of software asymmetric crypto support
             in the crypto(4) system.

     kern.veriexec
             Runtime information for veriexec(8).

                   Third level name            Type       Changeable
                   kern.veriexec.algorithms    string     no
                   kern.veriexec.count         node       not applicable
                   kern.veriexec.strict        integer    yes
                   kern.veriexec.verbose       integer    yes

             kern.veriexec.algorithms
                     Returns a string with the supported algorithms in
                     Veriexec.

             kern.veriexec.count
                     Sub-nodes are added to this node as new mounts are
                     monitored by Veriexec.  Each mount will be under its own
                     tableN node.  Under each node there will be three
                     variables, indicating the mount point, the file system
                     type, and the number of entries.

             kern.veriexec.strict
                     Controls the strict level of Veriexec.  See security(7)
                     for more information on each level's implications.

             kern.veriexec.verbose
                     Controls the verbosity level of Veriexec.  If 0, only the
                     minimal indication required will be given about what's
                     happening - fingerprint mismatches, removal of entries
                     from the tables, modification of a fingerprinted file.
                     If 1, more messages will be printed (i.e., when a file
                     with a valid fingerprint is accessed).  Verbose level 2
                     is debug mode.

     kern.version (KERN_VERSION)
             The system version string.

     kern.vnode (KERN_VNODE)
             Return the entire vnode table.  Note, the vnode table is not
             necessarily a consistent snapshot of the system.  The returned
             data consists of an array whose size depends on the current
             number of such objects in the system.  Each element of the array
             contains the kernel address of a vnode (struct vnode *) followed
             by the vnode itself (struct vnode).

   The machdep.* subtree
     The set of variables defined is architecture dependent.  Most
     architectures define at least the following variables.

           Second level name        Type    Changeable
           machdep.booted_kernel    string  no

   The net.* subtree
     The string and integer information available for the net level is
     detailed below.  The changeable column shows whether a process with
     appropriate privilege may change the value.  The second and third levels
     are typically the protocol family and protocol number, though this is not
     always the case.

           Second level name    Type                           Changeable
           net.route            routing messages               no
           net.inet             IPv4 values                    yes
           net.inet6            IPv6 values                    yes
           net.key              IPsec key management values    yes

     net.route (PF_ROUTE)
             Return the entire routing table or a subset of it.  The data is
             returned as a sequence of routing messages (see route(4) for the
             header file, format and meaning).  The length of each message is
             contained in the message header.

             The third level name is a protocol number, which is currently
             always 0.  The fourth level name is an address family, which may
             be set to 0 to select all address families.  The fifth and sixth
             level names are as follows:

                   Fifth level name    Sixth level is:
                   NET_RT_FLAGS        rtflags
                   NET_RT_DUMP         None
                   NET_RT_IFLIST       None

     net.inet (PF_INET)
             Get or set various global information about the IPv4 (Internet
             Protocol version 4).  The third level name is the protocol.  The
             fourth level name is the variable name.  The currently defined
             protocols and names are:

                   Protocol    Variable                  Type       Changeable
                   arp         nd_delay                  integer    yes
                   arp         nd_bmaxtries              integer    yes
                   arp         nd_umaxtries              integer    yes
                   arp         nd_basereachable          integer    yes
                   arp         nd_retrans                integer    yes
                   arp         nd_nud                    integer    yes
                   arp         nd_maxnudhint             integer    yes
                   arp         log_movements             integer    yes
                   arp         log_permanent_modify      integer    yes
                   arp         log_unknown_network       integer    yes
                   arp         log_wrong_iface           integer    yes
                   carp        allow                     integer    yes
                   carp        preempt                   integer    yes
                   carp        log                       integer    yes
                   carp        arpbalance                integer    yes
                   icmp        errppslimit               integer    yes
                   icmp        maskrepl                  integer    yes
                   icmp        rediraccept               integer    yes
                   icmp        redirtimeout              integer    yes
                   icmp        bmcastecho                integer    yes
                   icmp        dynamic_rt_msg            boolean    yes
                   ip          allowsrcrt                integer    yes
                   ip          anonportalgo.selected     string     yes
                   ip          anonportalgo.available    string     yes
                   ip          anonportalgo.reserve      struct     yes
                   ip          anonportmax               integer    yes
                   ip          anonportmin               integer    yes
                   ip          checkinterface            integer    yes
                   ip          dad_count                 integer    yes
                   ip          directed-broadcast        integer    yes
                   ip          do_loopback_cksum         integer    yes
                   ip          forwarding                integer    yes
                   ip          forwsrcrt                 integer    yes
                   ip          gifttl                    integer    yes
                   ip          grettl                    integer    yes
                   ip          hashsize                  integer    yes
                   ip          hostzerobroadcast         integer    yes
                   ip          lowportmin                integer    yes
                   ip          lowportmax                integer    yes
                   ip          maxflows                  integer    yes
                   ip          maxfragpackets            integer    yes
                   ip          mtudisc                   integer    yes
                   ip          mtudisctimeout            integer    yes
                   ip          random_id                 integer    yes
                   ip          redirect                  integer    yes
                   ip          subnetsarelocal           integer    yes
                   ip          ttl                       integer    yes
                   tcp         rfc1323                   integer    yes
                   tcp         sendspace                 integer    yes
                   tcp         recvspace                 integer    yes
                   tcp         mssdflt                   integer    yes
                   tcp         syn_cache_limit           integer    yes
                   tcp         syn_bucket_limit          integer    yes
                   tcp         syn_cache_interval        integer    yes
                   tcp         init_win                  integer    yes
                   tcp         init_win_local            integer    yes
                   tcp         mss_ifmtu                 integer    yes
                   tcp         win_scale                 integer    yes
                   tcp         timestamps                integer    yes
                   tcp         cwm                       integer    yes
                   tcp         cwm_burstsize             integer    yes
                   tcp         ack_on_push               integer    yes
                   tcp         keepidle                  integer    yes
                   tcp         keepintvl                 integer    yes
                   tcp         keepcnt                   integer    yes
                   tcp         slowhz                    integer    no
                   tcp         keepinit                  integer    yes
                   tcp         log_refused               integer    yes
                   tcp         rstppslimit               integer    yes
                   tcp         ident                     struct     no
                   tcp         drop                      struct     no
                   tcp         sack.enable               integer    yes
                   tcp         sack.globalholes          integer    no
                   tcp         sack.globalmaxholes       integer    yes
                   tcp         sack.maxholes             integer    yes
                   tcp         ecn.enable                integer    yes
                   tcp         ecn.maxretries            integer    yes
                   tcp         congctl.selected          string     yes
                   tcp         congctl.available         string     yes
                   tcp         abc.enable                integer    yes
                   tcp         abc.aggressive            integer    yes
                   udp         checksum                  integer    yes
                   udp         do_loopback_cksum         integer    yes
                   udp         recvspace                 integer    yes
                   udp         sendspace                 integer    yes

             The variables are as follows:

             arp.nd_delay
                     The delay in seconds before sending the first probe,
                     after it has been decided that the entry is stale.

             arp.nd_bmaxtries
                     The maximum number of broadcasts sent to discover the
                     hardware address claiming an IP address.

             arp.nd_umaxtries
                     The maximum number of unicasts sent to the hardware
                     address to ensure it still claims an IP address.

             arp.nd_basereachable
                     The number of milliseconds the ARP entry is considered
                     reachable before probing reachability.

             arp.nd_retrans
                     The number of milliseconds between ARP probes.

             arp.nd_nud
                     If set to non-zero, perform Neighbor Unreachability
                     Detection.

             arp.nd_maxnudhint
                     Neighbor discovery permits upper layer protocols to
                     supply reachability hints, to avoid unnecessary neighbor
                     discovery exchanges.  The variable defines the number of
                     consecutive hints the neighbor discovery layer will take.
                     For example, if the variable is set to 3, the neighbor
                     discovery layer will accept at most 3 consecutive hints.
                     After receiving 3 hints, the neighbor discovery layer
                     will perform the normal neighbor discovery process.

             carp.allow
                     If set to 0, incoming carp(4) packets will not be
                     processed.  If set to any other value, processing will
                     occur.  Enabled by default.

             carp.arpbalance
                     If set to any value other than 0, the ARP balancing
                     functionality of carp(4) is enabled.  When ARP requests
                     are received for an IP address which is part of any
                     virtual host, carp will hash the source IP in the ARP
                     request to select one of the virtual hosts from the set
                     of all the virtual hosts which have that IP address.  The
                     master of that host will respond with the correct virtual
                     MAC address.  Disabled by default.

             carp.log
                     If set to any value other than 0, carp(4) will log
                     errors.  Disabled by default.

             carp.preempt
                     If set to 0, carp(4) will not attempt to become master if
                     it is receiving advertisements from another active
                     master.  If set to any other value, carp will become
                     master of the virtual host if it believes it can send
                     advertisements more frequently than the current master.
                     Disabled by default.

             ip.allowsrcrt
                     If set to 1, the host accepts source routed packets.

             ip.anonportalgo.available
                     The available RFC 6056 port randomization algorithms.

             ip.anonportalgo.reserve
                     A bitmask of ports that will not be used during anonymous
                     or privileged port selection.

             ip.anonportalgo.selected
                     The currently selected RFC 6056 port randomization
                     algorithm; see rfc6056(7) for details.

             ip.anonportmax
                     The highest port number to use for TCP and UDP ephemeral
                     port allocation.  This cannot be set to less than 1024 or
                     greater than 65535, and must be greater than
                     ip.anonportmin.

             ip.anonportmin
                     The lowest port number to use for TCP and UDP ephemeral
                     port allocation.  This cannot be set to less than 1024 or
                     greater than 65535.

             ip.checkinterface
                     If set to non-zero, the host will reject packets
                     addressed to it that arrive on an interface not bound to
                     that address.  Currently, this must be disabled if NAT is
                     used to translate the destination address to another
                     local interface, or if addresses are added to the
                     loopback interface instead of the interface on which the
                     packets for those addresses are received.

             ip.dad_count
                     The number of arp(4) probes sent for Address Conflict
                     Detection.  Set to 0 to disable this.

             ip.directed-broadcast
                     If set to 1, enables directed broadcast behavior for the
                     host.

             ip.do_loopback_cksum
                     Perform IP checksum on loopback.

             ip.forwarding
                     If set to 1, enables IP forwarding for the host, meaning
                     that the host is acting as a router.

             ip.forwsrcrt
                     If set to 1, enables forwarding of source-routed packets
                     for the host.  This value may only be changed if the
                     kernel security level is less than 1.

             ip.gifttl
                     The maximum time-to-live (hop count) value for an IPv4
                     packet generated by a gif(4) tunnel interface.

             ip.grettl
                     The maximum time-to-live (hop count) value for an IPv4
                     packet generated by a gre(4) tunnel interface.

             ip.hashsize
                     The size of the IPv4 Fast Forward hash table.  This value
                     must be a power of 2 (64, 256...).  A larger hash table
                     size results in fewer collisions.  Also see ip.maxflows.

             ip.hostzerobroadcast
                     The all-zeroes host address is treated as a broadcast
                     address.

             ip.lowportmax
                     The highest port number to use for TCP and UDP reserved
                     port allocation.  This cannot be set to less than 0 or
                     greater than 1024, and must be greater than
                     ip.lowportmin.

             ip.lowportmin
                     The lowest port number to use for TCP and UDP reserved
                     port allocation.  This cannot be set to less than 0 or
                     greater than 1024, and must be smaller than
                     ip.lowportmax.

             ip.maxflows
                     IPv4 Fast Forwarding is enabled by default.  If set to 0,
                     IPv4 Fast Forwarding is disabled.  ip.maxflows controls
                     the maximum number of flows which can be created.  The
                     default value is 256.

             ip.maxfragpackets
                     The maximum number of fragmented packets the node will
                     accept.  0 means that the node will not accept any
                     fragmented packets.  -1 means that the node will accept
                     as many fragmented packets as it receives.  The limit is
                     provided mainly to mitigate possible DoS attacks.

             ip.mtudisc
                     If set to 1, enables Path MTU Discovery (RFC 1191).  When
                     Path MTU Discovery is enabled, the transmitted TCP
                     segment size will be determined by the advertised maximum
                     segment size (MSS) from the remote end, as constrained by
                     the path MTU.  If MTU Discovery is disabled, the
                     transmitted segment size will never be greater than
                     tcp.mssdflt (the local maximum segment size).

             ip.mtudisctimeout
                     The number of seconds in which a route added by the Path
                     MTU Discovery engine will time out.  When the route times
                     out, the Path MTU Discovery engine will attempt to probe
                     a larger path MTU.

             ip.random_id
                     Assign random ip_id values.

             ip.redirect
                     If set to 1, ICMP redirects may be sent by the host.
                     This option is ignored unless the host is routing IP
                     packets, and should normally be enabled on all systems.

             ip.subnetsarelocal
                     If set to 1, subnets are to be considered local
                     addresses.

             ip.ttl  The maximum time-to-live (hop count) value for an IP
                     packet sourced by the system.  This value applies to
                     normal transport protocols, not to ICMP.

             icmp.errppslimit
                     The variable specifies the maximum number of outgoing
                     ICMP error messages per second.  ICMP error messages
                     that exceed the value are subject to rate limitation
                     and will not go out from the node.  A negative value
                     disables rate limitation.

             icmp.maskrepl
                     If set to 1, ICMP network mask requests are to be
                     answered.

             icmp.rediraccept
                     If set to non-zero, the host will accept ICMP redirect
                     packets.  Note that routers will never accept ICMP
                     redirect packets, and the variable is meaningful on IP
                     hosts only.

             icmp.redirtimeout
                     The variable specifies the lifetime of routing entries
                     generated by incoming ICMP redirects.  This defaults to
                     600 seconds.

             icmp.returndatabytes
                     Number of bytes to return in an ICMP error message.

             icmp.bmcastecho
                     If set to 1, enables responding to ICMP echo or timestamp
                     request to the broadcast address.

             icmp.dynamic_rt_msg
                     A boolean controlling whether the kernel sends a routing
                     message for RTM_DYNAMIC.  If set to true, such routing
                     messages are sent.

             tcp.ack_on_push
                     If set to 1, TCP is to immediately transmit an ACK upon
                     reception of a packet with PUSH set.  This can avoid
                     losing a round trip time in some rare situations, but has
                     the caveat of potentially defeating TCP's delayed ACK
                     algorithm.  Use of this option is generally not
                     recommended, but the variable exists in case your
                     configuration really needs it.

             tcp.cwm
                     If set to 1, enables use of the Hughes/Touch/Heidemann
                     Congestion Window Monitoring algorithm.  This algorithm
                     prevents line-rate bursts of packets that could otherwise
                     occur when data begins flowing on an idle TCP connection.
                     These line-rate bursts can contribute to network and
                     router congestion.  This can be particularly useful on
                     World Wide Web servers which support HTTP/1.1, which has
                     lingering connections.

             tcp.cwm_burstsize
                     The Congestion Window Monitoring allowed burst size, in
                     terms of packet count.

             tcp.delack_ticks
                     Number of ticks to delay sending an ACK.

             tcp.do_loopback_cksum
                     Perform TCP checksum on loopback.

             tcp.init_win
                     A value indicating the TCP initial congestion window.
                     The valid range is 0 to 10 (maximum specified by
                     RFC6928), with a default of 4 (approximately 4K per
                     RFC3390).

             tcp.init_win_local
                     Like tcp.init_win, but used when communicating with hosts
                     on a local network.

             tcp.keepcnt
                     Number of keepalive probes sent before declaring a
                     connection dead.  If set to zero, there is no limit;
                     keepalives will be sent until some kind of response is
                     received from the peer.

             tcp.keepidle
                     Time a connection must be idle before keepalives are sent
                     (if keepalives are enabled for the connection).  See also
                     tcp.slowhz.

             tcp.keepintvl
                     Time after a keepalive probe is sent until, in the
                     absence of any response, another probe is sent.  See also
                     tcp.slowhz.

             tcp.log_refused
                     If set to 1, refused TCP connections to the host will be
                     logged.

             tcp.keepinit
                     Timeout in seconds during connection establishment.

             tcp.mss_ifmtu
                     If set to 1, TCP calculates the outgoing maximum segment
                     size based on the MTU of the appropriate interface.  If
                     set to 0, it is calculated based on the greater of the
                     MTU of the interface, and the largest (non-loopback)
                     interface MTU on the system.

             tcp.mssdflt
                     The default maximum segment size both advertised to the
                     peer and to use when either the peer does not advertise a
                     maximum segment size to us during connection setup or
                     Path MTU Discovery (ip.mtudisc) is disabled.  Do not
                     change this value unless you really know what you are
                     doing.

             tcp.recvspace
                     The default TCP receive buffer size.

             tcp.rfc1323
                     If set to 1, enables RFC 1323 extensions to TCP.

             tcp.rstppslimit
                     The variable specifies the maximum number of outgoing TCP
                     RST packets per second.  TCP RST packets that exceed
                     the value are subject to rate limitation and will not go
                     out from the node.  A negative value disables rate
                     limitation.

             tcp.ident
                     Return the user ID of a connected socket pair.  (RFC1413
                     Identification Protocol lookups.)

             tcp.drop
                     Drop a TCP socket pair connection.

             tcp.sack.enable
                     If set to 1, enables RFC 2018 Selective ACKnowledgement.

             tcp.sack.globalholes
                     Global number of TCP SACK holes.

             tcp.sack.globalmaxholes
                     Global maximum number of TCP SACK holes.

             tcp.sack.maxholes
                     Maximum number of TCP SACK holes allowed per connection.

             tcp.ecn.enable
                     If set to 1, enables RFC 3168 Explicit Congestion
                     Notification.

             tcp.ecn.maxretries
                     Number of times to retry sending the ECN-setup packet.

             tcp.sendspace
                     The default TCP send buffer size.

             tcp.slowhz
                     The units for tcp.keepidle and tcp.keepintvl; those
                     variables are in ticks of a clock that ticks tcp.slowhz
                     times per second.  (That is, their values must be divided
                     by the tcp.slowhz value to get times in seconds.)

             tcp.syn_bucket_limit
                     The maximum number of entries allowed per hash bucket in
                     the TCP compressed state engine.

             tcp.syn_cache_limit
                     The maximum number of entries allowed in the TCP
                     compressed state engine.

             tcp.timestamps
                     If rfc1323 is enabled, a value of 1 indicates RFC 1323
                     time stamp options, used for measuring TCP round trip
                     times, are enabled.

             tcp.win_scale
                     If rfc1323 is enabled, a value of 1 indicates RFC 1323
                     window scale options, for increasing the TCP window size,
                     are enabled.

             tcp.congctl.available
                     The available TCP congestion control algorithms.

             tcp.congctl.selected
                     The currently selected TCP congestion control algorithm.

             tcp.abc.enable
                     If set to 1, use RFC 3465 Appropriate Byte Counting
                     (ABC).  If set to 0, use traditional Packet Counting.

             tcp.abc.aggressive
                     Choose the L parameter found in RFC 3465.  L is the
                     maximum cwnd increase for an ack during slow start.  If
                     set to 1, use L=2*SMSS.  If set to 0, use L=1*SMSS.  It
                     has no effect unless tcp.abc.enable is set to 1.

             udp.checksum
                     If set to 1, UDP checksums are being computed.  Received
                     non-zero UDP checksums are always checked.  Disabling UDP
                     checksums is strongly discouraged.

             udp.recvspace
                     The default UDP receive buffer size.

             udp.sendspace
                     The default UDP send buffer size.

             For variables net.*.ipsec, please refer to ipsec(4).
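             The following is an added example, not part of this manual
             page: a small POSIX sh audit that compares the net.inet
             variables described above against a defensive baseline for an
             ordinary host (not a router).  It assumes the input is the
             "name = value" text that sysctl(8) prints for the subtree, for
             example the output of `sysctl net.inet` saved to a file; the
             baseline values and the sample input are constructed here.

```sh
#!/bin/sh
# Added example, not part of sysctl(7): audit the net.inet variables
# described in the manual page against a defensive baseline for a host.
# Input is the "name = value" text that NetBSD's sysctl(8) prints for the
# subtree (for example the output of `sysctl net.inet` saved to a file).

# Baseline for a host (not a router): variable, expected value, reason.
# The values are assumptions derived from the variable descriptions.
baseline() {
    cat <<'EOF'
net.inet.ip.forwarding 0 a host should not act as a router
net.inet.ip.allowsrcrt 0 do not accept source routed packets
net.inet.ip.forwsrcrt 0 do not forward source routed packets
net.inet.ip.directed-broadcast 0 no directed broadcast amplification
net.inet.icmp.rediraccept 0 ignore ICMP redirects (route injection)
net.inet.icmp.bmcastecho 0 do not answer echo to the broadcast address
net.inet.icmp.maskrepl 0 do not answer ICMP netmask requests
net.inet.udp.checksum 1 UDP checksums must stay enabled
net.inet.tcp.log_refused 1 log refused connections for detection
EOF
}

# current_value NAME FILE: print the value recorded for NAME in FILE
# (a "name = value" line), or nothing if the variable is absent.
current_value() {
    awk -v key="$1" '$1 == key && $2 == "=" { print $3; exit }' "$2"
}

# audit_sysctl FILE: print one line per deviation from the baseline and
# return the number of deviations (0 means compliant).  The count is also
# left in AUDIT_DEVIATIONS, since a return status is capped at 255.
audit_sysctl() {
    file="$1"
    AUDIT_DEVIATIONS=0
    # The here-document keeps the loop in the current shell, so the
    # counter survives (a pipe into `while` would run it in a subshell).
    while read -r name want why; do
        have=$(current_value "$name" "$file")
        if [ -z "$have" ]; then
            printf 'MISSING  %s (%s)\n' "$name" "$why"
            AUDIT_DEVIATIONS=$((AUDIT_DEVIATIONS + 1))
        elif [ "$have" != "$want" ]; then
            printf 'DEVIATES %s = %s, baseline %s (%s)\n' \
                "$name" "$have" "$want" "$why"
            AUDIT_DEVIATIONS=$((AUDIT_DEVIATIONS + 1))
        fi
    done <<EOF
$(baseline)
EOF
    return "$AUDIT_DEVIATIONS"
}

# Constructed sample of sysctl(8) output (not captured from a real host):
# forwarding and redirect acceptance are on, and tcp.log_refused is absent.
SAMPLE_FILE="${TMPDIR:-/tmp}/sysctl-net-inet.sample.$$"
cat >"$SAMPLE_FILE" <<'EOF'
net.inet.ip.forwarding = 1
net.inet.ip.allowsrcrt = 0
net.inet.ip.forwsrcrt = 0
net.inet.ip.directed-broadcast = 0
net.inet.icmp.rediraccept = 1
net.inet.icmp.bmcastecho = 0
net.inet.icmp.maskrepl = 0
net.inet.udp.checksum = 1
net.inet.tcp.mssdflt = 536
EOF

# Running the audit on the sample reports three deviations: ip.forwarding,
# icmp.rediraccept and the missing tcp.log_refused.
if audit_sysctl "$SAMPLE_FILE"; then
    echo "net.inet settings match the baseline"
else
    echo "$AUDIT_DEVIATIONS setting(s) deviate from the baseline"
fi
```

             On a NetBSD host the same functions can be pointed at a fresh
             capture with `sysctl net.inet > file` followed by
             `audit_sysctl file`.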

     net.inet6 (PF_INET6)
             Get or set various global information about the IPv6 (Internet
             Protocol version 6).  The third level name is the protocol.  The
             fourth level name is the variable name.  The currently defined
             protocols and names are:

                   Protocol    Variable                  Type       Changeable
                   icmp6       errppslimit               integer    yes
                   icmp6       mtudisc_hiwat             integer    yes
                   icmp6       mtudisc_lowat             integer    yes
                   icmp6       nd6_debug                 integer    yes
                   icmp6       nd6_delay                 integer    yes
                   icmp6       nd6_maxnudhint            integer    yes
                   icmp6       nd6_mmaxtries             integer    yes
                   icmp6       nd6_prune                 integer    yes
                   icmp6       nd6_umaxtries             integer    yes
                   icmp6       nd6_useloopback           integer    yes
                   icmp6       nodeinfo                  integer    yes
                   icmp6       rediraccept               integer    yes
                   icmp6       redirtimeout              integer    yes
                   icmp6       reflect_pmtu              boolean    yes
                   icmp6       dynamic_rt_msg            boolean    yes
                   ip6         accept_rtadv              integer    yes
                   ip6         addctlpolicy              struct in6_addrpolicy  no
                   ip6         anonportalgo.selected     string     yes
                   ip6         anonportalgo.available    string     yes
                   ip6         anonportalgo.reserve      struct     yes
                   ip6         anonportmax               integer    yes
                   ip6         anonportmin               integer    yes
                   ip6         auto_flowlabel            integer    yes
                   ip6         dad_count                 integer    yes
                   ip6         defmcasthlim              integer    yes
                   ip6         forwarding                integer    yes
                   ip6         gifhlim                   integer    yes
                   ip6         hashsize                  integer    yes
                   ip6         hlim                      integer    yes
                   ip6         hdrnestlimit              integer    yes
                   ip6         kame_version              string     no
                   ip6         keepfaith                 integer    yes
                   ip6         log_interval              integer    yes
                   ip6         lowportmax                integer    yes
                   ip6         lowportmin                integer    yes
                   ip6         maxdynroutes              integer    yes
                   ip6         maxifprefixes             integer    yes
                   ip6         maxifdefrouters           integer    yes
                   ip6         maxflows                  integer    yes
                   ip6         maxfragpackets            integer    yes
                   ip6         maxfrags                  integer    yes
                   ip6         neighborgcthresh          integer    yes
                   ip6         param_rt_msg              integer    yes
                   ip6         redirect                  integer    yes
                   ip6         rr_prune                  integer    yes
                   ip6         use_deprecated            integer    yes
                   ip6         v6only                    integer    yes
                   udp6        do_loopback_cksum         integer    yes
                   udp6        recvspace                 integer    yes
                   udp6        sendspace                 integer    yes

             The variables are as follows:

             ip6.accept_rtadv
                     If set to non-zero, the node will accept ICMPv6 router
                     advertisement packets and autoconfigure address prefixes
                     and default routers.  The node must be a host (not a
                     router) for the option to be meaningful.

             ip6.anonportalgo.available
                     The available RFC 6056 port randomization algorithms.

             ip6.anonportalgo.reserve
                     A bitmask of ports that will not be used during anonymous
                     or privileged port selection.

             ip6.anonportalgo.selected
                     The currently selected RFC 6056 port randomization
                     algorithm; see rfc6056(7) for details.

             ip6.anonportmax
                     The highest port number to use for TCP and UDP ephemeral
                     port allocation.  This cannot be set to less than 1024 or
                     greater than 65535, and must be greater than
                     ip6.anonportmin.

             ip6.anonportmin
                     The lowest port number to use for TCP and UDP ephemeral
                     port allocation.  This cannot be set to less than 1024 or
                     greater than 65535.

             ip6.auto_flowlabel
                     On connected transport protocol packets, fill in the
                     IPv6 flow label field to help intermediate routers
                     identify packet flows.

             ip6.dad_count
                     The number of IPv6 DAD (duplicate address detection)
                     probe packets.  The packets are sent when IPv6
                     interface addresses are configured.

             ip6.defmcasthlim
                     The default hop limit value for an IPv6 multicast packet
                     sourced by the node.  This value applies to all the
                     transport protocols on top of IPv6.  There are APIs to
                     override the value, as documented in ip6(4).

             ip6.forwarding
                     If set to 1, enables IPv6 forwarding for the node,
                     meaning that the node is acting as a router.  If set to
                     0, disables IPv6 forwarding for the node, meaning that
                     the node is acting as a host.  The IPv6 specification
                     defines node behavior for the "router" case and the
                     "host" case quite differently, and changing this
                     variable during operation may cause serious trouble.
                     It is recommended to configure the variable at bootstrap
                     time, and bootstrap time only.

             ip6.gifhlim
                     The maximum hop limit value for an IPv6 packet generated
                     by a gif(4) tunnel interface.

             ip6.hdrnestlimit
                     The number of IPv6 extension headers permitted on
                     incoming IPv6 packets.  If set to 0, the node will accept
                     as many extension headers as possible.

             ip6.hashsize
                     The size of the IPv6 Fast Forward hash table.  This value
                     must be a power of 2 (64, 256, ...).  A larger hash table
                     size results in fewer collisions.  Also see ip6.maxflows.

             ip6.hlim
                     The default hop limit value for an IPv6 unicast packet
                     sourced by the node.  This value applies to all the
                     transport protocols on top of IPv6.  There are APIs to
                     override the value, as documented in ip6(4).

             ip6.kame_version
                     The string identifies the version of the KAME IPv6 stack
                     implemented in the kernel.

             ip6.keepfaith
                     If set to non-zero, it enables the "FAITH" TCP relay
                     IPv6-to-IPv4 translator code in the kernel.  Refer to
                     faith(4) and faithd(8) for details.

             ip6.log_interval
                     The variable controls the amount of logging generated by
                     the IPv6 packet forwarding engine by setting the interval
                     between log outputs (in seconds).

             ip6.lowportmax
                     The highest port number to use for TCP and UDP reserved
                     port allocation.  This cannot be set to less than 0 or
                     greater than 1024, and must be greater than
                     ip6.lowportmin.

             ip6.lowportmin
                     The lowest port number to use for TCP and UDP reserved
                     port allocation.  This cannot be set to less than 0 or
                     greater than 1024, and must be smaller than
                     ip6.lowportmax.

             ip6.maxdynroutes
                     Maximum number of routes created by redirect.  Set it to
                     negative to disable.  The default value is 4096.

             ip6.maxifprefixes
                     Maximum number of prefixes created by route
                     advertisements per interface.  Set it to negative to
                     disable.  The default value is 16.

             ip6.maxifdefrouters
                     Maximum number of default routers created by route
                     advertisements per interface.  Set it to negative to
                     disable.  The default value is 16.

             ip6.maxflows
                     IPv6 Fast Forwarding is enabled by default.  If set to 0,
                     IPv6 Fast Forwarding is disabled.  ip6.maxflows controls
                     the maximum number of flows which can be created.  The
                     default value is 256.

             ip6.maxfragpackets
                     The maximum number of fragmented packets the node will
                     accept.  0 means that the node will not accept any
                     fragmented packets.  -1 means that the node will accept
                     as many fragmented packets as it receives.  The limit is
                     provided mainly to mitigate possible DoS attacks.

             ip6.maxfrags
                     The maximum number of fragments the node will accept.  0
                     means that the node will not accept any fragments.  -1
                     means that the node will accept as many fragments as it
                     receives.  The limit is provided mainly to mitigate
                     possible DoS attacks.

             ip6.neighborgcthresh
                     Maximum number of entries in neighbor cache per
                     interface.  Set to negative to disable.  The default
                     value is 2048.

             ip6.param_rt_msg
                     If set to 0, the parameter-change routing message is
                     suppressed.  If set to 1, the parameter-change routing
                     message is sent as RTM_NEWADDR.  Other values are not
                     yet defined.

             ip6.redirect
                     If set to 1, ICMPv6 redirects may be sent by the node.
                     This option is ignored unless the node is routing IP
                     packets, and should normally be enabled on all systems.

             ip6.rr_prune
                     The variable specifies the interval, in seconds, between
                     IPv6 router renumbering prefix maintenance runs.

             ip6.use_deprecated
                     The variable controls the use of deprecated addresses,
                     as specified in RFC 2462 section 5.5.4.

             ip6.v6only
                     The variable specifies the initial value of the
                     IPV6_V6ONLY socket option for AF_INET6 sockets.  Please
                     refer to ip6(4) for details.

             icmp6.errppslimit
                     The variable specifies the maximum number of outgoing
                     ICMPv6 error messages per second.  ICMPv6 error messages
                     that exceed the value are subject to rate limitation
                     and will not go out from the node.  A negative value
                     disables rate limitation.

             icmp6.mtudisc_hiwat

             icmp6.mtudisc_lowat
                     The variables define the maximum number of routing table
                     entries created due to path MTU discovery (this prevents
                     denial-of-service attacks with ICMPv6 too big messages).
                     When IPv6 path MTU discovery happens, the path MTU
                     information is kept in the routing table.  If the number
                     of routing table entries exceeds the value, the kernel
                     will not attempt to keep the path MTU information.
                     icmp6.mtudisc_hiwat is used for verified ICMPv6 too big
                     messages.  icmp6.mtudisc_lowat is used for unverified
                     ICMPv6 too big messages.  Verification is performed by
                     using the address/port pairs kept in connected pcbs.  A
                     negative value disables the upper limit.

             icmp6.nd6_debug
                     If set to non-zero, kernel IPv6 neighbor discovery code
                     will generate debugging messages.  The debug outputs are
                     useful to diagnose IPv6 interoperability issues.  The
                     flag must be set to 0 for normal operation.

             icmp6.nd6_delay
                     The variable specifies the DELAY_FIRST_PROBE_TIME timing
                     constant from the IPv6 neighbor discovery specification
                     (RFC 2461), in seconds.

             icmp6.nd6_maxnudhint
                     Neighbor discovery permits upper layer protocols to
                     supply reachability hints, to avoid unnecessary neighbor
                     discovery exchanges.  The variable defines the number of
                     consecutive hints the neighbor discovery layer will take.
                     For example, when the variable is set to 3, the neighbor
                     discovery layer takes at most 3 consecutive hints; after
                     receiving 3 hints it performs the normal neighbor
                     discovery process.

             icmp6.nd6_mmaxtries
                     The variable specifies MAX_MULTICAST_SOLICIT constant in
                     IPv6 neighbor discovery specification (RFC 2461).

             icmp6.nd6_prune
                     The variable specifies interval between IPv6 neighbor
                     cache babysitting, in seconds.

             icmp6.nd6_umaxtries
                     The variable specifies MAX_UNICAST_SOLICIT constant in
                     IPv6 neighbor discovery specification (RFC 2461).

             icmp6.nd6_useloopback
                     If set to non-zero, kernel IPv6 stack will use loopback
                     interface for local traffic.

             icmp6.nodeinfo
                     The variable enables responses to ICMPv6 node information
                     queries.  If the variable is set to 0, no responses are
                     generated for ICMPv6 node information queries.  Since
                     node information queries can have a security impact, it
                     is possible to fine-tune which queries are answered.  Two
                     separate bits can be set:

                     1      Respond to ICMPv6 FQDN queries, e.g.  ping6 -w.

                     2      Respond to ICMPv6 node addresses queries, e.g.
                            ping6 -a.

             icmp6.rediraccept
                     If set to non-zero, the host will accept ICMPv6 redirect
                     packets.  Note that IPv6 routers will never accept ICMPv6
                     redirect packets, and the variable is meaningful on IPv6
                     hosts (non-router) only.

             icmp6.redirtimeout
                     The variable specifies lifetime of routing entries
                     generated by incoming ICMPv6 redirect.

             icmp6.reflect_pmtu
                     A boolean controlling whether ICMPv6 reflection uses path
                     MTU discovery.  If not, ICMPv6 reflection uses
                     IPV6_MINMTU.

             icmp6.dynamic_rt_msg
                     A boolean controlling whether the kernel sends a routing
                     message for RTM_DYNAMIC routes.  If set to true, such
                     routing messages are sent.

             udp6.do_loopback_cksum
                     Perform UDP checksum on loopback.

             udp6.recvspace
                     Default UDP receive buffer size.

             udp6.sendspace
                     Default UDP send buffer size.

             We reuse net.*.tcp for TCP over IPv6, and therefore we do not
             have variables net.*.tcp6.  Variables net.inet6.udp6 have
             identical meaning to net.inet.udp.  Please refer to PF_INET
             section above.  For variables net.*.ipsec6, please refer to
             ipsec(4).

     net.key (PF_KEY)
             Get or set various global information about the IPsec key
             management.  The third level name is the variable name.  The
             currently defined variable and names are:

                   Variable             Type       Changeable
                   debug                integer    yes
                   enabled              integer    yes
                   used                 integer    no
                   spi_try              integer    yes
                   spi_min_value        integer    yes
                   spi_max_value        integer    yes
                   larval_lifetime      integer    yes
                   blockacq_count       integer    yes
                   blockacq_lifetime    integer    yes
                   esp_keymin           integer    yes
                   esp_auth             integer    yes
                   ah_keymin            integer    yes
                   allow_different_idtype
                                        boolean    yes
             The variables are as follows:

             debug   Turn on debugging message from within the kernel.  The
                     value is a bitmap, as defined in <netipsec/key_debug.h>.

             enabled
                     Control processing of IPsec control messages.

                     0       Never allow IPsec processing

                     1       Allow IPsec processing when SPD policies are
                             present.

                     2       Force IPsec processing even when SPD policies are
                             not present.

             used    Shows whether IPsec is being used, based on whether IPsec
                     is enabled and on whether SPD rules exist.  Note that
                     currently, once IPsec is in use, it cannot be disabled.

             spi_try
                     The number of times the kernel will try to obtain a
                     unique SPI when generating one from the random number
                     generator.

             spi_min_value
                     Minimum SPI value when generating it within the kernel.

             spi_max_value
                     Maximum SPI value when generating it within the kernel.

             larval_lifetime
                     Lifetime for LARVAL SAD entries, in seconds.

             blockacq_count
                     Number of ACQUIRE PF_KEY messages to be blocked after an
                     ACQUIRE message.  It avoids flood of ACQUIRE PF_KEY from
                     being sent from the kernel to the key management daemon.

             blockacq_lifetime
                     Lifetime of ACQUIRE PF_KEY message.

             esp_keymin
                     Minimum ESP key length, in bits.  The value is used when
                     the kernel creates proposal payload on ACQUIRE PF_KEY
                     message.

             esp_auth
                     Whether ESP authentication should be used or not.  Non-
                     zero value indicates that ESP authentication should be
                     used.  The value is used when the kernel creates proposal
                     payload on ACQUIRE PF_KEY message.

             ah_keymin
                     Minimum AH key length, in bits.  The value is used when
                     the kernel creates proposal payload on ACQUIRE PF_KEY
                     message.

             allow_different_idtype
                     A boolean that allows or disallows different identifier
                     types on IDii and IDir.  Allowing this can improve
                     interconnectivity to some VPN appliances.

     net.local (PF_LOCAL)
             Get or set various global information about AF_LOCAL type
             sockets.  For some variables, the third level name is the
             variable name:

                   Variable    Type       Changeable
                   inflight    integer    no
                   deferred    integer    no
             The variables are as follows:

             inflight
                     The number of file descriptors currently passed between
                     processes, "in flight".

             deferred
                     The number of file descriptors passed between processes
                     that have been deferred for cleanup by a kernel task.

             Other variables are specific to a socket type:

                   Socket Type  Variable     Type       Changeable
                   dgram        pcblist      struct     no
                   dgram        recvspace    integer    yes
                   dgram        sendspace    integer    yes
                   seqpacket    pcblist      struct     no
                   stream       pcblist      struct     no
                   stream       recvspace    integer    yes
                   stream       sendspace    integer    yes
             The variables are as follows:

             dgram.pcblist
                     The Protocol Control Block list structure for datagram
                     sockets.  Parsed by netstat(1) or sockstat(1).

             dgram.recvspace
                     The default datagram receive buffer size.

             dgram.sendspace
                     The default datagram send buffer size.

             seqpacket.pcblist
                     The Protocol Control Block list structure for Sequential
                     Packet sockets.  Parsed by netstat(1) or sockstat(1).

             stream.pcblist
                     The Protocol Control Block list structure for stream
                     sockets.  Parsed by netstat(1) or sockstat(1).

             stream.recvspace
                     The default stream receive buffer size.

             stream.sendspace
                     The default stream send buffer size.

   The proc.* subtree
     The string and integer information available for the proc level is
     detailed below.  The changeable column shows whether a process with
     appropriate privilege may change the value.  These values are per-
     process, and as such may change from one process to another.  When a
     process is created, the default values are inherited from its parent.
     When a set-user-ID or set-group-ID binary is executed, the value of
     PROC_PID_CORENAME is reset to the system default value.  The second level
     name is either the magic value PROC_CURPROC, which points to the current
     process, or the PID of the target process.

           Third level name     Type      Changeable
           proc.pid.corename    string    yes
           proc.pid.rlimit      node      not applicable
           proc.pid.stopfork    int       yes
           proc.pid.stopexec    int       yes
           proc.pid.stopexit    int       yes
           proc.pid.paxflags    int       no

     proc.pid.corename (PROC_PID_CORENAME)
             The template used for the core dump file name (see core(5) for
             details).  The base name must either be core or end with the
             suffix .core (the super-user may set arbitrary names).  By
             default it points to KERN_DEFCORENAME.

     proc.pid.rlimit (PROC_PID_LIMIT)
             Return resources limits, as defined for the getrlimit(2) and
             setrlimit(2) system calls.  The fourth level name is one of:

             proc.pid.rlimit.cputime (PROC_PID_LIMIT_CPU)
                     The maximum amount of CPU time (in seconds) to be used by
                     each process.

             proc.pid.rlimit.filesize (PROC_PID_LIMIT_FSIZE)
                     The largest size (in bytes) file that may be created.

             proc.pid.rlimit.datasize (PROC_PID_LIMIT_DATA)
                     The maximum size (in bytes) of the data segment for a
                     process; this defines how far a program may extend its
                     break with the sbrk(2) system call.

             proc.pid.rlimit.stacksize (PROC_PID_LIMIT_STACK)
                     The maximum size (in bytes) of the stack segment for a
                     process; this defines how far a program's stack segment
                     may be extended.  Stack extension is performed
                     automatically by the system.

             proc.pid.rlimit.coredumpsize (PROC_PID_LIMIT_CORE)
                     The largest size (in bytes) core file that may be
                     created.

             proc.pid.rlimit.memoryuse (PROC_PID_LIMIT_RSS)
                     The maximum size (in bytes) to which a process's resident
                     set size may grow.  This imposes a limit on the amount of
                     physical memory to be given to a process; if memory is
                     tight, the system will prefer to take memory from
                     processes that are exceeding their declared resident set
                     size.

             proc.pid.rlimit.memorylocked (PROC_PID_LIMIT_MEMLOCK)
                     The maximum size (in bytes) which a process may lock into
                     memory using the mlock(2) function.

             proc.pid.rlimit.maxproc (PROC_PID_LIMIT_NPROC)
                     The maximum number of simultaneous processes for this
                     user id.

             proc.pid.rlimit.descriptors (PROC_PID_LIMIT_NOFILE)
                     The maximum number of open files for this process.

             proc.pid.rlimit.sbsize (PROC_PID_LIMIT_SBSIZE)
                     The maximum size (in bytes) of the socket buffers set by
                     the setsockopt(2) SO_RCVBUF and SO_SNDBUF options.

             proc.pid.rlimit.vmemoryuse (PROC_PID_LIMIT_AS)
                     The maximum size (in bytes) which a process can obtain.

             proc.pid.rlimit.maxlwp (PROC_PID_LIMIT_NTHR)
                     The maximum number of threads that can be created and
                     running at one time in the process.  The first thread of
                     each process is not counted against this.

             The fifth level name is one of soft (PROC_PID_LIMIT_TYPE_SOFT) or
             hard (PROC_PID_LIMIT_TYPE_HARD), to select respectively the soft
             or hard limit.  Both are of type integer.
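The proc.pid.rlimit.<resource>.soft and .hard nodes expose the same per-process limits that getrlimit(2) and setrlimit(2) operate on, so the soft/hard rules the text describes can be exercised without the sysctl interface at all. The program below is an added example, not code from this manual page or from NetBSD; it uses only the portable getrlimit/setrlimit calls (so it runs on any POSIX host, not just NetBSD) and shows the two properties a practitioner relies on when hardening a process: the soft limit can never be raised above the hard limit, and lowering the hard limit needs no privilege and cannot be undone through the soft limit. RLIMIT_CORE is the resource behind proc.pid.rlimit.coredumpsize; pinning it to 0 is the usual way to keep a daemon from leaving core files containing secrets.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>

/* Read the soft and hard values of one resource limit.
 * Returns 0 on success, -1 on error. */
int read_limits(int resource, rlim_t *soft, rlim_t *hard)
{
	struct rlimit rl;

	if (getrlimit(resource, &rl) != 0)
		return -1;
	*soft = rl.rlim_cur;
	*hard = rl.rlim_max;
	return 0;
}

/* Change only the soft limit (the proc.pid.rlimit.*.soft view).  Returns 0 on
 * success or -errno; a soft limit above the hard limit is rejected with EINVAL
 * regardless of privilege. */
int set_soft_limit(int resource, rlim_t value)
{
	struct rlimit rl;

	if (getrlimit(resource, &rl) != 0)
		return -errno;
	rl.rlim_cur = value;
	if (setrlimit(resource, &rl) != 0)
		return -errno;
	return 0;
}

/* Lower the hard limit (the proc.pid.rlimit.*.hard view) to 'value', pulling
 * the soft limit down with it if needed.  Any process may lower its own hard
 * limit; this function never tries to raise one, as that is the privileged
 * path.  Returns 0 or -errno. */
int cap_hard_limit(int resource, rlim_t value)
{
	struct rlimit rl;

	if (getrlimit(resource, &rl) != 0)
		return -errno;
	if (value > rl.rlim_max)
		return -EPERM;
	rl.rlim_max = value;
	if (rl.rlim_cur > value)
		rl.rlim_cur = value;
	if (setrlimit(resource, &rl) != 0)
		return -errno;
	return 0;
}

/* Hardening step: pin core dumps off for this process and everything it
 * later forks or execs (children inherit the limits).  Returns 1 when both
 * limits read back as 0 and a later attempt to re-enable dumps through the
 * soft limit is refused with EINVAL, 0 otherwise. */
int disable_core_dumps(void)
{
	rlim_t soft, hard;

	if (cap_hard_limit(RLIMIT_CORE, 0) != 0)
		return 0;
	if (read_limits(RLIMIT_CORE, &soft, &hard) != 0)
		return 0;
	return soft == 0 && hard == 0 &&
	    set_soft_limit(RLIMIT_CORE, 1) == -EINVAL;
}

static void print_limit(const char *name, int resource)
{
	rlim_t soft, hard;

	if (read_limits(resource, &soft, &hard) != 0) {
		perror(name);
		return;
	}
	printf("%-12s soft=", name);
	if (soft == RLIM_INFINITY)
		printf("unlimited");
	else
		printf("%llu", (unsigned long long)soft);
	printf(" hard=");
	if (hard == RLIM_INFINITY)
		printf("unlimited");
	else
		printf("%llu", (unsigned long long)hard);
	printf("\n");
}

int main(void)
{
	print_limit("coredumpsize", RLIMIT_CORE);
	print_limit("descriptors", RLIMIT_NOFILE);
	printf("core dumps pinned off: %s\n",
	    disable_core_dumps() ? "yes" : "no");
	print_limit("coredumpsize", RLIMIT_CORE);
	return 0;
}
```

On NetBSD the same two numbers the program prints for RLIMIT_CORE are what `sysctl proc.curproc.rlimit.coredumpsize.soft` and `.hard` report, since proc.curproc is the PROC_CURPROC magic value described above; a value lowered through either interface is visible through the other.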

     proc.pid.stopfork (PROC_PID_STOPFORK)
             If non zero, the process' children will be stopped after fork(2)
             calls.  The children are created in the SSTOP state and are never
             scheduled for running before being stopped.  This feature enables
             attaching to a process with a debugger such as gdb(1) before the
             process has the opportunity to actually do anything.

             This value is inherited by the process's children, and it also
             applies to emulation specific system calls that fork a new
             process, such as sproc() or clone().

     proc.pid.stopexec (PROC_PID_STOPEXEC)
             If non zero, the process will be stopped on the next exec(3)
             call.  The process created by exec(3) is created in the SSTOP
             state and is never scheduled for running before being stopped.
             This feature enables attaching to a process with a debugger such
             as gdb(1) before the process has the opportunity to actually do
             anything.

             This value is inherited by the process's children.

     proc.pid.stopexit (PROC_PID_STOPEXIT)
             If non zero, the process will be stopped when it has cause to
             exit, either by way of calling exit(3), _exit(2), or by the
             receipt of a specific signal.  The process is stopped before any
             of its resources or vm space is released allowing examination of
             the termination state of the process before it disappears.  This
             feature can be used to examine the final conditions of the
             process's vmspace via pmap(1) or its resource settings with
             sysctl(8) before it disappears.

             This value is also inherited by the process's children.

     proc.pid.paxflags (PROC_PID_PAXFLAGS)
             This read-only variable returns the current value of the
             process's pax flags (see paxctl(8)).

   The user.* subtree (CTL_USER)
     The string and integer information available for the user level is
     detailed below.  The changeable column shows whether a process with
     appropriate privilege may change the value.

           Second level name        Type       Changeable
           user.atexit_max          integer    no
           user.bc_base_max         integer    no
           user.bc_dim_max          integer    no
           user.bc_scale_max        integer    no
           user.bc_string_max       integer    no
           user.coll_weights_max    integer    no
           user.cs_path             string     no
           user.expr_nest_max       integer    no
           user.line_max            integer    no
           user.posix2_c_bind       integer    no
           user.posix2_c_dev        integer    no
           user.posix2_char_term    integer    no
           user.posix2_fort_dev     integer    no
           user.posix2_fort_run     integer    no
           user.posix2_localedef    integer    no
           user.posix2_sw_dev       integer    no
           user.posix2_upe          integer    no
           user.posix2_version      integer    no
           user.re_dup_max          integer    no
           user.stream_max          integer    no
           user.tzname_max          integer    no

     user.atexit_max (USER_ATEXIT_MAX)
             The maximum number of functions that may be registered with
             atexit(3).

     user.bc_base_max (USER_BC_BASE_MAX)
             The maximum ibase/obase values in the bc(1) utility.

     user.bc_dim_max (USER_BC_DIM_MAX)
             The maximum array size in the bc(1) utility.

     user.bc_scale_max (USER_BC_SCALE_MAX)
             The maximum scale value in the bc(1) utility.

     user.bc_string_max (USER_BC_STRING_MAX)
             The maximum string length in the bc(1) utility.

     user.coll_weights_max (USER_COLL_WEIGHTS_MAX)
             The maximum number of weights that can be assigned to any entry
             of the LC_COLLATE order keyword in the locale definition file.

     user.cs_path (USER_CS_PATH)
             Return a value for the PATH environment variable that finds all
             the standard utilities.

     user.expr_nest_max (USER_EXPR_NEST_MAX)
             The maximum number of expressions that can be nested within
             parentheses by the expr(1) utility.

     user.line_max (USER_LINE_MAX)
             The maximum length in bytes of a text-processing utility's input
             line.

     user.posix2_char_term (USER_POSIX2_CHAR_TERM)
             Return 1 if the system supports at least one terminal type
             capable of all operations described in IEEE Std 1003.2
             ("POSIX.2"), otherwise 0.

     user.posix2_c_bind (USER_POSIX2_C_BIND)
             Return 1 if the system's C-language development facilities
             support the C-Language Bindings Option, otherwise 0.

     user.posix2_c_dev (USER_POSIX2_C_DEV)
             Return 1 if the system supports the C-Language Development
             Utilities Option, otherwise 0.

     user.posix2_fort_dev (USER_POSIX2_FORT_DEV)
             Return 1 if the system supports the FORTRAN Development Utilities
             Option, otherwise 0.

     user.posix2_fort_run (USER_POSIX2_FORT_RUN)
             Return 1 if the system supports the FORTRAN Runtime Utilities
             Option, otherwise 0.

     user.posix2_localedef (USER_POSIX2_LOCALEDEF)
             Return 1 if the system supports the creation of locales,
             otherwise 0.

     user.posix2_sw_dev (USER_POSIX2_SW_DEV)
             Return 1 if the system supports the Software Development
             Utilities Option, otherwise 0.

     user.posix2_upe (USER_POSIX2_UPE)
             Return 1 if the system supports the User Portability Utilities
             Option, otherwise 0.

     user.posix2_version (USER_POSIX2_VERSION)
             The version of IEEE Std 1003.2 ("POSIX.2") with which the system
             attempts to comply.

     user.re_dup_max (USER_RE_DUP_MAX)
             The maximum number of repeated occurrences of a regular
             expression permitted when using interval notation.

     user.stream_max (USER_STREAM_MAX)
             The minimum maximum number of streams that a process may have
             open at any one time.

     user.tzname_max (USER_TZNAME_MAX)
             The minimum maximum number of types supported for the name of a
             timezone.

   The vm.* subtree (CTL_VM)
     The string and integer information available for the vm level is detailed
     below.  The changeable column shows whether a process with appropriate
     privilege may change the value.

           Second level name    Type                    Changeable
           vm.anonmax           int                     yes
           vm.anonmin           int                     yes
           vm.bufcache          int                     yes
           vm.bufmem            int                     no
           vm.bufmem_hiwater    int                     yes
           vm.bufmem_lowater    int                     yes
           vm.execmax           int                     yes
           vm.execmin           int                     yes
           vm.filemax           int                     yes
           vm.filemin           int                     yes
           vm.loadavg           struct loadavg          no
           vm.maxslp            int                     no
           vm.nkmempages        int                     no
           vm.uspace            int                     no
           vm.uvmexp            struct uvmexp           no
           vm.uvmexp2           struct uvmexp_sysctl    no
           vm.vmmeter           struct vmtotal          no
           vm.proc.map          struct kinfo_vmentry    no
           vm.guard_size        unsigned int            no
           vm.thread_guard_size unsigned int            yes
           vm.swap_encrypt      bool                    yes

     vm.anonmax (VM_ANONMAX)
             The percentage of physical memory which will be reclaimed from
             other types of memory usage to store anonymous application data.

     vm.anonmin (VM_ANONMIN)
             The percentage of physical memory which will always be
             available for anonymous application data.

     vm.bufcache (VM_BUFCACHE)
             The percentage of physical memory which will be available for the
             buffer cache.

     vm.bufmem (VM_BUFMEM)
             The amount of kernel memory that is being used by the buffer
             cache.

     vm.bufmem_lowater (VM_BUFMEM_LOWATER)
             The minimum amount of kernel memory to reserve for the buffer
             cache.

     vm.bufmem_hiwater (VM_BUFMEM_HIWATER)
             The maximum amount of kernel memory to be used for the buffer
             cache.

     vm.execmax (VM_EXECMAX)
             The percentage of physical memory which will be reclaimed from
             other types of memory usage to store cached executable data.

     vm.execmin (VM_EXECMIN)
             The percentage of physical memory which will always be
             available for cached executable data.

     vm.filemax (VM_FILEMAX)
             The percentage of physical memory which will be reclaimed from
             other types of memory usage to store cached file data.

     vm.filemin (VM_FILEMIN)
             The percentage of physical memory which will always be
             available for cached file data.

     vm.loadavg (VM_LOADAVG)
             Return the load average history.  The returned data consists of a
             struct loadavg.

     vm.maxslp (VM_MAXSLP)
             The value of the maxslp kernel global variable.

     vm.vmmeter (VM_METER)
             Return system wide virtual memory statistics.  The returned data
             consists of a struct vmtotal.

     vm.user_va0_disable
             A flag which controls whether user processes can map virtual
             address 0.

     vm.proc.map (VM_PROC)
             The third level is VM_PROC_MAP, the fourth is the pid of the
             process to display the vm object entries for, and the fifth is
             the size of struct kinfo_vmentry.  Returns an array of struct
             kinfo_vmentry objects.

     vm.ubc_direct [EXPERIMENTAL, default off]
             Use direct map for UBC I/O, avoiding need to map and unmap buffer
             memory.  Speeds up operation for fast I/O devices like NVMe,
             especially on multi-CPU systems.  Only available on some
             architectures.

     vm.uspace (VM_USPACE)
             The number of bytes allocated for each kernel stack.

     vm.uvmexp (VM_UVMEXP)
             Return system wide virtual memory statistics.  The returned data
             consists of a struct uvmexp.

     vm.uvmexp2 (VM_UVMEXP2)
             Return system wide virtual memory statistics.  The returned data
             consists of a struct uvmexp_sysctl.

     vm.guard_size
             Return system wide guard size for the main thread of a program.

     vm.thread_guard_size
             Return system wide default size for the guard area of all other
             threads of a program.

     vm.swap_encrypt
             If true, encrypt data while swapped out to disk.

             Each swap device maintains an independent AES-256 key, generated
             when the first page is swapped to that device.  Each page is
             swapped independently using AES-CBC, with an initialization
             vector chosen by the encryption under the AES-256 key of the
             little-endian swap slot number padded to 128 bits with zeros.
             (This is essentially the cgd(4) `encblkno1' method.)

             Changes to vm.swap_encrypt only affect pages of swap newly
             written out.  To force encrypting or decrypting all existing
             swap, or to rekey previously encrypted swap, you can remove the
             swap devices and re-add them with swapctl(8), with the caveat
             that whatever pages were already written to disk unencrypted or
             encrypted with a compromised key may still be written to disk
             afterward.

   The ddb.* subtree (CTL_DDB)
     The information available for the ddb level is detailed below.  The
     changeable column shows whether a process with appropriate privilege may
     change the value.

           Second level name    Type       Changeable
           ddb.commandonenter   string     yes
           ddb.dumpstack        integer    yes
           ddb.fromconsole      integer    yes
           ddb.lines            integer    yes
           ddb.maxoff           integer    yes
           ddb.maxwidth         integer    yes
           ddb.onpanic          integer    yes
           ddb.panicstackframes integer    yes
           ddb.radix            integer    yes
           ddb.tabstops         integer    yes
           ddb.tee_msgbuf       integer    yes

     ddb.commandonenter
             If not empty, the string is used as the DDB command to be
             executed each time DDB is entered.

     ddb.dumpstack
             A value of 1 causes a stack trace to be printed on entering ddb
             from a panic.  A value of 0 disables this behaviour.  The default
             value is 1.

     ddb.fromconsole (DDBCTL_FROMCONSOLE)
             If not zero, DDB may be entered by sending a break on a serial
             console or by a special key sequence on a graphics console.

     ddb.lines (DDBCTL_LINES)
             Number of display lines.

     ddb.maxoff (DDBCTL_MAXOFF)
             The maximum symbol offset.

     ddb.maxwidth (DDBCTL_MAXWIDTH)
             The maximum output line width.

     ddb.onpanic (DDBCTL_ONPANIC)
             If greater than zero, DDB will be entered if the kernel panics.
             A value of 1 causes the system to enter DDB on panic.  A value of
             0 causes the kernel to attempt to print a stack trace, then
             reboot, while a value of -1 means neither a stack trace will be
             printed nor DDB entered.

     ddb.panicstackframes
             Number of stack frames to display on panic.  Useful to avoid
             scrolling the interesting frames off a glass tty.  The default
             value is 65535 (all frames); a useful value is around 10.

     ddb.radix (DDBCTL_RADIX)
             The input and output radix.

     ddb.tabstops (DDBCTL_TABSTOPS)
             Tab width.

     ddb.tee_msgbuf
             If not zero, DDB will also output to the kernel message buffer.

     Some of these MIB nodes are also available as variables from within the
     debugger.  See ddb(4) for more details.

   The security.* subtree (CTL_SECURITY)
     The security level contains various security-related settings for the
     system.  The available second level names are:

           Second level name    Type       Changeable
           security.curtain     integer    yes
           security.models      node       not applicable
           security.pax         node       not applicable

     Available settings are detailed below.

     security.curtain
             If non-zero, returned objects are filtered according to the user
             ID requesting information about them, preventing users from
             accessing any objects they do not own.

             At the moment, it affects ps(1), netstat(1) (for PF_INET,
             PF_INET6, and PF_UNIX PCBs), and w(1).
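Settings such as security.curtain are normally made persistent in /etc/sysctl.conf, the file the DESCRIPTION section names as accepting the textual variable names. The fragment below is an added example, not part of this manual page or of NetBSD's default configuration; it uses only variables documented on this page (the net.inet6.icmp6, vm, ddb and security subtrees), and each hardened line is preceded by the permissive setting it replaces, commented out. The values are one reasonable defensive choice, not the system defaults.

```conf
# Constructed /etc/sysctl.conf hardening fragment (added example, not from
# sysctl(7)).  Commented lines show the permissive setting; the active line
# below each is the hardened one.

# Hosts (not routers) honour redirects; refusing them keeps on-link peers from
# installing routing entries on this host.
#net.inet6.icmp6.rediraccept=1
net.inet6.icmp6.rediraccept=0

# Node-information queries (ping6 -w / ping6 -a) reveal the FQDN and addresses.
#net.inet6.icmp6.nodeinfo=3
net.inet6.icmp6.nodeinfo=0

# Neighbor-discovery debugging output must be off for normal operation.
net.inet6.icmp6.nd6_debug=0

# Hide other users' processes, PCBs and sessions from ps(1), netstat(1), w(1).
#security.curtain=0
security.curtain=1

# PaX: master switches on, and on by default for every program that has not
# been exempted with paxctl(8).
security.pax.aslr.enabled=1
security.pax.aslr.global=1
security.pax.mprotect.enabled=1
security.pax.mprotect.global=1
# Do not let ptrace(2) lift MPROTECT from processes that are already running.
#security.pax.mprotect.ptrace=2
security.pax.mprotect.ptrace=1

# Encrypt pages written to swap.  Only pages written after the change are
# affected; re-add swap devices with swapctl(8) to cover existing swap.
vm.swap_encrypt=1

# Do not drop into the kernel debugger on a serial break or console key
# sequence; on panic, print a stack trace and reboot rather than wait in DDB.
#ddb.fromconsole=1
ddb.fromconsole=0
ddb.onpanic=0
```

Applying the file is the same as running sysctl(8) on each line; since security.pax.segvguard is marked experimental on this page it is deliberately left at its default here.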

     security.models
             NetBSD supports pluggable security models.  Every security model
             used, whether loaded as a module or built into the system, is
             required to add an entry to this node with at least one element,
             "name", indicating the name of the security model.

             In addition to the name, any settings and other information
             private to the security model will be available under this node.
             See secmodel(9) for more information.

     security.pax
             Settings for PaX -- exploit mitigation features.  For more
             information on any of the PaX features, please see paxctl(8) and
             security(7).  The available third and fourth level names are:

               Third and fourth level names              Type       Changeable
               security.pax.aslr.enabled                 integer    yes
               security.pax.aslr.global                  integer    yes
               security.pax.mprotect.enabled             integer    yes
               security.pax.mprotect.global              integer    yes
               security.pax.mprotect.ptrace              integer    yes
               security.pax.segvguard.enabled            integer    yes
               security.pax.segvguard.expiry_timeout     integer    yes
               security.pax.segvguard.global             integer    yes
               security.pax.segvguard.max_crashes        integer    yes
               security.pax.segvguard.suspend_timeout    integer    yes

             security.pax.aslr.enabled
                     Enable PaX ASLR (Address Space Layout Randomization).

                     The value of this knob must be non-zero for PaX ASLR to
                     be enabled, even if a program is explicitly marked as
                     enabled.

             security.pax.aslr.global
                     Specifies the default global policy for programs without
                     an explicit enable/disable flag.

                     When non-zero, all programs will get PaX ASLR, except
                     those exempted with paxctl(8).  Otherwise, all programs
                     will not get PaX ASLR, except those specifically marked
                     as such with paxctl(8).

             security.pax.mprotect.enabled
                     Enable PaX MPROTECT restrictions.

                     These are mprotect(2) restrictions to better enforce a
                     W^X policy.  The value of this knob must be non-zero for
                     PaX MPROTECT to be enabled, even if a program is
                     explicitly marked as enabled.

             security.pax.mprotect.global
                     Specifies the default global policy for programs without
                     an explicit enable/disable flag.

                     When non-zero, all programs get the PaX MPROTECT
                     restrictions, except those explicitly exempted with
                     paxctl(8).  Otherwise, no program gets the PaX MPROTECT
                     restrictions, except those explicitly enabled with
                     paxctl(8).

             security.pax.mprotect.ptrace
                     This variable controls whether ptrace(2) may override the
                     PaX MPROTECT restrictions, so that a debugger can write
                     breakpoints into executable mappings.  It can have the
                     following values:
                     0   Tracing never overrides the restrictions.
                     1   Disables PaX MPROTECT for processes that start
                         executing while traced (default).
                     2   Bypasses PaX MPROTECT for all processes being traced.
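
                     The following is an added example for this page, not
                     NetBSD kernel code.  It models the precedence described
                     above for the aslr and mprotect knobs: .enabled is the
                     master switch that even an explicit paxctl(8) enable
                     cannot override, an explicit per-binary mark overrides
                     .global, and .global is the default for unmarked
                     binaries; mprotect.ptrace is then applied on top.  The
                     sysctl dump embedded in the block is constructed sample
                     input in the "name = value" form that sysctl(8) prints;
                     on a real host the values come from "sysctl
                     security.pax".  The helper names (parse_sysctl_dump,
                     effective, mprotect_restricted) are this example's own.

```python
"""Resolve the effective PaX ASLR / MPROTECT policy for a binary.

Added example for this page; it is not NetBSD kernel code.  It models the
precedence the sysctl(7) text describes for
security.pax.{aslr,mprotect}.{enabled,global} and security.pax.mprotect.ptrace.
The sysctl dump below is constructed sample input.
"""
import re
from typing import Dict, Optional

# Constructed sample output in the "name = value" form sysctl(8) prints.
SAMPLE_SYSCTL_DUMP = """\
security.pax.aslr.enabled = 1
security.pax.aslr.global = 1
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.mprotect.ptrace = 1
"""


def parse_sysctl_dump(text: str) -> Dict[str, int]:
    """Turn 'security.pax.x.y = N' lines into a {name: int} mapping."""
    knobs: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(security\.pax\.[\w.]+)\s*=\s*(-?\d+)\s*$", line)
        if m:
            knobs[m.group(1)] = int(m.group(2))
    return knobs


def effective(knobs: Dict[str, int], feature: str,
              explicit: Optional[bool]) -> bool:
    """True if PaX `feature` ("aslr" or "mprotect") applies to a binary.

    `explicit` is the binary's paxctl(8) mark: True = explicitly enabled,
    False = explicitly disabled, None = unmarked (falls back to .global).
    """
    if not knobs.get(f"security.pax.{feature}.enabled", 0):
        return False                      # master switch off: mark ignored
    if explicit is not None:
        return explicit                   # per-binary mark beats .global
    return bool(knobs.get(f"security.pax.{feature}.global", 0))


def mprotect_restricted(knobs: Dict[str, int], explicit: Optional[bool],
                        traced_at_exec: bool, traced_now: bool) -> bool:
    """Apply security.pax.mprotect.ptrace on top of the MPROTECT policy.

    0: tracing never lifts the restrictions;
    1: restrictions are dropped for a process that began executing while
       traced (the page's stated default);
    2: restrictions are bypassed for every process currently being traced.
    """
    restricted = effective(knobs, "mprotect", explicit)
    mode = knobs.get("security.pax.mprotect.ptrace", 1)
    if mode == 2 and traced_now:
        return False
    if mode == 1 and traced_at_exec:
        return False
    return restricted


if __name__ == "__main__":
    knobs = parse_sysctl_dump(SAMPLE_SYSCTL_DUMP)
    for feature in ("aslr", "mprotect"):
        for mark, label in ((None, "unmarked"), (True, "+enable"), (False, "-disable")):
            print(f"{feature:9s} {label:9s} -> {effective(knobs, feature, mark)}")
```

                     With the sample dump, an unmarked binary gets ASLR but
                     not MPROTECT (mprotect.global is 0), a binary marked
                     enabled gets MPROTECT, and flipping mprotect.enabled to
                     0 removes it again regardless of the mark.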

             security.pax.segvguard.enabled
                     Enable PaX Segvguard.

                     PaX Segvguard can detect and prevent certain exploitation
                     attempts, for example an attacker trying to brute-force
                     the return addresses of a daemon that is respawned after
                     every crash.

                     Note: The NetBSD interface and implementation of the
                     Segvguard is still experimental, and may change in future
                     releases.

             security.pax.segvguard.expiry_timeout
                     If max_crashes was not reached within this timeout (in
                     seconds) of the first recorded crash, the crash-count
                     entry expires and counting starts over.

             security.pax.segvguard.global
                     Specifies the default global policy for programs without
                     an explicit enable/disable flag.

                     When non-zero, all programs will get the PaX Segvguard,
                     except those exempted with paxctl(8).  Otherwise, no
                     program will get the PaX Segvguard restrictions, except
                     those specifically marked as such with paxctl(8).

             security.pax.segvguard.max_crashes
                     The number of segfaults a program may receive within
                     expiry_timeout before the user is suspended from running
                     it.

             security.pax.segvguard.suspend_timeout
                     Number of seconds to suspend a user from running a
                     faulting program when the limit was exceeded.
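
                     The following is an added example for this page, not
                     NetBSD's Segvguard implementation (which the page itself
                     calls experimental, so the kernel's exact bookkeeping may
                     differ).  It models what the four knobs describe: crashes
                     are counted per (uid, program); reaching max_crashes
                     within expiry_timeout seconds suspends that user from the
                     program for suspend_timeout seconds; an entry that does
                     not reach the limit in time expires.  The enabled/global/
                     paxctl(8) precedence is the same as for the other PaX
                     features.  The knob values, the class and method names,
                     and the example program path are all this example's own
                     constructed data.

```python
"""Model of the PaX Segvguard counters driven by security.pax.segvguard.*.

Added example for this page; it is not NetBSD's implementation.  Knob values
below are constructed sample data, not NetBSD defaults.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

KNOBS: Dict[str, int] = {                  # constructed values
    "security.pax.segvguard.enabled": 1,
    "security.pax.segvguard.global": 1,
    "security.pax.segvguard.expiry_timeout": 120,
    "security.pax.segvguard.max_crashes": 5,
    "security.pax.segvguard.suspend_timeout": 600,
}


@dataclass
class Entry:
    first_crash: float          # when this crash-count window was opened
    crashes: int = 0
    suspended_until: float = 0.0


class Segvguard:
    def __init__(self, knobs: Dict[str, int]) -> None:
        self.k = knobs
        self.entries: Dict[Tuple[int, str], Entry] = {}

    def applies(self, explicit: Optional[bool]) -> bool:
        """enabled is the master switch; a paxctl(8) mark overrides global."""
        if not self.k["security.pax.segvguard.enabled"]:
            return False
        if explicit is not None:
            return explicit
        return bool(self.k["security.pax.segvguard.global"])

    def may_exec(self, uid: int, path: str, now: float,
                 explicit: Optional[bool] = None) -> bool:
        """False while `uid` is suspended from running `path`."""
        if not self.applies(explicit):
            return True
        e = self.entries.get((uid, path))
        return e is None or now >= e.suspended_until

    def record_segv(self, uid: int, path: str, now: float,
                    explicit: Optional[bool] = None) -> bool:
        """Count a segfault of `path` by `uid`; True if it triggers a suspension."""
        if not self.applies(explicit):
            return False
        expiry = self.k["security.pax.segvguard.expiry_timeout"]
        e = self.entries.get((uid, path))
        if e is None or now - e.first_crash > expiry:
            # No window yet, or the old one expired below the limit: restart.
            e = Entry(first_crash=now)
            self.entries[(uid, path)] = e
        e.crashes += 1
        if e.crashes >= self.k["security.pax.segvguard.max_crashes"]:
            e.suspended_until = now + self.k["security.pax.segvguard.suspend_timeout"]
            e.crashes = 0           # the next window starts fresh after suspension
            e.first_crash = now
            return True
        return False


if __name__ == "__main__":
    g = Segvguard(KNOBS)
    prog = "/usr/libexec/example-daemon"        # constructed path
    for t in (0, 10, 20, 30, 40):
        print(f"t={t:3d} crash -> suspended={g.record_segv(1000, prog, t)}")
    print("uid 1000 may exec at t=100:", g.may_exec(1000, prog, 100))
    print("uid 1000 may exec at t=700:", g.may_exec(1000, prog, 700))
```

                     Note that the suspension is per user and per program, so
                     another uid running the same binary is unaffected, and a
                     slow trickle of crashes that never reaches max_crashes
                     inside expiry_timeout is never punished.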

   The vendor.* subtree (CTL_VENDOR)
     The vendor toplevel name is reserved to be used by vendors who wish to
     have their own private MIB tree.  Intended use is to store values under
     "vendor.<yourname>.*".

SEE ALSO
     sysctl(3), ipsec(4), tcp(4), security(7), sysctl(8)

HISTORY
     The sysctl variables first appeared in 4.4BSD.

NetBSD 10.99                     May 29, 2023                     NetBSD 10.99