version 1.61, 2011/02/02 09:07:32 |
version 1.90, 2015/07/11 16:47:49 |
|
|
.\" |
.\" |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" |
.\" |
.Dd February 1, 2011 |
.Dd July 11, 2015 |
.Dt SYSCTL 7 |
.Dt SYSCTL 7 |
.Os |
.Os |
.Sh NAME |
.Sh NAME |
Line 142 The highest valid file system type numbe |
|
Line 142 The highest valid file system type numbe |
|
Returns configuration information about the file system type given as a fourth |
Returns configuration information about the file system type given as a fourth |
level identifier. |
level identifier. |
.It Li vfs.generic.usermount ( VFS_USERMOUNT ) |
.It Li vfs.generic.usermount ( VFS_USERMOUNT ) |
Determines if non superuser mounts are allowed, default to no |
Determines if non superuser mounts are allowed, defaults to |
.Dv 0 . |
.Dv 0 . |
.It Li vfs.generic.magiclinks ( VFS_MAGICLINKS ) |
.It Li vfs.generic.magiclinks ( VFS_MAGICLINKS ) |
Controls if expansion of variables is going to be performed on pathnames |
Controls if expansion of variables is going to be performed on pathnames |
Line 164 capabilities with the following third le |
|
Line 164 capabilities with the following third le |
|
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li vfs.wapbl.flush_disk_cache |
.It Li vfs.wapbl.flush_disk_cache |
Controls whether to attempt to flush the disk cache on each commit. |
Controls whether to attempt to flush the disk cache on each commit. |
It defaults to 1 and it should always be on to ensure data integrity in |
It defaults to 1 and it should always be on to ensure integrity |
case of a crash. |
of file system metadata in the event of a power loss. |
For slow disks, turning it off can improve performance. |
For slow disks, turning it off can improve performance. |
.It Li vfs.wapbl.verbose_commit |
.It Li vfs.wapbl.verbose_commit |
For each transaction log commit, print the number of bytes written |
For each transaction log commit, print the number of bytes written |
Line 198 privilege may change the value. |
|
Line 198 privilege may change the value. |
|
.It hw.machine_arch string no |
.It hw.machine_arch string no |
.It hw.model string no |
.It hw.model string no |
.It hw.ncpu integer no |
.It hw.ncpu integer no |
|
.It hw.ncpuonline integer no |
.It hw.pagesize integer no |
.It hw.pagesize integer no |
.It hw.physmem integer no |
.It hw.physmem integer no |
.It hw.physmem64 quad no |
.It hw.physmem64 quad no |
.It hw.usermem integer no |
.It hw.usermem integer no |
.It hw.usermem64 quad no |
.It hw.usermem64 quad no |
.El |
.El |
.Pp |
|
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li hw.alignbytes ( HW_ALIGNBYTES ) |
.It Li hw.alignbytes ( HW_ALIGNBYTES ) |
Alignment constraint for all possible data types. |
Alignment constraint for all possible data types. |
Line 249 The machine CPU class. |
|
Line 249 The machine CPU class. |
|
.It Li hw.model ( HW_MODEL ) |
.It Li hw.model ( HW_MODEL ) |
The machine model. |
The machine model. |
.It Li hw.ncpu ( HW_NCPU ) |
.It Li hw.ncpu ( HW_NCPU ) |
The number of CPUs. |
The number of CPUs configured. |
|
.It Li hw.ncpuonline ( HW_NCPUONLINE ) |
|
The number of CPUs online. |
.It Li hw.pagesize ( HW_PAGESIZE ) |
.It Li hw.pagesize ( HW_PAGESIZE ) |
The software page size. |
The software page size. |
.It Li hw.physmem ( HW_PHYSMEM ) |
.It Li hw.physmem ( HW_PHYSMEM ) |
Line 277 privilege may change the value. |
|
Line 279 privilege may change the value. |
|
.It kern.argmax integer no |
.It kern.argmax integer no |
.It kern.boothowto integer no |
.It kern.boothowto integer no |
.It kern.boottime struct timeval no |
.It kern.boottime struct timeval no |
|
.It kern.buildinfo string no |
.\".It kern.bufq node not applicable |
.\".It kern.bufq node not applicable |
.It kern.ccpu integer no |
.It kern.ccpu integer no |
.It kern.clockrate struct clockinfo no |
.It kern.clockrate struct clockinfo no |
Line 306 privilege may change the value. |
|
Line 309 privilege may change the value. |
|
.It kern.logsigexit integer yes |
