NetBSD/share/man/man7/sysctl.7

2781 lines
95 KiB
Groff

.\" $NetBSD: sysctl.7,v 1.139.2.1 2019/11/18 19:45:00 martin Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd June 1, 2019
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits
.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory
.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem
.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking
.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging
.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent
.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level
.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger
.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process
.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without need to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( Dv VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( Dv VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT )
Determines if non superuser mounts are allowed, defaults to
.Dv 0 .
.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS )
Controls if expansion of variables is going to be performed on pathnames
or not.
Defaults to no variable expansion,
.Dv 0 .
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
A second level name for controlling the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journalling)
capabilities with the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and it should always be on to ensure integrity
of file system metadata in the event of a power loss.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes integer no
.It hw.byteorder integer no
.It hw.cnmagic string yes
.It hw.disknames string no
.It hw.diskstats struct no
.It hw.machine string no
.It hw.machine_arch string no
.It hw.model string no
.It hw.ncpu integer no
.It hw.ncpuonline integer no
.It hw.pagesize integer no
.It hw.physmem integer no
.It hw.physmem64 quad no
.It hw.usermem integer no
.It hw.usermem64 quad no
.El
.Bl -tag -width "123456"
.It Li hw.alignbytes ( Dv HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( Dv HW_BYTEORDER )
The byteorder (4321, or 1234).
.It Li hw.cnmagic ( Dv HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( Dv HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( Dv HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( Dv HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl .
Which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( Dv HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( Dv HW_MODEL )
The machine model.
.It Li hw.ncpu ( Dv HW_NCPU )
The number of CPUs configured.
.It Li hw.ncpuonline ( Dv HW_NCPUONLINE )
The number of CPUs online.
.It Li hw.pagesize ( Dv HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( Dv HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( Dv HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( Dv HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( Dv HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max integer yes
.It kern.aio_max integer yes
.It kern.arandom integer no
.It kern.argmax integer no
.It kern.boothowto integer no
.It kern.boottime struct timespec no
.It kern.buildinfo string no
.\".It kern.bufq node not applicable
.It kern.ccpu integer no
.It kern.clockrate struct clockinfo no
.It kern.consdev integer no
.It kern.coredump node not applicable
.It kern.cp_id struct no
.It kern.cp_time uint64_t[\|] no
.It kern.cryptodevallowsoft integer yes
.It kern.defcorename string yes
.It kern.detachall integer yes
.It kern.domainname string yes
.It kern.drivers struct kinfo_drivers no
.It kern.dump_on_panic integer yes
.It kern.expose_address integer yes
.It kern.file struct file no
.It kern.forkfsleep integer yes
.It kern.fscale integer no
.It kern.fsync integer no
.It kern.hardclock_ticks integer no
.It kern.hostid integer yes
.It kern.hostname string yes
.It kern.iov_max integer no
.It kern.ipc node not applicable
.It kern.job_control integer no
.It kern.labeloffset integer no
.It kern.labelsector integer no
.It kern.login_name_max integer no
.It kern.logsigexit integer yes
.It kern.mapped_files integer no
.It kern.maxfiles integer yes
.It kern.maxlwp integer yes
.It kern.maxpartitions integer no
.It kern.maxphys integer no
.It kern.maxproc integer yes
.It kern.maxptys integer yes
.It kern.maxvnodes integer yes
.It kern.messages integer yes
.It kern.mbuf node not applicable
.It kern.memlock integer no
.It kern.memlock_range integer no
.It kern.memory_protection integer no
.It kern.module node not applicable
.It kern.monotonic_clock integer no
.It kern.mqueue node not applicable
.It kern.msgbuf integer no
.It kern.msgbufsize integer no
.It kern.ngroups integer no
.\".It kern.no_sa_support integer yes
.It kern.ntptime struct ntptimeval no
.It kern.osrelease string no
.It kern.osrevision integer no
.It kern.ostype string no
.\".It kern.panic_now integer yes
.It kern.pipe node not applicable
.It kern.pool struct pool_sysctl no
.\" .It kern.posix node not applicable
.It kern.posix1version integer no
.It kern.posix_aio integer no
.It kern.posix_barriers integer no
.It kern.posix_reader_writer_locks integer no
.\".It kern.posix_sched integer yes
.It kern.posix_semaphores integer no
.It kern.posix_spin_locks integer no
.It kern.posix_threads integer no
.It kern.posix_timers integer no
.It kern.proc struct kinfo_proc no
.It kern.proc2 struct kinfo_proc2 no
.It kern.proc_args string no
.It kern.profiling node not applicable
.\".It kern.pset node not applicable
.It kern.rawpartition integer no
.It kern.root_device string no
.It kern.root_partition integer no
.It kern.rtc_offset integer yes
.It kern.saved_ids integer no
.It kern.sbmax integer yes
.It kern.sched node not applicable
.It kern.securelevel integer raise only
.It kern.somaxkva integer yes
.It kern.sooptions integer yes
.It kern.synchronized_io integer no
.It kern.timecounter node not applicable
.It kern.timex struct no
.It kern.tkstat node not applicable
.It kern.tty node not applicable
.It kern.urandom integer no
.It kern.usercrypto integer yes
.It kern.userasymcrypto integer yes
.It kern.veriexec node not applicable
.It kern.version string no
.It kern.vnode struct vnode no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous I/O operations in a single list
I/O call.
