sysctl
—
system information variables
The sysctl(3) library function and
the sysctl(8) utility are used
to get and set values of system variables, maintained by the kernel. The
variables are organized in a tree and identified by a sequence of numbers,
conventionally separated by dots with the topmost identifier at the left side.
The numbers have corresponding text names. The
sysctlnametomib(3)
function or the -M
argument to the
sysctl(8) utility can be used to
convert the text representation to the numeric one.
The individual sysctl variables are described below, both the
textual and numeric form where applicable. The textual names can be used as
argument to the sysctl(8)
utility and in the file /etc/sysctl.conf. The
numeric names are usually defined as preprocessor constants and are intended
for use by programs. Every such constant expands to one integer, which
identifies the sysctl variable relative to the upper level of the tree. See
the sysctl(3) manual page for
programming examples.
The top level names are defined with a CTL_ prefix in
<sys/sysctl.h>
, and are as
follows. The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
The debugging variables vary from system to system. A debugging variable may be
added or deleted without need to recompile sysctl
to
know about it. Each time it runs, sysctl
gets the list
of debugging variables from the kernel and displays their current values. The
system defines twenty (struct ctldebug) variables named
debug0
through debug19
. They
are declared as separate variables so that they can be individually
initialized at the location of their associated variable. The loader prevents
multiple use of the same variable by issuing errors if a variable is
initialized in more than one place. For example, to export the variable
dospecialcheck as a debugging variable, the following
declaration would be used:
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
Note that the dynamic implementation of
sysctl
currently in use largely makes this
particular sysctl
interface obsolete. See
sysctl(8) for more
information.
A distinguished second level name, vfs.generic
(VFS_GENERIC
), is used to get general information
about all file systems. It has the following third level identifiers:
vfs.generic.maxtypenum
(VFS_MAXTYPENUM
)
- The highest valid file system type number.
vfs.generic.conf
(VFS_CONF
)
- Returns configuration information about the file system type given as a
fourth level identifier.
vfs.generic.usermount
(VFS_USERMOUNT
)
- Determines if non superuser mounts are allowed, defaults to
0
.
vfs.generic.magiclinks
(VFS_MAGICLINKS
)
- Controls if expansion of variables is going to be performed on pathnames
or not. Defaults to no variable expansion,
0
.
Variables are of the form @name
and the variables
supported are described in
symlink(7) under
“MAGIC SYMLINKS”.
A second level name for controlling the
wapbl(4) (Write Ahead Physical
Block Logging file system journalling) capabilities with the following third
level identifiers:
vfs.wapbl.flush_disk_cache
- Controls whether to attempt to flush the disk cache on each commit. It
defaults to 1 and it should always be on to ensure integrity of file
system metadata in the event of a power loss. For slow disks, turning it
off can improve performance.
vfs.wapbl.verbose_commit
- For each transaction log commit, print the number of bytes written and the
time it took to commit as seconds.nanoseconds.
The remaining second level identifiers are the file system names,
identified by the type number returned by a
statvfs(2) call or from
vfs.generic.conf
.
The third level identifiers available for each file system are
given in the header file that defines the mount argument structure for that
file system.
The string and integer information available for the hw
level is detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Second level name |
Type |
Changeable |
hw.alignbytes |
integer |
no |
hw.byteorder |
integer |
no |
hw.cnmagic |
string |
yes |
hw.disknames |
string |
no |
hw.diskstats |
struct |
no |
hw.machine |
string |
no |
hw.machine_arch |
string |
no |
hw.model |
string |
no |
hw.ncpu |
integer |
no |
hw.ncpuonline |
integer |
no |
hw.pagesize |
integer |
no |
hw.physmem |
integer |
no |
hw.physmem64 |
quad |
no |
hw.usermem |
integer |
no |
hw.usermem64 |
quad |
no |
hw.alignbytes
(HW_ALIGNBYTES
)
- Alignment constraint for all possible data types. This shows the value
ALIGNBYTES
in
<machine/param.h>
, at the
kernel compilation time.
hw.byteorder
(HW_BYTEORDER
)
- The byteorder (4321, or 1234).
hw.cnmagic
(HW_CNMAGIC
)
- The console magic key sequence.
hw.disknames
(HW_DISKNAMES
)
- The list of (space separated) disk device names on the system.
hw.iostatnames
(HW_IOSTATNAMES
)
- A space separated list of devices that will have I/O statistics collected
on them.
hw.iostats
(HW_IOSTATS
)
- Return statistical information on the NFS mounts, disk and tape devices on
the system. An array of struct io_sysctl structures
is returned, whose size depends on the current number of such objects in
the system. The third level name is the size of the struct
io_sysctl. The type of object can be determined by examining the
type element of struct
io_sysctl. Which can be
IOSTAT_DISK
(disk
drive), IOSTAT_TAPE
(tape drive), or
IOSTAT_NFS
(NFS mount).
hw.machine
(HW_MACHINE
)
- The machine class.
hw.machine_arch
(HW_MACHINE_ARCH
)
- The machine CPU class.
hw.model
(HW_MODEL
)
- The machine model.
hw.ncpu
(HW_NCPU
)
- The number of CPUs configured.
hw.ncpuonline
(HW_NCPUONLINE
)
- The number of CPUs online.
hw.pagesize
(HW_PAGESIZE
)
- The software page size.
hw.physmem
(HW_PHYSMEM
)
- The bytes of physical memory as a 32-bit integer.
hw.physmem64
(HW_PHYSMEM64
)
- The bytes of physical memory as a 64-bit integer.
hw.usermem
(HW_USERMEM
)
- The bytes of non-kernel memory as a 32-bit integer.
hw.usermem64
(HW_USERMEM64
)
- The bytes of non-kernel memory as a 64-bit integer.
This subtree includes data generally related to the kernel. The string and
integer information available for the kern
level is
detailed below. The changeable column shows whether a process with appropriate
privilege may change the value.
Second level name |
Type |
Changeable |
kern.aio_listio_max |
integer |
yes |
kern.aio_max |
integer |
yes |
kern.arandom |
integer |
no |
kern.argmax |
integer |
no |
kern.boothowto |
integer |
no |
kern.boottime |
struct timespec |
no |
kern.buildinfo |
string |
no |
kern.ccpu |
integer |
no |
kern.clockrate |
struct clockinfo |
no |
kern.consdev |
integer |
no |
kern.coredump |
node |
not applicable |
kern.cp_id |
struct |
no |
kern.cp_time |
uint64_t[] |
no |
kern.cryptodevallowsoft |
integer |
yes |
kern.defcorename |
string |
yes |
kern.detachall |
integer |
yes |
kern.domainname |
string |
yes |
kern.drivers |
struct kinfo_drivers |
no |
kern.dump_on_panic |
integer |
yes |
kern.expose_address |
integer |
yes |
kern.file |
struct file |
no |
kern.forkfsleep |
integer |
yes |
kern.fscale |
integer |
no |
kern.fsync |
integer |
no |
kern.hardclock_ticks |
integer |
no |
kern.hostid |
integer |
yes |
kern.hostname |
string |
yes |
kern.iov_max |
integer |
no |
kern.ipc |
node |
not applicable |
kern.job_control |
integer |
no |
kern.labeloffset |
integer |
no |
kern.labelsector |
integer |
no |
kern.login_name_max |
integer |
no |
kern.logsigexit |
integer |
yes |
kern.mapped_files |
integer |
no |
kern.maxfiles |
integer |
yes |
kern.maxlwp |
integer |
yes |
kern.maxpartitions |
integer |
no |
kern.maxphys |
integer |
no |
kern.maxproc |
integer |
yes |
kern.maxptys |
integer |
yes |
kern.maxvnodes |
integer |
yes |
kern.messages |
integer |
yes |
kern.mbuf |
node |
not applicable |
kern.memlock |
integer |
no |
kern.memlock_range |
integer |
no |
kern.memory_protection |
integer |
no |
kern.module |
node |
not applicable |
kern.monotonic_clock |
integer |
no |
kern.mqueue |
node |
not applicable |
kern.msgbuf |
integer |
no |
kern.msgbufsize |
integer |
no |
kern.ngroups |
integer |
no |
kern.ntptime |
struct ntptimeval |
no |
kern.osrelease |
string |
no |
kern.osrevision |
integer |
no |
kern.ostype |
string |
no |
kern.pipe |
node |
not applicable |
kern.pool |
struct pool_sysctl |
no |
kern.posix1version |
integer |
no |
kern.posix_aio |
integer |
no |
kern.posix_barriers |
integer |
no |
kern.posix_reader_writer_locks |
integer |
no |
kern.posix_semaphores |
integer |
no |
kern.posix_spin_locks |
integer |
no |
kern.posix_threads |
integer |
no |
kern.posix_timers |
integer |
no |
kern.proc |
struct kinfo_proc |
no |
kern.proc2 |
struct kinfo_proc2 |
no |
kern.proc_args |
string |
no |
kern.profiling |
node |
not applicable |
kern.rawpartition |
integer |
no |
kern.root_device |
string |
no |
kern.root_partition |
integer |
no |
kern.rtc_offset |
integer |
yes |
kern.saved_ids |
integer |
no |
kern.sbmax |
integer |
yes |
kern.sched |
node |
not applicable |
kern.securelevel |
integer |
raise only |
kern.somaxkva |
integer |
yes |
kern.sooptions |
integer |
yes |
kern.synchronized_io |
integer |
no |
kern.timecounter |
node |
not applicable |
kern.timex |
struct |
no |
kern.tkstat |
node |
not applicable |
kern.tty |
node |
not applicable |
kern.urandom |
integer |
no |
kern.usercrypto |
integer |
yes |
kern.userasymcrypto |
integer |
yes |
kern.veriexec |
node |
not applicable |
kern.version |
string |
no |
kern.vnode |
struct vnode |
no |
kern.aio_listio_max
- The maximum number of asynchronous I/O operations in a single list I/O
call. Like with all variables related to
aio(3), the variable may be
created and removed dynamically upon loading or unloading the
corresponding kernel module.
kern.aio_max
- The maximum number of asynchronous I/O operations.
kern.arandom
(KERN_ARND
)
- This variable returns up to 256 bytes of random data. Multiple queries can
be used to obtain an infinite amount of non-blocking cryptographically
secure random data. The used random number generator (RNG) is based on
arc4random(3).
kern.argmax
(KERN_ARGMAX
)
- The maximum bytes of argument to
execve(2).
kern.boothowto
- Flags passed from the boot loader; see
reboot(2) for the meanings
of the flags.
kern.boottime
(KERN_BOOTTIME
)
- A struct timespec structure is returned. This
structure contains the time that the system was booted. That time is
defined (for this purpose) to be the time at which the kernel first
started accumulating clock ticks.
kern.bufq
- This variable contains information on the
bufq(9) subsystem. Currently,
the only third level name implemented is
kern.bufq.strategies
which provides a list of
buffer queue strategies currently available.
kern.buildinfo
- When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
kern.ccpu
(KERN_CCPU
)
- The scheduler exponential decay value.
kern.clockrate
(KERN_CLOCKRATE
)
- A struct clockinfo structure is returned. This
structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock skew
rate. Refer to hz(9) for
additional details.
kern.consdev
(KERN_CONSDEV
)
- Console device.
kern.coredump
- Settings related to set-id processes coredumps. By default, set-id
processes do not dump core in situations where other processes would. The
settings in this node allows an administrator to change this behavior.