.It kern.logsigexit integer yes |
.It kern.mapped_files integer no |
.It kern.mapped_files integer no |
.It kern.maxfiles integer yes |
.It kern.maxfiles integer yes |
|
.It kern.maxlwp integer yes |
.It kern.maxpartitions integer no |
.It kern.maxpartitions integer no |
.It kern.maxphys integer no |
.It kern.maxphys integer no |
.It kern.maxproc integer yes |
.It kern.maxproc integer yes |
Line 328 privilege may change the value. |
|
Line 332 privilege may change the value. |
|
.It kern.ostype string no |
.It kern.ostype string no |
.\".It kern.panic_now integer yes |
.\".It kern.panic_now integer yes |
.It kern.pipe node not applicable |
.It kern.pipe node not applicable |
|
.It kern.pool struct pool_sysctl no |
.\" .It kern.posix node not applicable |
.\" .It kern.posix node not applicable |
.It kern.posix1version integer no |
.It kern.posix1version integer no |
.It kern.posix_aio integer no |
.It kern.posix_aio integer no |
Line 356 privilege may change the value. |
|
Line 361 privilege may change the value. |
|
.It kern.timecounter node not applicable |
.It kern.timecounter node not applicable |
.It kern.timex struct no |
.It kern.timex struct no |
.It kern.tkstat node not applicable |
.It kern.tkstat node not applicable |
|
.It kern.tty node not applicable |
.It kern.urandom integer no |
.It kern.urandom integer no |
.It kern.usercrypto integer yes |
.It kern.usercrypto integer yes |
.It kern.userasymcrypto integer yes |
.It kern.userasymcrypto integer yes |
|
|
.Vt struct timeval |
.Vt struct timeval |
structure is returned. |
structure is returned. |
This structure contains the time that the system was booted. |
This structure contains the time that the system was booted. |
|
.It Li kern.buildinfo |
|
When the kernel is built, the build environment may optionally provide |
|
arbitrary information to be stored in this variable. |
.\" .It Li kern.bufq |
.\" .It Li kern.bufq |
.\" XXX: Undocumented. |
.\" XXX: Undocumented. |
.It Li kern.ccpu ( KERN_CCPU ) |
.It Li kern.ccpu ( KERN_CCPU ) |
Line 595 The fourth level name selects the System |
|
Line 604 The fourth level name selects the System |
|
.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info |
.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info |
.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info |
.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info |
.El |
.El |
.Pp |
|
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li KERN_SYSVIPC_MSG_INFO |
.It Li KERN_SYSVIPC_MSG_INFO |
Return information on the System V style message facility. |
Return information on the System V style message facility. |
|
|
The maximum number of open files that may be open in the system. |
The maximum number of open files that may be open in the system. |
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS ) |
.It Li kern.maxpartitions ( KERN_MAXPARTITIONS ) |
The maximum number of partitions allowed per disk. |
The maximum number of partitions allowed per disk. |
|
.It Li kern.maxlwp |
|
The maximum number of Lightweight Processes (threads) the system allows |
|
per uid. |
.It Li kern.maxphys ( KERN_MAXPHYS ) |
.It Li kern.maxphys ( KERN_MAXPHYS ) |
Maximum raw I/O transfer size. |
Maximum raw I/O transfer size. |
.It Li kern.maxproc ( KERN_MAXPROC ) |
.It Li kern.maxproc ( KERN_MAXPROC ) |
Line 734 The third level names for the settings a |
|
Line 745 The third level names for the settings a |
|
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent |
.Bl -column "kern.module.autoload" "integer" "Changeable" -offset indent |
.It Sy Third level name Type Changeable |
.It Sy Third level name Type Changeable |
.It kern.module.autoload integer yes |
.It kern.module.autoload integer yes |
|
.It kern.module.autotime integer yes |
.It kern.module.verbose integer yes |
.It kern.module.verbose integer yes |
.El |
.El |
.Pp |
.Pp |
Line 744 A boolean that controls whether kernel m |
|
Line 756 A boolean that controls whether kernel m |
|
See |
See |
.Xr module 7 |
.Xr module 7 |
for additional details. |
for additional details. |
|
.It Li kern.module.autotime |
|
An integer that controls the delay before an attempt is made to |
|
automatically unload a module that was auto-loaded. |
|
Setting this value to zero disables the auto-unload function. |
.It Li kern.module.verbose |
.It Li kern.module.verbose |
A boolean that enables or disables verbose |
A boolean that enables or disables verbose |
debug messages related to kernel modules. |
debug messages related to kernel modules. |
|
|
.Dq big |
.Dq big |
pipes. |
pipes. |
.El |
.El |
|
.It Li kern.pool |
|
Provides statistics about the |
|
.Xr pool 9 |
|
and |
|
.Xr pool_cache 9 |
|
subsystems. |
.\" XXX: Undocumented .It Li kern.posix ( ? ) |
.\" XXX: Undocumented .It Li kern.posix ( ? ) |
.\" This is a node in which the only variable is semmax. |
.\" This is a node in which the only variable is semmax. |
.It Li kern.posix1version ( KERN_POSIX1 ) |
.It Li kern.posix1version ( KERN_POSIX1 ) |
Line 1048 The total number of output characters. |
|
Line 1070 The total number of output characters. |
|
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC ) |
.It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC ) |
The number of raw input characters. |
The number of raw input characters. |
.El |
.El |
|
.It Li kern.tty |
|
The third level names for the tty setup variables are detailed below. |
|
The changeable column shows whether a process |
|
with appropriate privilege may change the value. |
|
.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent |
|
.It Sy Third level name Type Changeable |
|
.It kern.tty.qsize int yes |
|
.El |
|
.Pp |
|
The variables are as follows: |
|
.Bl -tag -width "123456" |
|
.It Li kern.tty.qsize |
|
Control/display the size of the default input and output queues selected |
|
during tty creation. |
|
Is converted to a power of two and its range is between |
|
.Dv 1024 |
|
and |
|
.Dv 65536 . |
|
.El |
|
.It Li kern.uidinfo |
|
Resource usage for the current user. |
|
.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent |
|
.It Sy Third level name Type Changeable |
|
.It kern.uidinfo.proccnt integer no |
|
.It kern.uidinfo.lwpcnt integer no |
|
.It kern.uidinfo.lockcnt integer no |
|
.It kern.uidinfo.sbsize integer no |
|
.El |
|
.Bl -tag -width "123456" |
|
.It Li kern.uidinfo.proccnt |
|
Returns the number of active processes for the current user. |
|
.It Li kern.uidinfo.lwpcnt |
|
Returns the number of active threads for the current user; the first thread |
|
of each process is not counted. |
|
.It Li kern.uidinfo.lockcnt |
|
Number of locks held by the current user. |
|
.It Li kern.uidinfo.sbsize |
|
Number of bytes in socket buffers allocated to the current user. |
|
.El |
.It Li kern.urandom ( KERN_URND ) |
.It Li kern.urandom ( KERN_URND ) |
Random integer value. |
Random integer value. |
.It Li kern.usercrypto |
.It Li kern.usercrypto |
Line 1085 point, the file system type, and the num |
|
Line 1146 point, the file system type, and the num |
|
.It Li kern.veriexec.strict |
.It Li kern.veriexec.strict |
Controls the strict level of Veriexec. |
Controls the strict level of Veriexec. |
See |
See |
.Xr security 8 |
.Xr security 7 |
for more information on each level's implications. |
for more information on each level's implications. |
.It Li kern.veriexec.verbose |
.It Li kern.veriexec.verbose |
Controls the verbosity level of Veriexec. |
Controls the verbosity level of Veriexec. |
Line 1134 protocol number, though this is not alwa |
|
Line 1195 protocol number, though this is not alwa |
|
.It net.inet6 IPv6 values yes |
.It net.inet6 IPv6 values yes |
.It net.key IPsec key management values yes |
.It net.key IPsec key management values yes |
.El |
.El |
.Pp |
|
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li net.route ( PF_ROUTE ) |
.It Li net.route ( PF_ROUTE ) |
.\" XXX really? |
.\" XXX really? |
Line 1164 The currently defined protocols and name |
|
Line 1224 The currently defined protocols and name |
|
.It Sy Protocol name Variable name Type Changeable |
.It Sy Protocol name Variable name Type Changeable |
.It arp down integer yes |
.It arp down integer yes |
.It arp keep integer yes |
.It arp keep integer yes |
|
.It arp log_movements integer yes |
|
.It arp log_permanent_modify integer yes |
|
.It arp log_unknown_network integer yes |
|
.It arp log_wrong_iface integer yes |
.It arp prune integer yes |
.It arp prune integer yes |
.It arp refresh integer yes |
.It arp refresh integer yes |
.It carp allow integer yes |
.It carp allow integer yes |
Line 1176 The currently defined protocols and name |
|
Line 1240 The currently defined protocols and name |
|
.It icmp redirtimeout integer yes |
.It icmp redirtimeout integer yes |
.It icmp bmcastecho integer yes |
.It icmp bmcastecho integer yes |
.It ip allowsrcrt integer yes |
.It ip allowsrcrt integer yes |
|
.It ip anonportalgo.selected string yes |
|
.It ip anonportalgo.available string yes |
|
.It ip anonportalgo.reserve struct yes |
.It ip anonportmax integer yes |
.It ip anonportmax integer yes |
.It ip anonportmin integer yes |
.It ip anonportmin integer yes |
.It ip checkinterface integer yes |
.It ip checkinterface integer yes |
Line 1278 believes it can send advertisements more |
|
Line 1345 believes it can send advertisements more |
|
Disabled by default. |
Disabled by default. |
.It Li ip.allowsrcrt |
.It Li ip.allowsrcrt |
If set to 1, the host accepts source routed packets. |
If set to 1, the host accepts source routed packets. |
|
.It Li ip.anonportalgo.available |
|
The available RFC 6056 port randomization algorithms. |
|
.It Li ip.anonportalgo.reserve |
|
A bitmask of ports that will not be used during anonymous or privileged |
|
port selection. |
|
.It Li ip.anonportalgo.selected |
|
The currently selected RFC 6056 port randomization algorithm. |
.It Li ip.anonportmax |
.It Li ip.anonportmax |
The highest port number to use for TCP and UDP ephemeral port allocation. |
The highest port number to use for TCP and UDP ephemeral port allocation. |
This cannot be set to less than 1024 or greater than 65535, and must |
This cannot be set to less than 1024 or greater than 65535, and must |
Line 1415 Number of ticks to delay sending an ACK. |
|
Line 1489 Number of ticks to delay sending an ACK. |
|
Perform TCP checksum on loopback. |
Perform TCP checksum on loopback. |
.It Li tcp.init_win |
.It Li tcp.init_win |
A value indicating the TCP initial congestion window. |
A value indicating the TCP initial congestion window. |
If this value is 0, an auto-tuning algorithm designed to use an initial |
The valid range |
window of approximately 4K bytes is in use. |
is 0 to 10 (maximum specified by RFC6928), |
Otherwise, this value indicates a fixed number of packets. |
with a default of 4 (approximately 4K per RFC3390). |
.It Li tcp.init_win_local |
.It Li tcp.init_win_local |
Like |
Like |
.Li tcp.init_win , |
.Li tcp.init_win , |
Line 1514 It has no effect unless tcp.abc.enable i |
|
Line 1588 It has no effect unless tcp.abc.enable i |
|
If set to 1, UDP checksums are being computed. |
If set to 1, UDP checksums are being computed. |
Received non-zero UDP checksums are always checked. |
Received non-zero UDP checksums are always checked. |
Disabling UDP checksums is strongly discouraged. |
Disabling UDP checksums is strongly discouraged. |
.It Li udp.sendspace |
|
The default UDP send buffer size. |
|
.It Li udp.recvspace |
.It Li udp.recvspace |
The default UDP receive buffer size. |
The default UDP receive buffer size. |
|
.It Li udp.sendspace |
|
The default UDP send buffer size. |
.El |
.El |
.Pp |
.Pp |
For variables net.*.ipsec, please refer to |
For variables net.*.ipsec, please refer to |
Line 1544 The currently defined protocols and name |
|
Line 1618 The currently defined protocols and name |
|
.It icmp6 rediraccept integer yes |
.It icmp6 rediraccept integer yes |
.It icmp6 redirtimeout integer yes |
.It icmp6 redirtimeout integer yes |
.It ip6 accept_rtadv integer yes |
.It ip6 accept_rtadv integer yes |
|
.It ip6 anonportalgo.selected string yes |
|
.It ip6 anonportalgo.available string yes |
|
.It ip6 anonportalgo.reserve struct yes |
.It ip6 anonportmax integer yes |
.It ip6 anonportmax integer yes |
.It ip6 anonportmin integer yes |
.It ip6 anonportmin integer yes |
.It ip6 auto_flowlabel integer yes |
.It ip6 auto_flowlabel integer yes |
Line 1559 The currently defined protocols and name |
|
Line 1636 The currently defined protocols and name |
|
.It ip6 log_interval integer yes |
.It ip6 log_interval integer yes |
.It ip6 lowportmax integer yes |
.It ip6 lowportmax integer yes |
.It ip6 lowportmin integer yes |
.It ip6 lowportmin integer yes |
|
.It ip6 maxdynroutes integer yes |
|
.It ip6 maxifprefixes integer yes |
|
.It ip6 maxifdefrouters integer yes |
.It ip6 maxflows integer yes |
.It ip6 maxflows integer yes |
.It ip6 maxfragpackets integer yes |
.It ip6 maxfragpackets integer yes |
.It ip6 maxfrags integer yes |
.It ip6 maxfrags integer yes |
|
.It ip6 neighborgcthresh integer yes |
.It ip6 redirect integer yes |
.It ip6 redirect integer yes |
.It ip6 rr_prune integer yes |
.It ip6 rr_prune integer yes |
.It ip6 use_deprecated integer yes |
.It ip6 use_deprecated integer yes |
Line 1579 and autoconfigures address prefixes and |
|
Line 1660 and autoconfigures address prefixes and |
|
The node must be a host |
The node must be a host |
.Pq not a router |
.Pq not a router |
for the option to be meaningful. |
for the option to be meaningful. |
|
.It Li ip6.anonportalgo.available |
|
The available RFC 6056 port randomization algorithms. |
|
.It Li ip6.anonportalgo.reserve |
|
A bitmask of ports that will not be used during anonymous or privileged |
|
port selection. |
|
.It Li ip6.anonportalgo.selected |
|
The currently selected RFC 6056 port randomization algorithm. |
.It Li ip6.anonportmax |
.It Li ip6.anonportmax |
The highest port number to use for TCP and UDP ephemeral port allocation. |
The highest port number to use for TCP and UDP ephemeral port allocation. |
This cannot be set to less than 1024 or greater than 65535, and must |
This cannot be set to less than 1024 or greater than 65535, and must |
Line 1656 The lowest port number to use for TCP an |
|
Line 1744 The lowest port number to use for TCP an |
|
This cannot be set to less than 0 or greater than 1024, and must |
This cannot be set to less than 0 or greater than 1024, and must |
be smaller than |
be smaller than |
.Li ip6.lowportmax . |
.Li ip6.lowportmax . |
|
.It Li ip6.maxdynroutes |
|
Maximum number of routes created by redirect. |
|
Set it to negative to disable. |
|
The default value is 4096. |
|
.It Li ip6.maxifprefixes |
|
Maximum number of prefixes created by route advertisements per interface. |
|
Set it to negative to disable. |
|
The default value is 16. |
|
.It Li ip6.maxifdefrouters 16 |
|
Maximum number of default routers created by route advertisements per interface. |
|
Set it to negative to disable. |
|
The default value is 16. |
.It Li ip6.maxflows |
.It Li ip6.maxflows |
IPv6 Fast Forwarding is enabled by default. |
IPv6 Fast Forwarding is enabled by default. |
If set to 0, IPv6 Fast Forwarding is disabled. |
If set to 0, IPv6 Fast Forwarding is disabled. |
Line 1672 The maximum number of fragments the node |
|
Line 1772 The maximum number of fragments the node |
|
0 means that the node will not accept any fragments. |
0 means that the node will not accept any fragments. |
\-1 means that the node will accept as many fragments as it receives. |
\-1 means that the node will accept as many fragments as it receives. |
The flag is provided basically for avoiding possible DoS attacks. |
The flag is provided basically for avoiding possible DoS attacks. |
|
.It Li ip6.neighborgcthresh |
|
Maximum number of entries in neighbor cache. |
|
Set to negative to disable. |
|
The default value is 2048. |
.It Li ip6.redirect |
.It Li ip6.redirect |
If set to 1, ICMPv6 redirects may be sent by the node. |
If set to 1, ICMPv6 redirects may be sent by the node. |
This option is ignored unless the node is routing IP packets, |
This option is ignored unless the node is routing IP packets, |
Line 1797 The currently defined variable and names |
|
Line 1901 The currently defined variable and names |
|
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent |
.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent |
.It Sy Variable name Type Changeable |
.It Sy Variable name Type Changeable |
.It debug integer yes |
.It debug integer yes |
|
.It enabled integer yes |
|
.It used integer no |
.It spi_try integer yes |
.It spi_try integer yes |
.It spi_min_value integer yes |
.It spi_min_value integer yes |
.It spi_max_value integer yes |
.It spi_max_value integer yes |
Line 1814 The variables are as follows: |
|
Line 1920 The variables are as follows: |
|
Turn on debugging message from within the kernel. |
Turn on debugging message from within the kernel. |
The value is a bitmap, as defined in |
The value is a bitmap, as defined in |
.In netkey/key_debug.h . |
.In netkey/key_debug.h . |
|
.It Li enabled |
|
Control processing of IPsec control messages. |
|
.Bl -tag -width indent |
|
.It 0 |
|
Never allow IPsec processing |
|
.It 1 |
|
Allow IPsec processing when SPD policies are present. |
|
.It 2 |
|
Force IPsec processing even when SPD policies are not present. |
|
.El |
|
.It Li used |
|
Based on if IPsec is enabled, and SPD rule existance, show if |
|
IPsec is being used. |
|
Note that currenly once IPsec is being used, it cannot be disabled. |
.It Li spi_try |
.It Li spi_try |
The number of times the kernel will try to obtain an unique SPI |
The number of times the kernel will try to obtain an unique SPI |
when it generates it from random number generator. |
when it generates it from random number generator. |
|
|
and |
and |
.Dv SO_SNDBUF |
.Dv SO_SNDBUF |
options. |
options. |
|
.It Li proc.pid.rlimit.vmemoryuse ( PROC_PID_LIMIT_AS ) |
|
The maximum size (in bytes) which a process can obtain. |
|
.It Li proc.pid.rlimit.maxlwp ( PROC_PID_LIMIT_NTHR ) |
|
The maximum number of threads that cen be created and running at one time in |
|
the process. |
|
The first thread of each process is not counted against this. |
.El |
.El |
.Pp |
.Pp |
The fifth level name is one of |
The fifth level name is one of |
Line 2111 privilege may change the value. |
|
Line 2237 privilege may change the value. |
|
.It vm.uvmexp2 struct uvmexp_sysctl no |
.It vm.uvmexp2 struct uvmexp_sysctl no |
.It vm.vmmeter struct vmtotal no |
.It vm.vmmeter struct vmtotal no |
.El |
.El |
.Pp |
|
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li vm.anonmax ( VM_ANONMAX ) |
.It Li vm.anonmax ( VM_ANONMAX ) |
The percentage of physical memory which will be reclaimed |
The percentage of physical memory which will be reclaimed |
Line 2185 privilege may change the value. |
|
Line 2310 privilege may change the value. |
|
.It ddb.tee_msgbuf integer yes |
.It ddb.tee_msgbuf integer yes |
.It ddb.commandonenter string yes |
.It ddb.commandonenter string yes |
.El |
.El |
.Pp |
|
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li ddb.radix ( DDBCTL_RADIX ) |
.It Li ddb.radix ( DDBCTL_RADIX ) |
The input and output radix. |
The input and output radix. |
Line 2198 Number of display lines. |
|
Line 2322 Number of display lines. |
|
.It Li ddb.tabstops ( DDBCTL_TABSTOPS ) |
.It Li ddb.tabstops ( DDBCTL_TABSTOPS ) |
Tab width. |
Tab width. |
.It Li ddb.onpanic ( DDBCTL_ONPANIC ) |
.It Li ddb.onpanic ( DDBCTL_ONPANIC ) |
If non-zero, DDB will be entered if the kernel panics. |
If greater than zero, DDB will be entered if the kernel panics. |
|
A value of 1 causes the system to enter DDB on panic, while a value of 2 |
|
causes the kernel to attempt to print out a stack trace before entering DDB. |
|
A value of 0 causes the kernel to attempt to print a stack trace, then |
|
reboot, while a value of \-1 means neither a stack trace will be printed |
|
nor DDB entered. |
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE ) |
.It Li ddb.fromconsole ( DDBCTL_FROMCONSOLE ) |
If not zero, DDB may be entered by sending a break on a serial |
If not zero, DDB may be entered by sending a break on a serial |
console or by a special key sequence on a graphics console. |
console or by a special key sequence on a graphics console. |
Line 2232 The available second level names are: |
|
Line 2361 The available second level names are: |
|
.El |
.El |
.Pp |
.Pp |
Available settings are detailed below. |
Available settings are detailed below. |
.Pp |
|
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li security.curtain |
.It Li security.curtain |
If non-zero, will filter return objects according to the user |
If non-zero, will filter return objects according to the user |
Line 2268 Settings for PaX -- exploit mitigation f |
|
Line 2396 Settings for PaX -- exploit mitigation f |
|
For more information on any of the PaX features, please see |
For more information on any of the PaX features, please see |
.Xr paxctl 8 |
.Xr paxctl 8 |
and |
and |
.Xr security 8 . |
.Xr security 7 . |
The available third and fourth level names are: |
The available third and fourth level names are: |
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \ |
.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \ |
-offset 2n |
-offset 2n |
Line 2286 The available third and fourth level nam |
|
Line 2414 The available third and fourth level nam |
|
.It Li security.pax.segvguard.max_crashes integer yes |
.It Li security.pax.segvguard.max_crashes integer yes |
.It Li security.pax.segvguard.suspend_timeout integer yes |
.It Li security.pax.segvguard.suspend_timeout integer yes |
.El |
.El |
.Pp |
|
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li security.pax.aslr.enabled |
.It Li security.pax.aslr.enabled |
Enable PaX ASLR (Address Space Layout Randomization). |
Enable PaX ASLR (Address Space Layout Randomization). |
Line 2301 Specifies the default global policy for |
|
Line 2428 Specifies the default global policy for |
|
explicit enable/disable flag. |
explicit enable/disable flag. |
.Pp |
.Pp |
When non-zero, all programs will get PaX ASLR, except those exempted with |
When non-zero, all programs will get PaX ASLR, except those exempted with |
.Xr paxctl 8 . |
.Xr paxctl 8 . |
Otherwise, all programs will not get PaX ASLR, except those specifically |
Otherwise, all programs will not get PaX ASLR, except those specifically |
marked as such with |
marked as such with |
.Xr paxctl 8 . |
.Xr paxctl 8 . |
Line 2324 explicit enable/disable flag. |
|
Line 2451 explicit enable/disable flag. |
|
.Pp |
.Pp |
When non-zero, all programs will get the PaX MPROTECT restrictions, |
When non-zero, all programs will get the PaX MPROTECT restrictions, |
except those exempted with |
except those exempted with |
.Xr paxctl 8 . |
.Xr paxctl 8 . |
Otherwise, all programs will not get the PaX MPROTECT restrictions, |
Otherwise, all programs will not get the PaX MPROTECT restrictions, |
except those specifically marked as such with |
except those specifically marked as such with |
.Xr paxctl 8 . |
.Xr paxctl 8 . |
Line 2349 explicit enable/disable flag. |
|
Line 2476 explicit enable/disable flag. |
|
.Pp |
.Pp |
When non-zero, all programs will get the PaX Segvguard, |
When non-zero, all programs will get the PaX Segvguard, |
except those exempted with |
except those exempted with |
.Xr paxctl 8 . |
.Xr paxctl 8 . |
Otherwise, no program will get the PaX Segvguard restrictions, |
Otherwise, no program will get the PaX Segvguard restrictions, |
except those specifically marked as such with |
except those specifically marked as such with |
.Xr paxctl 8 . |
.Xr paxctl 8 . |
Line 2371 Intended use is to store values under |
|
Line 2498 Intended use is to store values under |
|
.Xr sysctl 3 , |
.Xr sysctl 3 , |
.Xr ipsec 4 , |
.Xr ipsec 4 , |
.Xr tcp 4 , |
.Xr tcp 4 , |
.Xr security 8 , |
.Xr security 7 , |
.Xr sysctl 8 |
.Xr sysctl 8 |
.Sh HISTORY |
.Sh HISTORY |
The |
The |