Like with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom ( Dv KERN_ARND )
This variable returns up to 256 bytes of random data.
Multiple queries can be used to obtain an infinite amount of
non-blocking cryptographically secure random data.
The used random number generator
.Pf ( RNG )
is based on
.Xr arc4random 3 .
.It Li kern.argmax ( Dv KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( Dv KERN_BOOTTIME )
A
.Vt struct timespec
structure is returned.
This structure contains the time that the system was booted.
That time is defined (for this purpose) to be the time at
which the kernel first started accumulating clock ticks.
.It Li kern.bufq
This variable contains information on the
.Xr bufq 9
subsystem.
Currently, the only third level name implemented is
.Dv kern.bufq.strategies
which provides a list of buffer queue strategies currently available.
.It Li kern.buildinfo
When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
.It Li kern.ccpu ( Dv KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( Dv KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( Dv KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to set-id processes coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allows an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump integer yes
.It kern.coredump.setid.group integer yes
.It kern.coredump.setid.mode integer yes
.It kern.coredump.setid.owner integer yes
.It kern.coredump.setid.path string yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved to.
Same syntax as kern.defcorename.
.El
.It Li kern.cp_id ( Dv KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( Dv KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s .
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv < 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv > 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( Dv KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( Dv KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( Dv KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.expose_address
Expose kernel addresses in
.Xr sysctl 3
calls used by
.Xr fstat 1
and
.Xr sockstat 1 .
If it is set to
.Dv 0
access is not allowed.
If it is set to
.Dv 1
then only processes that have opened
.Pa /dev/kmem
can have access.
If it is set to
.Dv 2
every process is allowed.
Defaults to
.Dv 0
for
.Dv KASLR
kernels
and
.Dv 1
otherwise.
Allowing general access renders KASLR ineffective; allowing only kmem
accessing programs weakens KASLR if those programs can be subverted
to leak the addresses.
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( Dv KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP )
If
.Xr fork 2
system call fails due to limit on number of processes (either
the global maxproc limit or user's one), wait for this many
milliseconds before returning
.Er EAGAIN
error to process.
Useful to keep heavily forking runaway processes in bay.
Default zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( Dv KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( Dv KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hist
This variable contains kernel history data if the kernel was
configured for any of the options
.Dv UVHMIST ,
.Dv USB_DEBUG ,
.Dv BIOHIST ,
or
.Dv SCDEBUG .
(See
.Xr options 4
for more details.)
The third-level names correspond to each available history table.
The values of the history tables are in an internal format, and can be
decoded by the
.Xr vmstat 1
utility's
.Fl U
and
.Fl u
options;
the
.Fl l
option can be used to see which tables are available.
.It Li kern.hostid ( Dv KERN_HOSTID )
Get or set the host identifier.
This is aimed to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( Dv KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( Dv KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( Dv KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg integer no
.It kern.ipc.sysvsem integer no
.It kern.ipc.sysvshm integer no
.It kern.ipc.sysvipc_info struct no
.It kern.ipc.shmmax integer yes
.It kern.ipc.shmmni integer yes
.It kern.ipc.shmseg integer yes
.It kern.ipc.shmmaxpgs integer yes
.It kern.ipc.shm_use_phys integer yes
.It kern.ipc.msgmni integer yes
.It kern.ipc.msgseg integer yes
.It kern.ipc.semmni integer yes
.It kern.ipc.semmns integer yes
.It kern.ipc.semmnu integer yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM )
Returns 1 if System V style share memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info
.El
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of number of message segments.
.It Li kern.ipc.semmni
Max number of number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
.It Li kern.job_control ( Dv KERN_JOB_CONTROL )
Return 1 if job control is available on this system, otherwise\ 0.
.It Li kern.labeloffset ( Dv KERN_LABELOFFSET )
The offset within the sector specified by
.Dv KERN_LABELSECTOR
of the
.Xr disklabel 5 .
.It Li kern.labelsector ( Dv KERN_LABELSECTOR )
The sector number containing the
.Xr disklabel 5 .
.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX )
The size of the storage required for a login name, in bytes,
including the terminating NUL.
.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT )
If this flag is non-zero, the kernel will
.Xr log 9
all process exits due to signals which create a
.Xr core 5
file, and whether the coredump was created.
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES )
Returns 1 if the
.St -p1003.1b-93
Memory Mapped Files Option is available on this system,
otherwise\ 0.
.It Li kern.maxfiles ( Dv KERN_MAXFILES )
The maximum number of open files that may be open in the system.
.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS )
The maximum number of partitions allowed per disk.
.It Li kern.maxlwp
The maximum number of Lightweight Processes (threads) the system allows
per uid.
.It Li kern.maxphys ( Dv KERN_MAXPHYS )
Maximum raw I/O transfer size.