The third level name is
kern.coredump.setid
and fourth level variables
are described below.
Fourth level name |
Type |
Changeable |
kern.coredump.setid.dump |
integer |
yes |
kern.coredump.setid.group |
integer |
yes |
kern.coredump.setid.mode |
integer |
yes |
kern.coredump.setid.owner |
integer |
yes |
kern.coredump.setid.path |
string |
yes |
kern.coredump.setid.dump
- If non-zero, set-id processes will dump core.
kern.coredump.setid.group
- The group-id for the set-id processes' coredump.
kern.coredump.setid.mode
- The mode for the set-id processes' coredump. See
chmod(1).
kern.coredump.setid.owner
- The user-id that will be used as the owner of the set-id processes'
coredump.
kern.coredump.setid.path
- The path to which set-id processes' coredumps will be saved to. Same
syntax as kern.defcorename.
kern.cp_id
(KERN_CP_ID
)
- Mapping of CPU number to CPU id.
kern.cp_time
(KERN_CP_TIME
)
- Returns an array of
CPUSTATES
uint64_ts. This array contains the number of clock
ticks spent in different CPU states. On multi-processor systems, the sum
across all CPUs is returned unless appropriate space is given for one data
set for each CPU. Data for a specific CPU can also be obtained by adding
the number of the CPU at the end of the MIB, enlarging it by one.
kern.cryptodevallowsoft
- This variable controls userland access to hardware versus software
transforms in the crypto(4)
system. The available values are as follows:
<
0
- Always force userlevel requests to use software transforms.
=
0
- If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
>
0
- Allow user requests only for transforms which are
hardware-accelerated.
kern.defcorename
(KERN_DEFCORENAME
)
- Default template for the name of core dump files (see also
proc.pid.corename
in the per-process variables
proc.*
, and
core(5) for format of this
template). The default value is %n.core and can be
changed with the kernel configuration option options
DEFCORENAME
(see
options(4) ).
kern.detachall
- Detach all devices at shutdown.
kern.domainname
(KERN_DOMAINNAME
)
- Get or set the YP domain name.
kern.drivers
(KERN_DRIVERS
)
- Return an array of struct kinfo_drivers that
contains the name and major device numbers of all the device drivers in
the current kernel. The d_name field is always a NUL
terminated string. The d_bmajor field will be set to
-1 if the driver doesn't have a block device.
kern.expose_address
- Expose kernel addresses in
sysctl(3) calls used by
fstat(1) and
sockstat(1). If it is set
to
0
access is not allowed. If it is set to
1
then only processes that have opened
/dev/kmem can have access. If it is set to
2
every process is allowed. Defaults to
0
for KASLR
kernels and
1
otherwise. Allowing general access renders KASLR
ineffective; allowing only kmem accessing programs weakens KASLR if those
programs can be subverted to leak the addresses.
kern.dump_on_panic
(KERN_DUMP_ON_PANIC
)
- Perform a crash dump on system
panic(9).
kern.file
(KERN_FILE
)
- Return the entire file table. The returned data consists of a single
struct filelist followed by an array of
struct file, whose size depends on the current
number of such objects in the system.
kern.forkfsleep
(KERN_FORKFSLEEP
)
- If fork(2) system call fails
due to limit on number of processes (either the global maxproc limit or
user's one), wait for this many milliseconds before returning
EAGAIN
error to process. Useful to keep heavily
forking runaway processes in bay. Default zero (no sleep). Maximum is 20
seconds.
kern.fscale
(KERN_FSCALE
)
- The kernel fixed-point scale factor.
kern.fsync
(KERN_FSYNC
)
- Return 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) File Synchronization Option is available
on this system, otherwise 0.
kern.hardclock_ticks
(KERN_HARDCLOCK_TICKS
)
- Returns the number of
hardclock(9) ticks.
kern.hist
- This variable contains kernel history data if the kernel was configured
for any of the options
UVHMIST
,
USB_DEBUG
, BIOHIST
, or
SCDEBUG
. (See
options(4) for more
details.) The third-level names correspond to each available history
table. The values of the history tables are in an internal format, and can
be decoded by the vmstat(1)
utility's -U
and -u
options; the -l
option can be used to see which
tables are available.
kern.hostid
(KERN_HOSTID
)
- Get or set the host identifier. This is aimed to replace the legacy
gethostid(3) and
sethostid(3) system
calls.
kern.hostname
(KERN_HOSTNAME
)
- Get or set the
hostname(1).
kern.iov_max
(KERN_IOV_MAX
)
- Return the maximum number of iovec structures that a
process has available for use with
preadv(2),
pwritev(2),
readv(2),
recvmsg(2),
sendmsg(2) and
writev(2).
kern.ipc
(KERN_SYSVIPC
)
- Return information about the SysV IPC parameters. The third level names
for the ipc variables are detailed below.
Third level name |
Type |
Changeable |
kern.ipc.sysvmsg |
integer |
no |
kern.ipc.sysvsem |
integer |
no |
kern.ipc.sysvshm |
integer |
no |
kern.ipc.sysvipc_info |
struct |
no |
kern.ipc.shmmax |
integer |
yes |
kern.ipc.shmmni |
integer |
yes |
kern.ipc.shmseg |
integer |
yes |
kern.ipc.shmmaxpgs |
integer |
yes |
kern.ipc.shm_use_phys |
integer |
yes |
kern.ipc.msgmni |
integer |
yes |
kern.ipc.msgseg |
integer |
yes |
kern.ipc.semmni |
integer |
yes |
kern.ipc.semmns |
integer |
yes |
kern.ipc.semmnu |
integer |
yes |
kern.ipc.sysvmsg
(KERN_SYSVIPC_MSG
)
- Returns 1 if System V style message queue functionality is available
on this system, otherwise 0.
kern.ipc.sysvsem
(KERN_SYSVIPC_SEM
)
- Returns 1 if System V style semaphore functionality is available on
this system, otherwise 0.
kern.ipc.sysvshm
(KERN_SYSVIPC_SHM
)
- Returns 1 if System V style share memory functionality is available on
this system, otherwise 0.
kern.ipc.sysvipc_info
(KERN_SYSVIPC_INFO
)
- Return System V style IPC configuration and run-time information. The
fourth level name selects the System V style IPC facility.
Fourth level name |
Type |
KERN_SYSVIPC_MSG_INFO |
struct msg_sysctl_info |
KERN_SYSVIPC_SEM_INFO |
struct sem_sysctl_info |
KERN_SYSVIPC_SHM_INFO |
struct shm_sysctl_info |
KERN_SYSVIPC_MSG_INFO
- Return information on the System V style message facility. The
msg_sysctl_info structure is defined in
<sys/msg.h>
.
KERN_SYSVIPC_SEM_INFO
- Return information on the System V style semaphore facility. The
sem_sysctl_info structure is defined in
<sys/sem.h>
.
KERN_SYSVIPC_SHM_INFO
- Return information on the System V style shared memory facility.
The shm_sysctl_info structure is defined in
<sys/shm.h>
.
kern.ipc.shmmax
(KERN_SYSVIPC_SHMMAX
)
- Max shared memory segment size in bytes.
kern.ipc.shmmni
(KERN_SYSVIPC_SHMMNI
)
- Max number of shared memory identifiers.
kern.ipc.shmseg
(KERN_SYSVIPC_SHMSEG
)
- Max shared memory segments per process.
kern.ipc.shmmaxpgs
(KERN_SYSVIPC_SHMMAXPGS
)
- Max amount of shared memory in pages.
kern.ipc.shm_use_phys
(KERN_SYSVIPC_SHMUSEPHYS
)
- Locking of shared memory in physical memory. If 0, memory can be
swapped out, otherwise it will be locked in physical memory.
kern.ipc.msgmni
- Max number of message queue identifiers.
kern.ipc.msgseg
- Max number of number of message segments.
kern.ipc.semmni
- Max number of number of semaphore identifiers.
kern.ipc.semmns
- Max number of number of semaphores in system.
kern.ipc.semmnu
- Max number of undo structures in system.
kern.job_control
(KERN_JOB_CONTROL
)
- Return 1 if job control is available on this system,
otherwise 0.
kern.labeloffset
(KERN_LABELOFFSET
)
- The offset within the sector specified by
KERN_LABELSECTOR
of the
disklabel(5).
kern.labelsector
(KERN_LABELSECTOR
)
- The sector number containing the
disklabel(5).
kern.login_name_max
(KERN_LOGIN_NAME_MAX
)
- The size of the storage required for a login name, in bytes, including the
terminating NUL.
kern.logsigexit
(KERN_LOGSIGEXIT
)
- If this flag is non-zero, the kernel will
log(9) all process exits due to
signals which create a core(5)
file, and whether the coredump was created.
kern.mapped_files
(KERN_MAPPED_FILES
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Memory Mapped Files Option is available
on this system, otherwise 0.
kern.maxfiles
(KERN_MAXFILES
)
- The maximum number of open files that may be open in the system. This also
controls the maximum file locks per unprivilegied user enforced by
fnctl(2) and
flock(2).
kern.maxpartitions
(KERN_MAXPARTITIONS
)
- The maximum number of partitions allowed per disk.
kern.maxlwp
- The maximum number of Lightweight Processes (threads) the system allows
per uid.
kern.maxphys
(KERN_MAXPHYS
)
- Maximum raw I/O transfer size.
kern.maxproc
(KERN_MAXPROC
)
- The maximum number of simultaneous processes the system will allow.
kern.maxptys
(KERN_MAXPTYS
)
- The maximum number of pseudo terminals. This value can be both raised and
lowered, though it cannot be set lower than number of currently used ptys.
See also pty(4).
kern.maxvnodes
(KERN_MAXVNODES
)
- The maximum number of vnodes available on the system. This can only be
raised.
kern.mbuf
(KERN_MBUF
)
- Return information about the mbuf control variables. Mbufs are data
structures which store network packets and other data structures in the
networking code, see mbuf(9).
The third level names for the mbuf variables are detailed below. The
changeable column shows whether a process with appropriate privilege may
change the value.
Third level name |
Type |
Changeable |
kern.mbuf.mblowat |
integer |
yes |
kern.mbuf.mclbytes |
integer |
yes |
kern.mbuf.mcllowat |
integer |
yes |
kern.mbuf.msize |
integer |
yes |
kern.mbuf.nmbclusters |
integer |
yes |
The variables are as follows:
kern.mbuf.mblowat
(MBUF_MBLOWAT
)
- The mbuf low water mark.
kern.mbuf.mclbytes
(MBUF_MCLBYTES
)
- The mbuf cluster size.
kern.mbuf.mcllowat
(MBUF_MCLLOWAT
)
- The mbuf cluster low water mark.
kern.mbuf.msize
(MBUF_MSIZE
)
- The mbuf base size.
kern.mbuf.nmbclusters
(MBUF_NMBCLUSTERS
)
- The limit on the number of mbuf clusters. The variable can only be
increased, and only increased on machines with direct-mapped pool
pages.
kern.memlock
(KERN_MEMLOCK
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Process Memory Locking Option is
available on this system, otherwise 0.
kern.memlock_range
(KERN_MEMLOCK_RANGE
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Range Memory Locking Option is available
on this system, otherwise 0.
kern.memory_protection
(KERN_MEMORY_PROTECTION
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Memory Protection Option is available on
this system, otherwise 0.
kern.messages
- Kernel console message verbosity. See
⟨sys/reboot.h⟩
Value |
Verbosity |
sys/reboot.h equivalent |
0 |
Silent |
AB_SILENT |
1 |
Quiet |
AB_QUIET |
2 |
Normal |
AB_NORMAL |
3 |
Verbose |
AB_VERBOSE |
4 |
Debug |
AB_DEBUG |
kern.module
- Settings related to kernel modules. The third level names for the settings
are described below.
Third level name |
Type |
Changeable |
kern.module.autoload |
integer |
yes |
kern.module.autotime |
integer |
yes |
kern.module.verbose |
boolean |
yes |
The variables are as follows:
kern.module.autoload
- A boolean that controls whether kernel modules are loaded
automatically. See
module(7) for additional
details.
kern.module.autotime
- An integer that controls the delay before an attempt is made to
automatically unload a module that was auto-loaded. Setting this value
to zero disables the auto-unload function.
kern.module.verbose
- A boolean that enables or disables verbose debug messages related to
kernel modules.
kern.monotonic_clock
(KERN_MONOTONIC_CLOCK
)
- Returns the standard version the implementation of the
IEEE Std 1003.1b-1993 (“POSIX.1b”)
Monotonic Clock Option conforms to, otherwise 0.
kern.mqueue
- Settings related to POSIX message queues; see
mqueue(3). This node is
created dynamically when the corresponding kernel module is loaded. The
third level names for the settings are described below.
Third level name |
Type |
Changeable |
kern.mqueue.mq_open_max |
integer |
yes |
kern.mqueue.mq_prio_max |
integer |
yes |
kern.mqueue.mq_max_msgsize |
integer |
yes |
kern.mqueue.mq_def_maxmsg |
integer |
yes |
kern.mqueue.mq_max_maxmsg |
integer |
yes |
The variables are:
kern.mqueue.mq_open_max
- The maximum number of message queue descriptors any single process can
open.
kern.mqueue.mq_prio_max
- The maximum priority of a message.
kern.mqueue.mq_max_msgsize
- The maximum size of a message in a message queue.
kern.mqueue.mq_def_maxmsg
- The default maximum message count.
kern.mqueue.mq_max_maxmsg
- The maximum number of messages in a message queue.
kern.msgbuf
(KERN_MSGBUF
)
- The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data. The returned data may
contain NUL bytes.
kern.msgbufsize
(KERN_MSGBUFSIZE
)
- The maximum number of characters that the kernel message buffer can
hold.
kern.ngroups
(KERN_NGROUPS
)
- The maximum number of supplemental groups.
kern.ntptime
(KERN_NTPTIME
)
- A struct ntptimeval structure is returned. This
structure contains data used by the
ntpd(8) program.
kern.osrelease
(KERN_OSRELEASE
)
- The system release string.
kern.osrevision
(KERN_OSREV
)
- The system revision string.
kern.ostype
(KERN_OSTYPE
)
- The system type string.
kern.pipe
(KERN_PIPE
)
- Pipe settings. The third level names for the integer pipe settings is
detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Third level name |
Type |
Changeable |
kern.pipe.kvasiz |
integer |
yes |
kern.pipe.maxbigpipes |
integer |
yes |
kern.pipe.maxkvasz |
integer |
yes |
kern.pipe.limitkva |
integer |
yes |
kern.pipe.nbigpipes |
integer |
yes |
The variables are as follows:
kern.pipe.kvasiz
(KERN_PIPE_KVASIZ
)
- Amount of kernel memory consumed by pipe buffers.
kern.pipe.maxbigpipes
(KERN_PIPE_MAXBIGPIPES
)
- Maximum number of “big” pipes.
kern.pipe.maxkvasz
(KERN_PIPE_MAXKVASZ
)
- Maximum amount of kernel memory to be used for pipes.
kern.pipe.limitkva
(KERN_PIPE_LIMITKVA
)
- Limit for direct transfers via page loan.
kern.pipe.nbigpipes
(KERN_PIPE_NBIGPIPES
)
- Number of “big” pipes.
kern.pool
- Provides statistics about the
pool(9) and
pool_cache(9)
subsystems.
kern.posix1version
(KERN_POSIX1
)
- The version of ISO/IEC 9945 (IEEE Std 1003.1
(“POSIX.1”)) with which the system attempts to
comply.
kern.posix_aio
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Asynchronous I/O option to which
the system attempts to conform.
kern.posix_barriers
(KERN_POSIX_BARRIERS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Barriers option to which the
system attempts to conform, otherwise 0.
kern.posix_reader_writer_locks
(KERN_POSIX_READER_WRITER_LOCKS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Read-Write Locks option to which
the system attempts to conform, otherwise 0.
kern.posix_semaphores
(KERN_POSIX_SEMAPHORES
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Semaphores option to which the
system attempts to conform, otherwise 0.
kern.posix_spin_locks
(KERN_POSIX_SPIN_LOCKS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Spin Locks option to which the
system attempts to conform, otherwise 0.
kern.posix_threads
(KERN_POSIX_THREADS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Threads option to which the
system attempts to conform, otherwise 0.
kern.posix_timers
(KERN_POSIX_TIMERS
)
- The version of IEEE Std 1003.1
(“POSIX.1”) and its Timers option to which the system
attempts to conform, otherwise 0.
kern.proc
(KERN_PROC
)
- Return the entire process table, or a subset of it. An array of
struct kinfo_proc structures is returned, whose size
depends on the current number of such objects in the system. The third and
fourth level numeric names are as follows:
Third level name |
Fourth level is: |
KERN_PROC_ALL |
None |
KERN_PROC_GID |
A group ID |
KERN_PROC_PID |
A process ID |
KERN_PROC_PGRP |
A process group |
KERN_PROC_RGID |
A real group ID |
KERN_PROC_RUID |
A real user ID |
KERN_PROC_SESSION |
A session ID |
KERN_PROC_TTY |
A tty device |
KERN_PROC_UID |
A user ID |
kern.proc2
(KERN_PROC2
)
- As for
KERN_PROC
, but an array of
struct kinfo_proc2 structures are returned. The
fifth level name is the size of the struct
kinfo_proc2 and the sixth level name is the number of structures to
return.
kern.proc_args
(KERN_PROC_ARGS
)
- Return the argv or environment strings (or the number thereof) of a
process. Multiple strings are returned separated by NUL characters. The
third level name is the process ID. The fourth level name is as follows:
kern.profiling
(KERN_PROF
)
- Return profiling information about the kernel. If the kernel is not
compiled for profiling, attempts to retrieve any of the
KERN_PROF
values will fail with
EOPNOTSUPP
. The third level names for the string
and integer profiling information is detailed below. The changeable column
shows whether a process with appropriate privilege may change the value.
Third level name |
Type |
Changeable |
kern.profiling.count |
u_short[] |
yes |
kern.profiling.froms |
u_short[] |
yes |
kern.profiling.gmonparam |
struct gmonparam |
no |
kern.profiling.state |
integer |
yes |
kern.profiling.tos |
struct tostruct |
yes |
The variables are as follows:
kern.profiling.count
(GPROF_COUNT
)
- Array of statistical program counter counts.
kern.profiling.froms
(GPROF_FROMS
)
- Array indexed by program counter of call-from points.
kern.profiling.gmonparams
(GPROF_GMONPARAM
)
- Structure giving the sizes of the above arrays.
kern.profiling.state
(GPROF_STATE
)
- Profiling state. If set to
GMON_PROF_ON
,
starts profiling. If set to GMON_PROF_OFF
,
stops profiling.
kern.profiling.tos
(GPROF_TOS
)
- Array of struct tostruct describing destination
of calls and their counts.
kern.rawpartition
(KERN_RAWPARTITION
)
- The raw partition of a disk (a == 0).
kern.root_device
(KERN_ROOT_DEVICE
)
- The name of the root device (e.g., “wd0”).
kern.root_partition
(KERN_ROOT_PARTITION
)
- The root partition on the root device (a == 0).
kern.rtc_offset
(KERN_RTC_OFFSET
)
- Return the offset of real time clock from UTC in minutes.
kern.saved_ids
(KERN_SAVED_IDS
)
- Returns 1 if saved set-group and saved set-user ID is available.
kern.sbmax
(KERN_SBMAX
)
- Maximum socket buffer size in bytes.
kern.securelevel
(KERN_SECURELVL
)
- See
secmodel_securelevel(9).
kern.sched
(dynamic
)
- Influence the scheduling of LWPs, their priorisation and how they are
distributed on and moved between CPUs.
Third level name |
Type |
Changeable |
kern.sched.cacheht_time |
integer |
yes |
kern.sched.balance_period |
integer |
yes |
kern.sched.average_weight |
integer |
yes |
kern.sched.min_catch |
integer |
yes |
kern.sched.timesoftints |
integer |
yes |
kern.sched.kpreempt_pri |
integer |
yes |
kern.sched.upreempt_pri |
integer |
yes |
kern.sched.maxts |
integer |
yes |
kern.sched.mints |
integer |
yes |
kern.sched.name |
string |
no |
kern.sched.rtts |
integer |
no |
kern.sched.pri_min |
integer |
no |
kern.sched.pri_max |
integer |
no |
The variables are as follows:
kern.sched.cacheht_time
(dynamic
)
- Cache hotness time in which a LWP is kept on one particular CPU and
not moved to another CPU. This reduces the overhead of flushing and
reloading caches. Defaults to 3ms. Needs to be given in
“hz” units, see
mstohz(9).
kern.sched.balance_period
(dynamic
)
- Interval at which the CPU queues are checked for re-balancing.
Defaults to 300ms. Needs to be given in “hz” units, see
mstohz(9).
kern.sched.average_weight
(dynamic
)
- Can be used to influence how likely LWPs are to be migrated from one
CPU's queue of LWPs that are ready to run to a different, idle CPU.
The value gives the percentage for weighting the average count of
migratable threads from the past against the current number of
migratable threads. A small value gives more weight to the past, a
larger values more weight on the current situation. Defaults to 50 and
must be between 0 and 100.
kern.sched.min_catch
(dynamic
)
- Minimum count of migratable (runable) threads for catching (stealing)
from another CPU. Defaults to 1 but can be increased to decrease
chance of thread migration between CPUs.
kern.sched.timesoftints
(dynamic
)
- Enable tracking of CPU time for soft interrupts as part of a LWP's
real execution time. Set to a non-zero value to enable, and see
ps(1) for printing CPU
times.
kern.sched.kpreempt_pri
(dynamic
)
- Minimum priority to trigger kernel preemption.
kern.sched.upreempt_pri
(dynamic
)
- Minimum priority to trigger user preemption.
kern.sched.maxts
(dynamic
)
- Scheduler specific maximal time quantum (in milliseconds). Must be set
to a value larger than “mints” and between 10 and
“hz” as given by the
kern.clockrate
sysctl. Provided by the M2
scheduler.
kern.sched.mints
(dynamic
)
- Scheduler specific minimal time quantum (in milliseconds). Must be set
to a value smaller than “maxts” and between 1 and
“hz” as given by the “kern.clockrate”
sysctl. Provided by the M2 scheduler.
kern.sched.name
(dynamic
)
- Scheduler name. Provided both by the M2 and the 4BSD scheduler.
kern.sched.rtts
(dynamic
)
- Fixed scheduler specific round-robin time quantum in milliseconds.
Provided both by the M2 and the 4BSD scheduler.
kern.sched.pri_min
(dynamic
)
- Minimal POSIX real-time priority. See
sched(3).
kern.sched.pri_max
(dynamic
)
- Maximal POSIX real-time priority. See
sched(3).
kern.somaxkva
(KERN_SOMAXKVA
)
- Maximum amount of kernel memory to be used for socket buffers in
bytes.
kern.sooptions
- Set the default socket option flags for
socket(2) creation. See
setsockopt(2) for a list
of supported flags.
kern.synchronized_io
(KERN_SYNCHRONIZED_IO
)
- Returns 1 if the IEEE Std 1003.1b-1993
(“POSIX.1b”) Synchronized I/O Option is available on
this system, otherwise 0.
kern.timecounter
(dynamic
)
- Display and control the timecounter source of the system.
Third level name |
Type |
Changeable |
kern.timecounter.choice |
string |
no |
kern.timecounter.hardware |
string |
yes |
kern.timecounter.timestepwarnings |
integer |
yes |
The variables are as follows:
kern.timecounter.choice
(dynamic
)
- The list of available timecounters with their quality and
frequency.
kern.timecounter.hardware
(dynamic
)
- The currently selected timecounter source.
kern.timecounter.timestepwarnings
(dynamic
)
- If non-zero display a message each time the time is stepped.
kern.timex
(KERN_TIMEX
)
- Not available.
kern.tkstat
(KERN_TKSTAT
)
- Return information about the number of characters sent and received on
ttys. The third level names for the tty statistic variables are detailed
below. The changeable column shows whether a process with appropriate
privilege may change the value.
Third level name |
Type |
Changeable |
kern.tkstat.cancc |
quad |
no |
kern.tkstat.nin |
quad |
no |
kern.tkstat.nout |
quad |
no |
kern.tkstat.rawcc |
quad |
no |
The variables are as follows:
kern.tkstat.cancc
(KERN_TKSTAT_CANCC
)
- The number of canonical input characters.
kern.tkstat.nin
(KERN_TKSTAT_NIN
)
- The total number of input characters.
kern.tkstat.nout
(KERN_TKSTAT_NOUT
)
- The total number of output characters.
kern.tkstat.rawcc
(KERN_TKSTAT_RAWCC
)
- The number of raw input characters.
kern.tty
- The third level names for the tty setup variables are detailed below. The
changeable column shows whether a process with appropriate privilege may
change the value.
Third level name |
Type |
Changeable |
kern.tty.qsize |
int |
yes |
The variables are as follows:
kern.tty.qsize
- Control/display the size of the default input and output queues
selected during tty creation. Is converted to a power of two and its
range is between
1024
and
65536
.
kern.uidinfo
- Resource usage for the current user.
Third level name |
Type |
Changeable |
kern.uidinfo.proccnt |
integer |
no |
kern.uidinfo.lwpcnt |
integer |
no |
kern.uidinfo.lockcnt |
integer |
no |
kern.uidinfo.semcnt |
integer |
no |
kern.uidinfo.sbsize |
integer |
no |
kern.uidinfo.proccnt
- Returns the number of active processes for the current user.
kern.uidinfo.lwpcnt
- Returns the number of active threads for the current user; the first
thread of each process is not counted.
kern.uidinfo.lockcnt
- Number of locks held by the current user.
kern.uidinfo.semcnt
- Number of semaphores held by the current user.
kern.uidinfo.sbsize
- Number of bytes in socket buffers allocated to the current user.
kern.urandom
(KERN_URND
)
- Random integer value.
kern.usercrypto
- When enabled, allows userland to
open(2) the
/dev/crypto special device, used by the
crypto(4) system.
kern.userasymcrypto
- Enables or disables the use of software asymmetric crypto support in the
crypto(4) system.
kern.veriexec
- Runtime information for
veriexec(8).
Third level name |
Type |
Changeable |
kern.veriexec.algorithms |
string |
no |
kern.veriexec.count |
node |
not applicable |
kern.veriexec.strict |
integer |
yes |
kern.veriexec.verbose |
integer |
yes |
kern.veriexec.algorithms
- Returns a string with the supported algorithms in Veriexec.
kern.veriexec.count
- Sub-nodes are added to this node as new mounts are monitored by
Veriexec. Each mount will be under its own
tableN node. Under each node there will be
three variables, indicating the mount point, the file system type, and
the number of entries.
kern.veriexec.strict
- Controls the strict level of Veriexec. See
security(7) for more
information on each level's implications.
kern.veriexec.verbose
- Controls the verbosity level of Veriexec. If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file. If 1, more messages will be printed (ie., when a
file with a valid fingerprint is accessed). Verbose level 2 is debug
mode.
kern.version
(KERN_VERSION
)
- The system version string.
kern.vnode
(KERN_VNODE
)
- Return the entire vnode table. Note, the vnode table is not necessarily a
consistent snapshot of the system. The returned data consists of an array
whose size depends on the current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
struct vnode * followed by the vnode itself
struct vnode.
The set of variables defined is architecture dependent. Most architectures
define at least the following variables.
The string and integer information available for the net
level is detailed below. The changeable column shows whether a process with
appropriate privilege may change the value. The second and third levels are
typically the protocol family and protocol number, though this is not always
the case.
Second level name |
Type |
Changeable |
net.route |
routing messages |
no |
net.inet |
IPv4 values |
yes |
net.inet6 |
IPv6 values |
yes |
net.key |
IPsec key management values |
yes |
net.route
(PF_ROUTE
)
- Return the entire routing table or a subset of it. The data is returned as
a sequence of routing messages (see
route(4) for the header file,
format and meaning). The length of each message is contained in the
message header.
The third level name is a protocol number, which is currently
always 0. The fourth level name is an address family, which may
be set to 0 to select all address families. The fifth and sixth level
names are as follows:
Fifth level name |
Sixth level is: |
NET_RT_FLAGS |
rtflags |
NET_RT_DUMP |
None |
NET_RT_IFLIST |
None |
net.inet
(PF_INET
)
- Get or set various global information about the IPv4 (Internet Protocol
version 4). The third level name is the protocol. The fourth level name is
the variable name. The currently defined protocols and names are:
Protocol |
Variable |
Type |
Changeable |
arp |
down |
integer |
yes |
arp |
keep |
integer |
yes |
arp |
log_movements |
integer |
yes |
arp |
log_permanent_modify |
integer |
yes |
arp |
log_unknown_network |
integer |
yes |
arp |
log_wrong_iface |
integer |
yes |
carp |
allow |
integer |
yes |
carp |
preempt |
integer |
yes |
carp |
log |
integer |
yes |
carp |
arpbalance |
integer |
yes |
icmp |
errppslimit |
integer |
yes |
icmp |
maskrepl |
integer |
yes |
icmp |
rediraccept |
integer |
yes |
icmp |
redirtimeout |
integer |
yes |
icmp |
bmcastecho |
integer |
yes |
ip |
allowsrcrt |
integer |
yes |
ip |
anonportalgo.selected |
string |
yes |
ip |
anonportalgo.available |
string |
yes |
ip |
anonportalgo.reserve |
struct |
yes |
ip |
anonportmax |
integer |
yes |
ip |
anonportmin |
integer |
yes |
ip |
checkinterface |
integer |
yes |
ip |
dad_count |
integer |
yes |
ip |
directed-broadcast |
integer |
yes |
ip |
do_loopback_cksum |
integer |
yes |
ip |
forwarding |
integer |
yes |
ip |
forwsrcrt |
integer |
yes |
ip |
gifttl |
integer |
yes |
ip |
grettl |
integer |
yes |
ip |
hashsize |
integer |
yes |
ip |
hostzerobroadcast |
integer |
yes |
ip |
lowportmin |
integer |
yes |
ip |
lowportmax |
integer |
yes |
ip |
maxflows |
integer |
yes |
ip |
maxfragpackets |
integer |
yes |
ip |
mtudisc |
integer |
yes |
ip |
mtudisctimeout |
integer |
yes |
ip |
random_id |
integer |
yes |
ip |
redirect |
integer |
yes |
ip |
subnetsarelocal |
integer |
yes |
ip |
ttl |
integer |
yes |
tcp |
rfc1323 |
integer |
yes |
tcp |
sendspace |
integer |
yes |
tcp |
recvspace |
integer |
yes |
tcp |
mssdflt |
integer |
yes |
tcp |
syn_cache_limit |
integer |
yes |
tcp |
syn_bucket_limit |
integer |
yes |
tcp |
syn_cache_interval |
integer |
yes |
tcp |
init_win |
integer |
yes |
tcp |
init_win_local |
integer |
yes |
tcp |
mss_ifmtu |
integer |
yes |
tcp |
win_scale |
integer |
yes |
tcp |
timestamps |
integer |
yes |
tcp |
cwm |
integer |
yes |
tcp |
cwm_burstsize |
integer |
yes |
tcp |
ack_on_push |
integer |
yes |
tcp |
keepidle |
integer |
yes |
tcp |
keepintvl |
integer |
yes |
tcp |
keepcnt |
integer |
yes |
tcp |
slowhz |
integer |
no |
tcp |
keepinit |
integer |
yes |
tcp |
log_refused |
integer |
yes |
tcp |
rstppslimit |
integer |
yes |
tcp |
ident |
struct |
no |
tcp |
drop |
struct |
no |
tcp |
sack.enable |
integer |
yes |
tcp |
sack.globalholes |
integer |
no |
tcp |
sack.globalmaxholes |
integer |
yes |
tcp |
sack.maxholes |
integer |
yes |
tcp |
ecn.enable |
integer |
yes |
tcp |
ecn.maxretries |
integer |
yes |
tcp |
congctl.selected |
string |
yes |
tcp |
congctl.available |
string |
yes |
tcp |
abc.enable |
integer |
yes |
tcp |
abc.aggressive |
integer |
yes |
udp |
checksum |
integer |
yes |
udp |
do_loopback_cksum |
integer |
yes |
udp |
recvspace |
integer |
yes |
udp |
sendspace |
integer |
yes |
The variables are as follows:
arp.down
- Failed ARP entry lifetime.
arp.keep
- Valid ARP entry lifetime.
carp.allow
- If set to 0, incoming
carp(4) packets will not
be processed. If set to any other value, processing will occur.
Enabled by default.
carp.arpbalance
- If set to any value other than 0, the ARP balancing functionality of
carp(4) is enabled. When
ARP requests are received for an IP address which is part of any
virtual host, carp will hash the source IP in the ARP request to
select one of the virtual hosts from the set of all the virtual hosts
which have that IP address. The master of that host will respond with
the correct virtual MAC address. Disabled by default.
carp.log
- If set to any value other than 0,
carp(4) will log errors.
Disabled by default.
carp.preempt
- If set to 0, carp(4) will
not attempt to become master if it is receiving advertisements from
another active master. If set to any other value, carp will become
master of the virtual host if it believes it can send advertisements
more frequently than the current master. Disabled by default.
ip.allowsrcrt
- If set to 1, the host accepts source routed packets.
ip.anonportalgo.available
- The available RFC 6056 port randomization algorithms.
ip.anonportalgo.reserve
- A bitmask of ports that will not be used during anonymous or
privileged port selection.
ip.anonportalgo.selected
- The currently selected RFC 6056 port randomization algorithm.
ip.anonportmax
- The highest port number to use for TCP and UDP ephemeral port
allocation. This cannot be set to less than 1024 or greater than
65535, and must be greater than
ip.anonportmin
.
ip.anonportmin
- The lowest port number to use for TCP and UDP ephemeral port
allocation. This cannot be set to less than 1024 or greater than
65535.
ip.checkinterface
- If set to non-zero, the host will reject packets addressed to it that
arrive on an interface not bound to that address. Currently, this must
be disabled if NAT is used to translate the destination address to
another local interface, or if addresses are added to the loopback
interface instead of the interface where the packets for those packets
are received.
ip.dad_count
- The number of arp(4) probes
sent for Address Conflict Detection. Set to 0 to disable this.
ip.directed-broadcast
- If set to 1, enables directed broadcast behavior for the host.
ip.do_loopback_cksum
- Perform IP checksum on loopback.
ip.forwarding
- If set to 1, enables IP forwarding for the host, meaning that the host
is acting as a router.
ip.forwsrcrt
- If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less
than 1.
ip.gifttl
- The maximum time-to-live (hop count) value for an IPv4 packet
generated by gif(4) tunnel
interface.
ip.grettl
- The maximum time-to-live (hop count) value for an IPv4 packet
generated by gre(4) tunnel
interface.
ip.hashsize
- The size of IPv4 Fast Forward hash table. This value must be a power
of 2 (64, 256...). A larger hash table size results in fewer
collisions. Also see
ip.maxflows
.
ip.hostzerobroadcast
- All zeroes address is broadcast address.
ip.lowportmax
- The highest port number to use for TCP and UDP reserved port
allocation. This cannot be set to less than 0 or greater than 1024,
and must be greater than
ip.lowportmin
.
ip.lowportmin
- The lowest port number to use for TCP and UDP reserved port
allocation. This cannot be set to less than 0 or greater than 1024,
and must be smaller than
ip.lowportmax
.
ip.maxflows
- IPv4 Fast Forwarding is enabled by default. If set to 0, IPv4 Fast
Forwarding is disabled.
ip.maxflows
controls
the maximum amount of flows which can be created. The default value is
256.
ip.maxfragpackets
- The maximum number of fragmented packets the node will accept. 0 means
that the node will not accept any fragmented packets. -1 means that
the node will accept as many fragmented packets as it receives. The
flag is provided basically for avoiding possible DoS attacks.
ip.mtudisc
- If set to 1, enables Path MTU Discovery (RFC 1191). When Path MTU
Discovery is enabled, the transmitted TCP segment size will be
determined by the advertised maximum segment size (MSS) from the
remote end, as constrained by the path MTU. If MTU Discovery is
disabled, the transmitted segment size will never be greater than
tcp.mssdflt
(the local maximum segment
size).
ip.mtudisctimeout
- The number of seconds in which a route added by the Path MTU Discovery
engine will time out. When the route times out, the Path MTU Discovery
engine will attempt to probe a larger path MTU.
ip.random_id
- Assign random ip_id values.
ip.redirect
- If set to 1, ICMP redirects may be sent by the host. This option is
ignored unless the host is routing IP packets, and should normally be
enabled on all systems.
ip.subnetsarelocal
- If set to 1, subnets are to be considered local addresses.
ip.ttl
- The maximum time-to-live (hop count) value for an IP packet sourced by
the system. This value applies to normal transport protocols, not to
ICMP.
icmp.errppslimit
- The variable specifies the maximum number of outgoing ICMP error
messages, per second. ICMP error messages that exceeded the value are
subject to rate limitation and will not go out from the node. Negative
value disables rate limitation.
icmp.maskrepl
- If set to 1, ICMP network mask requests are to be answered.
icmp.rediraccept
- If set to non-zero, the host will accept ICMP redirect packets. Note
that routers will never accept ICMP redirect packets, and the variable
is meaningful on IP hosts only.
icmp.redirtimeout
- The variable specifies lifetime of routing entries generated by
incoming ICMP redirect. This defaults to 600 seconds.
icmp.returndatabytes
- Number of bytes to return in an ICMP error message.
icmp.bmcastecho
- If set to 1, enables responding to ICMP echo or timestamp request to
the broadcast address.
tcp.ack_on_push
- If set to 1, TCP is to immediately transmit an ACK upon reception of a
packet with PUSH set. This can avoid losing a round trip time in some
rare situations, but has the caveat of potentially defeating TCP's
delayed ACK algorithm. Use of this option is generally not
recommended, but the variable exists in case your configuration really
needs it.
tcp.cwm
- If set to 1, enables use of the Hughes/Touch/Heidemann Congestion
Window Monitoring algorithm. This algorithm prevents line-rate bursts
of packets that could otherwise occur when data begins flowing on an
idle TCP connection. These line-rate bursts can contribute to network
and router congestion. This can be particularly useful on World Wide
Web servers which support HTTP/1.1, which has lingering
connections.
tcp.cwm_burstsize
- The Congestion Window Monitoring allowed burst size, in terms of
packet count.
tcp.delack_ticks
- Number of ticks to delay sending an ACK.
tcp.do_loopback_cksum
- Perform TCP checksum on loopback.
tcp.init_win
- A value indicating the TCP initial congestion window. The valid range
is 0 to 10 (maximum specified by RFC6928), with a default of 4
(approximately 4K per RFC3390).
tcp.init_win_local
- Like
tcp.init_win
, but used when communicating
with hosts on a local network.
tcp.keepcnt
- Number of keepalive probes sent before declaring a connection dead. If
set to zero, there is no limit; keepalives will be sent until some
kind of response is received from the peer.
tcp.keepidle
- Time a connection must be idle before keepalives are sent (if
keepalives are enabled for the connection). See also tcp.slowhz.
tcp.keepintvl
- Time after a keepalive probe is sent until, in the absence of any
response, another probe is sent. See also tcp.slowhz.
tcp.log_refused
- If set to 1, refused TCP connections to the host will be logged.
tcp.keepinit
- Timeout in seconds during connection establishment.
tcp.mss_ifmtu
- If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface. If set to 0, it is calculated
based on the greater of the MTU of the interface, and the largest
(non-loopback) interface MTU on the system.
tcp.mssdflt
- The default maximum segment size both advertised to the peer and to
use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
(
ip.mtudisc
) is disabled. Do not change this
value unless you really know what you are doing.
tcp.recvspace
- The default TCP receive buffer size.
tcp.rfc1323
- If set to 1, enables RFC 1323 extensions to TCP.
tcp.rstppslimit
- The variable specifies the maximum number of outgoing TCP RST packets,
per second. TCP RST packet that exceeded the value are subject to rate
limitation and will not go out from the node. Negative value disables
rate limitation.
tcp.ident
- Return the user ID of a connected socket pair. (RFC1413 Identification
Protocol lookups.)
tcp.drop
- Drop a TCP socket pair connection.
tcp.sack.enable
- If set to 1, enables RFC 2018 Selective ACKnowledgement.
tcp.sack.globalholes
- Global number of TCP SACK holes.
tcp.sack.globalmaxholes
- Global maximum number of TCP SACK holes.
tcp.sack.maxholes
- Maximum number of TCP SACK holes allowed per connection.
tcp.ecn.enable
- If set to 1, enables RFC 3168 Explicit Congestion Notification.
tcp.ecn.maxretries
- Number of times to retry sending the ECN-setup packet.
tcp.sendspace
- The default TCP send buffer size.
tcp.slowhz
- The units for tcp.keepidle and tcp.keepintvl; those variables are in
ticks of a clock that ticks tcp.slowhz times per second. (That is,
their values must be divided by the tcp.slowhz value to get times in
seconds.)
tcp.syn_bucket_limit
- The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
tcp.syn_cache_limit
- The maximum number of entries allowed in the TCP compressed state
engine.
tcp.timestamps
- If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp
options, used for measuring TCP round trip times, are enabled.
tcp.win_scale
- If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale
options, for increasing the TCP window size, are enabled.
tcp.congctl.available
- The available TCP congestion control algorithms.
tcp.congctl.selected
- The currently selected TCP congestion control algorithm.
tcp.abc.enable
- If set to 1, use RFC 3465 Appropriate Byte Counting (ABC). If set to
0, use traditional Packet Counting.
tcp.abc.aggressive
- Choose the L parameter found in RFC 3465. L is the maximum cwnd
increase for an ack during slow start. If set to 1, use L=2*SMSS. If
set to 0, use L=1*SMSS. It has no effect unless tcp.abc.enable is set
to 1.
udp.checksum
- If set to 1, UDP checksums are being computed. Received non-zero UDP
checksums are always checked. Disabling UDP checksums is strongly
discouraged.
udp.recvspace
- The default UDP receive buffer size.
udp.sendspace
- The default UDP send buffer size.
For variables net.*.ipsec, please refer to
ipsec(4).
net.inet6
(PF_INET6
)
- Get or set various global information about the IPv6 (Internet Protocol
version 6). The third level name is the protocol. The fourth level name is
the variable name. The currently defined protocols and names are:
Protocol |
Variable |
Type |
Changeable |
icmp6 |
errppslimit |
integer |
yes |
icmp6 |
mtudisc_hiwat |
integer |
yes |
icmp6 |
mtudisc_lowat |
integer |
yes |
icmp6 |
nd6_debug |
integer |
yes |
icmp6 |
nd6_delay |
integer |
yes |
icmp6 |
nd6_maxnudhint |
integer |
yes |
icmp6 |
nd6_mmaxtries |
integer |
yes |
icmp6 |
nd6_prune |
integer |
yes |
icmp6 |
nd6_umaxtries |
integer |
yes |
icmp6 |
nd6_useloopback |
integer |
yes |
icmp6 |
nodeinfo |
integer |
yes |
icmp6 |
rediraccept |
integer |
yes |
icmp6 |
redirtimeout |
integer |
yes |
ip6 |
accept_rtadv |
integer |
yes |
ip6 |
addctlpolicy |
struct in6_addrpolicy |
no |
ip6 |
anonportalgo.selected |
string |
yes |
ip6 |
anonportalgo.available |
string |
yes |
ip6 |
anonportalgo.reserve |
struct |
yes |
ip6 |
anonportmax |
integer |
yes |
ip6 |
anonportmin |
integer |
yes |
ip6 |
auto_flowlabel |
integer |
yes |
ip6 |
dad_count |
integer |
yes |
ip6 |
defmcasthlim |
integer |
yes |
ip6 |
forwarding |
integer |
yes |
ip6 |
gifhlim |
integer |
yes |
ip6 |
hashsize |
integer |
yes |
ip6 |
hlim |
integer |
yes |
ip6 |
hdrnestlimit |
integer |
yes |
ip6 |
kame_version |
string |
no |
ip6 |
keepfaith |
integer |
yes |
ip6 |
log_interval |
integer |
yes |
ip6 |
lowportmax |
integer |
yes |
ip6 |
lowportmin |
integer |
yes |
ip6 |
maxdynroutes |
integer |
yes |
ip6 |
maxifprefixes |
integer |
yes |
ip6 |
maxifdefrouters |
integer |
yes |
ip6 |
maxflows |
integer |
yes |
ip6 |
maxfragpackets |
integer |
yes |
ip6 |
maxfrags |
integer |
yes |
ip6 |
neighborgcthresh |
integer |
yes |
ip6 |
redirect |
integer |
yes |
ip6 |
rr_prune |
integer |
yes |
ip6 |
use_deprecated |
integer |
yes |
ip6 |
v6only |
integer |
yes |
udp6 |
do_loopback_cksum |
integer |
yes |
udp6 |
recvspace |
integer |
yes |
udp6 |
sendspace |
integer |
yes |
The variables are as follows:
ip6.accept_rtadv
- If set to non-zero, the node will accept ICMPv6 router advertisement
packets and autoconfigures address prefixes and default routers. The
node must be a host (not a router) for the option to be
meaningful.
ip6.anonportalgo.available
- The available RFC 6056 port randomization algorithms.
ip6.anonportalgo.reserve
- A bitmask of ports that will not be used during anonymous or
privileged port selection.
ip6.anonportalgo.selected
- The currently selected RFC 6056 port randomization algorithm.
ip6.anonportmax
- The highest port number to use for TCP and UDP ephemeral port
allocation. This cannot be set to less than 1024 or greater than
65535, and must be greater than
ip6.anonportmin
.
ip6.anonportmin
- The lowest port number to use for TCP and UDP ephemeral port
allocation. This cannot be set to less than 1024 or greater than
65535.
ip6.auto_flowlabel
- On connected transport protocol packets, fill IPv6 flowlabel field to
help intermediate routers to identify packet flows.
ip6.dad_count
- The variable configures number of IPv6 DAD (duplicated address
detection) probe packets. The packets will be generated when IPv6
interface addresses are configured.
ip6.defmcasthlim
- The default hop limit value for an IPv6 multicast packet sourced by
the node. This value applies to all the transport protocols on top of
IPv6. There are APIs to override the value, as documented in
ip6(4).
ip6.forwarding
- If set to 1, enables IPv6 forwarding for the node, meaning that the
node is acting as a router. If set to 0, disables IPv6 forwarding for
the node, meaning that the node is acting as a host. IPv6
specification defines node behavior for “router” case
and “host” case quite differently, and changing this
variable during operation may cause serious trouble. It is recommended
to configure the variable at bootstrap time, and bootstrap time
only.
ip6.gifhlim
- The maximum hop limit value for an IPv6 packet generated by
gif(4) tunnel
interface.
ip6.hdrnestlimit
- The number of IPv6 extension headers permitted on incoming IPv6
packets. If set to 0, the node will accept as many extension headers
as possible.
ip6.hashsize
- The size of IPv6 Fast Forward hash table. This value must be a power
of 2 (64, 256, ...). A larger hash table size results in fewer
collisions. Also see
ip6.maxflows
.
ip6.hlim
- The default hop limit value for an IPv6 unicast packet sourced by the
node. This value applies to all the transport protocols on top of
IPv6. There are APIs to override the value, as documented in
ip6(4).
ip6.kame_version
- The string identifies the version of KAME IPv6 stack implemented in
the kernel.
ip6.keepfaith
- If set to non-zero, it enables “FAITH” TCP relay
IPv6-to-IPv4 translator code in the kernel. Refer
faith(4) and
faithd(8) for
detail.
ip6.log_interval
- The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output (in
seconds).
ip6.lowportmax
- The highest port number to use for TCP and UDP reserved port
allocation. This cannot be set to less than 0 or greater than 1024,
and must be greater than
ip6.lowportmin
.
ip6.lowportmin
- The lowest port number to use for TCP and UDP reserved port
allocation. This cannot be set to less than 0 or greater than 1024,
and must be smaller than
ip6.lowportmax
.
ip6.maxdynroutes
- Maximum number of routes created by redirect. Set it to negative to
disable. The default value is 4096.
ip6.maxifprefixes
- Maximum number of prefixes created by route advertisements per
interface. Set it to negative to disable. The default value is
16.
ip6.maxifdefrouters
16
- Maximum number of default routers created by route advertisements per
interface. Set it to negative to disable. The default value is
16.
ip6.maxflows
- IPv6 Fast Forwarding is enabled by default. If set to 0, IPv6 Fast
Forwarding is disabled.
ip6.maxflows
controls
the maximum amount of flows which can be created. The default value is
256.
ip6.maxfragpackets
- The maximum number of fragmented packets the node will accept. 0 means
that the node will not accept any fragmented packets. -1 means that
the node will accept as many fragmented packets as it receives. The
flag is provided basically for avoiding possible DoS attacks.
ip6.maxfrags
- The maximum number of fragments the node will accept. 0 means that the
node will not accept any fragments. -1 means that the node will accept
as many fragments as it receives. The flag is provided basically for
avoiding possible DoS attacks.
ip6.neighborgcthresh
- Maximum number of entries in neighbor cache per interface. Set to
negative to disable. The default value is 2048.
ip6.redirect
- If set to 1, ICMPv6 redirects may be sent by the node. This option is
ignored unless the node is routing IP packets, and should normally be
enabled on all systems.
ip6.rr_prune
- The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
ip6.use_deprecated
- The variable controls use of deprecated address, specified in RFC 2462
5.5.4.
ip6.v6only
- The variable specifies initial value for
IPV6_V6ONLY
socket option for
AF_INET6
socket. Please refer to
ip6(4) for detail.
icmp6.errppslimit
- The variable specifies the maximum number of outgoing ICMPv6 error
messages, per second. ICMPv6 error messages that exceeded the value
are subject to rate limitation and will not go out from the node.
Negative value disables rate limitation.
icmp6.mtudisc_hiwat
-
icmp6.mtudisc_lowat
- The variables define the maximum number of routing table entries,
created due to path MTU discovery (prevents denial-of-service attacks
with ICMPv6 too big messages). When IPv6 path MTU discovery happens,
we keep path MTU information into the routing table. If the number of
routing table entries exceed the value, the kernel will not attempt to
keep the path MTU information.
icmp6.mtudisc_hiwat
is used when we have
verified ICMPv6 too big messages.
icmp6.mtudisc_lowat
is used when we have
unverified ICMPv6 too big messages. Verification is performed by using
address/port pairs kept in connected pcbs. Negative value disables the
upper limit.
icmp6.nd6_debug
- If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages. The debug outputs are useful to diagnose IPv6
interoperability issues. The flag must be set to 0 for normal
operation.
icmp6.nd6_delay
- The variable specifies
DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification (RFC 2461),
in seconds.
icmp6.nd6_maxnudhint
- IPv6 neighbor discovery permits upper layer protocols to supply
reachability hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor
discovery layer will take. For example, by setting the variable to 3,
neighbor discovery layer will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform normal
neighbor discovery process.
icmp6.nd6_mmaxtries
- The variable specifies
MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_prune
- The variable specifies interval between IPv6 neighbor cache
babysitting, in seconds.
icmp6.nd6_umaxtries
- The variable specifies
MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_useloopback
- If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
icmp6.nodeinfo
- The variable enables responses to ICMPv6 node information queries. If
you set the variable to 0, responses will not be generated for ICMPv6
node information queries. Since node information queries can have a
security impact, it is possible to fine tune which responses should be
answered. Two separate bits can be set.
- 1
- Respond to ICMPv6 FQDN queries, e.g.
ping6
-w
.
- 2
- Respond to ICMPv6 node addresses queries, e.g.
ping6 -a
.
icmp6.rediraccept
- If set to non-zero, the host will accept ICMPv6 redirect packets. Note
that IPv6 routers will never accept ICMPv6 redirect packets, and the
variable is meaningful on IPv6 hosts (non-router) only.
icmp6.redirtimeout
- The variable specifies lifetime of routing entries generated by
incoming ICMPv6 redirect.
udp6.do_loopback_cksum
- Perform UDP checksum on loopback.
udp6.recvspace
- Default UDP receive buffer size.
udp6.sendspace
- Default UDP send buffer size.
We reuse net.*.tcp for TCP over IPv6, and therefore we do not
have variables net.*.tcp6. Variables net.inet6.udp6 have identical
meaning to net.inet.udp. Please refer to PF_INET
section above. For variables net.*.ipsec6, please refer to
ipsec(4).
net.key
(PF_KEY
)
- Get or set various global information about the IPsec key management. The
third level name is the variable name. The currently defined variable and
names are:
Variable |
Type |
Changeable |
debug |
integer |
yes |
enabled |
integer |
yes |
used |
integer |
no |
spi_try |
integer |
yes |
spi_min_value |
integer |
yes |
spi_max_value |
integer |
yes |
larval_lifetime |
integer |
yes |
blockacq_count |
integer |
yes |
blockacq_lifetime |
integer |
yes |
esp_keymin |
integer |
yes |
esp_auth |
integer |
yes |
ah_keymin |
integer |
yes |
The variables are as follows:
debug
- Turn on debugging message from within the kernel. The value is a
bitmap, as defined in
<netipsec/key_debug.h>
.
enabled
- Control processing of IPsec control messages.
- 0
- Never allow IPsec processing
- 1
- Allow IPsec processing when SPD policies are present.
- 2
- Force IPsec processing even when SPD policies are not
present.
used
- Based on if IPsec is enabled, and SPD rule existence, show if IPsec is
being used. Note that currently once IPsec is being used, it cannot be
disabled.
spi_try
- The number of times the kernel will try to obtain an unique SPI when
it generates it from random number generator.
spi_min_value
- Minimum SPI value when generating it within the kernel.
spi_max_value
- Maximum SPI value when generating it within the kernel.
larval_lifetime
- Lifetime for LARVAL SAD entries, in seconds.
blockacq_count
- Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE
message. It avoids flood of ACQUIRE PF_KEY from being sent from the
kernel to the key management daemon.
blockacq_lifetime
- Lifetime of ACQUIRE PF_KEY message.
esp_keymin
- Minimum ESP key length, in bits. The value is used when the kernel
creates proposal payload on ACQUIRE PF_KEY message.
esp_auth
- Whether ESP authentication should be used or not. Non-zero value
indicates that ESP authentication should be used. The value is used
when the kernel creates proposal payload on ACQUIRE PF_KEY
message.
ah_keymin
- Minimum AH key length, in bits, The value is used when the kernel
creates proposal payload on ACQUIRE PF_KEY message.
net.local
(PF_LOCAL
)
- Get or set various global information about
AF_LOCAL
type sockets. For some variables, the
third level name is the variable name:
Variable |
Type |
Changeable |
inflight |
integer |
no |
deferred |
integer |
no |
The variables are as follows:
inflight
- The number of file descriptors currently passed between processes,
“in flight”.
deferred
- The number of file descriptors passed between processes that have been
deferred for cleanup by a kernel task.
Other variables are specific to a socket type:
Socket Type |
Sy Variable |
Type |
Changeable |
dgram |
pcblist |
struct |
no |
dgram |
recvspace |
integer |
yes |
dgram |
sendspace |
integer |
yes |
seqpacket |
pcblist |
struct |
no |
stream |
pcblist |
struct |
no |
stream |
recvspace |
integer |
yes |
stream |
sendspace |
integer |
yes |
The variables are as follows:
dgram.pcblist
- The Protocol Control Block list structure for datagram sockets. Parsed
by netstat(1) or
sockstat(1).
dgram.recvspace
- The default datagram receive buffer size.
dgram.sendspace
- The default datagram send buffer size.
seqpacket.pcblist
- The Protocol Control Block list structure for Sequential Packet
sockets. Parsed by
netstat(1) or
sockstat(1).
stream.pcblist
- The Protocol Control Block list structure for stream sockets. Parsed
by netstat(1) or
sockstat(1).
stream.recvspace
- The default stream receive buffer size.
stream.sendspace
- The default stream send buffer size.
The string and integer information available for the
proc
level is detailed below. The changeable column
shows whether a process with appropriate privilege may change the value. These
values are per-process, and as such may change from one process to another.
When a process is created, the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the value of
PROC_PID_CORENAME is reset to the system default value. The second level name
is either the magic value PROC_CURPROC, which points to the current process,
or the PID of the target process.
Third level name |
Type |
Changeable |
proc.pid.corename |
string |
yes |
proc.pid.rlimit |
node |
not applicable |
proc.pid.stopfork |
int |
yes |
proc.pid.stopexec |
int |
yes |
proc.pid.stopexit |
int |
yes |
proc.pid.paxflags |
int |
no |
proc.pid.corename
(PROC_PID_CORENAME
)
- The template used for the core dump file name (see
core(5) for details). The base
name must either be core or end with the suffix
.core (the super-user may set arbitrary names). By
default it points to
KERN_DEFCORENAME
.
proc.pid.rlimit
(PROC_PID_LIMIT
)
- Return resources limits, as defined for the
getrlimit(2) and
setrlimit(2) system
calls. The fourth level name is one of:
proc.pid.rlimit.cputime
(PROC_PID_LIMIT_CPU
)
- The maximum amount of CPU time (in seconds) to be used by each
process.
proc.pid.rlimit.filesize
(PROC_PID_LIMIT_FSIZE
)
- The largest size (in bytes) file that may be created.
proc.pid.rlimit.datasize
(PROC_PID_LIMIT_DATA
)
- The maximum size (in bytes) of the data segment for a process; this
defines how far a program may extend its break with the
sbrk(2) system call.
proc.pid.rlimit.stacksize
(PROC_PID_LIMIT_STACK
)
- The maximum size (in bytes) of the stack segment for a process; this
defines how far a program's stack segment may be extended. Stack
extension is performed automatically by the system.
proc.pid.rlimit.coredumpsize
(PROC_PID_LIMIT_CORE
)
- The largest size (in bytes) core file that may
be created.
proc.pid.rlimit.memoryuse
(PROC_PID_LIMIT_RSS
)
- The maximum size (in bytes) to which a process's resident set size may
grow. This imposes a limit on the amount of physical memory to be
given to a process; if memory is tight, the system will prefer to take
memory from processes that are exceeding their declared resident set
size.
proc.pid.rlimit.memorylocked
(PROC_PID_LIMIT_MEMLOCK
)
- The maximum size (in bytes) which a process may lock into memory using
the mlock(2)
function.
proc.pid.rlimit.maxproc
(PROC_PID_LIMIT_NPROC
)
- The maximum number of simultaneous processes for this user id.
proc.pid.rlimit.descriptors
(PROC_PID_LIMIT_NOFILE
)
- The maximum number of open files for this process.
proc.pid.rlimit.sbsize
(PROC_PID_LIMIT_SBSIZE
)
- The maximum size (in bytes) of the socket buffers set by the
setsockopt(2)
SO_RCVBUF
and
SO_SNDBUF
options.
proc.pid.rlimit.vmemoryuse
(PROC_PID_LIMIT_AS
)
- The maximum size (in bytes) which a process can obtain.
proc.pid.rlimit.maxlwp
(PROC_PID_LIMIT_NTHR
)
- The maximum number of threads that cen be created and running at one
time in the process. The first thread of each process is not counted
against this.
The fifth level name is one of soft
(PROC_PID_LIMIT_TYPE_SOFT
) or
hard
(PROC_PID_LIMIT_TYPE_HARD
), to select
respectively the soft or hard limit. Both are of type integer.
proc.pid.stopfork
(PROC_PID_STOPFORK
)
- If non zero, the process' children will be stopped after
fork(2) calls. The children
are created in the SSTOP state and are never scheduled for running before
being stopped. This feature enables attaching to a process with a debugger
such as gdb(1) before the
process has the opportunity to actually do anything.
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such
as sproc
() or
clone
().
proc.pid.stopexec
(PROC_PID_STOPEXEC
)
- If non zero, the process will be stopped on the next
exec(3) call. The process
created by exec(3) is created
in the SSTOP state and is never scheduled for running before being
stopped. This feature enables attaching to a process with a debugger such
as gdb(1) before the process
has the opportunity to actually do anything.
This value is inherited by the process's children.
proc.pid.stopexit
(PROC_PID_STOPEXIT
)
- If non zero, the process will be stopped when it has cause to exit, either
by way of calling exit(3),
_exit(2), or by the receipt
of a specific signal. The process is stopped before any of its resources
or vm space is released allowing examination of the termination state of
the process before it disappears. This feature can be used to examine the
final conditions of the process's vmspace via
pmap(1) or its resource
settings with sysctl(8)
before it disappears.
This value is also inherited by the process's children.
proc.pid.paxflags
(PROC_PID_PAXFLAGS
)
- This read-only variable returns the current value of the process's pax
flags (see paxctl(8)).
The user.* subtree (CTL_USER
)
The string and integer information available for the
user
level is detailed below. The changeable column
shows whether a process with appropriate privilege may change the value.
Second level name |
Type |
Changeable |
user.atexit_max |
integer |
no |
user.bc_base_max |
integer |
no |
user.bc_dim_max |
integer |
no |
user.bc_scale_max |
integer |
no |
user.bc_string_max |
integer |
no |
user.coll_weights_max |
integer |
no |
user.cs_path |
string |
no |
user.expr_nest_max |
integer |
no |
user.line_max |
integer |
no |
user.posix2_c_bind |
integer |
no |
user.posix2_c_dev |
integer |
no |
user.posix2_char_term |
integer |
no |
user.posix2_fort_dev |
integer |
no |
user.posix2_fort_run |
integer |
no |
user.posix2_localedef |
integer |
no |
user.posix2_sw_dev |
integer |
no |
user.posix2_upe |
integer |
no |
user.posix2_version |
integer |
no |
user.re_dup_max |
integer |
no |
user.stream_max |
integer |
no |
user.stream_max |
integer |
no |
user.tzname_max |
integer |
no |
user.atexit_max
(USER_ATEXIT_MAX
)
- The maximum number of functions that may be registered with
atexit(3).
user.bc_base_max
(USER_BC_BASE_MAX
)
- The maximum ibase/obase values in the
bc(1) utility.
user.bc_dim_max
(USER_BC_DIM_MAX
)
- The maximum array size in the
bc(1) utility.
user.bc_scale_max
(USER_BC_SCALE_MAX
)
- The maximum scale value in the
bc(1) utility.
user.bc_string_max
(USER_BC_STRING_MAX
)
- The maximum string length in the
bc(1) utility.
user.coll_weights_max
(USER_COLL_WEIGHTS_MAX
)
- The maximum number of weights that can be assigned to any entry of the
LC_COLLATE order keyword in the locale definition file.
user.cs_path
(USER_CS_PATH
)
- Return a value for the
PATH
environment variable
that finds all the standard utilities.
user.expr_nest_max
(USER_EXPR_NEST_MAX
)
- The maximum number of expressions that can be nested within parenthesis by
the expr(1) utility.
user.line_max
(USER_LINE_MAX
)
- The maximum length in bytes of a text-processing utility's input
line.
user.posix2_char_term
(USER_POSIX2_CHAR_TERM
)
- Return 1 if the system supports at least one terminal type capable of all
operations described in IEEE Std 1003.2
(“POSIX.2”), otherwise 0.
user.posix2_c_bind
(USER_POSIX2_C_BIND
)
- Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise 0.
user.posix2_c_dev
(USER_POSIX2_C_DEV
)
- Return 1 if the system supports the C-Language Development Utilities
Option, otherwise 0.
user.posix2_fort_dev
(USER_POSIX2_FORT_DEV
)
- Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise 0.
user.posix2_fort_run
(USER_POSIX2_FORT_RUN
)
- Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise 0.
user.posix2_localedef
(USER_POSIX2_LOCALEDEF
)
- Return 1 if the system supports the creation of locales,
otherwise 0.
user.posix2_sw_dev
(USER_POSIX2_SW_DEV
)
- Return 1 if the system supports the Software Development Utilities Option,
otherwise 0.
user.posix2_upe
(USER_POSIX2_UPE
)
- Return 1 if the system supports the User Portability Utilities Option,
otherwise 0.
user.posix2_version
(USER_POSIX2_VERSION
)
- The version of IEEE Std 1003.2
(“POSIX.2”) with which the system attempts to
comply.
user.re_dup_max
(USER_RE_DUP_MAX
)
- The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
user.stream_max
(USER_STREAM_MAX
)
- The minimum maximum number of streams that a process may have open at any
one time.
user.tzname_max
(USER_TZNAME_MAX
)
- The minimum maximum number of types supported for the name of a
timezone.
The vm.* subtree (CTL_VM
)
The string and integer information available for the vm
level is detailed below. The changeable column shows whether a process with
appropriate privilege may change the value.
Second level name |
Type |
Changeable |
vm.anonmax |
int |
yes |
vm.anonmin |
int |
yes |
vm.bufcache |
int |
yes |
vm.bufmem |
int |
no |
vm.bufmem_hiwater |
int |
yes |
vm.bufmem_lowater |
int |
yes |
vm.execmax |
int |
yes |
vm.execmin |
int |
yes |
vm.filemax |
int |
yes |
vm.filemin |
int |
yes |
vm.loadavg |
struct loadavg |
no |
vm.maxslp |
int |
no |
vm.nkmempages |
int |
no |
vm.uspace |
int |
no |
vm.uvmexp |
struct uvmexp |
no |
vm.uvmexp2 |
struct uvmexp_sysctl |
no |
vm.vmmeter |
struct vmtotal |
no |
vm.proc.map |
struct kinfo_vmentry |
no |
vm.guard_size |
unsigned int |
no |
vm.thread_guard_size |
unsigned int |
yes |
vm.anonmax
(VM_ANONMAX
)
- The percentage of physical memory which will be reclaimed from other types
of memory usage to store anonymous application data.
vm.anonmin
(VM_ANONMIN
)
- The percentage of physical memory which will be always be available for
anonymous application data.
vm.bufcache
(VM_BUFCACHE
)
- The percentage of physical memory which will be available for the buffer
cache.
vm.bufmem
(VM_BUFMEM
)
- The amount of kernel memory that is being used by the buffer cache.
vm.bufmem_lowater
(VM_BUFMEM_LOWATER
)
- The minimum amount of kernel memory to reserve for the buffer cache.
vm.bufmem_hiwater
(VM_BUFMEM_HIWATER
)
- The maximum amount of kernel memory to be used for the buffer cache.
vm.execmax
(VM_EXECMAX
)
- The percentage of physical memory which will be reclaimed from other types
of memory usage to store cached executable data.
vm.execmin
(VM_EXECMIN
)
- The percentage of physical memory which will be always be available for
cached executable data.
vm.filemax
(VM_FILEMAX
)
- The percentage of physical memory which will be reclaimed from other types
of memory usage to store cached file data.
vm.filemin
(VM_FILEMIN
)
- The percentage of physical memory which will be always be available for
cached file data.
vm.loadavg
(VM_LOADAVG
)
- Return the load average history. The returned data consists of a
struct loadavg.
vm.maxslp
(VM_MAXSLP
)
- The value of the maxslp kernel global variable.
vm.vmmeter
(VM_METER
)
- Return system wide virtual memory statistics. The returned data consists
of a struct vmtotal.
- vm.user_va0_disable
- A flag which controls whether user processes can map virtual
address 0.
vm.proc.map
(VM_PROC
)
- The third level is
VM_PROC_MAP
, the fourth is the
pid of the process to display the vm object entries for, and the fifth is
the size of struct kinfo_vmentry. Returns an array
of struct kinfo_vmentry objects.
vm.uspace
(VM_USPACE
)
- The number of bytes allocated for each kernel stack.
vm.uvmexp
(VM_UVMEXP
)
- Return system wide virtual memory statistics. The returned data consists
of a struct uvmexp.
vm.uvmexp2
(VM_UVMEXP2
)
- Return system wide virtual memory statistics. The returned data consists
of a struct uvmexp_sysctl.
vm.guard_size
- Return system wide guard size for the main thread of a program.
vm.thread_guard_size
- Return system wide default size for the guard area of all other threads of
a program.
The ddb.* subtree (CTL_DDB
)
The information available for the ddb
level is detailed
below. The changeable column shows whether a process with appropriate
privilege may change the value.
Second level name |
Type |
Changeable |
ddb.commandonenter |
string |
yes |
ddb.dumpstack |
integer |
yes |
ddb.fromconsole |
integer |
yes |
ddb.lines |
integer |
yes |
ddb.maxoff |
integer |
yes |
ddb.maxwidth |
integer |
yes |
ddb.onpanic |
integer |
yes |
ddb.panicstackframes |
integer |
yes |
ddb.radix |
integer |
yes |
ddb.tabstops |
integer |
yes |
ddb.tee_msgbuf |
integer |
yes |
ddb.commandonenter
- If not empty, the string is used as the DDB command to be executed each
time DDB is entered.
ddb.dumpstack
- A value of 1 causes a stack trace to be printed on entering ddb from a
panic. A value of 0 disables this behaviour. The default value is 1.
ddb.fromconsole
(DDBCTL_FROMCONSOLE
)
- If not zero, DDB may be entered by sending a break on a serial console or
by a special key sequence on a graphics console.
ddb.lines
(DDBCTL_LINES
)
- Number of display lines.
ddb.maxoff
(DDBCTL_MAXOFF
)
- The maximum symbol offset.
ddb.maxwidth
(DDBCTL_MAXWIDTH
)
- The maximum output line width.
ddb.onpanic
(DDBCTL_ONPANIC
)
- If greater than zero, DDB will be entered if the kernel panics. A value of
1 causes the system to enter DDB on panic. A value of 0 causes the kernel
to attempt to print a stack trace, then reboot, while a value of -1 means
neither a stack trace will be printed nor DDB entered.
ddb.panicstackframes
- Number of stack frames to display on panic. Useful to avoid scrolling away
the interesting frames on a glass tty. Default value is
65535
(all frames), useful value around
10
.
ddb.radix
(DDBCTL_RADIX
)
- The input and output radix.
ddb.tabstops
(DDBCTL_TABSTOPS
)
- Tab width.
ddb.tee_msgbuf
- If not zero, DDB will output also to the kernel message buffer.
Some of these MIB nodes are also available as variables from
within the debugger. See ddb(4)
for more details.
The security.* subtree
(CTL_SECURITY
)
The security
level contains various security-related
settings for the system. The available second level names are:
Available settings are detailed below.
security.curtain
- If non-zero, will filter return objects according to the user ID
requesting information about them, preventing users from accessing any
objects they do not own.
At the moment, it affects
ps(1),
netstat(1) (for
PF_INET
, PF_INET6
, and
PF_UNIX
PCBs), and
w(1).
security.models
- NetBSD supports pluggable security models. Every
security model used, whether if loaded as a module or built with the
system, is required to add an entry to this node with at least one
element, “name”, indicating the name of the security model.
In addition to the name, any settings and other information
private to the security model will be available under this node. See
secmodel(9) for more
information.
security.pax
- Settings for PaX — exploit mitigation features. For more
information on any of the PaX features, please see
paxctl(8) and
security(7). The available
third and fourth level names are:
security.pax.aslr.enabled
- Enable PaX ASLR (Address Space Layout Randomization).
The value of this knob must be non-zero for PaX ASLR to be
enabled, even if a program is set to explicit enable.
security.pax.aslr.global
- Specifies the default global policy for programs without an explicit
enable/disable flag.
When non-zero, all programs will get PaX ASLR, except
those exempted with
paxctl(8). Otherwise,
all programs will not get PaX ASLR, except those specifically marked
as such with
paxctl(8).
security.pax.mprotect.enabled
- Enable PaX MPROTECT restrictions.
These are
mprotect(2)
restrictions to better enforce a W^X policy. The value of this knob
must be non-zero for PaX MPROTECT to be enabled, even if a program
is set to explicit enable.
security.pax.mprotect.global
- Specifies the default global policy for programs without an explicit
enable/disable flag.
When non-zero, all programs will get the PaX MPROTECT
restrictions, except those exempted with
paxctl(8). Otherwise,
all programs will not get the PaX MPROTECT restrictions, except
those specifically marked as such with
paxctl(8).
security.pax.mprotect.ptrace
- This variable allows
ptrace(2) to override
PaX MPROTECT permissions. It can have the following values:
- 0
- Does not let override any permissions.
- 1
- Disables PaX MPROTECT from processes that start executing while
traced (default).
- 2
- Bypasses PaX MPROTECT for all processes being traced.
security.pax.segvguard.enabled
- Enable PaX Segvguard.
PaX Segvguard can detect and prevent certain exploitation
attempts, where an attacker may try for example to brute-force
function return addresses of respawning daemons.
Note: The NetBSD
interface and implementation of the Segvguard is still experimental,
and may change in future releases.
security.pax.segvguard.expiry_timeout
- If the max number was not reached within this timeout (in seconds),
the entry will expire.
security.pax.segvguard.global
- Specifies the default global policy for programs without an explicit
enable/disable flag.
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
paxctl(8). Otherwise,
no program will get the PaX Segvguard restrictions, except those
specifically marked as such with
paxctl(8).
security.pax.segvguard.max_crashes
- The maximum number of segfaults a program can receive before
suspension.
security.pax.segvguard.suspend_timeout
- Number of seconds to suspend a user from running a faulting program
when the limit was exceeded.
The vendor.* subtree (CTL_VENDOR
)
The vendor
toplevel name is reserved to be used by
vendors who wish to have their own private MIB tree. Intended use is to store
values under “vendor.<yourname>.*”.
The sysctl
variables first appeared in
4.4BSD.