version 1.117, 2017/07/30 16:07:06 |
version 1.135, 2018/11/04 16:30:28 |
|
|
.\" |
.\" |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" |
.\" |
.Dd July 30, 2017 |
.Dd November 3, 2018 |
.Dt SYSCTL 7 |
.Dt SYSCTL 7 |
.Os |
.Os |
.Sh NAME |
.Sh NAME |
Line 278 privilege may change the value. |
|
Line 278 privilege may change the value. |
|
.It kern.arandom integer no |
.It kern.arandom integer no |
.It kern.argmax integer no |
.It kern.argmax integer no |
.It kern.boothowto integer no |
.It kern.boothowto integer no |
.It kern.boottime struct timeval no |
.It kern.boottime struct timespec no |
.It kern.buildinfo string no |
.It kern.buildinfo string no |
.\".It kern.bufq node not applicable |
.\".It kern.bufq node not applicable |
.It kern.ccpu integer no |
.It kern.ccpu integer no |
Line 293 privilege may change the value. |
|
Line 293 privilege may change the value. |
|
.It kern.domainname string yes |
.It kern.domainname string yes |
.It kern.drivers struct kinfo_drivers no |
.It kern.drivers struct kinfo_drivers no |
.It kern.dump_on_panic integer yes |
.It kern.dump_on_panic integer yes |
|
.It kern.expose_address integer yes |
.It kern.file struct file no |
.It kern.file struct file no |
.It kern.forkfsleep integer yes |
.It kern.forkfsleep integer yes |
.It kern.fscale integer no |
.It kern.fscale integer no |
Line 358 privilege may change the value. |
|
Line 359 privilege may change the value. |
|
.It kern.sched node not applicable |
.It kern.sched node not applicable |
.It kern.securelevel integer raise only |
.It kern.securelevel integer raise only |
.It kern.somaxkva integer yes |
.It kern.somaxkva integer yes |
|
.It kern.sooptions integer yes |
.It kern.synchronized_io integer no |
.It kern.synchronized_io integer no |
.It kern.timecounter node not applicable |
.It kern.timecounter node not applicable |
.It kern.timex struct no |
.It kern.timex struct no |
Line 372 privilege may change the value. |
|
Line 374 privilege may change the value. |
|
.El |
.El |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li kern.aio_listio_max |
.It Li kern.aio_listio_max |
The maximum number of asynchronous |
The maximum number of asynchronous I/O operations in a single list |
.Tn I/O |
I/O call. |
operations in a single list I/O call. |
|
Like with all variables related to |
Like with all variables related to |
.Xr aio 3 , |
.Xr aio 3 , |
the variable may be created and removed dynamically |
the variable may be created and removed dynamically |
Line 384 The maximum number of asynchronous I/O o |
|
Line 385 The maximum number of asynchronous I/O o |
|
.It Li kern.arandom |
.It Li kern.arandom |
This variable picks a random number each time it is queried. |
This variable picks a random number each time it is queried. |
The used random number generator |
The used random number generator |
.Pf ( Tn RNG ) |
.Pf ( RNG ) |
is based on |
is based on |
.Xr arc4random 3 . |
.Xr arc4random 3 . |
.It Li kern.argmax ( Dv KERN_ARGMAX ) |
.It Li kern.argmax ( Dv KERN_ARGMAX ) |
Line 396 Flags passed from the boot loader; see |
|
Line 397 Flags passed from the boot loader; see |
|
for the meanings of the flags. |
for the meanings of the flags. |
.It Li kern.boottime ( Dv KERN_BOOTTIME ) |
.It Li kern.boottime ( Dv KERN_BOOTTIME ) |
A |
A |
.Vt struct timeval |
.Vt struct timespec |
structure is returned. |
structure is returned. |
This structure contains the time that the system was booted. |
This structure contains the time that the system was booted. |
|
That time is defined (for this purpose) to be the time at |
|
which the kernel first started accumulating clock ticks. |
.It Li kern.bufq |
.It Li kern.bufq |
This variable contains information on the |
This variable contains information on the |
.Xr bufq 9 |
.Xr bufq 9 |
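Review bot: In the kern.boottime entry, the returned type changes from struct timeval to struct timespec, but the text gives existing callers no hint that the layout changed. A program that still reads the result into a struct timeval will treat the nanosecond field as microseconds, so the entry should say that the type changed and that callers must pass a struct timespec buffer. Keep the table row for kern.boottime in sync with this wording.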
Line 514 field is always a NUL terminated string. |
|
Line 517 field is always a NUL terminated string. |
|
The |
The |
.Va d_bmajor |
.Va d_bmajor |
field will be set to \-1 if the driver doesn't have a block device. |
field will be set to \-1 if the driver doesn't have a block device. |
|
.It Li kern.expose_address |
|
Expose kernel addresses in |
|
.Xr sysctl 3 |
|
calls used by |
|
.Xr fstat 1 |
|
and |
|
.Xr sockstat 1 . |
|
Defaults to |
|
.Dv 0 . |
|
Turning it on renders KASLR ineffective. |
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC ) |
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC ) |
Perform a crash dump on system |
Perform a crash dump on system |
.Xr panic 9 . |
.Xr panic 9 . |
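Review bot: The new kern.expose_address description is inserted before kern.dump_on_panic, while the table row added for it sits after kern.dump_on_panic; move the description below the dump_on_panic entry so both lists use the same order. The text also stops at "Turning it on renders KASLR ineffective." without saying what fstat(1) and sockstat(1) report in the address fields at the default of 0, or whether the setting applies to every caller or only to unprivileged ones. One sentence on each would let an administrator judge the exposure before changing it.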
Line 787 The third level names for the settings a |
|
Line 800 The third level names for the settings a |
|
.It Sy Third level name Ta Sy Type Ta Sy Changeable |
.It Sy Third level name Ta Sy Type Ta Sy Changeable |
.It kern.module.autoload integer yes |
.It kern.module.autoload integer yes |
.It kern.module.autotime integer yes |
.It kern.module.autotime integer yes |
.It kern.module.verbose integer yes |
.It kern.module.verbose boolean yes |
.El |
.El |
.Pp |
.Pp |
The variables are as follows: |
The variables are as follows: |
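Review bot: The kern.module.verbose row is now typed boolean, while every other row visible in these tables uses integer, string, struct or node. If boolean is a distinct type here, the page should say once how such a variable is read and set; otherwise keep integer so the Type column stays consistent.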
Line 811 Returns the standard version the impleme |
|
Line 824 Returns the standard version the impleme |
|
Monotonic Clock Option conforms to, |
Monotonic Clock Option conforms to, |
otherwise\ 0. |
otherwise\ 0. |
.It Li kern.mqueue |
.It Li kern.mqueue |
Settings related to |
Settings related to POSIX message queues; see |
.Tn POSIX |
|
message queues; see |
|
.Xr mqueue 3 . |
.Xr mqueue 3 . |
This node is created dynamically when |
This node is created dynamically when |
the corresponding kernel module is loaded. |
the corresponding kernel module is loaded. |
Line 1052 Return the offset of real time clock fro |
|
Line 1063 Return the offset of real time clock fro |
|
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS ) |
.It Li kern.saved_ids ( Dv KERN_SAVED_IDS ) |
Returns 1 if saved set-group and saved set-user ID is available. |
Returns 1 if saved set-group and saved set-user ID is available. |
.It Li kern.sbmax ( Dv KERN_SBMAX ) |
.It Li kern.sbmax ( Dv KERN_SBMAX ) |
Maximum socket buffer size. |
Maximum socket buffer size in bytes. |
.\" XXX units? |
|
.It Li kern.securelevel ( Dv KERN_SECURELVL ) |
.It Li kern.securelevel ( Dv KERN_SECURELVL ) |
See |
See |
.Xr secmodel_securelevel 9 . |
.Xr secmodel_securelevel 9 . |
|
|
.Xr sched 3 . |
.Xr sched 3 . |
.El |
.El |
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA ) |
.It Li kern.somaxkva ( Dv KERN_SOMAXKVA ) |
Maximum amount of kernel memory to be used for socket buffers. |
Maximum amount of kernel memory to be used for socket buffers in bytes. |
.\" XXX units? |
.It Li kern.sooptions |
|
Set the default socket option flags for |
|
.Xr socket 2 |
|
creation. |
|
See |
|
.Xr setsockopt 2 |
|
for a list of supported flags. |
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO ) |
.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO ) |
Returns 1 if the |
Returns 1 if the |
.St -p1003.1b-93 |
.St -p1003.1b-93 |
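Review bot: The new kern.sooptions description does not say how the integer encodes the flags or what the default value is. Since it sets defaults for every socket(2) call system-wide, state whether the value is a bitwise OR of the option constants from setsockopt(2) and give the default, so a reader can tell which options a given number turns on. The "in bytes" additions for kern.sbmax and kern.somaxkva look fine.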
Line 1495 This cannot be set to less than 1024 or |
|
Line 1511 This cannot be set to less than 1024 or |
|
.It Li ip.checkinterface |
.It Li ip.checkinterface |
If set to non-zero, the host will reject packets addressed to it |
If set to non-zero, the host will reject packets addressed to it |
that arrive on an interface not bound to that address. |
that arrive on an interface not bound to that address. |
Currently, this must be disabled if ipnat is used to translate the |
Currently, this must be disabled if NAT is used to translate the |
destination address to another local interface, or if addresses |
destination address to another local interface, or if addresses |
are added to the loopback interface instead of the interface where |
are added to the loopback interface instead of the interface where |
the packets for those packets are received. |
the packets for those packets are received. |
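Review bot: The last sentence of ip.checkinterface still reads "the packets for those packets are received" on both sides of the diff. Since this paragraph is being touched for the ipnat to NAT rename, fix the wording in the same change; "the packets for those addresses are received" appears to be what is meant.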
Line 2017 Default UDP receive buffer size. |
|
Line 2033 Default UDP receive buffer size. |
|
Default UDP send buffer size. |
Default UDP send buffer size. |
.El |
.El |
.Pp |
.Pp |
We reuse net.*.tcp for |
We reuse net.*.tcp for TCP over IPv6, |
.Tn TCP |
|
over |
|
.Tn IPv6 , |
|
and therefore we do not have variables net.*.tcp6. |
and therefore we do not have variables net.*.tcp6. |
Variables net.inet6.udp6 have identical meaning to net.inet.udp. |
Variables net.inet6.udp6 have identical meaning to net.inet.udp. |
Please refer to |
Please refer to |
Line 2047 The currently defined variable and names |
|
Line 2060 The currently defined variable and names |
|
.It esp_auth integer yes |
.It esp_auth integer yes |
.It ah_keymin integer yes |
.It ah_keymin integer yes |
.El |
.El |
.Pp |
|
The variables are as follows: |
The variables are as follows: |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li debug |
.It Li debug |
Turn on debugging message from within the kernel. |
Turn on debugging message from within the kernel. |
The value is a bitmap, as defined in |
The value is a bitmap, as defined in |
.In netkey/key_debug.h . |
.In netipsec/key_debug.h . |
.It Li enabled |
.It Li enabled |
Control processing of IPsec control messages. |
Control processing of IPsec control messages. |
.Bl -tag -width indent |
.Bl -tag -width indent |
Line 2065 Allow IPsec processing when SPD policies |
|
Line 2077 Allow IPsec processing when SPD policies |
|
Force IPsec processing even when SPD policies are not present. |
Force IPsec processing even when SPD policies are not present. |
.El |
.El |
.It Li used |
.It Li used |
Based on if IPsec is enabled, and SPD rule existance, show if |
Based on if IPsec is enabled, and SPD rule existence, show if |
IPsec is being used. |
IPsec is being used. |
Note that currently once IPsec is being used, it cannot be disabled. |
Note that currently once IPsec is being used, it cannot be disabled. |
.It Li spi_try |
.It Li spi_try |
Line 2097 Minimum AH key length, in bits, |
|
Line 2109 Minimum AH key length, in bits, |
|
The value is used when the kernel creates proposal payload |
The value is used when the kernel creates proposal payload |
on ACQUIRE PF_KEY message. |
on ACQUIRE PF_KEY message. |
.El |
.El |
|
.It Li net.local ( Dv PF_LOCAL ) |
|
Get or set various global information about |
|
.Dv AF_LOCAL |
|
type sockets. |
|
For some variables, the third level name is the variable name: |
|
.Bl -column "Variable" "integer" "Changeable" -offset indent |
|
.It Sy Variable Type Ta Sy Changeable |
|
.It inflight integer no |
|
.It deferred integer no |
|
.El |
|
The variables are as follows: |
|
.Bl -tag -width "123456" |
|
.It Li inflight |
|
The number of file descriptors currently passed between processes, |
|
.Qq in flight . |
|
.It Li deferred |
|
The number of file descriptors passed between processes that have been |
|
deferred for cleanup by a kernel task. |
|
.El |
|
.Pp |
|
Other variables are specific to a socket type: |
|
.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent |
|
.It Sy "Socket Type" Sy Variable Type Ta Sy Changeable |
|
.It dgram pcblist struct no |
|
.It dgram recvspace integer yes |
|
.It dgram sendspace integer yes |
|
.It seqpacket pcblist struct no |
|
.It stream pcblist struct no |
|
.It stream recvspace integer yes |
|
.It stream sendspace integer yes |
|
.El |
|
The variables are as follows: |
|
.Bl -tag -width "123456" |
|
.It Li dgram.pcblist |
|
The Protocol Control Block list structure for datagram sockets. |
|
Parsed by |
|
.Xr netstat 1 |
|
or |
|
.Xr sockstat 1 . |
|
.It Li dgram.recvspace |
|
The default datagram receive buffer size. |
|
.It Li dgram.sendspace |
|
The default datagram send buffer size. |
|
.It Li seqpacket.pcblist |
|
The Protocol Control Block list structure for Sequential Packet sockets. |
|
Parsed by |
|
.Xr netstat 1 |
|
or |
|
.Xr sockstat 1 . |
|
.It Li stream.pcblist |
|
The Protocol Control Block list structure for stream sockets. |
|
Parsed by |
|
.Xr netstat 1 |
|
or |
|
.Xr sockstat 1 . |
|
.It Li stream.recvspace |
|
The default stream receive buffer size. |
|
.It Li stream.sendspace |
|
The default stream send buffer size. |
|
.El |
.El |
.El |
.Ss The proc.* subtree |
.Ss The proc.* subtree |
The string and integer information available for the |
The string and integer information available for the |
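Review bot: The two column headers in the new net.local section do not follow the cell convention used by the other tables on this page. As shown, ".It Sy Variable Type Ta Sy Changeable" and ".It Sy "Socket Type" Sy Variable Type Ta Sy Changeable" are missing the Ta separators between the leading cells, whereas the existing headers read ".It Sy Second level name Ta Sy Type Ta Sy Changeable". Add "Ta Sy" between each header cell so the columns line up with the declared -column widths. It is also worth confirming that the number of .El lines closing this section matches the lists it opens.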
Line 2453 The information available for the |
|
Line 2525 The information available for the |
|
level is detailed below. |
level is detailed below. |
The changeable column shows whether a process with appropriate |
The changeable column shows whether a process with appropriate |
privilege may change the value. |
privilege may change the value. |
.\" XXX sort |
|
.Bl -column "Second level name" "integer" "Changeable" -offset indent |
.Bl -column "Second level name" "integer" "Changeable" -offset indent |
.It Sy Second level name Ta Sy Type Ta Sy Changeable |
.It Sy Second level name Ta Sy Type Ta Sy Changeable |
.It ddb.radix integer yes |
.It ddb.commandonenter string yes |
|
.It ddb.dumpstack integer yes |
|
.It ddb.fromconsole integer yes |
|
.It ddb.lines integer yes |
.It ddb.maxoff integer yes |
.It ddb.maxoff integer yes |
.It ddb.maxwidth integer yes |
.It ddb.maxwidth integer yes |
.It ddb.lines integer yes |
|
.It ddb.tabstops integer yes |
|
.It ddb.onpanic integer yes |
.It ddb.onpanic integer yes |
.It ddb.fromconsole integer yes |
.It ddb.panicstackframes integer yes |
|
.It ddb.radix integer yes |
|
.It ddb.tabstops integer yes |
.It ddb.tee_msgbuf integer yes |
.It ddb.tee_msgbuf integer yes |
.It ddb.commandonenter string yes |
|
.El |
.El |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li ddb.radix ( Dv DDBCTL_RADIX ) |
.It Li ddb.commandonenter |
The input and output radix. |
If not empty, the string is used as the DDB command to be executed each time |
|
DDB is entered. |
|
.It Li ddb.dumpstack |
|
A value of 1 causes a stack trace to be printed on entering ddb from a panic. |
|
A value of 0 disables this behaviour. |
|
The default value is 1. |
|
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE ) |
|
If not zero, DDB may be entered by sending a break on a serial |
|
console or by a special key sequence on a graphics console. |
|
.It Li ddb.lines ( Dv DDBCTL_LINES ) |
|
Number of display lines. |
.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF ) |
.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF ) |
The maximum symbol offset. |
The maximum symbol offset. |
.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH ) |
.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH ) |
The maximum output line width. |
The maximum output line width. |
.It Li ddb.lines ( Dv DDBCTL_LINES ) |
|
Number of display lines. |
|
.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS ) |
|
Tab width. |
|
.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC ) |
.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC ) |
If greater than zero, DDB will be entered if the kernel panics. |
If greater than zero, DDB will be entered if the kernel panics. |
A value of 1 causes the system to enter DDB on panic, while a value of 2 |
A value of 1 causes the system to enter DDB on panic. |
causes the kernel to attempt to print out a stack trace before entering DDB. |
|
A value of 0 causes the kernel to attempt to print a stack trace, then |
A value of 0 causes the kernel to attempt to print a stack trace, then |
reboot, while a value of \-1 means neither a stack trace will be printed |
reboot, while a value of \-1 means neither a stack trace will be printed |
nor DDB entered. |
nor DDB entered. |
.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE ) |
.It Li ddb.panicstackframes |
If not zero, DDB may be entered by sending a break on a serial |
Number of stack frames to display on panic. |
console or by a special key sequence on a graphics console. |
Useful to avoid scrolling away the interesting frames on a glass tty. |
|
Default value is |
|
.Dv 65535 |
|
(all frames), useful value around |
|
.Dv 10 . |
|
.It Li ddb.radix ( Dv DDBCTL_RADIX ) |
|
The input and output radix. |
|
.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS ) |
|
Tab width. |
.It Li ddb.tee_msgbuf |
.It Li ddb.tee_msgbuf |
If not zero, DDB will output also to the kernel message buffer. |
If not zero, DDB will output also to the kernel message buffer. |
.It Li ddb.commandonenter |
|
If not empty, a command to be executed on each enter to the |
|
.Tn DDB . |
|
.\" |
|
.\" XXX: (a) ddb.commandonenter is missing in ddb(4); |
|
.\" (b) No DDBCTL definitions for tee_msgbuf and commandonenter. |
|
.El |
.El |
.Pp |
.Pp |
Some of these |
Some of these MIB |
.Tn MIB |
|
nodes are also available as variables from within the debugger. |
nodes are also available as variables from within the debugger. |
See |
See |
.Xr ddb 4 |
.Xr ddb 4 |
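Review bot: In ddb.onpanic, the sentence about a value of 2 is removed, but the entry still opens with "If greater than zero", which leaves values above 1 undocumented. Say that such values behave like 1, and point to ddb.dumpstack for the stack trace that 2 used to request, so a reader carrying an old setting of 2 knows what changed. The comment noting that ddb.commandonenter is missing from ddb(4) is also dropped here; if that has not been fixed in ddb(4), keep the reminder.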
Line 2519 The available second level names are: |
|
Line 2598 The available second level names are: |
|
Available settings are detailed below. |
Available settings are detailed below. |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li security.curtain |
.It Li security.curtain |
If non-zero, will filter return objects according to the user |
If non-zero, will filter return objects according to the user ID |
.Tn ID |
|
requesting information about them, preventing users from |
requesting information about them, preventing users from |
accessing any objects they do not own. |
accessing any objects they do not own. |
.Pp |
.Pp |
|
|
.Xr secmodel 9 |
.Xr secmodel 9 |
for more information. |
for more information. |
.It Li security.pax |
.It Li security.pax |
Settings for PaX -- exploit mitigation features. |
Settings for PaX \(em exploit mitigation features. |
For more information on any of the PaX features, please see |
For more information on any of the PaX features, please see |
.Xr paxctl 8 |
.Xr paxctl 8 |
and |
and |