.It Li kern.maxproc ( Dv KERN_MAXPROC )
The maximum number of simultaneous processes the system will allow.
.It Li kern.maxptys ( Dv KERN_MAXPTYS )
The maximum number of pseudo terminals.
This value can be both raised and lowered, though it cannot
be set lower than number of currently used ptys.
See also
.Xr pty 4 .
.It Li kern.maxvnodes ( Dv KERN_MAXVNODES )
The maximum number of vnodes available on the system.
This can only be raised.
.It Li kern.mbuf ( Dv KERN_MBUF )
Return information about the mbuf control variables.
Mbufs are data structures which store network packets and other data
structures in the networking code, see
.Xr mbuf 9 .
The third level names for the mbuf variables are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.\" XXX Changeable? really?
.It kern.mbuf.mblowat integer yes
.It kern.mbuf.mclbytes integer yes
.It kern.mbuf.mcllowat integer yes
.It kern.mbuf.msize integer yes
.It kern.mbuf.nmbclusters integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT )
The mbuf low water mark.
.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES )
The mbuf cluster size.
.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT )
The mbuf cluster low water mark.
.It Li kern.mbuf.msize ( Dv MBUF_MSIZE )
The mbuf base size.
.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS )
The limit on the number of mbuf clusters.
The variable can only be increased, and only increased on machines with
direct-mapped pool pages.
.El
.It Li kern.memlock ( Dv KERN_MEMLOCK )
Returns 1 if the
.St -p1003.1b-93
Process Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE )
Returns 1 if the
.St -p1003.1b-93
Range Memory Locking Option is available on this system,
otherwise\ 0.
.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION )
Returns 1 if the
.St -p1003.1b-93
Memory Protection Option is available on this system,
otherwise\ 0.
.It Li kern.messages
Kernel console message verbosity.
See
.Aq Pa sys/reboot.h
.Bl -column "verbosity" "setting" -offset indent
.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent
.It 0 Ta Silent Ta Sy AB_SILENT
.It 1 Ta Quiet Ta Sy AB_QUIET
.It 2 Ta Normal Ta Sy AB_NORMAL
.It 3 Ta Verbose Ta Sy AB_VERBOSE
.It 4 Ta Debug Ta Sy AB_DEBUG
.El
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload integer yes
.It kern.module.autotime integer yes
.It kern.module.verbose boolean yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for additional details.
.It Li kern.module.autotime
An integer that controls the delay before an attempt is made to
automatically unload a module that was auto-loaded.
Setting this value to zero disables the auto-unload function.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK )
Returns the standard version the implementation of the
.St -p1003.1b-93
Monotonic Clock Option conforms to,
otherwise\ 0.
.It Li kern.mqueue
Settings related to POSIX message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max integer yes
.It kern.mqueue.mq_prio_max integer yes
.It kern.mqueue.mq_max_msgsize integer yes
.It kern.mqueue.mq_def_maxmsg integer yes
.It kern.mqueue.mq_max_maxmsg integer yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( Dv KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( Dv KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( Dv KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( Dv KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( Dv KERN_OSREV )
The system revision string.
.It Li kern.ostype ( Dv KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( Dv KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz integer yes
.It kern.pipe.maxbigpipes integer yes
.It kern.pipe.maxkvasz integer yes
.It kern.pipe.limitkva integer yes
.It kern.pipe.nbigpipes integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.It Li kern.pool
Provides statistics about the
.Xr pool 9
and
.Xr pool_cache 9
subsystems.
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( Dv KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( Dv KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is :
.It KERN_PROC_ALL None
.It KERN_PROC_GID A group ID
.It KERN_PROC_PID A process ID
.It KERN_PROC_PGRP A process group
.It KERN_PROC_RGID A real group ID
.It KERN_PROC_RUID A real user ID
.It KERN_PROC_SESSION A session ID
.It KERN_PROC_TTY A tty device
.It KERN_PROC_UID A user ID
.El
.It Li kern.proc2 ( Dv KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures are returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( Dv KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent
.It Dv KERN_PROC_ARGV The argv strings
.It Dv KERN_PROC_ENV The environ strings
.It Dv KERN_PROC_NARGV The number of argv strings
.It Dv KERN_PROC_NENV The number of environ strings
.It Dv KERN_PROC_PATHNAME The full pathname of the executable
.It Dv KERN_PROC_CWD The current working directory
.El
.It Li kern.profiling ( Dv KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.profiling.count u_short[\|] yes
.It kern.profiling.froms u_short[\|] yes
.It kern.profiling.gmonparam struct gmonparam no
.It kern.profiling.state integer yes
.It kern.profiling.tos struct tostruct yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( Dv GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( Dv GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparams ( Dv GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( Dv GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( Dv GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( Dv KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( Dv KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET )
Return the offset of real time clock from UTC in minutes.
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user ID is available.
.It Li kern.sbmax ( Dv KERN_SBMAX )
Maximum socket buffer size in bytes.
.It Li kern.securelevel ( Dv KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.sched ( dynamic )
Influence the scheduling of LWPs, their priorisation and how they are
distributed on and moved between CPUs.
.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent
.It Sy Third level name Sy Type Sy Changeable
.It kern.sched.cacheht_time integer yes
.It kern.sched.balance_period integer yes
.It kern.sched.average_weight integer yes
.It kern.sched.min_catch integer yes
.It kern.sched.timesoftints integer yes
.It kern.sched.kpreempt_pri integer yes
.It kern.sched.upreempt_pri integer yes
.It kern.sched.maxts integer yes
.It kern.sched.mints integer yes
.It kern.sched.name string no
.It kern.sched.rtts integer no
.It kern.sched.pri_min integer no
.It kern.sched.pri_max integer no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.sched.cacheht_time ( dynamic )
Cache hotness time in which a LWP is kept on one particular CPU
and not moved to another CPU.
This reduces the overhead of flushing and reloading caches.
Defaults to 3ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.balance_period ( dynamic )
Interval at which the CPU queues are checked for re-balancing.
Defaults to 300ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.average_weight ( dynamic )
Can be used to influence how likely LWPs are to be migrated from
one CPU's queue of LWPs that are ready to run to a different, idle CPU.
The value gives the percentage for weighting the average count of
migratable threads from the past against the current number of
migratable threads.
A small value gives more weight to the past, a larger values more weight
on the current situation.
Defaults to 50 and must be between 0 and 100.
.It Li kern.sched.min_catch ( dynamic )
Minimum count of migratable (runable) threads for catching (stealing)
from another CPU.
Defaults to 1 but can be increased to decrease chance of thread
migration between CPUs.
.It Li kern.sched.timesoftints ( dynamic )
Enable tracking of CPU time for soft interrupts
as part of a LWP's real execution time.
Set to a non-zero value to enable,
and see
.Xr ps 1
for printing CPU times.
.It Li kern.sched.kpreempt_pri ( dynamic )
Minimum priority to trigger kernel preemption.
.It Li kern.sched.upreempt_pri ( dynamic )
Minimum priority to trigger user preemption.
.It Li kern.sched.maxts ( dynamic )
Scheduler specific maximal time quantum (in milliseconds).
Must be set to a value larger than
.Dq mints
and between 10 and
.Dq hz
as given by the
.Dv kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.mints ( dynamic )
Scheduler specific minimal time quantum (in milliseconds).
Must be set to a value smaller than
.Dq maxts
and between 1 and
.Dq hz
as given by the
.Dq kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.name ( dynamic )
Scheduler name.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.rtts ( dynamic )
Fixed scheduler specific round-robin time quantum in milliseconds.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.pri_min ( dynamic )
Minimal POSIX real-time priority.
See
.Xr sched 3 .
.It Li kern.sched.pri_max ( dynamic )
Maximal POSIX real-time priority.
See
.Xr sched 3 .
.El
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers in bytes.
.It Li kern.sooptions
Set the default socket option flags for
.Xr socket 2
creation.
See
.Xr setsockopt 2
for a list of supported flags.
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.timecounter.choice string no
.It kern.timecounter.hardware string yes
.It kern.timecounter.timestepwarnings integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero display a message each time the time is stepped.
.El
.It Li kern.timex ( Dv KERN_TIMEX )
Not available.
.It Li kern.tkstat ( Dv KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tkstat.cancc quad no
.It kern.tkstat.nin quad no
.It kern.tkstat.nout quad no
.It kern.tkstat.rawcc quad no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.tty
The third level names for the tty setup variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tty.qsize int yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tty.qsize
Control/display the size of the default input and output queues selected
during tty creation.
Is converted to a power of two and its range is between
.Dv 1024
and
.Dv 65536 .
.El
.It Li kern.uidinfo
Resource usage for the current user.
.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.uidinfo.proccnt integer no
.It kern.uidinfo.lwpcnt integer no
.It kern.uidinfo.lockcnt integer no
.It kern.uidinfo.semcnt integer no
.It kern.uidinfo.sbsize integer no
.El
.Bl -tag -width "123456"
.It Li kern.uidinfo.proccnt
Returns the number of active processes for the current user.
.It Li kern.uidinfo.lwpcnt
Returns the number of active threads for the current user; the first thread
of each process is not counted.
.It Li kern.uidinfo.lockcnt
Number of locks held by the current user.
.It Li kern.uidinfo.semcnt
Number of semaphores held by the current user.
.It Li kern.uidinfo.sbsize
Number of bytes in socket buffers allocated to the current user.
.El
.It Li kern.urandom ( Dv KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.veriexec.algorithms string no
.It kern.veriexec.count node not applicable
.It kern.veriexec.strict integer yes
.It kern.veriexec.verbose integer yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening - fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (ie., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( Dv KERN_VERSION )
The system version string.
.It Li kern.vnode ( Dv KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.\" XXX: Undocumented: kern.lwp: no children?
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li machdep.booted_kernel string no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It net.route routing messages no
.It net.inet IPv4 values yes
.It net.inet6 IPv6 values yes
.It net.key IPsec key management values yes
.El
.Bl -tag -width "123456"
.It Li net.route ( Dv PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sy Sixth level is :
.It NET_RT_FLAGS rtflags
.It NET_RT_DUMP None
.It NET_RT_IFLIST None
.El
.It Li net.inet ( Dv PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Variable Ta Sy Type Ta Sy Changeable
.It arp down integer yes
.It arp keep integer yes
.It arp log_movements integer yes
.It arp log_permanent_modify integer yes
.It arp log_unknown_network integer yes
.It arp log_wrong_iface integer yes
.It carp allow integer yes
.It carp preempt integer yes
.It carp log integer yes
.It carp arpbalance integer yes
.It icmp errppslimit integer yes
.It icmp maskrepl integer yes
.It icmp rediraccept integer yes
.It icmp redirtimeout integer yes
.It icmp bmcastecho integer yes
.It ip allowsrcrt integer yes
.It ip anonportalgo.selected string yes
.It ip anonportalgo.available string yes
.It ip anonportalgo.reserve struct yes
.It ip anonportmax integer yes
.It ip anonportmin integer yes
.It ip checkinterface integer yes
.It ip dad_count integer yes
.It ip directed-broadcast integer yes
.It ip do_loopback_cksum integer yes
.It ip forwarding integer yes
.It ip forwsrcrt integer yes
.It ip gifttl integer yes
.It ip grettl integer yes
.It ip hashsize integer yes
.It ip hostzerobroadcast integer yes
.It ip lowportmin integer yes
.It ip lowportmax integer yes
.It ip maxflows integer yes
.It ip maxfragpackets integer yes
.It ip mtudisc integer yes
.It ip mtudisctimeout integer yes
.It ip random_id integer yes
.It ip redirect integer yes
.It ip subnetsarelocal integer yes
.It ip ttl integer yes
.It tcp rfc1323 integer yes
.It tcp sendspace integer yes
.It tcp recvspace integer yes
.It tcp mssdflt integer yes
.It tcp syn_cache_limit integer yes
.It tcp syn_bucket_limit integer yes
.It tcp syn_cache_interval integer yes
.It tcp init_win integer yes
.It tcp init_win_local integer yes
.It tcp mss_ifmtu integer yes
.It tcp win_scale integer yes
.It tcp timestamps integer yes
.It tcp cwm integer yes
.It tcp cwm_burstsize integer yes
.It tcp ack_on_push integer yes
.It tcp keepidle integer yes
.It tcp keepintvl integer yes
.It tcp keepcnt integer yes
.It tcp slowhz integer no
.It tcp keepinit integer yes
.It tcp log_refused integer yes
.It tcp rstppslimit integer yes
.It tcp ident struct no
.It tcp drop struct no
.It tcp sack.enable integer yes
.It tcp sack.globalholes integer no
.It tcp sack.globalmaxholes integer yes
.It tcp sack.maxholes integer yes
.It tcp ecn.enable integer yes
.It tcp ecn.maxretries integer yes
.It tcp congctl.selected string yes
.It tcp congctl.available string yes
.It tcp abc.enable integer yes
.It tcp abc.aggressive integer yes
.It udp checksum integer yes
.It udp do_loopback_cksum integer yes
.It udp recvspace integer yes
.It udp sendspace integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if NAT is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface where
the packets for those packets are received.
.It Li ip.dad_count
The number of
.Xr arp 4
probes sent for Address Conflict Detection.
Set to 0 to disable this.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
All zeroes address is broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages,
per second.
ICMP error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMP redirect.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp request to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
The valid range
is 0 to 10 (maximum specified by RFC6928),
with a default of 4 (approximately 4K per RFC3390).
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also tcp.slowhz.
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also tcp.slowhz.
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets,
per second.
TCP RST packet that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
.It Li tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
.It Li tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
.It Li tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
.It Li tcp.sendspace
The default TCP send buffer size.
.It Li tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
of a clock that ticks tcp.slowhz times per second.
(That is, their values
must be divided by the tcp.slowhz value to get times in seconds.)
.It Li tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP
compressed state engine.
.It Li tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state
engine.
.It Li tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
used for measuring TCP round trip times, are enabled.
.It Li tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
for increasing the TCP window size, are enabled.
.It Li tcp.congctl.available
The available TCP congestion control algorithms.
.It Li tcp.congctl.selected
The currently selected TCP congestion control algorithm.
.It Li tcp.abc.enable
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
If set to 0, use traditional Packet Counting.
.It Li tcp.abc.aggressive
Choose the L parameter found in RFC 3465.
L is the maximum cwnd increase for an ack during slow start.
If set to 1, use L=2*SMSS.
If set to 0, use L=1*SMSS.
It has no effect unless tcp.abc.enable is set to 1.
.It Li udp.checksum
If set to 1, UDP checksums are being computed.
Received non-zero UDP checksums are always checked.
Disabling UDP checksums is strongly discouraged.
.It Li udp.recvspace
The default UDP receive buffer size.
.It Li udp.sendspace
The default UDP send buffer size.
.El
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( Dv PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Variable Ta Sy Type Ta Sy Changeable
.It icmp6 errppslimit integer yes
.It icmp6 mtudisc_hiwat integer yes
.It icmp6 mtudisc_lowat integer yes
.It icmp6 nd6_debug integer yes
.It icmp6 nd6_delay integer yes
.It icmp6 nd6_maxnudhint integer yes
.It icmp6 nd6_mmaxtries integer yes
.It icmp6 nd6_prune integer yes
.It icmp6 nd6_umaxtries integer yes
.It icmp6 nd6_useloopback integer yes
.It icmp6 nodeinfo integer yes
.It icmp6 rediraccept integer yes
.It icmp6 redirtimeout integer yes
.It ip6 accept_rtadv integer yes
.It ip6 addctlpolicy struct in6_addrpolicy no
.It ip6 anonportalgo.selected string yes
.It ip6 anonportalgo.available string yes
.It ip6 anonportalgo.reserve struct yes
.It ip6 anonportmax integer yes
.It ip6 anonportmin integer yes
.It ip6 auto_flowlabel integer yes
.It ip6 dad_count integer yes
.It ip6 defmcasthlim integer yes
.It ip6 forwarding integer yes
.It ip6 gifhlim integer yes
.It ip6 hashsize integer yes
.It ip6 hlim integer yes
.It ip6 hdrnestlimit integer yes
.It ip6 kame_version string no
.It ip6 keepfaith integer yes
.It ip6 log_interval integer yes
.It ip6 lowportmax integer yes
.It ip6 lowportmin integer yes
.It ip6 maxdynroutes integer yes
.It ip6 maxifprefixes integer yes
.It ip6 maxifdefrouters integer yes
.It ip6 maxflows integer yes
.It ip6 maxfragpackets integer yes
.It ip6 maxfrags integer yes
.It ip6 neighborgcthresh integer yes
.It ip6 redirect integer yes
.It ip6 rr_prune integer yes
.It ip6 use_deprecated integer yes
.It ip6 v6only integer yes
.It udp6 do_loopback_cksum integer yes
.It udp6 recvspace integer yes
.It udp6 sendspace integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigures address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip6.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip6.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
.It Li ip6.dad_count
The variable configures number of IPv6 DAD
.Pq duplicated address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
IPv6 specification defines node behavior for
.Dq router
case and
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer
.Xr faith 4
and
.Xr faithd 8
for detail.
.It Li ip6.log_interval
The variable controls amount of logs generated by IPv6 packet
forwarding engine, by setting interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxdynroutes
Maximum number of routes created by redirect.
Set it to negative to disable.
The default value is 4096.
.It Li ip6.maxifprefixes
Maximum number of prefixes created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxifdefrouters 16
Maximum number of default routers created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum amount of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The flag is provided basically for avoiding possible DoS attacks.
.It Li ip6.neighborgcthresh
Maximum number of entries in neighbor cache per interface.
Set to negative to disable.
The default value is 2048.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
.It Li ip6.v6only
The variable specifies initial value for
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
socket.
Please refer to
.Xr ip6 4
for detail.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages,
per second.
ICMPv6 error messages that exceeded the value are subject to rate limitation
and will not go out from the node.
Negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries,
created due to path MTU discovery
.Pq prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, we keep path MTU information into
the routing table.
If the number of routing table entries exceed the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.
.Li icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies
.Dv DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, neighbor discovery layer
will take 3 consecutive hints in maximum.
After receiving 3 hints, neighbor discovery layer will perform
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies
.Dv MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies
.Dv MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming
ICMPv6 redirect.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
.Pp
We reuse net.*.tcp for TCP over IPv6,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
.It Li net.key ( Dv PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variable and names are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable Type Ta Sy Changeable
.It debug integer yes
.It enabled integer yes
.It used integer no
.It spi_try integer yes
.It spi_min_value integer yes
.It spi_max_value integer yes
.It larval_lifetime integer yes
.It blockacq_count integer yes
.It blockacq_lifetime integer yes
.It esp_keymin integer yes
.It esp_auth integer yes
.It ah_keymin integer yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging message from within the kernel.
The value is a bitmap, as defined in
.In netipsec/key_debug.h .
.It Li enabled
Control processing of IPsec control messages.
.Bl -tag -width indent
.It 0
Never allow IPsec processing
.It 1
Allow IPsec processing when SPD policies are present.
.It 2
Force IPsec processing even when SPD policies are not present.
.El
.It Li used
Based on if IPsec is enabled, and SPD rule existence, show if
IPsec is being used.
Note that currently once IPsec is being used, it cannot be disabled.
.It Li spi_try
The number of times the kernel will try to obtain an unique SPI
when it generates it from random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
Non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits,
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
.El
.It Li net.local ( Dv PF_LOCAL )
Get or set various global information about
.Dv AF_LOCAL
type sockets.
For some variables, the third level name is the variable name:
.Bl -column "Variable" "integer" "Changeable" -offset indent
.It Sy Variable Type Ta Sy Changeable
.It inflight integer no
.It deferred integer no
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li inflight
The number of file descriptors currently passed between processes,
.Qq in flight .
.It Li deferred
The number of file descriptors passed between processes that have been
deferred for cleanup by a kernel task.
.El
.Pp
Other variables are specific to a socket type:
.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent
.It Sy "Socket Type" Sy Variable Type Ta Sy Changeable
.It dgram pcblist struct no
.It dgram recvspace integer yes
.It dgram sendspace integer yes
.It seqpacket pcblist struct no
.It stream pcblist struct no
.It stream recvspace integer yes
.It stream sendspace integer yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li dgram.pcblist
The Protocol Control Block list structure for datagram sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li dgram.recvspace
The default datagram receive buffer size.
.It Li dgram.sendspace
The default datagram send buffer size.
.It Li seqpacket.pcblist
The Protocol Control Block list structure for Sequential Packet sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.pcblist
The Protocol Control Block list structure for stream sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.recvspace
The default stream receive buffer size.
.It Li stream.sendspace
The default stream send buffer size.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename string yes
.It proc.pid.rlimit node not applicable
.It proc.pid.stopfork int yes
.It proc.pid.stopexec int yes
.It proc.pid.stopexit int yes
.It proc.pid.paxflags int no
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( Dv PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT )
Return resources limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) file that may be created.
.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS )
The maximum size (in bytes) which a process can obtain.
.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR )
The maximum number of threads that cen be created and running at one time in
the process.
The first thread of each process is not counted against this.
.El
.Pp
The fifth level name is one of
.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK )
If non zero, the process' children will be stopped after
.Xr fork 2
calls.
The children are created in the SSTOP state and are never scheduled
for running before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC )
If non zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT )
If non zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released allowing examination of the termination state of the process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS )
This read-only variable returns the current value of the process's pax
flags (see
.Xr paxctl 8 ) .
.El
.Ss The user.* subtree ( Dv CTL_USER )
The string and integer information available for the
.Li user
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It user.atexit_max integer no
.It user.bc_base_max integer no
.It user.bc_dim_max integer no
.It user.bc_scale_max integer no
.It user.bc_string_max integer no
.It user.coll_weights_max integer no
.It user.cs_path string no
.It user.expr_nest_max integer no
.It user.line_max integer no
.It user.posix2_c_bind integer no
.It user.posix2_c_dev integer no
.It user.posix2_char_term integer no
.It user.posix2_fort_dev integer no
.It user.posix2_fort_run integer no
.It user.posix2_localedef integer no
.It user.posix2_sw_dev integer no
.It user.posix2_upe integer no
.It user.posix2_version integer no
.It user.re_dup_max integer no
.It user.stream_max integer no
.It user.stream_max integer no
.It user.tzname_max integer no
.El
.Bl -tag -width "123456"
.It Li user.atexit_max ( Dv USER_ATEXIT_MAX )
The maximum number of functions that may be registered with
.Xr atexit 3 .
.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX )
The maximum ibase/obase values in the
.Xr bc 1
utility.
.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX )
The maximum array size in the
.Xr bc 1
utility.
.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX )
The maximum scale value in the
.Xr bc 1
utility.
.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX )
The maximum string length in the
.Xr bc 1
utility.
.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX )
The maximum number of weights that can be assigned to any entry of
the LC_COLLATE order keyword in the locale definition file.
.It Li user.cs_path ( USER_CS_PATH )
Return a value for the
.Ev PATH
environment variable that finds all the standard utilities.
.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX )
The maximum number of expressions that can be nested within
parenthesis by the
.Xr expr 1
utility.
.It Li user.line_max ( Dv USER_LINE_MAX )
The maximum length in bytes of a text-processing utility's input
line.
.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM )
Return 1 if the system supports at least one terminal type capable of
all operations described in
.St -p1003.2 ,
otherwise\ 0.
.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND )
Return 1 if the system's C-language development facilities support the
C-Language Bindings Option, otherwise\ 0.
.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV )
Return 1 if the system supports the C-Language Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV )
Return 1 if the system supports the FORTRAN Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN )
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
otherwise\ 0.
.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF )
Return 1 if the system supports the creation of locales, otherwise\ 0.
.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV )
Return 1 if the system supports the Software Development Utilities Option,
otherwise\ 0.
.It Li user.posix2_upe ( Dv USER_POSIX2_UPE )
Return 1 if the system supports the User Portability Utilities Option,
otherwise\ 0.
.It Li user.posix2_version ( Dv USER_POSIX2_VERSION )
The version of
.St -p1003.2
with which the system attempts to comply.
.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX )
The maximum number of repeated occurrences of a regular expression
permitted when using interval notation.
.It Li user.stream_max ( Dv USER_STREAM_MAX )
The minimum maximum number of streams that a process may have open
at any one time.
.It Li user.tzname_max ( Dv USER_TZNAME_MAX )
The minimum maximum number of types supported for the name of a
timezone.
.El
.Ss The vm.* subtree ( Dv CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax int yes
.It vm.anonmin int yes
.It vm.bufcache int yes
.It vm.bufmem int no
.It vm.bufmem_hiwater int yes
.It vm.bufmem_lowater int yes
.It vm.execmax int yes
.It vm.execmin int yes
.It vm.filemax int yes
.It vm.filemin int yes
.It vm.loadavg struct loadavg no
.It vm.maxslp int no
.It vm.nkmempages int no
.It vm.uspace int no
.It vm.uvmexp struct uvmexp no
.It vm.uvmexp2 struct uvmexp_sysctl no
.It vm.vmmeter struct vmtotal no
.It vm.proc.map struct kinfo_vmentry no
.It vm.guard_size unsigned int no
.It vm.thread_guard_size unsigned int yes
.El
.Bl -tag -width "123456"
.It Li vm.anonmax ( Dv VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( Dv VM_ANONMIN )
The percentage of physical memory which will be always be available for
anonymous application data.
.It Li vm.bufcache ( Dv VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( Dv VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( Dv VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( Dv VM_EXECMIN )
The percentage of physical memory which will be always be available for
cached executable data.
.It Li vm.filemax ( Dv VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( Dv VM_FILEMIN )
The percentage of physical memory which will be always be available for
cached file data.
.It Li vm.loadavg ( Dv VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( Dv VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( Dv VM_METER )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.proc.map ( Dv VM_PROC )
The third level is
.Dv VM_PROC_MAP ,
the fourth is the pid of the process to display the vm object entries for, and
the fifth is the size of
.Vt struct kinfo_vmentry .
Returns an array of
.Vt struct kinfo_vmentry
objects.
.It Li vm.uspace ( Dv VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( Dv VM_UVMEXP )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 )
Return system wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.It Li vm.guard_size
Return system wide guard size for the main thread of a program.
.It Li vm.thread_guard_size
Return system wide default size for the guard area of all other threads
of a program.
.\" XXX vm.idlezero
.El
.Ss The ddb.* subtree ( Dv CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.commandonenter string yes
.It ddb.dumpstack integer yes
.It ddb.fromconsole integer yes
.It ddb.lines integer yes
.It ddb.maxoff integer yes
.It ddb.maxwidth integer yes
.It ddb.onpanic integer yes
.It ddb.panicstackframes integer yes
.It ddb.radix integer yes
.It ddb.tabstops integer yes
.It ddb.tee_msgbuf integer yes
.El
.Bl -tag -width "123456"
.It Li ddb.commandonenter
If not empty, the string is used as the DDB command to be executed each time
DDB is entered.
.It Li ddb.dumpstack
A value of 1 causes a stack trace to be printed on entering ddb from a panic.
A value of 0 disables this behaviour.
The default value is 1.
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.lines ( Dv DDBCTL_LINES )
Number of display lines.
.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC )
If greater than zero, DDB will be entered if the kernel panics.
A value of 1 causes the system to enter DDB on panic.
A value of 0 causes the kernel to attempt to print a stack trace, then
reboot, while a value of \-1 means neither a stack trace will be printed
nor DDB entered.
.It Li ddb.panicstackframes
Number of stack frames to display on panic.
Useful to avoid scrolling away the interesting frames on a glass tty.
Default value is
.Dv 65535
(all frames), useful value around
.Dv 10 .
.It Li ddb.radix ( Dv DDBCTL_RADIX )
The input and output radix.
.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.tee_msgbuf
If not zero, DDB will output also to the kernel message buffer.
.El
.Pp
Some of these MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( Dv CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain integer yes
.It Li security.models node not applicable
.It Li security.pax node not applicable
.El
.Pp
Available settings are detailed below.
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, will filter return objects according to the user ID
requesting information about them, preventing users from
accessing any objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether if loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX \(em exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled integer yes
.\".It Li security.pax.aslr.exec_len integer yes
.It Li security.pax.aslr.global integer yes
.\".It Li security.pax.aslr.mmap_len integer yes
.\".It Li security.pax.aslr.stack_len integer yes
.It Li security.pax.mprotect.enabled integer yes
.It Li security.pax.mprotect.global integer yes
.It Li security.pax.mprotect.ptrace integer yes
.It Li security.pax.segvguard.enabled integer yes
.It Li security.pax.segvguard.expiry_timeout integer yes
.It Li security.pax.segvguard.global integer yes
.It Li security.pax.segvguard.max_crashes integer yes
.It Li security.pax.segvguard.suspend_timeout integer yes
.El
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is set to
explicit enable.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is set to explicit enable.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, all programs will not get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.ptrace
This variable allows
.Xr ptrace 2
to override PaX MPROTECT permissions.
It can have the following values:
.Bl -tag -width XX -compact
.It 0
Does not let override any permissions.
.It 1
Disables PaX MPROTECT from processes that start executing while traced (default).
.It 2
Bypasses PaX MPROTECT for all processes being traced.
.El
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try for example to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the max number was not reached within this timeout (in seconds), the entry
will expire.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
.Ss The vendor.* subtree ( Dv CTL_VENDOR )
The
.Li vendor
toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.<yourname>.* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .