2781 lines
95 KiB
Groff
.\" $NetBSD: sysctl.7,v 1.139.2.1 2019/11/18 19:45:00 martin Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
.Dd June 1, 2019
.Dt SYSCTL 7
.Os
.Sh NAME
.Nm sysctl
.Nd system information variables
.Sh DESCRIPTION
The
.Xr sysctl 3
library function and the
.Xr sysctl 8
utility are used to get and set values of system variables, maintained
by the kernel.
The variables are organized in a tree and identified by a sequence of
numbers, conventionally separated by dots with the topmost identifier
at the left side.
The numbers have corresponding text names.
The
.Xr sysctlnametomib 3
function or the
.Fl M
argument to the
.Xr sysctl 8
utility can be used to convert the text representation to the
numeric one.
.Pp
The individual sysctl variables are described below, in both textual
and numeric form where applicable.
The textual names can be used as arguments to the
.Xr sysctl 8
utility and in the file
.Pa /etc/sysctl.conf .
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
.Xr sysctl 3
manual page for programming examples.
.Ss Top level names
The top level names are defined with a
.Va CTL_
prefix in
.In sys/sysctl.h ,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits"
.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description
.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits
.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory
.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem
.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking
.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging
.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O
.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent
.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level
.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger
.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process
.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific
.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings
.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings
.El
.Ss The debug.* subtree
The debugging variables vary from system to system.
A debugging variable may be added or deleted without needing to recompile
.Nm
to know about it.
Each time it runs,
.Nm
gets the list of debugging variables from the kernel and
displays their current values.
The system defines twenty
.Vt ( struct ctldebug )
variables named
.Dv debug0
through
.Dv debug19 .
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
.Va dospecialcheck
as a debugging variable, the following declaration would be used:
.Pp
.Bd -literal -offset indent -compact
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
.Ed
.Pp
Note that the dynamic implementation of
.Nm
currently in use largely makes this particular
.Nm
interface obsolete.
See
.Xr sysctl 8
.\" and
.\" .Xr sysctl 9
for more information.
.Ss The vfs.* subtree
A distinguished second level name,
.Li vfs.generic ( Dv VFS_GENERIC ) ,
is used to get general information about all file systems.
It has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM )
The highest valid file system type number.
.It Li vfs.generic.conf ( Dv VFS_CONF )
Returns configuration information about the file system type given as a fourth
level identifier.
.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT )
Determines whether non-superuser mounts are allowed; defaults to
.Dv 0 .
.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS )
Controls whether variable expansion is performed on pathnames.
Defaults to no variable expansion,
.Dv 0 .
Variables are of the form
.Li @name
and the variables supported are described in
.Xr symlink 7
under
.Dq "MAGIC SYMLINKS" .
.El
.Pp
The second level name
.Li vfs.wapbl
controls the
.Xr wapbl 4
(Write Ahead Physical Block Logging file system journalling)
capabilities and has the following third level identifiers:
.Bl -tag -width "123456"
.It Li vfs.wapbl.flush_disk_cache
Controls whether to attempt to flush the disk cache on each commit.
It defaults to 1 and should always be on to ensure the integrity
of file system metadata in the event of a power loss.
For slow disks, turning it off can improve performance.
.It Li vfs.wapbl.verbose_commit
For each transaction log commit, print the number of bytes written
and the time it took to commit as seconds.nanoseconds.
.El
.Pp
The remaining second level identifiers are the file system names, identified
by the type number returned by a
.Xr statvfs 2
call or from
.Li vfs.generic.conf .
.Pp
The third level identifiers available for each file system
are given in the header file that defines the mount
argument structure for that file system.
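The vfs.generic.usermount, vfs.generic.magiclinks and vfs.wapbl.flush_disk_cache settings above, together with the kern.* variables documented further down this page (kern.securelevel, kern.expose_address, kern.coredump.setid.dump, kern.logsigexit, kern.cryptodevallowsoft), are the ones a host baseline audit compares against policy. The POSIX sh script below is an added example, not part of this manual page or of NetBSD: it parses the "name = value" lines printed by sysctl(8) and reports deviations. The expected values form an assumed hardening baseline (only the 0 defaults of usermount, magiclinks and coredump.setid.dump and the 1 default of flush_disk_cache are defaults this page documents), and the sample output is constructed.

```shell
#!/bin/sh
# Baseline audit of security-relevant sysctl(7) variables.  Added example,
# not part of the NetBSD manual page.  Input is sysctl(8) output in the
# form "name = value", one variable per line (e.g. from: sysctl -a).

# Assumed hardening baseline: name|op|expected|reason.  "op" is eq or ge.
# Defaults documented by sysctl(7): usermount 0, magiclinks 0,
# coredump.setid.dump 0, wapbl.flush_disk_cache 1; the rest is policy.
SYSCTL_BASELINE='
kern.securelevel|ge|1|securelevel can only be raised at run time; assumed minimum
kern.expose_address|eq|0|exposing kernel addresses renders KASLR ineffective
kern.coredump.setid.dump|eq|0|set-id processes should not dump core
vfs.generic.usermount|eq|0|non-superuser mounts disabled
vfs.generic.magiclinks|eq|0|no @name expansion in pathnames
vfs.wapbl.flush_disk_cache|eq|1|required for metadata integrity on power loss
kern.logsigexit|ge|1|log signal-induced exits that produced a core file
'

# Print the value of variable $1 from the saved sysctl(8) output $2,
# or nothing if the variable is absent (older kernel, module not loaded).
sysctl_value() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name && $2 == "=" { print $3; exit }'
}

# Map kern.cryptodevallowsoft to the meaning sysctl(7) gives each range.
cryptodev_policy() {
    if [ "$1" -lt 0 ]; then
        echo "software transforms only"
    elif [ "$1" -eq 0 ]; then
        echo "hardware when present, software otherwise"
    else
        echo "hardware-accelerated transforms only"
    fi
}

# Read sysctl(8) output from stdin, print one line per finding and return
# the number of deviations from the baseline (0 means compliant).
audit_sysctl() {
    out=$(cat)
    fails=0
    while IFS='|' read -r name op want why; do
        [ -n "$name" ] || continue            # skip the blank table lines
        have=$(sysctl_value "$name" "$out")
        if [ -z "$have" ]; then
            printf 'MISSING %s: not present in this output\n' "$name"
            fails=$((fails + 1))
            continue
        fi
        case $op in
            eq) [ "$have" -eq "$want" ] && continue ;;
            ge) [ "$have" -ge "$want" ] && continue ;;
        esac
        printf 'FAIL %s = %s (want %s %s): %s\n' "$name" "$have" "$op" "$want" "$why"
        fails=$((fails + 1))
    done <<EOF
$SYSCTL_BASELINE
EOF
    # Informational only: this variable has no single safe setting.
    crypto=$(sysctl_value kern.cryptodevallowsoft "$out")
    if [ -n "$crypto" ]; then
        printf 'INFO kern.cryptodevallowsoft = %s (%s)\n' "$crypto" "$(cryptodev_policy "$crypto")"
    fi
    return $fails
}

# Constructed sample of sysctl(8) output, not captured from a real host.
SAMPLE_OUTPUT='kern.securelevel = 1
kern.expose_address = 2
kern.coredump.setid.dump = 0
kern.cryptodevallowsoft = 0
vfs.generic.usermount = 1
vfs.generic.magiclinks = 0
vfs.wapbl.flush_disk_cache = 1
kern.logsigexit = 1'

# On a NetBSD host this would be:  sysctl -a | audit_sysctl
printf '%s\n' "$SAMPLE_OUTPUT" | audit_sysctl
echo "deviations: $?"
```

A variable that is absent from the output (for example vfs.wapbl.* on a kernel without WAPBL) is reported as MISSING and counted, so a silent gap in the baseline does not pass as compliant.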
.Ss The hw.* subtree
The string and integer information available for the
.Li hw
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It hw.alignbytes integer no
.It hw.byteorder integer no
.It hw.cnmagic string yes
.It hw.disknames string no
.It hw.diskstats struct no
.It hw.machine string no
.It hw.machine_arch string no
.It hw.model string no
.It hw.ncpu integer no
.It hw.ncpuonline integer no
.It hw.pagesize integer no
.It hw.physmem integer no
.It hw.physmem64 quad no
.It hw.usermem integer no
.It hw.usermem64 quad no
.El
.Bl -tag -width "123456"
.It Li hw.alignbytes ( Dv HW_ALIGNBYTES )
Alignment constraint for all possible data types.
This shows the value
.Dv ALIGNBYTES
in
.In machine/param.h ,
at the kernel compilation time.
.It Li hw.byteorder ( Dv HW_BYTEORDER )
The byte order (4321 or 1234).
.It Li hw.cnmagic ( Dv HW_CNMAGIC )
The console magic key sequence.
.It Li hw.disknames ( Dv HW_DISKNAMES )
The list of (space separated) disk device names on the system.
.It Li hw.iostatnames ( Dv HW_IOSTATNAMES )
A space separated list of devices that will have I/O statistics
collected on them.
.It Li hw.iostats ( Dv HW_IOSTATS )
Return statistical information on the NFS mounts, disk and tape
devices on the system.
An array of
.Vt struct io_sysctl
structures is returned,
whose size depends on the current number of such objects in the system.
The third level name is the size of the
.Vt struct io_sysctl .
The type of object can be determined by examining the
.Va type
element of
.Vt struct io_sysctl ,
which can be
.Dv IOSTAT_DISK
(disk drive),
.Dv IOSTAT_TAPE
(tape drive), or
.Dv IOSTAT_NFS
(NFS mount).
.It Li hw.machine ( Dv HW_MACHINE )
The machine class.
.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH )
The machine CPU class.
.It Li hw.model ( Dv HW_MODEL )
The machine model.
.It Li hw.ncpu ( Dv HW_NCPU )
The number of CPUs configured.
.It Li hw.ncpuonline ( Dv HW_NCPUONLINE )
The number of CPUs online.
.It Li hw.pagesize ( Dv HW_PAGESIZE )
The software page size.
.It Li hw.physmem ( Dv HW_PHYSMEM )
The bytes of physical memory as a 32-bit integer.
.It Li hw.physmem64 ( Dv HW_PHYSMEM64 )
The bytes of physical memory as a 64-bit integer.
.It Li hw.usermem ( Dv HW_USERMEM )
The bytes of non-kernel memory as a 32-bit integer.
.It Li hw.usermem64 ( Dv HW_USERMEM64 )
The bytes of non-kernel memory as a 64-bit integer.
.El
.Ss The kern.* subtree
This subtree includes data generally related to the kernel.
The string and integer information available for the
.Li kern
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.posix_reader_writer_locks" \
"struct kinfo_drivers" "not applicable"
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It kern.aio_listio_max integer yes
.It kern.aio_max integer yes
.It kern.arandom integer no
.It kern.argmax integer no
.It kern.boothowto integer no
.It kern.boottime struct timespec no
.It kern.buildinfo string no
.\".It kern.bufq node not applicable
.It kern.ccpu integer no
.It kern.clockrate struct clockinfo no
.It kern.consdev integer no
.It kern.coredump node not applicable
.It kern.cp_id struct no
.It kern.cp_time uint64_t[\|] no
.It kern.cryptodevallowsoft integer yes
.It kern.defcorename string yes
.It kern.detachall integer yes
.It kern.domainname string yes
.It kern.drivers struct kinfo_drivers no
.It kern.dump_on_panic integer yes
.It kern.expose_address integer yes
.It kern.file struct file no
.It kern.forkfsleep integer yes
.It kern.fscale integer no
.It kern.fsync integer no
.It kern.hardclock_ticks integer no
.It kern.hostid integer yes
.It kern.hostname string yes
.It kern.iov_max integer no
.It kern.ipc node not applicable
.It kern.job_control integer no
.It kern.labeloffset integer no
.It kern.labelsector integer no
.It kern.login_name_max integer no
.It kern.logsigexit integer yes
.It kern.mapped_files integer no
.It kern.maxfiles integer yes
.It kern.maxlwp integer yes
.It kern.maxpartitions integer no
.It kern.maxphys integer no
.It kern.maxproc integer yes
.It kern.maxptys integer yes
.It kern.maxvnodes integer yes
.It kern.messages integer yes
.It kern.mbuf node not applicable
.It kern.memlock integer no
.It kern.memlock_range integer no
.It kern.memory_protection integer no
.It kern.module node not applicable
.It kern.monotonic_clock integer no
.It kern.mqueue node not applicable
.It kern.msgbuf integer no
.It kern.msgbufsize integer no
.It kern.ngroups integer no
.\".It kern.no_sa_support integer yes
.It kern.ntptime struct ntptimeval no
.It kern.osrelease string no
.It kern.osrevision integer no
.It kern.ostype string no
.\".It kern.panic_now integer yes
.It kern.pipe node not applicable
.It kern.pool struct pool_sysctl no
.\" .It kern.posix node not applicable
.It kern.posix1version integer no
.It kern.posix_aio integer no
.It kern.posix_barriers integer no
.It kern.posix_reader_writer_locks integer no
.\".It kern.posix_sched integer yes
.It kern.posix_semaphores integer no
.It kern.posix_spin_locks integer no
.It kern.posix_threads integer no
.It kern.posix_timers integer no
.It kern.proc struct kinfo_proc no
.It kern.proc2 struct kinfo_proc2 no
.It kern.proc_args string no
.It kern.profiling node not applicable
.\".It kern.pset node not applicable
.It kern.rawpartition integer no
.It kern.root_device string no
.It kern.root_partition integer no
.It kern.rtc_offset integer yes
.It kern.saved_ids integer no
.It kern.sbmax integer yes
.It kern.sched node not applicable
.It kern.securelevel integer raise only
.It kern.somaxkva integer yes
.It kern.sooptions integer yes
.It kern.synchronized_io integer no
.It kern.timecounter node not applicable
.It kern.timex struct no
.It kern.tkstat node not applicable
.It kern.tty node not applicable
.It kern.urandom integer no
.It kern.usercrypto integer yes
.It kern.userasymcrypto integer yes
.It kern.veriexec node not applicable
.It kern.version string no
.It kern.vnode struct vnode no
.El
.Bl -tag -width "123456"
.It Li kern.aio_listio_max
The maximum number of asynchronous I/O operations in a single list
I/O call.
As with all variables related to
.Xr aio 3 ,
the variable may be created and removed dynamically
upon loading or unloading the corresponding kernel module.
.It Li kern.aio_max
The maximum number of asynchronous I/O operations.
.It Li kern.arandom ( Dv KERN_ARND )
This variable returns up to 256 bytes of random data.
Multiple queries can be used to obtain an unlimited amount of
non-blocking cryptographically secure random data.
The random number generator
.Pf ( RNG )
is based on
.Xr arc4random 3 .
.It Li kern.argmax ( Dv KERN_ARGMAX )
The maximum bytes of argument to
.Xr execve 2 .
.It Li kern.boothowto
Flags passed from the boot loader; see
.Xr reboot 2
for the meanings of the flags.
.It Li kern.boottime ( Dv KERN_BOOTTIME )
A
.Vt struct timespec
structure is returned.
This structure contains the time that the system was booted.
That time is defined (for this purpose) to be the time at
which the kernel first started accumulating clock ticks.
.It Li kern.bufq
This variable contains information on the
.Xr bufq 9
subsystem.
Currently, the only third level name implemented is
.Dv kern.bufq.strategies
which provides a list of buffer queue strategies currently available.
.It Li kern.buildinfo
When the kernel is built, the build environment may optionally provide
arbitrary information to be stored in this variable.
.It Li kern.ccpu ( Dv KERN_CCPU )
The scheduler exponential decay value.
.It Li kern.clockrate ( Dv KERN_CLOCKRATE )
A
.Vt struct clockinfo
structure is returned.
This structure contains the clock, statistics clock and profiling clock
frequencies, the number of micro-seconds per hz tick, and the clock
skew rate.
Refer to
.Xr hz 9
for additional details.
.It Li kern.consdev ( Dv KERN_CONSDEV )
Console device.
.It Li kern.coredump
Settings related to set-id processes' coredumps.
By default, set-id processes do not dump core in situations where
other processes would.
The settings in this node allow an administrator to change this
behavior.
.Pp
The third level name is
.Dv kern.coredump.setid
and the fourth level variables are described below.
.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent
.It Sy Fourth level name Ta Sy Type Ta Sy Changeable
.It kern.coredump.setid.dump integer yes
.It kern.coredump.setid.group integer yes
.It kern.coredump.setid.mode integer yes
.It kern.coredump.setid.owner integer yes
.It kern.coredump.setid.path string yes
.El
.Bl -tag -width "123456"
.It Li kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
.It Li kern.coredump.setid.group
The group-id for the set-id processes' coredump.
.It Li kern.coredump.setid.mode
The mode for the set-id processes' coredump.
See
.Xr chmod 1 .
.It Li kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes'
coredump.
.It Li kern.coredump.setid.path
The path to which set-id processes' coredumps will be saved.
Same syntax as
.Li kern.defcorename .
.El
.It Li kern.cp_id ( Dv KERN_CP_ID )
Mapping of CPU number to CPU id.
.It Li kern.cp_time ( Dv KERN_CP_TIME )
Returns an array of
.Dv CPUSTATES
.Vt uint64_t Ns s .
This array contains the
number of clock ticks spent in different CPU states.
On multi-processor systems, the sum across all CPUs is returned unless
appropriate space is given for one data set for each CPU.
Data for a specific CPU can also be obtained by adding the number of the
CPU at the end of the MIB, enlarging it by one.
.It Li kern.cryptodevallowsoft
This variable controls userland access to hardware versus software transforms
in the
.Xr crypto 4
system.
The available values are as follows:
.Bl -tag -width XX0 -offset indent
.It Dv < 0
Always force userlevel requests to use software transforms.
.It Dv = 0
If present, use hardware and grant userlevel requests for
non-accelerated transforms (handling the latter in software).
.It Dv > 0
Allow user requests only for transforms which are hardware-accelerated.
.El
.It Li kern.defcorename ( Dv KERN_DEFCORENAME )
Default template for the name of core dump files (see also
.Li proc.pid.corename
in the per-process variables
.Li proc.* ,
and
.Xr core 5
for the format of this template).
The default value is
.Pa %n.core
and can be changed with the kernel configuration option
.Cd options DEFCORENAME
(see
.Xr options 4
).
.It Li kern.detachall
Detach all devices at shutdown.
.It Li kern.domainname ( Dv KERN_DOMAINNAME )
Get or set the YP domain name.
.It Li kern.drivers ( Dv KERN_DRIVERS )
Return an array of
.Vt struct kinfo_drivers
that contains the name and major device numbers of all the device drivers
in the current kernel.
The
.Va d_name
field is always a NUL terminated string.
The
.Va d_bmajor
field will be set to \-1 if the driver doesn't have a block device.
.It Li kern.expose_address
Expose kernel addresses in
.Xr sysctl 3
calls used by
.Xr fstat 1
and
.Xr sockstat 1 .
If it is set to
.Dv 0 ,
access is not allowed.
If it is set to
.Dv 1 ,
only processes that have opened
.Pa /dev/kmem
can have access.
If it is set to
.Dv 2 ,
every process is allowed.
Defaults to
.Dv 0
for
.Dv KASLR
kernels
and
.Dv 1
otherwise.
Allowing general access renders KASLR ineffective; allowing only kmem
accessing programs weakens KASLR if those programs can be subverted
to leak the addresses.
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
.It Li kern.file ( Dv KERN_FILE )
Return the entire file table.
The returned data consists of a single
.Vt struct filelist
followed by an array of
.Vt struct file ,
whose size depends on the current number of such objects in the system.
.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP )
If the
.Xr fork 2
system call fails due to a limit on the number of processes (either
the global maxproc limit or the user's), wait for this many
milliseconds before returning an
.Er EAGAIN
error to the process.
Useful to keep heavily forking runaway processes at bay.
Default is zero (no sleep).
Maximum is 20 seconds.
.It Li kern.fscale ( Dv KERN_FSCALE )
The kernel fixed-point scale factor.
.It Li kern.fsync ( Dv KERN_FSYNC )
Return 1 if the
.St -p1003.1b-93
File Synchronization Option is available
on this system,
otherwise\ 0.
.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS )
Returns the number of
.Xr hardclock 9
ticks.
.It Li kern.hist
This variable contains kernel history data if the kernel was
configured for any of the options
.Dv UVMHIST ,
.Dv USB_DEBUG ,
.Dv BIOHIST ,
or
.Dv SCDEBUG .
(See
.Xr options 4
for more details.)
The third-level names correspond to each available history table.
The values of the history tables are in an internal format, and can be
decoded by the
.Xr vmstat 1
utility's
.Fl U
and
.Fl u
options;
the
.Fl l
option can be used to see which tables are available.
.It Li kern.hostid ( Dv KERN_HOSTID )
Get or set the host identifier.
This is intended to replace the legacy
.Xr gethostid 3
and
.Xr sethostid 3
system calls.
.It Li kern.hostname ( Dv KERN_HOSTNAME )
Get or set the
.Xr hostname 1 .
.It Li kern.iov_max ( Dv KERN_IOV_MAX )
Return the maximum number of
.Vt iovec
structures that a process has available for use with
.Xr preadv 2 ,
.Xr pwritev 2 ,
.Xr readv 2 ,
.Xr recvmsg 2 ,
.Xr sendmsg 2
and
.Xr writev 2 .
.It Li kern.ipc ( Dv KERN_SYSVIPC )
Return information about the SysV IPC parameters.
The third level names for the ipc variables are detailed below.
.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.ipc.sysvmsg integer no
.It kern.ipc.sysvsem integer no
.It kern.ipc.sysvshm integer no
.It kern.ipc.sysvipc_info struct no
.It kern.ipc.shmmax integer yes
.It kern.ipc.shmmni integer yes
.It kern.ipc.shmseg integer yes
.It kern.ipc.shmmaxpgs integer yes
.It kern.ipc.shm_use_phys integer yes
.It kern.ipc.msgmni integer yes
.It kern.ipc.msgseg integer yes
.It kern.ipc.semmni integer yes
.It kern.ipc.semmns integer yes
.It kern.ipc.semmnu integer yes
.El
.Bl -tag -width "123456"
.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG )
Returns 1 if System V style message queue functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM )
Returns 1 if System V style semaphore functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM )
Returns 1 if System V style shared memory functionality is available
on this system,
otherwise\ 0.
.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO )
Return System V style IPC configuration and run-time information.
The fourth level name selects the System V style IPC facility.
.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent
.It Sy Fourth level name Ta Sy Type
.It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info
.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info
.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info
.El
.Bl -tag -width "123456"
.It Li KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility.
The
.Sy msg_sysctl_info
structure is defined in
.In sys/msg.h .
.It Li KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility.
The
.Sy sem_sysctl_info
structure is defined in
.In sys/sem.h .
.It Li KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility.
The
.Sy shm_sysctl_info
structure is defined in
.In sys/shm.h .
.El
.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX )
Max shared memory segment size in bytes.
.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI )
Max number of shared memory identifiers.
.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG )
Max shared memory segments per process.
.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS )
Max amount of shared memory in pages.
.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS )
Locking of shared memory in physical memory.
If 0, memory can be swapped
out, otherwise it will be locked in physical memory.
.It Li kern.ipc.msgmni
Max number of message queue identifiers.
.It Li kern.ipc.msgseg
Max number of message segments.
.It Li kern.ipc.semmni
Max number of semaphore identifiers.
.It Li kern.ipc.semmns
Max number of semaphores in system.
.It Li kern.ipc.semmnu
Max number of undo structures in system.
.El
|
|
.It Li kern.job_control ( Dv KERN_JOB_CONTROL )
|
|
Return 1 if job control is available on this system, otherwise\ 0.
|
|
.It Li kern.labeloffset ( Dv KERN_LABELOFFSET )
|
|
The offset within the sector specified by
|
|
.Dv KERN_LABELSECTOR
|
|
of the
|
|
.Xr disklabel 5 .
|
|
.It Li kern.labelsector ( Dv KERN_LABELSECTOR )
|
|
The sector number containing the
|
|
.Xr disklabel 5 .
|
|
.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX )
|
|
The size of the storage required for a login name, in bytes,
|
|
including the terminating NUL.
|
|
.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT )
|
|
If this flag is non-zero, the kernel will
|
|
.Xr log 9
|
|
all process exits due to signals which create a
|
|
.Xr core 5
|
|
file, and whether the coredump was created.
|
|
.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES )
|
|
Returns 1 if the
|
|
.St -p1003.1b-93
|
|
Memory Mapped Files Option is available on this system,
|
|
otherwise\ 0.
|
|
.It Li kern.maxfiles ( Dv KERN_MAXFILES )
|
|
The maximum number of open files that may be open in the system.
|
|
.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS )
|
|
The maximum number of partitions allowed per disk.
|
|
.It Li kern.maxlwp
|
|
The maximum number of Lightweight Processes (threads) the system allows
|
|
per uid.
|
|
.It Li kern.maxphys ( Dv KERN_MAXPHYS )
|
|
Maximum raw I/O transfer size.
|
|
.It Li kern.maxproc ( Dv KERN_MAXPROC )
|
|
The maximum number of simultaneous processes the system will allow.
|
|
.It Li kern.maxptys ( Dv KERN_MAXPTYS )
|
|
The maximum number of pseudo terminals.
|
|
This value can be both raised and lowered, though it cannot
|
|
be set lower than number of currently used ptys.
|
|
See also
|
|
.Xr pty 4 .
|
|
.It Li kern.maxvnodes ( Dv KERN_MAXVNODES )
|
|
The maximum number of vnodes available on the system.
|
|
This can only be raised.
|
|
.It Li kern.mbuf ( Dv KERN_MBUF )
|
|
Return information about the mbuf control variables.
|
|
Mbufs are data structures which store network packets and other data
|
|
structures in the networking code, see
|
|
.Xr mbuf 9 .
|
|
The third level names for the mbuf variables are detailed below.
|
|
The changeable column shows whether a process with appropriate
|
|
privilege may change the value.
|
|
.Bl -column "kern.mbuf.nmbclusters" "integer" "Changeable" -offset indent
|
|
.It Sy Third level name Ta Sy Type Ta Sy Changeable
|
|
.\" XXX Changeable? really?
|
|
.It kern.mbuf.mblowat integer yes
|
|
.It kern.mbuf.mclbytes integer yes
|
|
.It kern.mbuf.mcllowat integer yes
|
|
.It kern.mbuf.msize integer yes
|
|
.It kern.mbuf.nmbclusters integer yes
|
|
.El
|
|
.Pp
|
|
The variables are as follows:
|
|
.Bl -tag -width "123456"
|
|
.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT )
|
|
The mbuf low water mark.
|
|
.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES )
|
|
The mbuf cluster size.
|
|
.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT )
|
|
The mbuf cluster low water mark.
|
|
.It Li kern.mbuf.msize ( Dv MBUF_MSIZE )
|
|
The mbuf base size.
|
|
.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS )
|
|
The limit on the number of mbuf clusters.
|
|
The variable can only be increased, and only increased on machines with
|
|
direct-mapped pool pages.
|
|
.El
|
|
.It Li kern.memlock ( Dv KERN_MEMLOCK )
|
|
Returns 1 if the
|
|
.St -p1003.1b-93
|
|
Process Memory Locking Option is available on this system,
|
|
otherwise\ 0.
|
|
.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE )
|
|
Returns 1 if the
|
|
.St -p1003.1b-93
|
|
Range Memory Locking Option is available on this system,
|
|
otherwise\ 0.
|
|
.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION )
|
|
Returns 1 if the
|
|
.St -p1003.1b-93
|
|
Memory Protection Option is available on this system,
|
|
otherwise\ 0.
.It Li kern.messages
Kernel console message verbosity.
See
.Aq Pa sys/reboot.h
.Bl -column "verbosity" "setting" -offset indent
.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent
.It 0 Ta Silent Ta Sy AB_SILENT
.It 1 Ta Quiet Ta Sy AB_QUIET
.It 2 Ta Normal Ta Sy AB_NORMAL
.It 3 Ta Verbose Ta Sy AB_VERBOSE
.It 4 Ta Debug Ta Sy AB_DEBUG
.El
.It Li kern.module
Settings related to kernel modules.
The third level names for the settings are described below.
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.module.autoload integer yes
.It kern.module.autotime integer yes
.It kern.module.verbose boolean yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.module.autoload
A boolean that controls whether kernel modules are loaded automatically.
See
.Xr module 7
for additional details.
.It Li kern.module.autotime
An integer that controls the delay before an attempt is made to
automatically unload a module that was auto-loaded.
Setting this value to zero disables the auto-unload function.
.It Li kern.module.verbose
A boolean that enables or disables verbose
debug messages related to kernel modules.
.El
.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK )
Returns the version of the
.St -p1003.1b-93
Monotonic Clock Option to which the implementation conforms,
otherwise\ 0.
.It Li kern.mqueue
Settings related to POSIX message queues; see
.Xr mqueue 3 .
This node is created dynamically when
the corresponding kernel module is loaded.
The third level names for the settings are described below.
.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.mqueue.mq_open_max integer yes
.It kern.mqueue.mq_prio_max integer yes
.It kern.mqueue.mq_max_msgsize integer yes
.It kern.mqueue.mq_def_maxmsg integer yes
.It kern.mqueue.mq_max_maxmsg integer yes
.El
.Pp
The variables are:
.Bl -tag -width "123456"
.It Li kern.mqueue.mq_open_max
The maximum number of message queue descriptors any single process can open.
.It Li kern.mqueue.mq_prio_max
The maximum priority of a message.
.It Li kern.mqueue.mq_max_msgsize
The maximum size of a message in a message queue.
.It Li kern.mqueue.mq_def_maxmsg
The default maximum message count.
.It Li kern.mqueue.mq_max_maxmsg
The maximum number of messages in a message queue.
.El
.It Li kern.msgbuf ( Dv KERN_MSGBUF )
The kernel message buffer, rotated so that the head of the circular kernel
message buffer is at the start of the returned data.
The returned data may contain NUL bytes.
.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE )
The maximum number of characters that the kernel message buffer can hold.
.It Li kern.ngroups ( Dv KERN_NGROUPS )
The maximum number of supplemental groups.
.\" .It Li kern.no_sa_support
.\" XXX: Undocumented.
.It Li kern.ntptime ( Dv KERN_NTPTIME )
A
.Vt struct ntptimeval
structure is returned.
This structure contains data used by the
.Xr ntpd 8
program.
.It Li kern.osrelease ( Dv KERN_OSRELEASE )
The system release string.
.It Li kern.osrevision ( Dv KERN_OSREV )
The system revision string.
.It Li kern.ostype ( Dv KERN_OSTYPE )
The system type string.
.\".It Li kern.panic_now
.\" XXX: Undocumented.
.It Li kern.pipe ( Dv KERN_PIPE )
Pipe settings.
The third level names for the integer pipe settings are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.pipe.kvasiz integer yes
.It kern.pipe.maxbigpipes integer yes
.It kern.pipe.maxkvasz integer yes
.It kern.pipe.limitkva integer yes
.It kern.pipe.nbigpipes integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ )
Amount of kernel memory consumed by pipe buffers.
.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES )
Maximum number of
.Dq big
pipes.
.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ )
Maximum amount of kernel memory to be used for pipes.
.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA )
Limit for direct transfers via page loan.
.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES )
Number of
.Dq big
pipes.
.El
.It Li kern.pool
Provides statistics about the
.Xr pool 9
and
.Xr pool_cache 9
subsystems.
.\" XXX: Undocumented .It Li kern.posix ( ? )
.\" This is a node in which the only variable is semmax.
.It Li kern.posix1version ( Dv KERN_POSIX1 )
The version of ISO/IEC 9945
.Pq St -p1003.1
with which the system attempts to comply.
.It Li kern.posix_aio
The version of
.St -p1003.1
and its Asynchronous I/O option to which the system attempts to conform.
.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS )
The version of
.St -p1003.1
and its
Barriers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS )
The version of
.St -p1003.1
and its
Read-Write Locks
option to which the system attempts to conform,
otherwise\ 0.
.\".It Li kern.posix_sched
.\" XXX: Undocumented.
.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES )
The version of
.St -p1003.1
and its
Semaphores
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS )
The version of
.St -p1003.1
and its
Spin Locks
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS )
The version of
.St -p1003.1
and its
Threads
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS )
The version of
.St -p1003.1
and its
Timers
option to which the system attempts to conform,
otherwise\ 0.
.It Li kern.proc ( Dv KERN_PROC )
Return the entire process table, or a subset of it.
An array of
.Vt struct kinfo_proc
structures is returned,
whose size depends on the current number of such objects in the system.
The third and fourth level numeric names are as follows:
.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent
.It Sy Third level name Ta Sy Fourth level is :
.It KERN_PROC_ALL None
.It KERN_PROC_GID A group ID
.It KERN_PROC_PID A process ID
.It KERN_PROC_PGRP A process group
.It KERN_PROC_RGID A real group ID
.It KERN_PROC_RUID A real user ID
.It KERN_PROC_SESSION A session ID
.It KERN_PROC_TTY A tty device
.It KERN_PROC_UID A user ID
.El
.It Li kern.proc2 ( Dv KERN_PROC2 )
As for
.Dv KERN_PROC ,
but an array of
.Vt struct kinfo_proc2
structures is returned.
The fifth level name is the size of the
.Vt struct kinfo_proc2
and the sixth level name is the number of structures to return.
.It Li kern.proc_args ( Dv KERN_PROC_ARGS )
Return the argv or environment strings (or the number thereof)
of a process.
Multiple strings are returned separated by NUL characters.
The third level name is the process ID.
The fourth level name is as follows:
.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent
.It Dv KERN_PROC_ARGV The argv strings
.It Dv KERN_PROC_ENV The environ strings
.It Dv KERN_PROC_NARGV The number of argv strings
.It Dv KERN_PROC_NENV The number of environ strings
.It Dv KERN_PROC_PATHNAME The full pathname of the executable
.It Dv KERN_PROC_CWD The current working directory
.El
.It Li kern.profiling ( Dv KERN_PROF )
Return profiling information about the kernel.
If the kernel is not compiled for profiling,
attempts to retrieve any of the
.Dv KERN_PROF
values will fail with
.Er EOPNOTSUPP .
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.profiling.count u_short[\|] yes
.It kern.profiling.froms u_short[\|] yes
.It kern.profiling.gmonparam struct gmonparam no
.It kern.profiling.state integer yes
.It kern.profiling.tos struct tostruct yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.profiling.count ( Dv GPROF_COUNT )
Array of statistical program counter counts.
.It Li kern.profiling.froms ( Dv GPROF_FROMS )
Array indexed by program counter of call-from points.
.It Li kern.profiling.gmonparam ( Dv GPROF_GMONPARAM )
Structure giving the sizes of the above arrays.
.It Li kern.profiling.state ( Dv GPROF_STATE )
Profiling state.
If set to
.Dv GMON_PROF_ON ,
starts profiling.
If set to
.Dv GMON_PROF_OFF ,
stops profiling.
.It Li kern.profiling.tos ( Dv GPROF_TOS )
Array of
.Vt struct tostruct
describing destination of calls and their counts.
.El
.\" .It Li kern.pset
.\" XXX: Undocumented.
.It Li kern.rawpartition ( Dv KERN_RAWPARTITION )
The raw partition of a disk (a == 0).
.It Li kern.root_device ( Dv KERN_ROOT_DEVICE )
The name of the root device (e.g.,
.Dq wd0 ) .
.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION )
The root partition on the root device (a == 0).
.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET )
Return the offset of the real time clock from UTC in minutes.
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS )
Returns 1 if saved set-group and saved set-user IDs are available.
.It Li kern.sbmax ( Dv KERN_SBMAX )
Maximum socket buffer size in bytes.
.It Li kern.securelevel ( Dv KERN_SECURELVL )
See
.Xr secmodel_securelevel 9 .
.It Li kern.sched ( dynamic )
Influence the scheduling of LWPs, their prioritisation and how they are
distributed on and moved between CPUs.
.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.sched.cacheht_time integer yes
.It kern.sched.balance_period integer yes
.It kern.sched.average_weight integer yes
.It kern.sched.min_catch integer yes
.It kern.sched.timesoftints integer yes
.It kern.sched.kpreempt_pri integer yes
.It kern.sched.upreempt_pri integer yes
.It kern.sched.maxts integer yes
.It kern.sched.mints integer yes
.It kern.sched.name string no
.It kern.sched.rtts integer no
.It kern.sched.pri_min integer no
.It kern.sched.pri_max integer no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.sched.cacheht_time ( dynamic )
Cache hotness time in which an LWP is kept on one particular CPU
and not moved to another CPU.
This reduces the overhead of flushing and reloading caches.
Defaults to 3ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.balance_period ( dynamic )
Interval at which the CPU queues are checked for re-balancing.
Defaults to 300ms.
Needs to be given in
.Dq hz
units, see
.Xr mstohz 9 .
.It Li kern.sched.average_weight ( dynamic )
Can be used to influence how likely LWPs are to be migrated from
one CPU's queue of LWPs that are ready to run to a different, idle CPU.
The value gives the percentage for weighting the average count of
migratable threads from the past against the current number of
migratable threads.
A small value gives more weight to the past, a larger value gives more
weight to the current situation.
Defaults to 50 and must be between 0 and 100.
.It Li kern.sched.min_catch ( dynamic )
Minimum count of migratable (runnable) threads for catching (stealing)
from another CPU.
Defaults to 1 but can be increased to decrease the chance of thread
migration between CPUs.
.It Li kern.sched.timesoftints ( dynamic )
Enable tracking of CPU time for soft interrupts
as part of an LWP's real execution time.
Set to a non-zero value to enable,
and see
.Xr ps 1
for printing CPU times.
.It Li kern.sched.kpreempt_pri ( dynamic )
Minimum priority to trigger kernel preemption.
.It Li kern.sched.upreempt_pri ( dynamic )
Minimum priority to trigger user preemption.
.It Li kern.sched.maxts ( dynamic )
Scheduler specific maximal time quantum (in milliseconds).
Must be set to a value larger than
.Dq mints
and between 10 and
.Dq hz
as given by the
.Li kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.mints ( dynamic )
Scheduler specific minimal time quantum (in milliseconds).
Must be set to a value smaller than
.Dq maxts
and between 1 and
.Dq hz
as given by the
.Li kern.clockrate
sysctl.
Provided by the M2 scheduler.
.It Li kern.sched.name ( dynamic )
Scheduler name.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.rtts ( dynamic )
Fixed scheduler specific round-robin time quantum in milliseconds.
Provided both by the M2 and the 4BSD scheduler.
.It Li kern.sched.pri_min ( dynamic )
Minimal POSIX real-time priority.
See
.Xr sched 3 .
.It Li kern.sched.pri_max ( dynamic )
Maximal POSIX real-time priority.
See
.Xr sched 3 .
.El
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA )
Maximum amount of kernel memory to be used for socket buffers in bytes.
.It Li kern.sooptions
Set the default socket option flags for
.Xr socket 2
creation.
See
.Xr setsockopt 2
for a list of supported flags.
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO )
Returns 1 if the
.St -p1003.1b-93
Synchronized I/O Option is available on this system,
otherwise\ 0.
.It Li kern.timecounter ( dynamic )
Display and control the timecounter source of the system.
.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.timecounter.choice string no
.It kern.timecounter.hardware string yes
.It kern.timecounter.timestepwarnings integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.timecounter.choice ( dynamic )
The list of available timecounters with their quality and frequency.
.It Li kern.timecounter.hardware ( dynamic )
The currently selected timecounter source.
.It Li kern.timecounter.timestepwarnings ( dynamic )
If non-zero, display a message each time the time is stepped.
.El
.It Li kern.timex ( Dv KERN_TIMEX )
Not available.
.It Li kern.tkstat ( Dv KERN_TKSTAT )
Return information about the number of characters sent and received
on ttys.
The third level names for the tty statistic variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tkstat.cancc quad no
.It kern.tkstat.nin quad no
.It kern.tkstat.nout quad no
.It kern.tkstat.rawcc quad no
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC )
The number of canonical input characters.
.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN )
The total number of input characters.
.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT )
The total number of output characters.
.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC )
The number of raw input characters.
.El
.It Li kern.tty
The third level names for the tty setup variables are detailed below.
The changeable column shows whether a process
with appropriate privilege may change the value.
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.tty.qsize int yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li kern.tty.qsize
Control/display the size of the default input and output queues selected
during tty creation.
The value is converted to a power of two and its range is between
.Dv 1024
and
.Dv 65536 .
.El
.It Li kern.uidinfo
Resource usage for the current user.
.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.uidinfo.proccnt integer no
.It kern.uidinfo.lwpcnt integer no
.It kern.uidinfo.lockcnt integer no
.It kern.uidinfo.semcnt integer no
.It kern.uidinfo.sbsize integer no
.El
.Bl -tag -width "123456"
.It Li kern.uidinfo.proccnt
Returns the number of active processes for the current user.
.It Li kern.uidinfo.lwpcnt
Returns the number of active threads for the current user; the first thread
of each process is not counted.
.It Li kern.uidinfo.lockcnt
Number of locks held by the current user.
.It Li kern.uidinfo.semcnt
Number of semaphores held by the current user.
.It Li kern.uidinfo.sbsize
Number of bytes in socket buffers allocated to the current user.
.El
.It Li kern.urandom ( Dv KERN_URND )
Random integer value.
.It Li kern.usercrypto
When enabled, allows userland to
.Xr open 2
the
.Pa /dev/crypto
special device, used by the
.Xr crypto 4
system.
.It Li kern.userasymcrypto
Enables or disables the use of software asymmetric crypto support in the
.Xr crypto 4
system.
.It Li kern.veriexec
Runtime information for
.Xr veriexec 8 .
.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It kern.veriexec.algorithms string no
.It kern.veriexec.count node not applicable
.It kern.veriexec.strict integer yes
.It kern.veriexec.verbose integer yes
.El
.Bl -tag -width "123456"
.It Li kern.veriexec.algorithms
Returns a string with the supported algorithms in Veriexec.
.It Li kern.veriexec.count
Sub-nodes are added to this node as new mounts are monitored by Veriexec.
Each mount will be under its own
.No tableN
node.
Under each node there will be three variables, indicating the mount
point, the file system type, and the number of entries.
.It Li kern.veriexec.strict
Controls the strict level of Veriexec.
See
.Xr security 7
for more information on each level's implications.
.It Li kern.veriexec.verbose
Controls the verbosity level of Veriexec.
If 0, only the minimal
indication required will be given about what's happening: fingerprint
mismatches, removal of entries from the tables, modification of a
fingerprinted file.
If 1, more messages will be printed (i.e., when a file with a valid
fingerprint is accessed).
Verbose level 2 is debug mode.
.El
.It Li kern.version ( Dv KERN_VERSION )
The system version string.
.It Li kern.vnode ( Dv KERN_VNODE )
Return the entire vnode table.
Note, the vnode table is not necessarily a consistent snapshot of
the system.
The returned data consists of an array whose size depends on the
current number of such objects in the system.
Each element of the array contains the kernel address of a vnode
.Vt struct vnode *
followed by the vnode itself
.Vt struct vnode .
.\" XXX: Undocumented: kern.lwp: no children?
.El
.Ss The machdep.* subtree
The set of variables defined is architecture dependent.
Most architectures define at least the following variables.
.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li machdep.booted_kernel string no
.El
.\" XXX: Document the above.
.Ss The net.* subtree
The string and integer information available for the
.Li net
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It net.route routing messages no
.It net.inet IPv4 values yes
.It net.inet6 IPv6 values yes
.It net.key IPsec key management values yes
.El
.Bl -tag -width "123456"
.It Li net.route ( Dv PF_ROUTE )
.\" XXX really?
Return the entire routing table or a subset of it.
The data is returned as a sequence of routing messages (see
.Xr route 4
for the header file, format and meaning).
The length of each message is contained in the message header.
.Pp
The third level name is a protocol number, which is currently always\ 0.
The fourth level name is an address family, which may be set to 0 to
select all address families.
The fifth and sixth level names are as follows:
.Bl -column "Fifth level name" "Sixth level is:" -offset indent
.It Sy Fifth level name Ta Sy Sixth level is :
.It NET_RT_FLAGS rtflags
.It NET_RT_DUMP None
.It NET_RT_IFLIST None
.El
.It Li net.inet ( Dv PF_INET )
Get or set various global information about the IPv4
.Pq Internet Protocol version 4 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It arp down integer yes
.It arp keep integer yes
.It arp log_movements integer yes
.It arp log_permanent_modify integer yes
.It arp log_unknown_network integer yes
.It arp log_wrong_iface integer yes
.It carp allow integer yes
.It carp preempt integer yes
.It carp log integer yes
.It carp arpbalance integer yes
.It icmp errppslimit integer yes
.It icmp maskrepl integer yes
.It icmp rediraccept integer yes
.It icmp redirtimeout integer yes
.It icmp bmcastecho integer yes
.It ip allowsrcrt integer yes
.It ip anonportalgo.selected string yes
.It ip anonportalgo.available string yes
.It ip anonportalgo.reserve struct yes
.It ip anonportmax integer yes
.It ip anonportmin integer yes
.It ip checkinterface integer yes
.It ip dad_count integer yes
.It ip directed-broadcast integer yes
.It ip do_loopback_cksum integer yes
.It ip forwarding integer yes
.It ip forwsrcrt integer yes
.It ip gifttl integer yes
.It ip grettl integer yes
.It ip hashsize integer yes
.It ip hostzerobroadcast integer yes
.It ip lowportmin integer yes
.It ip lowportmax integer yes
.It ip maxflows integer yes
.It ip maxfragpackets integer yes
.It ip mtudisc integer yes
.It ip mtudisctimeout integer yes
.It ip random_id integer yes
.It ip redirect integer yes
.It ip subnetsarelocal integer yes
.It ip ttl integer yes
.It tcp rfc1323 integer yes
.It tcp sendspace integer yes
.It tcp recvspace integer yes
.It tcp mssdflt integer yes
.It tcp syn_cache_limit integer yes
.It tcp syn_bucket_limit integer yes
.It tcp syn_cache_interval integer yes
.It tcp init_win integer yes
.It tcp init_win_local integer yes
.It tcp mss_ifmtu integer yes
.It tcp win_scale integer yes
.It tcp timestamps integer yes
.It tcp cwm integer yes
.It tcp cwm_burstsize integer yes
.It tcp ack_on_push integer yes
.It tcp keepidle integer yes
.It tcp keepintvl integer yes
.It tcp keepcnt integer yes
.It tcp slowhz integer no
.It tcp keepinit integer yes
.It tcp log_refused integer yes
.It tcp rstppslimit integer yes
.It tcp ident struct no
.It tcp drop struct no
.It tcp sack.enable integer yes
.It tcp sack.globalholes integer no
.It tcp sack.globalmaxholes integer yes
.It tcp sack.maxholes integer yes
.It tcp ecn.enable integer yes
.It tcp ecn.maxretries integer yes
.It tcp congctl.selected string yes
.It tcp congctl.available string yes
.It tcp abc.enable integer yes
.It tcp abc.aggressive integer yes
.It udp checksum integer yes
.It udp do_loopback_cksum integer yes
.It udp recvspace integer yes
.It udp sendspace integer yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li arp.down
Failed ARP entry lifetime.
.It Li arp.keep
Valid ARP entry lifetime.
.It Li carp.allow
If set to 0, incoming
.Xr carp 4
packets will not be processed.
If set to any other value, processing will occur.
Enabled by default.
.It Li carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of
.Xr carp 4
is enabled.
When ARP requests are received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to select one of the
virtual hosts from the set of all the virtual hosts which have that IP address.
The master of that host will respond with the correct virtual MAC address.
Disabled by default.
.It Li carp.log
If set to any value other than 0,
.Xr carp 4
will log errors.
Disabled by default.
.It Li carp.preempt
If set to 0,
.Xr carp 4
will not attempt to become master if it is receiving advertisements from
another active master.
If set to any other value, carp will become master of the virtual host if it
believes it can send advertisements more frequently than the current master.
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
.It Li ip.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip.anonportmin .
.It Li ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip.checkinterface
If set to non-zero, the host will reject packets addressed to it
that arrive on an interface not bound to that address.
Currently, this must be disabled if NAT is used to translate the
destination address to another local interface, or if addresses
are added to the loopback interface instead of the interface on which
the packets for those addresses are received.
.It Li ip.dad_count
The number of
.Xr arp 4
probes sent for Address Conflict Detection.
Set to 0 to disable this.
.It Li ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
.It Li ip.do_loopback_cksum
Perform IP checksum on loopback.
.It Li ip.forwarding
If set to 1, enables IP forwarding for the host,
meaning that the host is acting as a router.
.It Li ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host.
This value may only be changed if the kernel security level is less than 1.
.It Li ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gif 4
tunnel interface.
.It Li ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by a
.Xr gre 4
tunnel interface.
.It Li ip.hashsize
The size of the IPv4 Fast Forward hash table.
This value must be a power of 2 (64, 256...).
A larger hash table size results in fewer collisions.
Also see
.Li ip.maxflows .
.It Li ip.hostzerobroadcast
The all-zeroes address is a broadcast address.
.It Li ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip.lowportmin .
.It Li ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip.lowportmax .
.It Li ip.maxflows
IPv4 Fast Forwarding is enabled by default.
If set to 0, IPv4 Fast Forwarding is disabled.
.Li ip.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The variable exists primarily to mitigate possible DoS attacks.
.It Li ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191).
When Path MTU Discovery is enabled, the transmitted TCP segment
size will be determined by the advertised maximum segment size
(MSS) from the remote end, as constrained by the path MTU.
If MTU Discovery is disabled, the transmitted segment size will
never be greater than
.Li tcp.mssdflt
(the local maximum segment size).
.It Li ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU
Discovery engine will time out.
When the route times out, the Path
MTU Discovery engine will attempt to probe a larger path MTU.
.It Li ip.random_id
Assign random ip_id values.
.It Li ip.redirect
If set to 1, ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP packets,
and should normally be enabled on all systems.
.It Li ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
.It Li ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by
the system.
This value applies to normal transport protocols, not to ICMP.
.It Li icmp.errppslimit
The maximum number of outgoing ICMP error messages per second.
ICMP error messages exceeding this rate are subject to rate limiting
and will not be sent by the node.
A negative value disables rate limiting.
.It Li icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
.It Li icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets.
Note that routers will never accept ICMP redirect packets,
and the variable is meaningful on IP hosts only.
.It Li icmp.redirtimeout
The lifetime of routing entries generated by incoming
ICMP redirects.
This defaults to 600 seconds.
.It Li icmp.returndatabytes
Number of bytes to return in an ICMP error message.
.It Li icmp.bmcastecho
If set to 1, enables responding to ICMP echo or timestamp requests to the
broadcast address.
.It Li tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of
a packet with PUSH set.
This can avoid losing a round trip time in some rare situations,
but has the caveat of potentially defeating TCP's delayed ACK algorithm.
Use of this option is generally not recommended, but
the variable exists in case your configuration really needs it.
.It Li tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
Monitoring algorithm.
This algorithm prevents line-rate bursts of packets that could
otherwise occur when data begins flowing on an idle TCP connection.
These line-rate bursts can contribute to network and router congestion.
This can be particularly useful on World Wide Web servers
which support HTTP/1.1, which has lingering connections.
.It Li tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms
of packet count.
.It Li tcp.delack_ticks
Number of ticks to delay sending an ACK.
.It Li tcp.do_loopback_cksum
Perform TCP checksum on loopback.
.It Li tcp.init_win
A value indicating the TCP initial congestion window.
The valid range
is 0 to 10 (maximum specified by RFC 6928),
with a default of 4 (approximately 4K per RFC 3390).
.It Li tcp.init_win_local
Like
.Li tcp.init_win ,
but used when communicating with hosts on a local network.
.It Li tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead.
If set to zero, there is no limit;
keepalives will be sent until some kind of
response is received from the peer.
.It Li tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives
are enabled for the connection).
See also
.Li tcp.slowhz .
.It Li tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response,
another probe is sent.
See also
.Li tcp.slowhz .
.It Li tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
.It Li tcp.keepinit
Timeout in seconds during connection establishment.
.It Li tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on
the MTU of the appropriate interface.
If set to 0, it is calculated based on the greater of the MTU of the
interface, and the largest (non-loopback) interface MTU on the system.
.It Li tcp.mssdflt
The default maximum segment size both advertised to the peer
and to use when either the peer does not advertise a maximum segment size to
us during connection setup or Path MTU Discovery
.Li ( ip.mtudisc )
is disabled.
Do not change this value unless you really know what you are doing.
.It Li tcp.recvspace
The default TCP receive buffer size.
.It Li tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
.It Li tcp.rstppslimit
The maximum number of outgoing TCP RST packets per second.
TCP RST packets exceeding this rate are subject to rate limiting
and will not be sent by the node.
A negative value disables rate limiting.
.It Li tcp.ident
Return the user ID of a connected socket pair.
(RFC 1413 Identification Protocol lookups.)
.It Li tcp.drop
Drop a TCP socket pair connection.
.It Li tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
.It Li tcp.sack.globalholes
Global number of TCP SACK holes.
.It Li tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
|
|
.It Li tcp.sack.maxholes
|
|
Maximum number of TCP SACK holes allowed per connection.
|
|
.It Li tcp.ecn.enable
|
|
If set to 1, enables RFC 3168 Explicit Congestion Notification.
|
|
.It Li tcp.ecn.maxretries
|
|
Number of times to retry sending the ECN-setup packet.
|
|
.It Li tcp.sendspace
|
|
The default TCP send buffer size.
|
|
.It Li tcp.slowhz
|
|
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
|
|
of a clock that ticks tcp.slowhz times per second.
|
|
(That is, their values
|
|
must be divided by the tcp.slowhz value to get times in seconds.)
|
|
.It Li tcp.syn_bucket_limit
|
|
The maximum number of entries allowed per hash bucket in the TCP
|
|
compressed state engine.
|
|
.It Li tcp.syn_cache_limit
|
|
The maximum number of entries allowed in the TCP compressed state
|
|
engine.
|
|
.It Li tcp.timestamps
|
|
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
|
|
used for measuring TCP round trip times, are enabled.
|
|
.It Li tcp.win_scale
|
|
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
|
|
for increasing the TCP window size, are enabled.
|
|
.It Li tcp.congctl.available
|
|
The available TCP congestion control algorithms.
|
|
.It Li tcp.congctl.selected
|
|
The currently selected TCP congestion control algorithm.
|
|
.It Li tcp.abc.enable
|
|
If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
|
|
If set to 0, use traditional Packet Counting.
|
|
.It Li tcp.abc.aggressive
|
|
Choose the L parameter found in RFC 3465.
|
|
L is the maximum cwnd increase for an ack during slow start.
|
|
If set to 1, use L=2*SMSS.
|
|
If set to 0, use L=1*SMSS.
|
|
It has no effect unless tcp.abc.enable is set to 1.
|
|
.It Li udp.checksum
|
|
If set to 1, UDP checksums are being computed.
|
|
Received non-zero UDP checksums are always checked.
|
|
Disabling UDP checksums is strongly discouraged.
|
|
.It Li udp.recvspace
|
|
The default UDP receive buffer size.
|
|
.It Li udp.sendspace
|
|
The default UDP send buffer size.
|
|
.El
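The tcp.keepidle, tcp.keepintvl, tcp.keepcnt and tcp.slowhz variables above only make sense taken together: the first two are tick counts of the tcp.slowhz clock, and keepcnt = 0 means the probe schedule never ends. The Python below is an added illustration, not NetBSD code. It parses the "name = value" lines that sysctl(8) prints, converts the tick counts into seconds and derives the keepalive schedule. The sample sysctl output is constructed; that its numbers match NetBSD's traditional defaults is an assumption, not a value read from a live kernel.

```python
"""TCP keepalive timing in the units sysctl(7) describes.

Added illustration, not NetBSD code: tcp.keepidle and tcp.keepintvl are
counted in ticks of a clock running tcp.slowhz times per second, and
tcp.keepcnt = 0 means probes never stop.  The sample sysctl output below is
constructed (that the numbers follow NetBSD's traditional defaults is an
assumption).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the "name = value" form printed by sysctl(8).
SAMPLE_SYSCTL_OUTPUT = """\
net.inet.tcp.keepidle = 14400
net.inet.tcp.keepintvl = 150
net.inet.tcp.keepcnt = 8
net.inet.tcp.slowhz = 2
"""


def parse_sysctl_output(text: str) -> Dict[str, int]:
    """Parse "name = integer" lines into a dict; blank lines are ignored."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed sysctl line: {line!r}")
        values[name.strip()] = int(value.strip(), 0)
    return values


@dataclass(frozen=True)
class TcpKeepalive:
    keepidle: int    # slow-clock ticks of idleness before the first probe
    keepintvl: int   # slow-clock ticks between unanswered probes
    keepcnt: int     # probes before the connection is declared dead; 0 = unlimited
    slowhz: int      # slow-clock ticks per second

    def __post_init__(self) -> None:
        # The tick divisor must be positive, otherwise the conversions are meaningless.
        if self.slowhz <= 0:
            raise ValueError("tcp.slowhz must be positive")
        if min(self.keepidle, self.keepintvl, self.keepcnt) < 0:
            raise ValueError("keepalive tick counts cannot be negative")

    def idle_seconds(self) -> float:
        return self.keepidle / self.slowhz

    def interval_seconds(self) -> float:
        return self.keepintvl / self.slowhz

    def probe_times(self, limit: int = 8) -> List[float]:
        """Seconds after the connection goes idle at which probes are sent.
        With keepcnt = 0 the schedule is unbounded, so only `limit` entries
        are returned."""
        count = self.keepcnt if self.keepcnt > 0 else limit
        return [self.idle_seconds() + i * self.interval_seconds() for i in range(count)]

    def dead_after_seconds(self) -> Optional[float]:
        """Idle time after which a silent peer is declared dead: the last of
        keepcnt probes, plus one more interval without a reply.  None when
        keepcnt = 0 (probes continue until the peer answers)."""
        if self.keepcnt == 0:
            return None
        return self.idle_seconds() + self.keepcnt * self.interval_seconds()


def keepalive_from_sysctl(text: str, prefix: str = "net.inet.tcp.") -> TcpKeepalive:
    """Build a TcpKeepalive from sysctl(8)-style output."""
    v = parse_sysctl_output(text)
    return TcpKeepalive(
        keepidle=v[prefix + "keepidle"],
        keepintvl=v[prefix + "keepintvl"],
        keepcnt=v[prefix + "keepcnt"],
        slowhz=v[prefix + "slowhz"],
    )


if __name__ == "__main__":
    cfg = keepalive_from_sysctl(SAMPLE_SYSCTL_OUTPUT)
    print(f"first probe after {cfg.idle_seconds():.0f} s, then every "
          f"{cfg.interval_seconds():.0f} s; dead after {cfg.dead_after_seconds():.0f} s")
```

With the constructed values a dead peer is only noticed after two hours of idleness plus eight unanswered probes 75 seconds apart; an operator who needs faster detection of half-open connections lowers the tick counts, not tcp.slowhz.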
.Pp
For variables net.*.ipsec, please refer to
.Xr ipsec 4 .
.It Li net.inet6 ( Dv PF_INET6 )
Get or set various global information about the IPv6
.Pq Internet Protocol version 6 .
The third level name is the protocol.
The fourth level name is the variable name.
The currently defined protocols and names are:
.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent
.It Sy Protocol Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It icmp6 Ta errppslimit Ta integer Ta yes
.It icmp6 Ta mtudisc_hiwat Ta integer Ta yes
.It icmp6 Ta mtudisc_lowat Ta integer Ta yes
.It icmp6 Ta nd6_debug Ta integer Ta yes
.It icmp6 Ta nd6_delay Ta integer Ta yes
.It icmp6 Ta nd6_maxnudhint Ta integer Ta yes
.It icmp6 Ta nd6_mmaxtries Ta integer Ta yes
.It icmp6 Ta nd6_prune Ta integer Ta yes
.It icmp6 Ta nd6_umaxtries Ta integer Ta yes
.It icmp6 Ta nd6_useloopback Ta integer Ta yes
.It icmp6 Ta nodeinfo Ta integer Ta yes
.It icmp6 Ta rediraccept Ta integer Ta yes
.It icmp6 Ta redirtimeout Ta integer Ta yes
.It ip6 Ta accept_rtadv Ta integer Ta yes
.It ip6 Ta addctlpolicy Ta struct in6_addrpolicy Ta no
.It ip6 Ta anonportalgo.selected Ta string Ta yes
.It ip6 Ta anonportalgo.available Ta string Ta yes
.It ip6 Ta anonportalgo.reserve Ta struct Ta yes
.It ip6 Ta anonportmax Ta integer Ta yes
.It ip6 Ta anonportmin Ta integer Ta yes
.It ip6 Ta auto_flowlabel Ta integer Ta yes
.It ip6 Ta dad_count Ta integer Ta yes
.It ip6 Ta defmcasthlim Ta integer Ta yes
.It ip6 Ta forwarding Ta integer Ta yes
.It ip6 Ta gifhlim Ta integer Ta yes
.It ip6 Ta hashsize Ta integer Ta yes
.It ip6 Ta hlim Ta integer Ta yes
.It ip6 Ta hdrnestlimit Ta integer Ta yes
.It ip6 Ta kame_version Ta string Ta no
.It ip6 Ta keepfaith Ta integer Ta yes
.It ip6 Ta log_interval Ta integer Ta yes
.It ip6 Ta lowportmax Ta integer Ta yes
.It ip6 Ta lowportmin Ta integer Ta yes
.It ip6 Ta maxdynroutes Ta integer Ta yes
.It ip6 Ta maxifprefixes Ta integer Ta yes
.It ip6 Ta maxifdefrouters Ta integer Ta yes
.It ip6 Ta maxflows Ta integer Ta yes
.It ip6 Ta maxfragpackets Ta integer Ta yes
.It ip6 Ta maxfrags Ta integer Ta yes
.It ip6 Ta neighborgcthresh Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
.It ip6 Ta rr_prune Ta integer Ta yes
.It ip6 Ta use_deprecated Ta integer Ta yes
.It ip6 Ta v6only Ta integer Ta yes
.It udp6 Ta do_loopback_cksum Ta integer Ta yes
.It udp6 Ta recvspace Ta integer Ta yes
.It udp6 Ta sendspace Ta integer Ta yes
.El
.Pp
The variables are as follows:
.Bl -tag -width "123456"
.It Li ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets
and autoconfigure address prefixes and default routers.
The node must be a host
.Pq not a router
for the option to be meaningful.
.It Li ip6.anonportalgo.available
The available RFC 6056 port randomization algorithms.
.It Li ip6.anonportalgo.reserve
A bitmask of ports that will not be used during anonymous or privileged
port selection.
.It Li ip6.anonportalgo.selected
The currently selected RFC 6056 port randomization algorithm.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
be greater than
.Li ip6.anonportmin .
.It Li ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535.
.It Li ip6.auto_flowlabel
On connected transport protocol packets,
fill in the IPv6 flow label field to help intermediate routers identify packet flows.
.It Li ip6.dad_count
The variable configures the number of IPv6 DAD
.Pq duplicate address detection
probe packets.
The packets will be generated when IPv6 interface addresses are configured.
.It Li ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.forwarding
If set to 1, enables IPv6 forwarding for the node,
meaning that the node is acting as a router.
If set to 0, disables IPv6 forwarding for the node,
meaning that the node is acting as a host.
The IPv6 specification defines node behavior for the
.Dq router
case and the
.Dq host
case quite differently, and changing this variable during operation
may cause serious trouble.
It is recommended to configure the variable at bootstrap time,
and bootstrap time only.
.It Li ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by the
.Xr gif 4
tunnel interface.
.It Li ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets.
If set to 0, the node will accept as many extension headers as possible.
.It Li ip6.hashsize
The size of the IPv6 Fast Forward hash table.
This value must be a power of 2 (64, 256, ...).
A larger hash table size results in fewer collisions.
Also see
.Li ip6.maxflows .
.It Li ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node.
This value applies to all the transport protocols on top of IPv6.
There are APIs to override the value, as documented in
.Xr ip6 4 .
.It Li ip6.kame_version
The string identifies the version of the KAME IPv6 stack implemented in the kernel.
.It Li ip6.keepfaith
If set to non-zero, it enables the
.Dq FAITH
TCP relay IPv6-to-IPv4 translator code in the kernel.
Refer to
.Xr faith 4
and
.Xr faithd 8
for details.
.It Li ip6.log_interval
The variable controls the amount of logging generated by the IPv6 packet
forwarding engine, by setting the interval between log output
.Pq in seconds .
.It Li ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be greater than
.Li ip6.lowportmin .
.It Li ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation.
This cannot be set to less than 0 or greater than 1024, and must
be smaller than
.Li ip6.lowportmax .
.It Li ip6.maxdynroutes
Maximum number of routes created by redirect.
Set it to negative to disable.
The default value is 4096.
.It Li ip6.maxifprefixes
Maximum number of prefixes created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxifdefrouters
Maximum number of default routers created by route advertisements per interface.
Set it to negative to disable.
The default value is 16.
.It Li ip6.maxflows
IPv6 Fast Forwarding is enabled by default.
If set to 0, IPv6 Fast Forwarding is disabled.
.Li ip6.maxflows
controls the maximum number of flows which can be created.
The default value is 256.
.It Li ip6.maxfragpackets
The maximum number of fragmented packets the node will accept.
0 means that the node will not accept any fragmented packets.
\-1 means that the node will accept as many fragmented packets as it receives.
The variable is provided mainly to mitigate possible DoS attacks.
.It Li ip6.maxfrags
The maximum number of fragments the node will accept.
0 means that the node will not accept any fragments.
\-1 means that the node will accept as many fragments as it receives.
The variable is provided mainly to mitigate possible DoS attacks.
.It Li ip6.neighborgcthresh
Maximum number of entries in the neighbor cache per interface.
Set to negative to disable.
The default value is 2048.
.It Li ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
.It Li ip6.rr_prune
The variable specifies the interval between IPv6 router renumbering prefix
babysitting, in seconds.
.It Li ip6.use_deprecated
The variable controls the use of deprecated addresses, as specified in
RFC 2462 section 5.5.4.
.It Li ip6.v6only
The variable specifies the initial value of the
.Dv IPV6_V6ONLY
socket option for
.Dv AF_INET6
sockets.
Please refer to
.Xr ip6 4
for details.
.It Li icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages
per second.
ICMPv6 error messages that exceed the value are subject to rate limitation
and will not be sent by the node.
A negative value disables rate limitation.
.It Li icmp6.mtudisc_hiwat
.It Li icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries
created by path MTU discovery
.Pq this prevents denial-of-service attacks with ICMPv6 too big messages .
When IPv6 path MTU discovery happens, the path MTU information is kept in
the routing table.
If the number of routing table entries exceeds the value,
the kernel will not attempt to keep the path MTU information.
.Li icmp6.mtudisc_hiwat
is used when the ICMPv6 too big messages have been verified.
.Li icmp6.mtudisc_lowat
is used when the ICMPv6 too big messages are unverified.
Verification is performed by using address/port pairs kept in connected pcbs.
A negative value disables the upper limit.
.It Li icmp6.nd6_debug
If set to non-zero, the kernel IPv6 neighbor discovery code will generate
debugging messages.
The debug outputs are useful to diagnose IPv6 interoperability issues.
The flag must be set to 0 for normal operation.
.It Li icmp6.nd6_delay
The variable specifies the
.Dv DELAY_FIRST_PROBE_TIME
timing constant of the IPv6 neighbor discovery specification
.Pq RFC 2461 ,
in seconds.
.It Li icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability
hints, to avoid unnecessary neighbor discovery exchanges.
The variable defines the number of consecutive hints the neighbor discovery
layer will take.
For example, by setting the variable to 3, the neighbor discovery layer
will take at most 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer will perform the
normal neighbor discovery process.
.It Li icmp6.nd6_mmaxtries
The variable specifies the
.Dv MAX_MULTICAST_SOLICIT
constant of the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_prune
The variable specifies the interval between IPv6 neighbor cache babysitting,
in seconds.
.It Li icmp6.nd6_umaxtries
The variable specifies the
.Dv MAX_UNICAST_SOLICIT
constant of the IPv6 neighbor discovery specification
.Pq RFC 2461 .
.It Li icmp6.nd6_useloopback
If set to non-zero, the kernel IPv6 stack will use the loopback interface for
local traffic.
.It Li icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries.
If you set the variable to 0, responses will not be generated for
ICMPv6 node information queries.
Since node information queries can have a security impact, it is
possible to fine tune which responses should be answered.
Two separate bits can be set.
.Bl -tag -width "12345"
.It 1
Respond to ICMPv6 FQDN queries, e.g.
.Li ping6 -w .
.It 2
Respond to ICMPv6 node addresses queries, e.g.
.Li ping6 -a .
.El
.It Li icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets.
Note that IPv6 routers will never accept ICMPv6 redirect packets,
and the variable is meaningful on IPv6 hosts
.Pq non-router
only.
.It Li icmp6.redirtimeout
The variable specifies the lifetime of routing entries generated by incoming
ICMPv6 redirects.
.It Li udp6.do_loopback_cksum
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
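The ip6.anonportmin/ip6.anonportmax and ip6.lowportmin/ip6.lowportmax items above state range invariants, and ip6.anonportalgo.reserve removes individual ports from selection. The Python below is an added example, not NetBSD's implementation: it enforces those invariants, models the reserve bitmask, and picks a free ephemeral port while honouring it. The picker is a plain uniform random choice over the allowed ports, an assumption made for illustration; the kernel's RFC 6056 algorithms (ip6.anonportalgo.available) are not reproduced. The reserved ports and the in-use set are constructed.

```python
"""Ephemeral port selection under ip6.anonportmin/anonportmax and the
ip6.anonportalgo.reserve bitmask, with the range checks sysctl(7) states.

Added example, not NetBSD's implementation: the picker is a plain uniform
random choice over the allowed ports (an assumption for illustration); the
kernel's RFC 6056 algorithms are not reproduced.  Reserved and in-use ports
below are constructed sample data.
"""
import secrets
from typing import Callable, Iterable, Optional, Set


class PortRange:
    """Inclusive [lo, hi] port window with the bounds the variables allow."""

    def __init__(self, lo: int, hi: int, *, floor: int, ceiling: int) -> None:
        for p in (lo, hi):
            if not floor <= p <= ceiling:
                raise ValueError(f"port {p} outside {floor}..{ceiling}")
        if hi <= lo:
            raise ValueError("max must be greater than min")
        self.lo, self.hi = lo, hi


def anon_range(lo: int, hi: int) -> PortRange:
    """ip6.anonportmin/ip6.anonportmax: 1024..65535, max > min."""
    return PortRange(lo, hi, floor=1024, ceiling=65535)


def low_range(lo: int, hi: int) -> PortRange:
    """ip6.lowportmin/ip6.lowportmax: 0..1024, max > min."""
    return PortRange(lo, hi, floor=0, ceiling=1024)


class ReservedPorts:
    """One bit per port; a set bit means the port is never handed out."""

    def __init__(self, ports: Iterable[int] = ()) -> None:
        self.bits = bytearray(65536 // 8)
        for p in ports:
            self.reserve(p)

    def reserve(self, port: int) -> None:
        self.bits[port >> 3] |= 1 << (port & 7)

    def is_reserved(self, port: int) -> bool:
        return bool(self.bits[port >> 3] & (1 << (port & 7)))


def pick_port(rng: PortRange, reserved: ReservedPorts, in_use: Set[int],
              choose: Callable[[int], int] = secrets.randbelow) -> Optional[int]:
    """Return a free, non-reserved port from rng, or None when none is left.
    `choose(n)` returns an index in 0..n-1; injectable for deterministic tests."""
    candidates = [p for p in range(rng.lo, rng.hi + 1)
                  if not reserved.is_reserved(p) and p not in in_use]
    if not candidates:
        return None
    return candidates[choose(len(candidates))]


if __name__ == "__main__":
    rng = anon_range(49152, 65535)
    reserved = ReservedPorts(range(49152, 49160))   # constructed reserve mask
    print(pick_port(rng, reserved, in_use={49160}))
```

Note that the checks reject exactly what the text says the kernel rejects (a value outside the window, or max not above min), and that a fully reserved or fully used window yields no port rather than a port outside the configured range.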
.Pp
We reuse net.*.tcp for TCP over IPv6,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to the
.Li PF_INET
section above.
For variables net.*.ipsec6, please refer to
.Xr ipsec 4 .
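tcp.rstppslimit (in the PF_INET section) and icmp6.errppslimit above describe the same mechanism: at most N outgoing packets of a kind per second, the excess silently not sent, and a negative value turning the check off. The Python below is an added example, not kernel code, that models those semantics with a fixed one-second window counter (an assumption about the mechanism, made for illustration). The packet timestamps are constructed.

```python
"""Per-second rate limitation of outgoing error packets, as described for
tcp.rstppslimit and icmp6.errppslimit in sysctl(7).

Added example, not kernel code.  It models the documented semantics with a
fixed one-second window counter (an assumption about the mechanism): up to
`limit` packets leave in any wall-clock second, the rest are dropped, and a
negative limit disables the check.  The packet timestamps are constructed.
"""
from typing import Iterable, Tuple


class PerSecondLimiter:
    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.window: int = -1      # wall-clock second of the current window
        self.count = 0             # packets already sent in that second
        self.sent = 0
        self.dropped = 0

    def allow(self, now: float) -> bool:
        """Decide whether a packet at time `now` (seconds) may go out."""
        if self.limit < 0:          # negative value: rate limitation disabled
            self.sent += 1
            return True
        second = int(now)
        if second != self.window:   # new second: reset the counter
            self.window, self.count = second, 0
        if self.count < self.limit:
            self.count += 1
            self.sent += 1
            return True
        self.dropped += 1           # over budget: the packet is not sent
        return False


def simulate(limit: int, timestamps: Iterable[float]) -> Tuple[int, int]:
    """Run a burst through the limiter; return (sent, dropped)."""
    lim = PerSecondLimiter(limit)
    for t in timestamps:
        lim.allow(t)
    return lim.sent, lim.dropped


# Constructed burst: 250 RSTs within the first second and 50 in the next,
# the pattern produced when many connection attempts hit closed ports.
BURST = [i / 250 for i in range(250)] + [1.0 + i / 50 for i in range(50)]


if __name__ == "__main__":
    for limit in (100, -1, 0):
        print(f"limit={limit:4d}: sent/dropped = {simulate(limit, BURST)}")
```

The counter `dropped` is the number an operator would want exported as a statistic: a steadily climbing value under a low limit is the visible symptom of the flood the limit exists to absorb, and the place to look when legitimate error responses seem to vanish.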
.It Li net.key ( Dv PF_KEY )
Get or set various global information about the IPsec key management.
The third level name is the variable name.
The currently defined variables are:
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It debug Ta integer Ta yes
.It enabled Ta integer Ta yes
.It used Ta integer Ta no
.It spi_try Ta integer Ta yes
.It spi_min_value Ta integer Ta yes
.It spi_max_value Ta integer Ta yes
.It larval_lifetime Ta integer Ta yes
.It blockacq_count Ta integer Ta yes
.It blockacq_lifetime Ta integer Ta yes
.It esp_keymin Ta integer Ta yes
.It esp_auth Ta integer Ta yes
.It ah_keymin Ta integer Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li debug
Turn on debugging messages from within the kernel.
The value is a bitmap, as defined in
.In netipsec/key_debug.h .
.It Li enabled
Control processing of IPsec control messages.
.Bl -tag -width indent
.It 0
Never allow IPsec processing.
.It 1
Allow IPsec processing when SPD policies are present.
.It 2
Force IPsec processing even when SPD policies are not present.
.El
.It Li used
Based on whether IPsec is enabled and on SPD rule existence, show whether
IPsec is being used.
Note that currently, once IPsec is being used, it cannot be disabled.
.It Li spi_try
The number of times the kernel will try to obtain a unique SPI
when it generates one from the random number generator.
.It Li spi_min_value
Minimum SPI value when generating it within the kernel.
.It Li spi_max_value
Maximum SPI value when generating it within the kernel.
.It Li larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
.It Li blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
It avoids a flood of ACQUIRE PF_KEY messages being sent from the kernel to the
key management daemon.
.It Li blockacq_lifetime
Lifetime of an ACQUIRE PF_KEY message.
.It Li esp_keymin
Minimum ESP key length, in bits.
The value is used when the kernel creates the proposal payload
on an ACQUIRE PF_KEY message.
.It Li esp_auth
Whether ESP authentication should be used or not.
A non-zero value indicates that ESP authentication should be used.
The value is used when the kernel creates the proposal payload
on an ACQUIRE PF_KEY message.
.It Li ah_keymin
Minimum AH key length, in bits.
The value is used when the kernel creates the proposal payload
on an ACQUIRE PF_KEY message.
.El
.It Li net.local ( Dv PF_LOCAL )
Get or set various global information about
.Dv AF_LOCAL
type sockets.
For some variables, the third level name is the variable name:
.Bl -column "Variable" "integer" "Changeable" -offset indent
.It Sy Variable Ta Sy Type Ta Sy Changeable
.It inflight Ta integer Ta no
.It deferred Ta integer Ta no
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li inflight
The number of file descriptors currently passed between processes,
.Qq in flight .
.It Li deferred
The number of file descriptors passed between processes that have been
deferred for cleanup by a kernel task.
.El
.Pp
Other variables are specific to a socket type:
.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent
.It Sy Socket Type Ta Sy Variable Ta Sy Type Ta Sy Changeable
.It dgram Ta pcblist Ta struct Ta no
.It dgram Ta recvspace Ta integer Ta yes
.It dgram Ta sendspace Ta integer Ta yes
.It seqpacket Ta pcblist Ta struct Ta no
.It stream Ta pcblist Ta struct Ta no
.It stream Ta recvspace Ta integer Ta yes
.It stream Ta sendspace Ta integer Ta yes
.El
The variables are as follows:
.Bl -tag -width "123456"
.It Li dgram.pcblist
The Protocol Control Block list structure for datagram sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li dgram.recvspace
The default datagram receive buffer size.
.It Li dgram.sendspace
The default datagram send buffer size.
.It Li seqpacket.pcblist
The Protocol Control Block list structure for Sequential Packet sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.pcblist
The Protocol Control Block list structure for stream sockets.
Parsed by
.Xr netstat 1
or
.Xr sockstat 1 .
.It Li stream.recvspace
The default stream receive buffer size.
.It Li stream.sendspace
The default stream send buffer size.
.El
.El
.Ss The proc.* subtree
The string and integer information available for the
.Li proc
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent
.It Sy Third level name Ta Sy Type Ta Sy Changeable
.It proc.pid.corename Ta string Ta yes
.It proc.pid.rlimit Ta node Ta not applicable
.It proc.pid.stopfork Ta int Ta yes
.It proc.pid.stopexec Ta int Ta yes
.It proc.pid.stopexit Ta int Ta yes
.It proc.pid.paxflags Ta int Ta no
.El
.Bl -tag -width "123456"
.It Li proc.pid.corename ( Dv PROC_PID_CORENAME )
The template used for the core dump file name (see
.Xr core 5
for details).
The base name must either be
.Pa core
or end with the suffix
.Pa .core
(the super-user may set arbitrary names).
By default it points to
.Dv KERN_DEFCORENAME .
.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT )
Return resource limits, as defined for the
.Xr getrlimit 2
and
.Xr setrlimit 2
system calls.
The fourth level name is one of:
.Bl -tag -width "123456"
.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU )
The maximum amount of CPU time (in seconds) to be used by each process.
.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE )
The largest size (in bytes) of a file that may be created.
.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA )
The maximum size (in bytes) of the data segment for a process;
this defines how far a program may extend its break with the
.Xr sbrk 2
system call.
.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK )
The maximum size (in bytes) of the stack segment for a process;
this defines how far a program's stack segment may be extended.
Stack extension is performed automatically by the system.
.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE )
The largest size (in bytes)
.Pa core
file that may be created.
.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS )
The maximum size (in bytes) to which a process's resident set size may
grow.
This imposes a limit on the amount of physical memory to be given to
a process; if memory is tight, the system will prefer to take memory
from processes that are exceeding their declared resident set size.
.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK )
The maximum size (in bytes) which a process may lock into memory
using the
.Xr mlock 2
function.
.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC )
The maximum number of simultaneous processes for this user id.
.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE )
The maximum number of open files for this process.
.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE )
The maximum size (in bytes) of the socket buffers
set by the
.Xr setsockopt 2
.Dv SO_RCVBUF
and
.Dv SO_SNDBUF
options.
.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS )
The maximum size (in bytes) which a process can obtain.
.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR )
The maximum number of threads that can be created and running at one time in
the process.
The first thread of each process is not counted against this.
.El
.Pp
The fifth level name is one of
.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT )
or
.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) ,
to select respectively the soft or hard limit.
Both are of type integer.
.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK )
If non-zero, the process's children will be stopped after
.Xr fork 2
calls.
The children are created in the SSTOP state and are never scheduled
for running before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children, and it also
applies to emulation-specific system calls that fork a new process, such as
.Fn sproc
or
.Fn clone .
.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC )
If non-zero, the process will be stopped on the next
.Xr exec 3
call.
The process created by
.Xr exec 3
is created in the SSTOP state and is never scheduled for running
before being stopped.
This feature enables attaching to a process with a debugger such as
.Xr gdb 1
before the process has the opportunity to actually do anything.
.Pp
This value is inherited by the process's children.
.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT )
If non-zero, the process will be stopped when it has cause to exit,
either by way of calling
.Xr exit 3 ,
.Xr _exit 2 ,
or by the receipt of a specific signal.
The process is stopped before any of its resources or vm space is
released, allowing examination of the termination state of the process
before it disappears.
This feature can be used to examine the final conditions of the
process's vmspace via
.Xr pmap 1
or its resource settings with
.Xr sysctl 8
before it disappears.
.Pp
This value is also inherited by the process's children.
.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS )
This read-only variable returns the current value of the process's pax
flags (see
.Xr paxctl 8 ) .
.El
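proc.pid.rlimit exposes, per fourth-level name, the soft and hard pair that getrlimit(2) and setrlimit(2) operate on. The Python below is an added, portable example rather than NetBSD code: it maps the fourth-level names listed above to the RLIMIT_* constants of the host's resource module (that mapping is an assumption; names the host lacks, such as sbsize and maxlwp on Linux, are simply absent) and exercises the two rules an unprivileged process can rely on: the soft limit may be lowered and raised again up to the hard limit, while a soft value above the hard limit is refused. The hard limit is deliberately never lowered, because an unprivileged process cannot raise it back.

```python
"""Soft and hard resource limits, the pair proc.pid.rlimit.*.{soft,hard}
exposes, exercised through the getrlimit(2)/setrlimit(2) interface the
sysctl(7) node is defined in terms of.

Added example, not NetBSD code, and portable: the mapping from the
proc.pid.rlimit fourth-level names to RLIMIT_* constants is an assumption;
names the host's resource module lacks (sbsize, maxlwp on Linux) are skipped.
"""
import resource
from typing import Dict, Tuple

# Fourth-level name from sysctl(7) -> RLIMIT_* constant name (assumed mapping).
_NAME_TO_RLIMIT = {
    "cputime": "RLIMIT_CPU", "filesize": "RLIMIT_FSIZE",
    "datasize": "RLIMIT_DATA", "stacksize": "RLIMIT_STACK",
    "coredumpsize": "RLIMIT_CORE", "memoryuse": "RLIMIT_RSS",
    "memorylocked": "RLIMIT_MEMLOCK", "maxproc": "RLIMIT_NPROC",
    "descriptors": "RLIMIT_NOFILE", "sbsize": "RLIMIT_SBSIZE",
    "vmemoryuse": "RLIMIT_AS", "maxlwp": "RLIMIT_NTHR",
}


def supported_limits() -> Dict[str, int]:
    """Names from the page that this host's resource module knows."""
    return {name: getattr(resource, const)
            for name, const in _NAME_TO_RLIMIT.items() if hasattr(resource, const)}


def limits_for(name: str) -> Tuple[int, int]:
    """(soft, hard) for a proc.pid.rlimit fourth-level name; KeyError if unknown here."""
    return resource.getrlimit(supported_limits()[name])


def probe_soft_hard(res: int = resource.RLIMIT_NOFILE) -> dict:
    """Exercise the soft/hard rules on one limit and restore it afterwards.

    1. lowering the soft limit needs no privilege;
    2. a soft value above the hard limit is refused (EINVAL, which Python's
       resource module reports as ValueError);
    the hard limit itself is left alone, since an unprivileged process
    could not raise it again."""
    soft, hard = resource.getrlimit(res)
    out = {"orig": (soft, hard)}
    target = soft - 1 if soft not in (resource.RLIM_INFINITY, 0) else soft
    resource.setrlimit(res, (target, hard))
    out["lowered_target"] = target
    out["lowered_soft"] = resource.getrlimit(res)[0]
    if hard == resource.RLIM_INFINITY:
        out["soft_above_hard_rejected"] = None     # nothing is above infinity
    else:
        try:
            resource.setrlimit(res, (hard + 1, hard))
            out["soft_above_hard_rejected"] = False
        except ValueError:
            out["soft_above_hard_rejected"] = True
    resource.setrlimit(res, (soft, hard))          # put the original pair back
    out["restored"] = resource.getrlimit(res) == (soft, hard)
    return out


if __name__ == "__main__":
    for name in sorted(supported_limits()):
        print(f"{name:13s} soft/hard = {limits_for(name)}")
    print(probe_soft_hard())
```

The same two rules are what make the hard limit the sandboxing control: a supervisor lowers the hard value before exec, and nothing the child does afterwards can widen it.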
|
|
.Ss The user.* subtree ( Dv CTL_USER )
|
|
The string and integer information available for the
|
|
.Li user
|
|
level is detailed below.
|
|
The changeable column shows whether a process with appropriate
|
|
privilege may change the value.
|
|
.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent
|
|
.It Sy Second level name Ta Sy Type Ta Sy Changeable
|
|
.It user.atexit_max integer no
|
|
.It user.bc_base_max integer no
|
|
.It user.bc_dim_max integer no
|
|
.It user.bc_scale_max integer no
|
|
.It user.bc_string_max integer no
|
|
.It user.coll_weights_max integer no
|
|
.It user.cs_path string no
|
|
.It user.expr_nest_max integer no
|
|
.It user.line_max integer no
|
|
.It user.posix2_c_bind integer no
|
|
.It user.posix2_c_dev integer no
|
|
.It user.posix2_char_term integer no
|
|
.It user.posix2_fort_dev integer no
|
|
.It user.posix2_fort_run integer no
|
|
.It user.posix2_localedef integer no
|
|
.It user.posix2_sw_dev integer no
|
|
.It user.posix2_upe integer no
|
|
.It user.posix2_version integer no
|
|
.It user.re_dup_max integer no
|
|
.It user.stream_max integer no
|
|
.It user.stream_max integer no
|
|
.It user.tzname_max integer no
|
|
.El
|
|
.Bl -tag -width "123456"
|
|
.It Li user.atexit_max ( Dv USER_ATEXIT_MAX )
|
|
The maximum number of functions that may be registered with
|
|
.Xr atexit 3 .
|
|
.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX )
|
|
The maximum ibase/obase values in the
|
|
.Xr bc 1
|
|
utility.
|
|
.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX )
|
|
The maximum array size in the
|
|
.Xr bc 1
|
|
utility.
|
|
.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX )
|
|
The maximum scale value in the
|
|
.Xr bc 1
|
|
utility.
|
|
.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX )
|
|
The maximum string length in the
|
|
.Xr bc 1
|
|
utility.
|
|
.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX )
|
|
The maximum number of weights that can be assigned to any entry of
|
|
the LC_COLLATE order keyword in the locale definition file.
|
|
.It Li user.cs_path ( USER_CS_PATH )
|
|
Return a value for the
|
|
.Ev PATH
|
|
environment variable that finds all the standard utilities.
|
|
.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX )
|
|
The maximum number of expressions that can be nested within
|
|
parenthesis by the
|
|
.Xr expr 1
|
|
utility.
|
|
.It Li user.line_max ( Dv USER_LINE_MAX )
|
|
The maximum length in bytes of a text-processing utility's input
|
|
line.
|
|
.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM )
|
|
Return 1 if the system supports at least one terminal type capable of
|
|
all operations described in
|
|
.St -p1003.2 ,
|
|
otherwise\ 0.
|
|
.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND )
|
|
Return 1 if the system's C-language development facilities support the
|
|
C-Language Bindings Option, otherwise\ 0.
|
|
.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV )
|
|
Return 1 if the system supports the C-Language Development Utilities Option,
|
|
otherwise\ 0.
|
|
.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV )
|
|
Return 1 if the system supports the FORTRAN Development Utilities Option,
|
|
otherwise\ 0.
|
|
.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN )
|
|
Return 1 if the system supports the FORTRAN Runtime Utilities Option,
|
|
otherwise\ 0.
|
|
.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF )
|
|
Return 1 if the system supports the creation of locales, otherwise\ 0.
|
|
.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV )
|
|
Return 1 if the system supports the Software Development Utilities Option,
|
|
otherwise\ 0.
|
|
.It Li user.posix2_upe ( Dv USER_POSIX2_UPE )
|
|
Return 1 if the system supports the User Portability Utilities Option,
|
|
otherwise\ 0.
|
|
.It Li user.posix2_version ( Dv USER_POSIX2_VERSION )
|
|
The version of
|
|
.St -p1003.2
|
|
with which the system attempts to comply.
|
|
.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX )
|
|
The maximum number of repeated occurrences of a regular expression
|
|
permitted when using interval notation.
|
|
.It Li user.stream_max ( Dv USER_STREAM_MAX )
|
|
The minimum maximum number of streams that a process may have open
|
|
at any one time.
|
|
.It Li user.tzname_max ( Dv USER_TZNAME_MAX )
|
|
The minimum maximum number of types supported for the name of a
|
|
timezone.
|
|
.El
|
|
.Ss The vm.* subtree ( Dv CTL_VM )
The string and integer information available for the
.Li vm
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It vm.anonmax	int	yes
.It vm.anonmin	int	yes
.It vm.bufcache	int	yes
.It vm.bufmem	int	no
.It vm.bufmem_hiwater	int	yes
.It vm.bufmem_lowater	int	yes
.It vm.execmax	int	yes
.It vm.execmin	int	yes
.It vm.filemax	int	yes
.It vm.filemin	int	yes
.It vm.loadavg	struct loadavg	no
.It vm.maxslp	int	no
.It vm.nkmempages	int	no
.It vm.uspace	int	no
.It vm.uvmexp	struct uvmexp	no
.It vm.uvmexp2	struct uvmexp_sysctl	no
.It vm.vmmeter	struct vmtotal	no
.It vm.proc.map	struct kinfo_vmentry	no
.It vm.guard_size	unsigned int	no
.It vm.thread_guard_size	unsigned int	yes
.El
.Bl -tag -width "123456"
.It Li vm.anonmax ( Dv VM_ANONMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store anonymous application data.
.It Li vm.anonmin ( Dv VM_ANONMIN )
The percentage of physical memory which will always be available for
anonymous application data.
.It Li vm.bufcache ( Dv VM_BUFCACHE )
The percentage of physical memory which will be available
for the buffer cache.
.It Li vm.bufmem ( Dv VM_BUFMEM )
The amount of kernel memory that is being used by the buffer cache.
.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER )
The minimum amount of kernel memory to reserve for the
buffer cache.
.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER )
The maximum amount of kernel memory to be used for the
buffer cache.
.It Li vm.execmax ( Dv VM_EXECMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached executable data.
.It Li vm.execmin ( Dv VM_EXECMIN )
The percentage of physical memory which will always be available for
cached executable data.
.It Li vm.filemax ( Dv VM_FILEMAX )
The percentage of physical memory which will be reclaimed
from other types of memory usage to store cached file data.
.It Li vm.filemin ( Dv VM_FILEMIN )
The percentage of physical memory which will always be available for
cached file data.
.It Li vm.loadavg ( Dv VM_LOADAVG )
Return the load average history.
The returned data consists of a
.Vt struct loadavg .
.It Li vm.maxslp ( Dv VM_MAXSLP )
The value of the maxslp kernel global variable.
.It Li vm.vmmeter ( Dv VM_METER )
Return system-wide virtual memory statistics.
The returned data consists of a
.Vt struct vmtotal .
.It Li vm.user_va0_disable
A flag which controls whether user processes can map virtual address\ 0.
.It Li vm.proc.map ( Dv VM_PROC )
The third level is
.Dv VM_PROC_MAP ,
the fourth is the pid of the process to display the vm object entries for, and
the fifth is the size of
.Vt struct kinfo_vmentry .
Returns an array of
.Vt struct kinfo_vmentry
objects.
.It Li vm.uspace ( Dv VM_USPACE )
The number of bytes allocated for each kernel stack.
.It Li vm.uvmexp ( Dv VM_UVMEXP )
Return system-wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp .
.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 )
Return system-wide virtual memory statistics.
The returned data consists of a
.Vt struct uvmexp_sysctl .
.It Li vm.guard_size
Return the system-wide guard size for the main thread of a program.
.It Li vm.thread_guard_size
Return the system-wide default size for the guard area of all other threads
of a program.
.\" XXX vm.idlezero
.El
.Ss The ddb.* subtree ( Dv CTL_DDB )
The information available for the
.Li ddb
level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It ddb.commandonenter	string	yes
.It ddb.dumpstack	integer	yes
.It ddb.fromconsole	integer	yes
.It ddb.lines	integer	yes
.It ddb.maxoff	integer	yes
.It ddb.maxwidth	integer	yes
.It ddb.onpanic	integer	yes
.It ddb.panicstackframes	integer	yes
.It ddb.radix	integer	yes
.It ddb.tabstops	integer	yes
.It ddb.tee_msgbuf	integer	yes
.El
.Bl -tag -width "123456"
.It Li ddb.commandonenter
If not empty, the string is used as the DDB command to be executed each time
DDB is entered.
.It Li ddb.dumpstack
A value of 1 causes a stack trace to be printed on entering DDB from a panic.
A value of 0 disables this behaviour.
The default value is 1.
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE )
If not zero, DDB may be entered by sending a break on a serial
console or by a special key sequence on a graphics console.
.It Li ddb.lines ( Dv DDBCTL_LINES )
Number of display lines.
.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF )
The maximum symbol offset.
.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH )
The maximum output line width.
.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC )
If greater than zero, DDB will be entered if the kernel panics.
A value of 1 causes the system to enter DDB on panic.
A value of 0 causes the kernel to attempt to print a stack trace, then
reboot, while a value of \-1 means neither a stack trace will be printed
nor DDB entered.
.It Li ddb.panicstackframes
Number of stack frames to display on panic.
Useful to avoid scrolling away the interesting frames on a glass tty.
The default value is
.Dv 65535
(all frames); a useful value is around
.Dv 10 .
.It Li ddb.radix ( Dv DDBCTL_RADIX )
The input and output radix.
.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS )
Tab width.
.It Li ddb.tee_msgbuf
If not zero, DDB will also write its output to the kernel message buffer.
.El
.Pp
Some of these MIB
nodes are also available as variables from within the debugger.
See
.Xr ddb 4
for more details.
.Ss The security.* subtree ( Dv CTL_SECURITY )
The
.Li security
level contains various security-related settings for
the system.
The available second level names are:
.Bl -column "Second level name" "integer" "Changeable" -offset indent
.It Sy Second level name Ta Sy Type Ta Sy Changeable
.It Li security.curtain	integer	yes
.It Li security.models	node	not applicable
.It Li security.pax	node	not applicable
.El
.Pp
Available settings are detailed below.
.Bl -tag -width "123456"
.It Li security.curtain
If non-zero, the kernel filters returned objects according to the user ID
requesting information about them, preventing users from
accessing any objects they do not own.
.Pp
At the moment, it affects
.Xr ps 1 ,
.Xr netstat 1
(for
.Dv PF_INET ,
.Dv PF_INET6 ,
and
.Dv PF_UNIX
PCBs), and
.Xr w 1 .
.It Li security.models
.Nx
supports pluggable security models.
Every security model used, whether loaded as a module or built with the system,
is required to add an entry to this node with at least one element,
.Dq name ,
indicating the name of the security model.
.Pp
In addition to the name, any settings and other information private to the
security model will be available under this node.
See
.Xr secmodel 9
for more information.
.It Li security.pax
Settings for PaX \(em exploit mitigation features.
For more information on any of the PaX features, please see
.Xr paxctl 8
and
.Xr security 7 .
The available third and fourth level names are:
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \
-offset 2n
.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable
.It Li security.pax.aslr.enabled	integer	yes
.\".It Li security.pax.aslr.exec_len	integer	yes
.It Li security.pax.aslr.global	integer	yes
.\".It Li security.pax.aslr.mmap_len	integer	yes
.\".It Li security.pax.aslr.stack_len	integer	yes
.It Li security.pax.mprotect.enabled	integer	yes
.It Li security.pax.mprotect.global	integer	yes
.It Li security.pax.mprotect.ptrace	integer	yes
.It Li security.pax.segvguard.enabled	integer	yes
.It Li security.pax.segvguard.expiry_timeout	integer	yes
.It Li security.pax.segvguard.global	integer	yes
.It Li security.pax.segvguard.max_crashes	integer	yes
.It Li security.pax.segvguard.suspend_timeout	integer	yes
.El
.Bl -tag -width "123456"
.It Li security.pax.aslr.enabled
Enable PaX ASLR (Address Space Layout Randomization).
.Pp
The value of this
knob must be non-zero for PaX ASLR to be enabled, even if a program is
explicitly marked as enabled.
.\".It Li security.pax.aslr.exec_len
.\" XXX: Undocumented.
.It Li security.pax.aslr.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get PaX ASLR, except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get PaX ASLR, except those specifically
marked as such with
.Xr paxctl 8 .
.\".It Li security.pax.aslr.mmap_len
.\" XXX: Undocumented.
.\" .It Li security.pax.aslr.stack_len
.\" XXX: Undocumented.
.It Li security.pax.mprotect.enabled
Enable PaX MPROTECT restrictions.
.Pp
These are
.Xr mprotect 2
restrictions to better enforce a W^X policy.
The value of this
knob must be non-zero for PaX MPROTECT to be enabled, even if a
program is explicitly marked as enabled.
.It Li security.pax.mprotect.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX MPROTECT restrictions,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX MPROTECT restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.mprotect.ptrace
This variable allows
.Xr ptrace 2
to override PaX MPROTECT permissions.
It can have the following values:
.Bl -tag -width XX -compact
.It 0
Does not allow any permissions to be overridden.
.It 1
Disables PaX MPROTECT for processes that start executing while traced (default).
.It 2
Bypasses PaX MPROTECT for all processes being traced.
.El
.It Li security.pax.segvguard.enabled
Enable PaX Segvguard.
.Pp
PaX Segvguard can detect and prevent certain exploitation attempts, where
an attacker may try, for example, to brute-force function return addresses
of respawning daemons.
.Pp
.Em Note :
The
.Nx
interface and implementation of the Segvguard is still experimental, and may
change in future releases.
.It Li security.pax.segvguard.expiry_timeout
If the maximum number of crashes is not reached within this timeout
(in seconds), the entry expires.
.It Li security.pax.segvguard.global
Specifies the default global policy for programs without an
explicit enable/disable flag.
.Pp
When non-zero, all programs will get the PaX Segvguard,
except those exempted with
.Xr paxctl 8 .
Otherwise, no program will get the PaX Segvguard restrictions,
except those specifically marked as such with
.Xr paxctl 8 .
.It Li security.pax.segvguard.max_crashes
The maximum number of segfaults a program can receive before suspension.
.It Li security.pax.segvguard.suspend_timeout
Number of seconds to suspend a user from running a faulting program when the
limit was exceeded.
.El
.El
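The effective policy rules stated above for the security.pax.* knobs (the *.enabled knob must be non-zero before *.global or any per-program marking matters) and for ddb.onpanic, expressed as an added POSIX sh check; this is example code, not part of the manual or of NetBSD, and it parses a constructed sample of sysctl(8)-style output embedded in the script instead of querying a live host.

```shell
#!/bin/sh
# Added example, not from the manual or NetBSD. Constructed sample of
# "sysctl security.pax ddb.onpanic"-style output; the values were chosen
# for the demonstration and were not captured from a real host.
SAMPLE='security.pax.aslr.enabled = 1
security.pax.aslr.global = 1
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.mprotect.ptrace = 1
security.pax.segvguard.enabled = 0
security.pax.segvguard.global = 1
ddb.onpanic = 1'

# sysctl_get NAME: value of NAME in $SAMPLE, empty if the node is absent.
sysctl_get() {
    printf '%s\n' "$SAMPLE" | sed -n "s/^$1 = //p"
}

# pax_policy FEATURE (aslr|mprotect|segvguard): the effective default
# policy, following the rule the manual states: *.enabled must be non-zero
# for the feature to work at all, even for programs explicitly marked with
# paxctl(8); *.global then decides between on-by-default with paxctl
# exemptions ("opt-out") and off-by-default with paxctl opt-ins ("opt-in").
pax_policy() {
    enabled=$(sysctl_get "security.pax.$1.enabled")
    global=$(sysctl_get "security.pax.$1.global")
    if [ "${enabled:-0}" -eq 0 ]; then
        echo off          # global and per-program marks are irrelevant
    elif [ "${global:-0}" -ne 0 ]; then
        echo opt-out      # on for all, except paxctl exemptions
    else
        echo opt-in       # off for all, except paxctl-marked programs
    fi
}

# ddb_onpanic_meaning: what the kernel does on a panic for ddb.onpanic.
ddb_onpanic_meaning() {
    v=$(sysctl_get ddb.onpanic)
    if [ -z "$v" ]; then echo unknown
    elif [ "$v" -gt 0 ]; then echo enter-ddb          # drop into the debugger
    elif [ "$v" -eq 0 ]; then echo stacktrace-reboot  # trace, then reboot
    else echo reboot                                  # -1: neither
    fi
}

for f in aslr mprotect segvguard; do
    printf 'security.pax.%s: %s\n' "$f" "$(pax_policy "$f")"
done
printf 'ddb.onpanic: %s\n' "$(ddb_onpanic_meaning)"
```

With the sample above, segvguard reports "off" even though its global knob is 1, which is the interaction an audit most easily misses.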
.Ss The vendor.* subtree ( Dv CTL_VENDOR )
The
.Li vendor
top-level name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
.Dq vendor.<yourname>.* .
.Sh SEE ALSO
.Xr sysctl 3 ,
.Xr ipsec 4 ,
.Xr tcp 4 ,
.Xr security 7 ,
.Xr sysctl 8
.Sh HISTORY
The
.Nm
variables first appeared in
.Bx 4.4 .