Bump date for previous.

[netbsd-mini2440.git] / share / man / man7 / sysctl.7

.\"     $NetBSD: sysctl.7,v 1.23 2009/09/11 18:14:58 apb Exp $
.\"
.\" Copyright (c) 1993
.\"     The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)sysctl.3    8.4 (Berkeley) 5/9/95
.\"
.Dd September 11, 2009
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Sh Top level names
The top level names are defined with a CTL_ prefix in
.Aq Pa sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column security CTL_SECURITY "Next level names" "High kernel limits"
.It Sy Name     Constant        Next level names        Description
.It kern        CTL_KERN        sys/sysctl.h    High kernel limits
.It vm  CTL_VM  uvm/uvm_param.h Virtual memory
.It vfs CTL_VFS sys/mount.h     Filesystem
.It net CTL_NET sys/socket.h    Networking
.It debug       CTL_DEBUG       sys/sysctl.h    Debugging
.It hw  CTL_HW  sys/sysctl.h    Generic CPU, I/O
.It machdep     CTL_MACHDEP     sys/sysctl.h    Machine dependent
.It user        CTL_USER        sys/sysctl.h    User-level
.It ddb CTL_DDB sys/sysctl.h    In-kernel debugger
.It proc        CTL_PROC        sys/sysctl.h    Per-process
.It vendor      CTL_VENDOR      ?       Vendor specific
.It emul        CTL_EMUL        sys/sysctl.h    Emulation settings
.It security    CTL_SECURITY    sys/sysctl.h    Security settings
.El
.Sh The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Va ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Dv dospecialcheck
as a debugging variable, the following declaration would be used:
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Sh The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( VFS_GENERIC ) ,
is used to get general information about all filesystems.
One of its third level identifiers is
.Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
that gives the highest valid filesystem type number.
Its other third level identifier is
.Li vfs.generic.conf ( VFS_CONF )
that returns configuration information about the filesystem
type given as a fourth level identifier.
The remaining second level identifiers are the
filesystem type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
.Sh The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.acpi.supported_states" "integer" "Changeable" -offset indent
.It Sy Second level name        Type    Changeable
.It hw.acpi.supported_states    string  no
.It hw.alignbytes       integer no
.It hw.byteorder        integer no
.It hw.cnmagic  string  yes
.It hw.disknames        string  no
.It hw.diskstats        struct  no
.It hw.machine  string  no
.It hw.machine_arch     string  no
.It hw.model    string  no
.It hw.ncpu     integer no
.It hw.pagesize integer no
.It hw.physmem  integer no
.It hw.physmem64        quad    no
.It hw.usermem  integer no
.It hw.usermem64        quad    no
.El
.Pp
.Bl -tag -width "123456"
.It Li hw.acpi.support_states
List of possible
.Tn ACPI
sleep states.
The list can contain the following values:
.Bl -tag -width XS1X
.It S0
fully running
.It S1
power on suspend (CPU and hard disks are off)
.It S2
similar to S3, usually not implemented
.It S3
suspend-to-RAM
.It S4
suspend-to-disk (needs BIOS support)
.It S5
power off
.El
.It Li hw.alignbytes ( HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.Pa /usr/include/machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( HW_BYTEORDER )
The byteorder (4,321, or 1,234).
.It Li hw.cnmagic ( HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Va struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Va struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Va struct io_sysctl .
Which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( HW_MODEL )
The machine model.
.It Li hw.ncpu ( HW_NCPU )
The number of CPUs.
.It Li hw.pagesize ( HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Sh The kern.* subtree
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
.Bl -column "kern.posix_reader_writer_locks" "struct kinfo_drivers" "not applicable"
.It Sy Second level name        Type    Changeable
.It kern.argmax integer no
.It kern.autonicetime   integer yes
.It kern.autoniceval    integer yes
.It kern.boottime       struct timeval  no
.It kern.bufq   node    not applicable
.It kern.ccpu   integer no
.It kern.clockrate      struct clockinfo        no
.It kern.consdev        integer no
.It kern.cp_id  struct  no
.It kern.cp_time        uint64_t[\|]    no
.It kern.defcorename    string  yes
.It kern.domainname     string  yes
.It kern.drivers        struct kinfo_drivers    no
.It kern.file   struct file     no
.It kern.forkfsleep     integer yes
.It kern.fscale integer no
.It kern.fsync  integer no
.It kern.hardclock_ticks        integer no
.It kern.hostid integer yes
.It kern.hostname       string  yes
.It kern.iov_max        integer no
.It kern.job_control    integer no
.It kern.labeloffset    integer no
.It kern.labelsector    integer no
.It kern.login_name_max integer no
.It kern.logsigexit     integer yes
.It kern.mapped_files   integer no
.It kern.maxfiles       integer yes
.It kern.maxpartitions  integer no
.It kern.maxphys        integer no
.It kern.maxproc        integer yes
.It kern.maxptys        integer yes
.It kern.maxvnodes      integer yes
.It kern.mbuf   node    not applicable
.It kern.memlock        integer no
.It kern.memlock_range  integer no
.It kern.memory_protection      integer no
.It kern.monotonic_clock        integer no
.It kern.msgbuf integer no
.It kern.msgbufsize     integer no
.It kern.ngroups        integer no
.It kern.ntptime        struct ntptimeval       no
.It kern.osrelease      string  no
.It kern.osrev  integer no
.It kern.ostype string  no
.It kern.pipe   node    not applicable
.It kern.posix1 integer no
.It kern.posix_barriers integer no
.It kern.posix_reader_writer_locks      integer no
.It kern.posix_semaphores       integer no
.It kern.posix_spin_locks       integer no
.It kern.posix_threads  integer no
.It kern.posix_timers   integer no
.It kern.proc   struct kinfo_proc       no
.It kern.proc2  struct kinfo_proc2      no
.It kern.proc_args      string  no
.It kern.prof   node    not applicable
.It kern.rawpartition   integer no
.It kern.root_device    string  no
.It kern.root_partition integer no
.It kern.rtc_offset     integer yes
.It kern.saved_ids      integer no
.It kern.securelevel    integer raise only
.It kern.synchronized_io        integer no
.It kern.ipc    node    not applicable
.It kern.timecounter    node    not applicable
.It kern.timex  struct  no
.It kern.tkstat node    not applicable
.It kern.urandom        integer no
.It kern.version        string  no
.It kern.vnode  struct vnode    no
.El
.Bl -tag -width "123456"
.It Li kern.argmax ( KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.autonicetime ( KERN_AUTONICETIME )
The number of seconds of CPU-time a non-root process may accumulate before
having its priority lowered from the default to the value of KERN_AUTONICEVAL.
If set to 0, automatic lowering of priority is not performed, and if set to \-1
all non-root processes are immediately lowered.
.It Li kern.autoniceval ( KERN_AUTONICEVAL )
The priority assigned for automatically niced processes.
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( KERN_BOOTTIME )
A
.Va struct timeval
structure is returned.
This structure contains the time that the system was booted.
.It Li kern.ccpu ( KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( KERN_CLOCKRATE )
A
.Va struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
.It Li kern.consdev ( KERN_CONSDEV )
Console device.
.It Li kern.cp_id ( KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( KERN_CP_TIME )
Returns an array of CPUSTATES uint64_ts.
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.defcorename ( KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Nm %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.domainname ( KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
Perform a crash dump on system panic.
.It Li kern.drivers ( KERN_DRIVERS )
Return an array of
.Va struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.file ( KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Va struct filelist
followed by an array of
.Va struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( KERN_FORKFSLEEP )
If
.Xr fork 2
system call fails due to limit on number of processes (either
the global maxproc limit or user's one), wait for this many
milliseconds before returning
.Er EAGAIN
error to process.
Useful to keep heavily forking runaway processes in bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( KERN_FSYNC )
Return 1 if the POSIX 1003.1b File Synchronization Option is available
on this system,
otherwise 0.
.It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hostid ( KERN_HOSTID )
Get or set the host id.
.It Li kern.hostname ( KERN_HOSTNAME )
Get or set the hostname.
.It Li kern.iov_max ( KERN_IOV_MAX )
Return the maximum number of
.Va iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.job_control ( KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise 0.
.It Li kern.labeloffset ( KERN_LABELOFFSET )
The offset within the sector specified by KERN_LABELSECTOR of the
.Xr disklabel 5 .
.It Li kern.labelsector ( KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( KERN_MAPPED_FILES )
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
on this system,
otherwise 0.
.It Li kern.maxfiles ( KERN_MAXFILES )
The maximum number of open files that may be open in the system.
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxphys ( KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Type    Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat   integer yes
.It kern.mbuf.mclbytes  integer yes
.It kern.mbuf.mcllowat  integer yes
.It kern.mbuf.msize     integer yes
.It kern.mbuf.nmbclusters       integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( KERN_MEMLOCK )
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
on this system,
otherwise 0.
.It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
Returns 1 if the POSIX 1003.1b Memory Protection Option is available
on this system,
otherwise 0.
.It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the POSIX 1003.1b
Monotonic Clock Option conforms to,
otherwise 0.
.It Li kern.msgbuf ( KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( KERN_NGROUPS )
The maximum number of supplemental groups.
.It Li kern.ntptime ( KERN_NTPTIME )
A
.Va struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( KERN_OSREV )
The system revision string.
.It Li kern.ostype ( KERN_OSTYPE )
The system type string.
.It Li kern.pipe ( KERN_PIPE )
Pipe settings.
The third level names for the  integer pipe settings is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Type    Changeable
.It kern.pipe.kvasiz    integer yes
.It kern.pipe.maxbigpipes       integer yes
.It kern.pipe.maxkvasz  integer yes
.It kern.pipe.limitkva  integer yes
.It kern.pipe.nbigpipes integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
Maximum number of "big" pipes.
.It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
Number of "big" pipes.
.El
.It Li kern.posix1version ( KERN_POSIX1 )
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
.It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_threads ( KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise 0.
.It Li kern.posix_timers ( KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise 0.
.It Li kern.proc ( KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Va struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Fourth level is:
.It KERN_PROC_ALL       None
.It KERN_PROC_GID       A group ID
.It KERN_PROC_PID       A process ID
.It KERN_PROC_PGRP      A process group
.It KERN_PROC_RGID      A real group ID
.It KERN_PROC_RUID      A real user ID
.It KERN_PROC_SESSION   A session ID
.It KERN_PROC_TTY       A tty device
.It KERN_PROC_UID       A user ID
.El
.It Li kern.proc2 ( KERN_PROC2 )
As for KERN_PROC, but an array of
.Va struct kinfo_proc2
structures are returned.
The fifth level name is the size of the
.Va struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_NARGV" "The number of environ strings" -offset indent
.It KERN_PROC_ARGV      The argv strings
.It KERN_PROC_ENV       The environ strings
.It KERN_PROC_NARGV     The number of argv strings
.It KERN_PROC_NENV      The number of environ strings
.El
.It Li kern.profiling ( KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the KERN_PROF values will
fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Type    Changeable
.It kern.profiling.count        u_short[\|]     yes
.It kern.profiling.froms        u_short[\|]     yes
.It kern.profiling.gmonparam    struct gmonparam        no
.It kern.profiling.state        integer yes
.It kern.profiling.tos  struct tostruct yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( GPROF_STATE )
Profiling state.
If set to GMON_PROF_ON, starts profiling.
If set to GMON_PROF_OFF, stops profiling.
.It Li kern.profiling.tos ( GPROF_TOS )
Array of
.Va struct tostruct
describing destination of calls and their counts.
.El
.It Li kern.rawpartition ( KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID is available.
.It Li kern.sbmax ( KERN_SBMAX )
Maximum socket buffer size.
.\" XXX units?
.It Li kern.securelevel ( KERN_SECURELVL )
The system security level.
This level may be raised by processes with appropriate privilege.
It may only be lowered by process 1.
.It Li kern.somaxkva ( KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers.
.\" XXX units?
.It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
on this system,
otherwise 0.
.It Li kern.ipc ( KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Type    Changeable
.It kern.ipc.sysvmsg    integer no
.It kern.ipc.sysvsem    integer no
.It kern.ipc.sysvshm    integer no
.It kern.ipc.sysvipc_info       struct  no
.It kern.ipc.shmmax     integer yes
.It kern.ipc.shmmni     integer yes
.It kern.ipc.shmseg     integer yes
.It kern.ipc.shmmaxpgs  integer yes
.It kern.ipc.shm_use_phys       integer yes
.It kern.ipc.msgmni     integer yes
.It kern.ipc.msgseg     integer yes
.It kern.ipc.semmni     integer yes
.It kern.ipc.semmns     integer yes
.It kern.ipc.semmnu     integer yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
Returns 1 if System V style share memory functionality is available
on this system,
otherwise 0.
.It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name        Type
.It KERN_SYSVIPC_MSG_INFO       struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO       struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO       struct shm_sysctl_info
.El
.Pp
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.Aq Pa sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.Aq Pa sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.Aq Pa sys/shm.h .
.El
.It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of number of message segments.
.It Li kern.ipc.semmni
Max number of number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Type    Changeable
.It kern.timecounter.choice     string  no
.It kern.timecounter.hardware   string  yes
.It kern.timecounter.timestepwarnings   integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero display a message each time the time is stepped.
.El
.It Li kern.timex ( KERN_TIMEX )
Not available.
.It Li kern.tkstat ( KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Type    Changeable
.It kern.tkstat.cancc   quad    no
.It kern.tkstat.nin     quad    no
.It kern.tkstat.nout    quad    no
.It kern.tkstat.rawcc   quad    no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.urandom ( KERN_URND )
Random integer value.
.It Li kern.veriexec
Tunings for Verixec.
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file-system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 8
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (ie., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( KERN_VERSION )
The system version string.
.It Li kern.vnode ( KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Va struct vnode *
followed by the vnode itself
.Va struct vnode .
.It Li kern.coredump.setid
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allows an administrator to change this
behavior.
.Pp
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved to.
Same syntax as kern.defcorename.
.El
.\" XXX kern.lwp
.El
.Sh The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "Second level name" "Type" "Changeable" -offset indent
.It Sy Second level name        Type    Changeable
.It Li CPU_CONSDEV      dev_t   no
.El
.Sh The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name        Type    Changeable
.It net.route   routing messages        no
.It net.inet    IPv4 values     yes
.It net.inet6   IPv6 values     yes
.It net.key     IPsec key management values     yes
.El
.Pp
.Bl -tag -width "123456"
.It Li net.route ( PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Sixth level is:
.It NET_RT_FLAGS        rtflags
.It NET_RT_DUMP None
.It NET_RT_IFLIST       None
.El
.It Li net.inet ( PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "sack.globalmaxholes" "integer" "Changeable" -offset 4n
.It Sy Protocol name    Variable name   Type    Changeable
.It arp down    integer yes
.It arp keep    integer yes
.It arp prune   integer yes
.It arp refresh integer yes
.It carp        allow   integer yes
.It carp        preempt integer yes
.It carp        log     integer yes
.It carp        arpbalance      integer yes
.It icmp        errppslimit     integer yes
.It icmp        maskrepl        integer yes
.It icmp        rediraccept     integer yes
.It icmp        redirtimeout    integer yes
.It ip  allowsrcrt      integer yes
.It ip  anonportmax     integer yes
.It ip  anonportmin     integer yes
.It ip  checkinterface  integer yes
.It ip  directed-broadcast      integer yes
.It ip  do_loopback_cksum       integer yes
.It ip  forwarding      integer yes
.It ip  forwsrcrt       integer yes
.It ip  gifttl  integer yes
.It ip  grettl  integer yes
.It ip  hashsize        integer yes
.It ip  hostzerobroadcast       integer yes
.It ip  lowportmin      integer yes
.It ip  lowportmax      integer yes
.It ip  maxflows        integer yes
.It ip  maxfragpackets  integer yes
.It ip  mtudisc integer yes
.It ip  mtudisctimeout  integer yes
.It ip  random_id       integer yes
.It ip  redirect        integer yes
.It ip  subnetsarelocal integer yes
.It ip  ttl     integer yes
.It tcp rfc1323 integer yes
.It tcp sendspace       integer yes
.It tcp recvspace       integer yes
.It tcp mssdflt integer yes
.It tcp syn_cache_limit integer yes
.It tcp syn_bucket_limit        integer yes
.It tcp syn_cache_interval      integer yes
.It tcp init_win        integer yes
.It tcp init_win_local  integer yes
.It tcp mss_ifmtu       integer yes
.It tcp win_scale       integer yes
.It tcp timestamps      integer yes
.It tcp compat_42       integer yes
.It tcp cwm     integer yes
.It tcp cwm_burstsize   integer yes
.It tcp ack_on_push     integer yes
.It tcp keepidle        integer yes
.It tcp keepintvl       integer yes
.It tcp keepcnt integer yes
.It tcp slowhz  integer no
.It tcp keepinit        integer yes
.It tcp log_refused     integer yes
.It tcp rstppslimit     integer yes
.It tcp ident   struct  no
.It tcp drop    struct  no
.It tcp sack.enable     integer yes
.It tcp sack.globalholes        integer no
.It tcp sack.globalmaxholes     integer yes
.It tcp sack.maxholes   integer yes
.It tcp ecn.enable      integer yes
.It tcp ecn.maxretries  integer yes
.It tcp congctl.selected        string  yes
.It tcp congctl.available       string  yes
.It tcp abc.enable      integer yes
.It tcp abc.aggressive  integer yes
.It udp checksum        integer yes
.It udp do_loopback_cksum       integer yes
.It udp recvspace       integer yes
.It udp sendspace       integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li arp.prune
ARP cache pruning interval.
.It Li arp.refresh
ARP entry refresh interval.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if ipnat is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those packets are received.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
Use of this option is not recommended, although it may be
required in order to communicate with extremely old TCP implementations.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
If this value is 0, an auto-tuning algorithm designed to use an initial
window of approximately 4K bytes is in use.
Otherwise, this value indicates a fixed number of packets.
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packet that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.sendspace
The default UDP send buffer size.
.It Li udp.recvspace
The default UDP receive buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol name" "do_loopback_cksum" "integer" "Changeable" -offset indent
.It Sy Protocol name    Variable name   Type    Changeable
.It icmp6       errppslimit     integer yes
.It icmp6       mtudisc_hiwat   integer yes
.It icmp6       mtudisc_lowat   integer yes
.It icmp6       nd6_debug       integer yes
.It icmp6       nd6_delay       integer yes
.It icmp6       nd6_maxnudhint  integer yes
.It icmp6       nd6_mmaxtries   integer yes
.It icmp6       nd6_prune       integer yes
.It icmp6       nd6_umaxtries   integer yes
.It icmp6       nd6_useloopback integer yes
.It icmp6       nodeinfo        integer yes
.It icmp6       rediraccept     integer yes
.It icmp6       redirtimeout    integer yes
.It ip6 accept_rtadv    integer yes
.It ip6 anonportmax     integer yes
.It ip6 anonportmin     integer yes
.It ip6 auto_flowlabel  integer yes
.It ip6 dad_count       integer yes
.It ip6 defmcasthlim    integer yes
.It ip6 forwarding      integer yes
.It ip6 gifhlim integer yes
.It ip6 hashsize        integer yes
.It ip6 hlim    integer yes
.It ip6 hdrnestlimit    integer yes
.It ip6 kame_version    string  no
.It ip6 keepfaith       integer yes
.It ip6 log_interval    integer yes
.It ip6 lowportmax      integer yes
.It ip6 lowportmin      integer yes
.It ip6 maxflows        integer yes
.It ip6 maxfragpackets  integer yes
.It ip6 maxfrags        integer yes
.It ip6 redirect        integer yes
.It ip6 rr_prune        integer yes
.It ip6 use_deprecated  integer yes
.It ip6 v6only  integer yes
.It udp6        do_loopback_cksum       integer yes
.It udp6        recvspace       integer yes
.It udp6        sendspace       integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information into
the routing table.
If the number of routing table entries exceed the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for
.Tn TCP
over
.Tn IPv6 ,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable name    Type    Changeable
.It debug       integer yes
.It spi_try     integer yes
.It spi_min_value       integer yes
.It spi_max_value       integer yes
.It larval_lifetime     integer yes
.It blockacq_count      integer yes
.It blockacq_lifetime   integer yes
.It esp_keymin  integer yes
.It esp_auth    integer yes
.It ah_keymin   integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging message from within the kernel.
The value is a bitmap, as defined in
.Pa /usr/include/netkey/key_debug.h .
.It Li spi_try
The number of times the kernel will try to obtain an unique SPI
when it generates it from random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits,
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.El
.Sh The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Type    Changeable
.It proc.pid.corename   string  yes
.It proc.pid.rlimit     node    not applicable
.It proc.pid.stopfork   int     yes
.It proc.pid.stopexec   int     yes
.It proc.pid.stopexit   int     yes
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Nm core
or end with the suffix ``.core'' (the super-user may set arbitrary names).
By default it points to KERN_DEFCORENAME.
.It Li proc.pid.rlimit ( PROC_PID_LIMIT )
Return resources limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
.It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.El
.Pp
The fifth level name is one of
.Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
.Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
If non zero, the process' children will be stopped after
.Xr fork 2
calls.
The children is created in the SSTOP state and is never scheduled
for running before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
apply to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
If non zero, the process will be stopped on next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature helps attaching a process with a debugger such as
.Xr gdb 1
before it had the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
If non zero, the process will be stopped on when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of a process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.El
.Sh The user.* subtree ( CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name        Type    Changeable
.It user.atexit_max     integer no
.It user.bc_base_max    integer no
.It user.bc_dim_max     integer no
.It user.bc_scale_max   integer no
.It user.bc_string_max  integer no
.It user.coll_weights_max       integer no
.It user.cs_path        string  no
.It user.expr_nest_max  integer no
.It user.line_max       integer no
.It user.posix2_c_bind  integer no
.It user.posix2_c_dev   integer no
.It user.posix2_char_term       integer no
.It user.posix2_fort_dev        integer no
.It user.posix2_fort_run        integer no
.It user.posix2_localedef       integer no
.It user.posix2_sw_dev  integer no
.It user.posix2_upe     integer no
.It user.posix2_version integer no
.It user.re_dup_max     integer no
.It user.stream_max     integer no
.It user.stream_max     integer no
.It user.tzname_max     integer no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parenthesis by the
.Xr expr 1
utility.
.It Li user.line_max ( USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in POSIX 1003.2, otherwise 0.
.It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
.It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
.It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
.It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise 0.
.It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
.It Li user.posix2_upe ( USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
.It Li user.posix2_version ( USER_POSIX2_VERSION )
The version of POSIX 1003.2 with which the system attempts to comply.
.It Li user.re_dup_max ( USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Sh The vm.* subtree ( CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name        Type    Changeable
.It vm.anonmax  int     yes
.It vm.anonmin  int     yes
.It vm.bufcache int     yes
.It vm.bufmem   int     no
.It vm.bufmem_hiwater   int     yes
.It vm.bufmem_lowater   int     yes
.It vm.execmax  int     yes
.It vm.execmin  int     yes
.It vm.filemax  int     yes
.It vm.filemin  int     yes
.It vm.loadavg  struct loadavg  no
.It vm.maxslp   int     no
.It vm.nkmempages       int     no
.It vm.uspace   int     no
.It vm.uvmexp   struct uvmexp   no
.It vm.uvmexp2  struct uvmexp_sysctl    no
.It vm.vmmeter  struct vmtotal  no
.El
.Pp
.Bl -tag -width "123456"
.It Li vm.anonmax ( VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( VM_ANONMIN )
The percentage of physical memory which will be always be available for
anonymous application data.
.It Li vm.bufcache ( VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( VM_EXECMIN )
The percentage of physical memory which will be always be available for
cached executable data.
.It Li vm.filemax ( VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( VM_FILEMIN )
The percentage of physical memory which will be always be available for
cached file data.
.It Li vm.loadavg ( VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Va struct loadavg .
.It Li vm.maxslp ( VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct vmtotal .
.It Li vm.uspace ( VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp .
.It Li vm.uvmexp2 ( VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Va struct uvmexp_sysctl .
.\" XXX vm.idlezero
.El
.Sh The ddb.* subtree ( CTL_DDB )
The integer information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.\" XXX sort
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name        Type    Changeable
.It ddb.radix   integer yes
.It ddb.maxoff  integer yes
.It ddb.lines   integer yes
.It ddb.tabstops        integer yes
.It ddb.onpanic integer yes
.It ddb.fromconsole     integer yes
.El
.Pp
.Bl -tag -width "123456"
.It Li ddb.radix ( DBCTL_RADIX )
The input and output radix.
.It Li ddb.maxoff ( DBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.lines ( DBCTL_LINES )
Number of display lines.
.It Li ddb.tabstops ( DBCTL_TABSTOPS )
Tab width.
.It Li ddb.onpanic ( DBCTL_ONPANIC )
If non-zero, DDB will be entered if the kernel panics.
.It Li ddb.fromconsole ( DBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.\" XXX tee_msgbuf maxwidth commandonenter
.El
.Pp
These MIB nodes are also available as variables from within the DDB.
See
.Xr ddb 4
for more details.
.Sh The security.* subtree ( CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
Available settings are detailed below.
.Pp
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter return objects according to the user-id
requesting information about them, preventing from users any
access to objects they don't own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether if loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX -- exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 8 .
.Pp
.Bl -tag -width "123456"
.It Li security.pax.aslr.enable
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8  .
Otherwise, all programs will not get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8  .
Otherwise, all programs will not get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.enable
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8  .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.It Li security.pax.segvguard.max_crashes
Max number of segfaults a program can receive before suspension.
.El
.El
.Sh The vendor.* subtree ( CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.\*[Lt]yourname\*[Gt].* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 8 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .