Annotation of src/share/man/man7/sysctl.7, Revision 1.9
1.9 ! christos 1: .\" $NetBSD: sysctl.7,v 1.8 2007/03/25 20:13:44 liamjfoy Exp $
1.1 pavel 2: .\"
3: .\" Copyright (c) 1993
4: .\" The Regents of the University of California. All rights reserved.
5: .\"
6: .\" Redistribution and use in source and binary forms, with or without
7: .\" modification, are permitted provided that the following conditions
8: .\" are met:
9: .\" 1. Redistributions of source code must retain the above copyright
10: .\" notice, this list of conditions and the following disclaimer.
11: .\" 2. Redistributions in binary form must reproduce the above copyright
12: .\" notice, this list of conditions and the following disclaimer in the
13: .\" documentation and/or other materials provided with the distribution.
14: .\" 3. Neither the name of the University nor the names of its contributors
15: .\" may be used to endorse or promote products derived from this software
16: .\" without specific prior written permission.
17: .\"
18: .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
19: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21: .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
22: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28: .\" SUCH DAMAGE.
29: .\"
30: .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
31: .\"
1.9 ! christos 32: .Dd April 22, 2007
1.1 pavel 33: .Dt SYSCTL 7
34: .Os
35: .Sh NAME
36: .Nm sysctl
37: .Nd system information variables
38: .Sh DESCRIPTION
39: The
40: .Xr sysctl 3
41: library function and the
42: .Xr sysctl 8
43: utility are used to get and set values of system variables, maintained
44: by the kernel.
45: The variables are organized in a tree and identified by a sequence of
46: numbers, conventionally separated by dots with the topmost identifier
47: at the left side.
48: The numbers have corresponding text names.
49: The
50: .Xr sysctlnametomib 3
51: function or the
52: .Fl M
53: argument to the
54: .Xr sysctl 8
55: utility can be used to convert the text representation to the
56: numeric one.
57: .Pp
58: The individual sysctl variables are described below, both the textual
59: and numeric form where applicable.
60: The textual names can be used as arguments to the
61: .Xr sysctl 8
62: utility and in the file
63: .Pa /etc/sysctl.conf .
64: The numeric names are usually defined as preprocessor constants and
65: are intended for use by programs.
66: Every such constant expands to one integer, which identifies the
67: sysctl variable relative to the upper level of the tree.
68: See the
69: .Xr sysctl 3
70: manual page for programming examples.
71: .Sh Top level names
72: The top level names are defined with a CTL_ prefix in
73: .Aq Pa sys/sysctl.h ,
74: and are as follows.
75: The next and subsequent levels down are found in the include files
76: listed here, and described in separate sections below.
77: .Bl -column securityXX CTLXSECURITYXX "Next level namesXX"
78: .It Sy Name Constant Next level names Description
79: .It kern CTL\_KERN sys/sysctl.h High kernel limits
80: .It vm CTL\_VM uvm/uvm_param.h Virtual memory
81: .It vfs CTL\_VFS sys/mount.h Filesystem
82: .It net CTL\_NET sys/socket.h Networking
83: .It debug CTL\_DEBUG sys/sysctl.h Debugging
84: .It hw CTL\_HW sys/sysctl.h Generic CPU, I/O
85: .It machdep CTL\_MACHDEP sys/sysctl.h Machine dependent
86: .It user CTL\_USER sys/sysctl.h User-level
87: .It ddb CTL\_DDB sys/sysctl.h In-kernel debugger
88: .It proc CTL\_PROC sys/sysctl.h Per-process
89: .It vendor CTL\_VENDOR ? Vendor specific
90: .It emul CTL\_EMUL sys/sysctl.h Emulation settings
91: .It security CTL\_SECURITY sys/sysctl.h Security settings
92: .El
93: .Sh The debug.* subtree
94: The debugging variables vary from system to system.
95: A debugging variable may be added or deleted without need to recompile
96: .Nm
97: to know about it.
98: Each time it runs,
99: .Nm
100: gets the list of debugging variables from the kernel and
101: displays their current values.
102: The system defines twenty
103: .Va ( struct ctldebug )
104: variables named
105: .Dv debug0
106: through
107: .Dv debug19 .
108: They are declared as separate variables so that they can be
109: individually initialized at the location of their associated variable.
110: The loader prevents multiple use of the same variable by issuing errors
111: if a variable is initialized in more than one place.
112: For example, to export the variable
113: .Dv dospecialcheck
114: as a debugging variable, the following declaration would be used:
115: .Bd -literal -offset indent -compact
116: int dospecialcheck = 1;
117: struct ctldebug debug5 = { "dospecialcheck", \*[Am]dospecialcheck };
118: .Ed
119: .Pp
120: Note that the dynamic implementation of
121: .Nm
122: currently in use largely makes this particular
123: .Nm
124: interface obsolete.
125: See
126: .Xr sysctl 8
127: .\" and
128: .\" .Xr sysctl 9
129: for more information.
130: .Sh The vfs.* subtree
131: A distinguished second level name,
132: .Li vfs.generic ( VFS_GENERIC ) ,
133: is used to get general information about all filesystems.
134: One of its third level identifiers is
135: .Li vfs.generic.maxtypenum ( VFS_MAXTYPENUM )
136: that gives the highest valid filesystem type number.
137: Its other third level identifier is
138: .Li vfs.generic.conf ( VFS_CONF )
139: that returns configuration information about the filesystem
140: type given as a fourth level identifier.
141: The remaining second level identifiers are the
142: filesystem type number returned by a
143: .Xr statvfs 2
144: call or from
145: .Li vfs.generic.conf .
146: The third level identifiers available for each filesystem
147: are given in the header file that defines the mount
148: argument structure for that filesystem.
149: .Sh The hw.* subtree
150: The string and integer information available for the
151: .Li hw
152: level is detailed below.
153: The changeable column shows whether a process with appropriate
154: privilege may change the value.
155: .Bl -column "Second level nameXXXXXX" "struct disk_sysctlXXX" -offset indent
156: .It Sy Second level name Type Changeable
157: .It hw.alignbytes integer no
158: .It hw.byteorder integer no
159: .It hw.cnmagic string yes
160: .It hw.disknames string no
161: .It hw.diskstats struct no
162: .It hw.machine string no
163: .It hw.machine_arch string no
164: .It hw.model string no
165: .It hw.ncpu integer no
166: .It hw.pagesize integer no
167: .It hw.physmem integer no
168: .It hw.physmem64 quad no
169: .It hw.usermem integer no
170: .It hw.usermem64 quad no
171: .El
172: .Pp
173: .Bl -tag -width "123456"
174: .It Li hw.alignbytes ( HW_ALIGNBYTES )
175: Alignment constraint for all possible data types.
176: This shows the value
177: .Dv ALIGNBYTES
178: in
179: .Pa /usr/include/machine/param.h ,
180: at the kernel compilation time.
181: .It Li hw.byteorder ( HW_BYTEORDER )
182: The byteorder (4321, or 1234).
183: .It Li hw.cnmagic ( HW_CNMAGIC )
184: The console magic key sequence.
185: .It Li hw.disknames ( HW_DISKNAMES )
186: The list of (space separated) disk device names on the system.
187: .It Li hw.iostatnames ( HW_IOSTATNAMES )
188: A space separated list of devices that will have I/O statistics
189: collected on them.
190: .It Li hw.iostats ( HW_IOSTATS )
191: Return statistical information on the NFS mounts, disk and tape
192: devices on the system.
193: An array of
194: .Va struct io_sysctl
195: structures is returned,
196: whose size depends on the current number of such objects in the system.
197: The third level name is the size of the
198: .Va struct io_sysctl .
199: The type of object can be determined by examining the
200: .Va type
201: element of
202: .Va struct io_sysctl ,
203: which can be
204: .Dv IOSTAT_DISK
205: (disk drive),
206: .Dv IOSTAT_TAPE
207: (tape drive), or
208: .Dv IOSTAT_NFS
209: (NFS mount).
210: .It Li hw.machine ( HW_MACHINE )
211: The machine class.
212: .It Li hw.machine_arch ( HW_MACHINE_ARCH )
213: The machine CPU class.
214: .It Li hw.model ( HW_MODEL )
215: The machine model.
216: .It Li hw.ncpu ( HW_NCPU )
217: The number of CPUs.
218: .ne 1i
219: .It Li hw.pagesize ( HW_PAGESIZE )
220: The software page size.
221: .It Li hw.physmem ( HW_PHYSMEM )
222: The bytes of physical memory as a 32-bit integer.
223: .It Li hw.physmem64 ( HW_PHYSMEM64 )
224: The bytes of physical memory as a 64-bit integer.
225: .It Li hw.usermem ( HW_USERMEM )
226: The bytes of non-kernel memory as a 32-bit integer.
227: .It Li hw.usermem64 ( HW_USERMEM64 )
228: The bytes of non-kernel memory as a 64-bit integer.
229: .El
230: .Sh The kern.* subtree
231: The string and integer information available for the
232: .Li kern
233: level is detailed below.
234: The changeable column shows whether a process with appropriate
235: privilege may change the value.
236: The types of data currently available are process information,
237: system vnodes, the open file entries, routing table entries,
238: virtual memory statistics, load average history, and clock rate
239: information.
240: .Bl -column "kern.posix_reader_writer_locks" "struct clockrateXXX" -offset indent
241: .It Sy Second level name Type Changeable
242: .It kern.argmax integer no
243: .It kern.autonicetime integer yes
244: .It kern.autoniceval integer yes
245: .It kern.boottime struct timeval no
246: .It kern.bufq node not applicable
247: .It kern.ccpu integer no
248: .It kern.clockrate struct clockinfo no
249: .It kern.consdev integer no
250: .It kern.cp\_id struct no
251: .It kern.cp\_time uint64_t[\|] no
252: .It kern.defcorename string yes
253: .It kern.domainname string yes
254: .It kern.drivers struct kinfo_drivers no
255: .It kern.file struct file no
256: .It kern.forkfsleep integer yes
257: .It kern.fscale integer no
258: .It kern.fsync integer no
259: .It kern.hardclock\_ticks integer no
260: .It kern.hostid integer yes
261: .It kern.hostname string yes
262: .It kern.iov\_max integer no
263: .It kern.job\_control integer no
264: .It kern.labeloffset integer no
265: .It kern.labelsector integer no
266: .It kern.login\_name\_max integer no
267: .It kern.logsigexit integer yes
268: .It kern.mapped\_files integer no
269: .It kern.maxfiles integer yes
270: .It kern.maxpartitions integer no
271: .It kern.maxphys integer no
272: .It kern.maxproc integer yes
273: .It kern.maxptys integer yes
274: .It kern.maxvnodes integer yes
275: .It kern.mbuf node not applicable
276: .It kern.memlock integer no
277: .It kern.memlock\_range integer no
278: .It kern.memory\_protection integer no
279: .It kern.monotonic\_clock integer no
280: .It kern.msgbuf integer no
281: .It kern.msgbufsize integer no
282: .It kern.ngroups integer no
283: .It kern.ntptime struct ntptimeval no
284: .It kern.osrelease string no
285: .It kern.osrev integer no
286: .It kern.ostype string no
287: .It kern.pipe node not applicable
288: .It kern.posix1 integer no
289: .It kern.posix\_barriers integer no
290: .It kern.posix\_reader\_writer\_locks integer no
291: .It kern.posix\_semaphores integer no
292: .It kern.posix\_spin\_locks integer no
293: .It kern.posix\_threads integer no
294: .It kern.posix\_timers integer no
295: .It kern.proc struct kinfo_proc no
296: .It kern.proc2 struct kinfo_proc2 no
297: .It kern.proc\_args string no
298: .It kern.prof node not applicable
299: .It kern.rawpartition integer no
300: .It kern.root\_device string no
301: .It kern.root\_partition integer no
302: .It kern.rtc\_offset integer yes
303: .It kern.saved\_ids integer no
304: .It kern.securelevel integer raise only
305: .It kern.synchronized\_io integer no
306: .It kern.ipc node not applicable
307: .It kern.timex struct no
308: .It kern.tkstat node not applicable
309: .It kern.urandom integer no
310: .It kern.version string no
311: .It kern.vnode struct vnode no
312: .El
313: .ne 1i
314: .Pp
315: .Bl -tag -width "123456"
316: .It Li kern.argmax ( KERN_ARGMAX )
317: The maximum bytes of argument to
318: .Xr execve 2 .
319: .It Li kern.autonicetime ( KERN_AUTONICETIME )
320: The number of seconds of CPU-time a non-root process may accumulate before
321: having its priority lowered from the default to the value of KERN_AUTONICEVAL.
322: If set to 0, automatic lowering of priority is not performed, and if set to \-1
323: all non-root processes are immediately lowered.
324: .It Li kern.autoniceval ( KERN_AUTONICEVAL )
325: The priority assigned for automatically niced processes.
326: .It Li kern.boottime ( KERN_BOOTTIME )
327: A
328: .Va struct timeval
329: structure is returned.
330: This structure contains the time that the system was booted.
331: .It Li kern.ccpu ( KERN_CCPU )
332: The scheduler exponential decay value.
333: .It Li kern.clockrate ( KERN_CLOCKRATE )
334: A
335: .Va struct clockinfo
336: structure is returned.
337: This structure contains the clock, statistics clock and profiling clock
338: frequencies, the number of microseconds per hz tick, and the clock
339: skew rate.
340: .It Li kern.consdev ( KERN_CONSDEV )
341: Console device.
342: .It Li kern.cp_id ( KERN_CP_ID )
343: Mapping of CPU number to CPU id.
344: .It Li kern.cp_time ( KERN_CP_TIME )
345: Returns an array of CPUSTATES uint64_ts.
346: This array contains the
347: number of clock ticks spent in different CPU states.
348: On multi-processor systems, the sum across all CPUs is returned unless
349: appropriate space is given for one data set for each CPU.
350: Data for a specific CPU can also be obtained by adding the number of the
351: CPU at the end of the MIB, enlarging it by one.
352: .It Li kern.defcorename ( KERN_DEFCORENAME )
353: Default template for the name of core dump files (see also
354: .Li proc.pid.corename
355: in the per-process variables
356: .Li proc.* ,
357: and
358: .Xr core 5
359: for format of this template).
360: The default value is
361: .Nm %n.core
362: and can be changed with the kernel configuration option
363: .Cd options DEFCORENAME
364: (see
365: .Xr options 4
366: ).
367: .It Li kern.domainname ( KERN_DOMAINNAME )
368: Get or set the YP domain name.
369: .It Li kern.dump_on_panic ( KERN_DUMP_ON_PANIC )
370: Perform a crash dump on system panic.
371: .It Li kern.drivers ( KERN_DRIVERS )
372: Return an array of
373: .Va struct kinfo_drivers
374: that contains the name and major device numbers of all the device drivers
375: in the current kernel.
376: The
377: .Va d_name
378: field is always a NUL terminated string.
379: The
380: .Va d_bmajor
381: field will be set to \-1 if the driver doesn't have a block device.
382: .It Li kern.file ( KERN_FILE )
383: Return the entire file table.
384: The returned data consists of a single
385: .Va struct filelist
386: followed by an array of
387: .Va struct file ,
388: whose size depends on the current number of such objects in the system.
389: .It Li kern.forkfsleep ( KERN_FORKFSLEEP )
390: If the
391: .Xr fork 2
392: system call fails due to a limit on the number of processes (either
393: the global maxproc limit or the user's one), wait for this many
394: milliseconds before returning an
395: .Er EAGAIN
396: error to the process.
397: Useful to keep heavily forking runaway processes at bay.
398: Default zero (no sleep).
399: Maximum is 20 seconds.
400: .It Li kern.fscale ( KERN_FSCALE )
401: The kernel fixed-point scale factor.
402: .It Li kern.fsync ( KERN_FSYNC )
403: Return 1 if the POSIX 1003.1b File Synchronization Option is available
404: on this system,
405: otherwise 0.
406: .It Li kern.hardclock_ticks ( KERN_HARDCLOCK_TICKS )
407: Returns the number of
408: .Xr hardclock 9
409: ticks.
410: .It Li kern.hostid ( KERN_HOSTID )
411: Get or set the host id.
412: .It Li kern.hostname ( KERN_HOSTNAME )
413: Get or set the hostname.
414: .It Li kern.iov_max ( KERN_IOV_MAX )
415: Return the maximum number of
416: .Va iovec
417: structures that a process has available for use with
418: .Xr preadv 2 ,
419: .Xr pwritev 2 ,
420: .Xr readv 2 ,
421: .Xr recvmsg 2 ,
422: .Xr sendmsg 2
423: and
424: .Xr writev 2 .
425: .It Li kern.job_control ( KERN_JOB_CONTROL )
426: Return 1 if job control is available on this system, otherwise 0.
427: .It Li kern.labeloffset ( KERN_LABELOFFSET )
428: The offset within the sector specified by KERN_LABELSECTOR of the
429: .Xr disklabel 5 .
430: .It Li kern.labelsector ( KERN_LABELSECTOR )
431: The sector number containing the
432: .Xr disklabel 5 .
433: .It Li kern.login_name_max ( KERN_LOGIN_NAME_MAX )
434: The size of the storage required for a login name, in bytes,
435: including the terminating NUL.
436: .It Li kern.logsigexit ( KERN_LOGSIGEXIT )
437: If this flag is non-zero, the kernel will
438: .Xr log 9
439: all process exits due to signals which create a
440: .Xr core 5
441: file, and whether the coredump was created.
442: .It Li kern.mapped_files ( KERN_MAPPED_FILES )
443: Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available
444: on this system,
445: otherwise 0.
446: .It Li kern.maxfiles ( KERN_MAXFILES )
447: The maximum number of files that may be open in the system.
448: .It Li kern.maxpartitions ( KERN_MAXPARTITIONS )
449: The maximum number of partitions allowed per disk.
450: .It Li kern.maxphys ( KERN_MAXPHYS )
451: Maximum raw I/O transfer size.
452: .It Li kern.maxproc ( KERN_MAXPROC )
453: The maximum number of simultaneous processes the system will allow.
454: .It Li kern.maxptys ( KERN_MAXPTYS )
455: The maximum number of pseudo terminals.
456: This value can be both raised and lowered, though it cannot
457: be set lower than the number of currently used ptys.
458: See also
459: .Xr pty 4 .
460: .It Li kern.maxvnodes ( KERN_MAXVNODES )
461: The maximum number of vnodes available on the system.
462: This can only be raised.
463: .It Li kern.mbuf ( KERN_MBUF )
464: Return information about the mbuf control variables.
465: Mbufs are data structures which store network packets and other data
466: structures in the networking code, see
467: .Xr mbuf 9 .
468: The third level names for the mbuf variables are detailed below.
469: The changeable column shows whether a process with appropriate
470: privilege may change the value.
471: .Bl -column "kern.mbuf.nmbclusters" "struct integerXXX" -offset indent
472: .It Sy Third level name Type Changeable
473: .\" XXX Changeable? really?
474: .It kern.mbuf.mblowat integer yes
475: .It kern.mbuf.mclbytes integer yes
476: .It kern.mbuf.mcllowat integer yes
477: .It kern.mbuf.msize integer yes
478: .It kern.mbuf.nmbclusters integer yes
479: .El
480: .Pp
481: The variables are as follows:
482: .Bl -tag -width "123456"
483: .It Li kern.mbuf.mblowat ( MBUF_MBLOWAT )
484: The mbuf low water mark.
485: .It Li kern.mbuf.mclbytes ( MBUF_MCLBYTES )
486: The mbuf cluster size.
487: .It Li kern.mbuf.mcllowat ( MBUF_MCLLOWAT )
488: The mbuf cluster low water mark.
489: .It Li kern.mbuf.msize ( MBUF_MSIZE )
490: The mbuf base size.
491: .It Li kern.mbuf.nmbclusters ( MBUF_NMBCLUSTERS )
492: The limit on the number of mbuf clusters.
493: The variable can only be increased, and only increased on machines with
494: direct-mapped pool pages.
495: .El
496: .It Li kern.memlock ( KERN_MEMLOCK )
497: Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available
498: on this system,
499: otherwise 0.
500: .It Li kern.memlock_range ( KERN_MEMLOCK_RANGE )
501: Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available
502: on this system,
503: otherwise 0.
504: .It Li kern.memory_protection ( KERN_MEMORY_PROTECTION )
505: Returns 1 if the POSIX 1003.1b Memory Protection Option is available
506: on this system,
507: otherwise 0.
508: .It Li kern.monotonic_clock ( KERN_MONOTONIC_CLOCK )
509: Returns the standard version the implementation of the POSIX 1003.1b
510: Monotonic Clock Option conforms to,
511: otherwise 0.
512: .It Li kern.msgbuf ( KERN_MSGBUF )
513: The kernel message buffer, rotated so that the head of the circular kernel
514: message buffer is at the start of the returned data.
515: The returned data may contain NUL bytes.
516: .It Li kern.msgbufsize ( KERN_MSGBUFSIZE )
517: The maximum number of characters that the kernel message buffer can hold.
518: .It Li kern.ngroups ( KERN_NGROUPS )
519: The maximum number of supplemental groups.
520: .It Li kern.ntptime ( KERN_NTPTIME )
521: A
522: .Va struct ntptimeval
523: structure is returned.
524: This structure contains data used by the
525: .Xr ntpd 8
526: program.
527: .It Li kern.osrelease ( KERN_OSRELEASE )
528: The system release string.
529: .It Li kern.osrevision ( KERN_OSREV )
530: The system revision string.
531: .It Li kern.ostype ( KERN_OSTYPE )
532: The system type string.
533: .It Li kern.pipe ( KERN_PIPE )
534: Pipe settings.
535: The third level names for the integer pipe settings are detailed below.
536: The changeable column shows whether a process with appropriate
537: privilege may change the value.
538: .Bl -column "kern.pipe.maxbigpipesXXX" "integerXXX" -offset indent
539: .It Sy Third level name Type Changeable
540: .It kern.pipe.kvasiz integer yes
541: .It kern.pipe.maxbigpipes integer yes
542: .It kern.pipe.maxkvasz integer yes
543: .It kern.pipe.limitkva integer yes
544: .It kern.pipe.nbigpipes integer yes
545: .El
546: .Pp
547: The variables are as follows:
548: .Bl -tag -width "123456"
549: .It Li kern.pipe.kvasiz ( KERN_PIPE_KVASIZ )
550: Amount of kernel memory consumed by pipe buffers.
551: .It Li kern.pipe.maxbigpipes ( KERN_PIPE_MAXBIGPIPES )
552: Maximum number of "big" pipes.
553: .It Li kern.pipe.maxkvasz ( KERN_PIPE_MAXKVASZ )
554: Maximum amount of kernel memory to be used for pipes.
555: .It Li kern.pipe.limitkva ( KERN_PIPE_LIMITKVA )
556: Limit for direct transfers via page loan.
557: .It Li kern.pipe.nbigpipes ( KERN_PIPE_NBIGPIPES )
558: Number of "big" pipes.
559: .El
560: .It Li kern.posix1version ( KERN_POSIX1 )
561: The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
562: attempts to comply.
563: .It Li kern.posix_barriers ( KERN_POSIX_BARRIERS )
564: The version of
565: .St -p1003.1
566: and its
567: Barriers
568: option to which the system attempts to conform,
569: otherwise 0.
570: .It Li kern.posix_reader_writer_locks ( KERN_POSIX_READER_WRITER_LOCKS )
571: The version of
572: .St -p1003.1
573: and its
574: Read-Write Locks
575: option to which the system attempts to conform,
576: otherwise 0.
577: .It Li kern.posix_semaphores ( KERN_POSIX_SEMAPHORES )
578: The version of
579: .St -p1003.1
580: and its
581: Semaphores
582: option to which the system attempts to conform,
583: otherwise 0.
584: .It Li kern.posix_spin_locks ( KERN_POSIX_SPIN_LOCKS )
585: The version of
586: .St -p1003.1
587: and its
588: Spin Locks
589: option to which the system attempts to conform,
590: otherwise 0.
591: .It Li kern.posix_threads ( KERN_POSIX_THREADS )
592: The version of
593: .St -p1003.1
594: and its
595: Threads
596: option to which the system attempts to conform,
597: otherwise 0.
598: .It Li kern.posix_timers ( KERN_POSIX_TIMERS )
599: The version of
600: .St -p1003.1
601: and its
602: Timers
603: option to which the system attempts to conform,
604: otherwise 0.
605: .It Li kern.proc ( KERN_PROC )
606: Return the entire process table, or a subset of it.
607: An array of
608: .Va struct kinfo_proc
609: structures is returned,
610: whose size depends on the current number of such objects in the system.
611: The third and fourth level numeric names are as follows:
612: .Bl -column "Third level nameXXXXXX" "Fourth level is:XXXXXX" -offset indent
613: .It Sy Third level name Fourth level is:
614: .It KERN\_PROC\_ALL None
615: .It KERN\_PROC\_GID A group ID
616: .It KERN\_PROC\_PID A process ID
617: .It KERN\_PROC\_PGRP A process group
618: .It KERN\_PROC\_RGID A real group ID
619: .It KERN\_PROC\_RUID A real user ID
620: .It KERN\_PROC\_SESSION A session ID
621: .It KERN\_PROC\_TTY A tty device
622: .It KERN\_PROC\_UID A user ID
623: .El
624: .It Li kern.proc2 ( KERN_PROC2 )
625: As for KERN_PROC, but an array of
626: .Va struct kinfo_proc2
627: structures is returned.
628: The fifth level name is the size of the
629: .Va struct kinfo_proc2
630: and the sixth level name is the number of structures to return.
631: .It Li kern.proc_args ( KERN_PROC_ARGS )
632: Return the argv or environment strings (or the number thereof)
633: of a process.
634: Multiple strings are returned separated by NUL characters.
635: The third level name is the process ID.
636: The fourth level name is as follows:
637: .Bl -column "Third level nameXXXXXX" -offset indent
638: .It KERN\_PROC\_ARGV The argv strings
639: .It KERN\_PROC\_ENV The environ strings
640: .It KERN\_PROC\_NARGV The number of argv strings
641: .It KERN\_PROC\_NENV The number of environ strings
642: .El
643: .It Li kern.profiling ( KERN_PROF )
644: Return profiling information about the kernel.
645: If the kernel is not compiled for profiling,
646: attempts to retrieve any of the KERN_PROF values will
647: fail with
648: .Er EOPNOTSUPP .
649: The third level names for the string and integer profiling information
650: are detailed below.
651: The changeable column shows whether a process with appropriate
652: privilege may change the value.
653: .Bl -column "kern.profiling.gmonparam" "struct gmonparam" -offset indent
654: .It Sy Third level name Type Changeable
655: .It kern.profiling.count u_short[\|] yes
656: .It kern.profiling.froms u_short[\|] yes
657: .It kern.profiling.gmonparam struct gmonparam no
658: .It kern.profiling.state integer yes
659: .It kern.profiling.tos struct tostruct yes
660: .El
661: .Pp
662: The variables are as follows:
663: .Bl -tag -width "123456"
664: .It Li kern.profiling.count ( GPROF_COUNT )
665: Array of statistical program counter counts.
666: .It Li kern.profiling.froms ( GPROF_FROMS )
667: Array indexed by program counter of call-from points.
668: .It Li kern.profiling.gmonparams ( GPROF_GMONPARAM )
669: Structure giving the sizes of the above arrays.
670: .It Li kern.profiling.state ( GPROF_STATE )
671: Profiling state.
672: If set to GMON_PROF_ON, starts profiling.
673: If set to GMON_PROF_OFF, stops profiling.
674: .It Li kern.profiling.tos ( GPROF_TOS )
675: Array of
676: .Va struct tostruct
677: describing destination of calls and their counts.
678: .El
679: .It Li kern.rawpartition ( KERN_RAWPARTITION )
680: The raw partition of a disk (a == 0).
681: .It Li kern.root_device ( KERN_ROOT_DEVICE )
682: The name of the root device (e.g.,
683: .Dq wd0 ) .
684: .It Li kern.root_partition ( KERN_ROOT_PARTITION )
685: The root partition on the root device (a == 0).
686: .It Li kern.rtc_offset ( KERN_RTC_OFFSET )
687: Return the offset of real time clock from UTC in minutes.
688: .It Li kern.saved_ids ( KERN_SAVED_IDS )
689: Returns 1 if saved set-group and saved set-user IDs are available.
690: .It Li kern.sbmax ( KERN_SBMAX )
691: Maximum socket buffer size.
692: .\" XXX units?
693: .It Li kern.securelevel ( KERN_SECURELVL )
694: The system security level.
695: This level may be raised by processes with appropriate privilege.
696: It may only be lowered by process 1.
697: .It Li kern.somaxkva ( KERN_SOMAXKVA )
698: Maximum amount of kernel memory to be used for socket buffers.
699: .\" XXX units?
700: .It Li kern.synchronized_io ( KERN_SYNCHRONIZED_IO )
701: Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available
702: on this system,
703: otherwise 0.
704: .It Li kern.ipc ( KERN_SYSVIPC )
1.2 wiz 705: Return information about the SysV IPC parameters.
706: The third level names for the ipc variables are detailed below.
1.1 pavel 707: .Bl -column "KERN_SYSVIPC_MSGXXX" "integerXXX" "noXXX" -offset indent
708: .It Sy Third level name Type Changeable
709: .It kern.ipc.sysvmsg integer no
710: .It kern.ipc.sysvsem integer no
711: .It kern.ipc.sysvshm integer no
712: .It kern.ipc.sysvipc_info struct no
713: .It kern.ipc.shmmax integer no
714: .It kern.ipc.shmmni integer yes
715: .It kern.ipc.shmseg integer yes
716: .It kern.ipc.shmmaxpgs integer yes
717: .It kern.ipc.shm_use_phys integer yes
718: .El
719: .Bl -tag -width "123456"
720: .It Li kern.ipc.sysvmsg ( KERN_SYSVIPC_MSG )
721: Returns 1 if System V style message queue functionality is available
722: on this system,
723: otherwise 0.
724: .It Li kern.ipc.sysvsem ( KERN_SYSVIPC_SEM )
725: Returns 1 if System V style semaphore functionality is available
726: on this system,
727: otherwise 0.
728: .It Li kern.ipc.sysvshm ( KERN_SYSVIPC_SHM )
729: Returns 1 if System V style shared memory functionality is available
730: on this system,
731: otherwise 0.
732: .It Li kern.ipc.sysvipc_info ( KERN_SYSVIPC_INFO )
733: Return System V style IPC configuration and run-time information.
734: The fourth level name selects the System V style IPC facility.
735: .Bl -column "KERN_SYSVIPC_MSG_INFOXXX" "struct shm_sysctl_infoXXX" -offset indent
736: .It Sy Fourth level name Type
737: .It KERN\_SYSVIPC\_MSG\_INFO struct msg_sysctl_info
738: .It KERN\_SYSVIPC\_SEM\_INFO struct sem_sysctl_info
739: .It KERN\_SYSVIPC\_SHM\_INFO struct shm_sysctl_info
740: .El
741: .Pp
742: .Bl -tag -width "123456"
743: .It Li KERN_SYSVIPC_MSG_INFO
744: Return information on the System V style message facility.
745: The
746: .Sy msg_sysctl_info
747: structure is defined in
748: .Aq Pa sys/msg.h .
749: .It Li KERN_SYSVIPC_SEM_INFO
750: Return information on the System V style semaphore facility.
751: The
752: .Sy sem_sysctl_info
753: structure is defined in
754: .Aq Pa sys/sem.h .
755: .It Li KERN_SYSVIPC_SHM_INFO
756: Return information on the System V style shared memory facility.
757: The
758: .Sy shm_sysctl_info
759: structure is defined in
760: .Aq Pa sys/shm.h .
761: .El
762: .It Li kern.ipc.shmmax ( KERN_SYSVIPC_SHMMAX )
763: Max shared memory segment size in bytes.
764: .It Li kern.ipc.shmmni ( KERN_SYSVIPC_SHMMNI )
765: Max number of shared memory identifiers.
766: .It Li kern.ipc.shmseg ( KERN_SYSVIPC_SHMSEG )
767: Max shared memory segments per process.
768: .It Li kern.ipc.shmmaxpgs ( KERN_SYSVIPC_SHMMAXPGS )
769: Max amount of shared memory in pages.
770: .It Li kern.ipc.shm_use_phys ( KERN_SYSVIPC_SHMUSEPHYS )
1.2 wiz 771: Locking of shared memory in physical memory.
1.3 wiz 772: If 0, memory can be swapped
1.1 pavel 773: out, otherwise it will be locked in physical memory.
774: .El
775: .It Li kern.timex ( KERN_TIMEX )
776: Not available.
777: .It Li kern.tkstat ( KERN_TKSTAT )
778: Return information about the number of characters sent and received
779: on ttys.
780: The third level names for the tty statistic variables are detailed below.
781: The changeable column shows whether a process
782: with appropriate privilege may change the value.
783: .Bl -column "KERNXTKSTATXRAWCCXXX" "struct integerXXX" -offset indent
784: .It Sy Third level name Type Changeable
785: .It kern.tkstat.cancc quad no
786: .It kern.tkstat.nin quad no
787: .It kern.tkstat.nout quad no
788: .It kern.tkstat.rawcc quad no
789: .El
790: .Pp
791: The variables are as follows:
792: .Bl -tag -width "123456"
793: .It Li kern.tkstat.cancc ( KERN_TKSTAT_CANCC )
794: The number of canonical input characters.
795: .It Li kern.tkstat.nin ( KERN_TKSTAT_NIN )
796: The total number of input characters.
797: .It Li kern.tkstat.nout ( KERN_TKSTAT_NOUT )
798: The total number of output characters.
799: .It Li kern.tkstat.rawcc ( KERN_TKSTAT_RAWCC )
800: The number of raw input characters.
801: .El
802: .It Li kern.urandom ( KERN_URND )
803: Random integer value.
804: .It Li kern.veriexec
805: Tunings for Veriexec.
806: .Bl -tag -width "123456"
807: .It Li kern.veriexec.algorithms
808: Returns a string with the supported algorithms in Veriexec.
809: .It Li kern.veriexec.count
810: Sub-nodes are added to this node as new mounts are monitored by Veriexec.
811: Each mount will be under its own
812: .No tableN
813: node.
814: Under each node there will be three variables, indicating the mount
815: point, the file-system type, and the number of entries.
816: .It Li kern.veriexec.strict
817: Controls the strict level of Veriexec.
818: See
819: .Xr security 8
820: for more information on each level's implications.
821: .It Li kern.veriexec.verbose
822: Controls the verbosity level of Veriexec.
823: If 0, only the minimal
824: indication required will be given about what's happening - fingerprint
825: mismatches, removal of entries from the tables, modification of a
826: fingerprinted file.
827: If 1, more messages will be printed (i.e., when a file with a valid
828: fingerprint is accessed).
829: Verbose level 2 is debug mode.
830: .El
831: .It Li kern.version ( KERN_VERSION )
832: The system version string.
833: .It Li kern.vnode ( KERN_VNODE )
834: Return the entire vnode table.
835: Note, the vnode table is not necessarily a consistent snapshot of
836: the system.
837: The returned data consists of an array whose size depends on the
838: current number of such objects in the system.
839: Each element of the array contains the kernel address of a vnode
840: .Va struct vnode *
841: followed by the vnode itself
842: .Va struct vnode .
843: .It Li kern.coredump.setid
844: Settings related to set-id processes' coredumps.
845: By default, set-id processes do not dump core in situations where
846: other processes would.
847: The settings in this node allow an administrator to change this
848: behavior.
849: .Pp
850: .Bl -tag -width "123456"
851: .It Li kern.coredump.setid.dump
852: If non-zero, set-id processes will dump core.
853: .It Li kern.coredump.setid.group
854: The group-id for the set-id processes' coredump.
855: .It Li kern.coredump.setid.mode
856: The mode for the set-id processes' coredump.
857: See
858: .Xr chmod 1 .
859: .It Li kern.coredump.setid.owner
860: The user-id that will be used as the owner of the set-id processes'
861: coredump.
862: .It Li kern.coredump.setid.path
863: The path to which set-id processes' coredumps will be saved.
864: Same syntax as kern.defcorename.
865: .El
866: .\" XXX kern.lwp
867: .El
868: .Sh The machdep.* subtree
869: The set of variables defined is architecture dependent.
870: Most architectures define at least the following variables.
871: .Bl -column "CONSOLE_DEVICEXXX" "integerXXX" -offset indent
872: .It Sy Second level name Type Changeable
873: .It Li CPU_CONSDEV dev_t no
874: .El
875: .Sh The net.* subtree
876: The string and integer information available for the
877: .Li net
878: level is detailed below.
879: The changeable column shows whether a process with appropriate
880: privilege may change the value.
881: The second and third levels are typically the protocol family and
882: protocol number, though this is not always the case.
883: .Bl -column "Second level nameX" "IPsec key management valuesX" -offset indent
884: .It Sy Second level name Type Changeable
885: .It net.route routing messages no
886: .It net.inet IPv4 values yes
887: .It net.inet6 IPv6 values yes
888: .It net.key IPsec key management values yes
889: .El
890: .Pp
891: .Bl -tag -width "123456"
892: .It Li net.route ( PF_ROUTE )
893: .\" XXX really?
894: Return the entire routing table or a subset of it.
895: The data is returned as a sequence of routing messages (see
896: .Xr route 4
897: for the header file, format and meaning).
898: The length of each message is contained in the message header.
899: .Pp
900: The third level name is a protocol number, which is currently always 0.
901: The fourth level name is an address family, which may be set to 0 to
902: select all address families.
903: The fifth and sixth level names are as follows:
904: .Bl -column "Fifth level nameXXXXXX" "Sixth level is:XXX" -offset indent
905: .It Sy Fifth level name Sixth level is:
906: .It NET\_RT\_FLAGS rtflags
907: .It NET\_RT\_DUMP None
908: .It NET\_RT\_IFLIST None
909: .El
910: .It Li net.inet ( PF_INET )
911: Get or set various global information about the IPv4
912: .Pq Internet Protocol version 4 .
913: The third level name is the protocol.
914: The fourth level name is the variable name.
915: The currently defined protocols and names are:
916: .Bl -column "Protocol name" "sack.globalmaxholes" "integer" -offset 4n
917: .It Sy Protocol name Variable name Type Changeable
918: .It arp down integer yes
919: .It arp keep integer yes
920: .It arp prune integer yes
921: .It arp refresh integer yes
922: .It carp allow integer yes
923: .It carp preempt integer yes
924: .It carp log integer yes
925: .It carp arpbalance integer yes
926: .It icmp errppslimit integer yes
927: .It icmp maskrepl integer yes
928: .It icmp rediraccept integer yes
929: .It icmp redirtimeout integer yes
930: .It ip allowsrcrt integer yes
931: .It ip anonportmax integer yes
932: .It ip anonportmin integer yes
933: .It ip checkinterface integer yes
934: .It ip directed-broadcast integer yes
935: .It ip do_loopback_cksum integer yes
936: .It ip forwarding integer yes
937: .It ip forwsrcrt integer yes
938: .It ip gifttl integer yes
939: .It ip grettl integer yes
1.8 liamjfoy 940: .It ip hashsize integer yes
1.1 pavel 941: .It ip hostzerobroadcast integer yes
942: .It ip lowportmin integer yes
943: .It ip lowportmax integer yes
944: .It ip maxflows integer yes
945: .It ip maxfragpackets integer yes
946: .It ip mtudisc integer yes
947: .It ip mtudisctimeout integer yes
948: .It ip random_id integer yes
949: .It ip redirect integer yes
950: .It ip subnetsarelocal integer yes
951: .It ip ttl integer yes
952: .It tcp rfc1323 integer yes
953: .It tcp sendspace integer yes
954: .It tcp recvspace integer yes
955: .It tcp mssdflt integer yes
956: .It tcp syn_cache_limit integer yes
957: .It tcp syn_bucket_limit integer yes
958: .It tcp syn_cache_interval integer yes
959: .It tcp init_win integer yes
960: .It tcp init_win_local integer yes
961: .It tcp mss_ifmtu integer yes
962: .It tcp win_scale integer yes
963: .It tcp timestamps integer yes
964: .It tcp compat_42 integer yes
965: .It tcp cwm integer yes
966: .It tcp cwm_burstsize integer yes
967: .It tcp ack_on_push integer yes
968: .It tcp keepidle integer yes
969: .It tcp keepintvl integer yes
970: .It tcp keepcnt integer yes
971: .It tcp slowhz integer no
972: .It tcp log_refused integer yes
973: .It tcp rstppslimit integer yes
974: .It tcp ident struct no
975: .It tcp sack.enable integer yes
976: .It tcp sack.globalholes integer no
977: .It tcp sack.globalmaxholes integer yes
978: .It tcp sack.maxholes integer yes
979: .It tcp ecn.enable integer yes
980: .It tcp ecn.maxretries integer yes
981: .It tcp congctl.selected string yes
982: .It tcp congctl.available string yes
983: .It tcp abc.enable integer yes
984: .It tcp abc.aggressive integer yes
985: .It udp checksum integer yes
986: .It udp do_loopback_cksum integer yes
987: .It udp recvspace integer yes
988: .It udp sendspace integer yes
989: .El
990: .Pp
991: The variables are as follows:
992: .Bl -tag -width "123456"
993: .It Li arp.down
994: Failed ARP entry lifetime.
995: .It Li arp.keep
996: Valid ARP entry lifetime.
997: .It Li arp.prune
998: ARP cache pruning interval.
999: .It Li arp.refresh
1000: ARP entry refresh interval.
1001: .It Li carp.allow
1002: If set to 0, incoming
1003: .Xr carp 4
1004: packets will not be processed.
1005: If set to any other value, processing will occur.
1006: Enabled by default.
1007: .It Li carp.arpbalance
1008: If set to any value other than 0, the ARP balancing functionality of
1009: .Xr carp 4
1010: is enabled.
1011: When ARP requests are received for an IP address which is part of any virtual
1012: host, carp will hash the source IP in the ARP request to select one of the
1013: virtual hosts from the set of all the virtual hosts which have that IP address.
1014: The master of that host will respond with the correct virtual MAC address.
1015: Disabled by default.
1016: .It Li carp.log
1017: If set to any value other than 0,
1018: .Xr carp 4
1019: will log errors.
1020: Disabled by default.
1021: .It Li carp.preempt
1022: If set to 0,
1023: .Xr carp 4
1024: will not attempt to become master if it is receiving advertisements from
1025: another active master.
1026: If set to any other value, carp will become master of the virtual host if it
1027: believes it can send advertisements more frequently than the current master.
1028: Disabled by default.
1029: .It Li ip.allowsrcrt
1030: If set to 1, the host accepts source routed packets.
1031: .It Li ip.anonportmax
1032: The highest port number to use for TCP and UDP ephemeral port allocation.
1033: This cannot be set to less than 1024 or greater than 65535, and must
1034: be greater than
1035: .Li ip.anonportmin .
1036: .It Li ip.anonportmin
1037: The lowest port number to use for TCP and UDP ephemeral port allocation.
1038: This cannot be set to less than 1024 or greater than 65535.
1039: .It Li ip.checkinterface
1040: If set to non-zero, the host will reject packets addressed to it
1041: that arrive on an interface not bound to that address.
1042: Currently, this must be disabled if ipnat is used to translate the
1043: destination address to another local interface, or if addresses
1044: are added to the loopback interface instead of the interface where
1045: the packets for those addresses are received.
1046: .It Li ip.directed-broadcast
1047: If set to 1, enables directed broadcast behavior for the host.
1048: .It Li ip.do_loopback_cksum
1049: Perform IP checksum on loopback.
1050: .It Li ip.forwarding
1051: If set to 1, enables IP forwarding for the host,
1052: meaning that the host is acting as a router.
1053: .It Li ip.forwsrcrt
1054: If set to 1, enables forwarding of source-routed packets for the host.
1055: This value may only be changed if the kernel security level is less than 1.
1056: .It Li ip.gifttl
1057: The maximum time-to-live (hop count) value for an IPv4 packet generated by
1058: .Xr gif 4
1059: tunnel interface.
1060: .It Li ip.grettl
1061: The maximum time-to-live (hop count) value for an IPv4 packet generated by
1062: .Xr gre 4
1063: tunnel interface.
1.8 liamjfoy 1064: .It Li ip.hashsize
1065: The size of IPv4 Fast Forward hash table.
1066: This value must be a power of 2 (64, 256...).
1067: A larger hash table size results in fewer collisions.
1068: Also see
1069: .Li ip.maxflows .
1.1 pavel 1070: .It Li ip.hostzerobroadcast
1071: All zeroes address is broadcast address.
1072: .It Li ip.lowportmax
1073: The highest port number to use for TCP and UDP reserved port allocation.
1074: This cannot be set to less than 0 or greater than 1024, and must
1075: be greater than
1076: .Li ip.lowportmin .
1077: .It Li ip.lowportmin
1078: The lowest port number to use for TCP and UDP reserved port allocation.
1079: This cannot be set to less than 0 or greater than 1024, and must
1080: be smaller than
1081: .Li ip.lowportmax .
1082: .It Li ip.maxflows
1.5 liamjfoy 1083: IPv4 Fast Forwarding is enabled by default.
1084: If set to 0, IPv4 Fast Forwarding is disabled.
1.1 pavel 1085: .Li ip.maxflows
1086: controls the maximum amount of flows which can be created.
1087: The default value is 256.
1088: .It Li ip.maxfragpackets
1089: The maximum number of fragmented packets the node will accept.
1090: 0 means that the node will not accept any fragmented packets.
1091: \-1 means that the node will accept as many fragmented packets as it receives.
1092: The flag is provided basically for avoiding possible DoS attacks.
1093: .It Li ip.mtudisc
1094: If set to 1, enables Path MTU Discovery (RFC 1191).
1095: When Path MTU Discovery is enabled, the transmitted TCP segment
1096: size will be determined by the advertised maximum segment size
1097: (MSS) from the remote end, as constrained by the path MTU.
1098: If MTU Discovery is disabled, the transmitted segment size will
1099: never be greater than
1100: .Li tcp.mssdflt
1101: (the local maximum segment size).
1102: .It Li ip.mtudisctimeout
1103: The number of seconds in which a route added by the Path MTU
1104: Discovery engine will time out.
1105: When the route times out, the Path
1106: MTU Discovery engine will attempt to probe a larger path MTU.
1107: .It Li ip.random_id
1108: Assign random ip_id values.
1109: .It Li ip.redirect
1110: If set to 1, ICMP redirects may be sent by the host.
1111: This option is ignored unless the host is routing IP packets,
1112: and should normally be enabled on all systems.
1113: .It Li ip.subnetsarelocal
1114: If set to 1, subnets are to be considered local addresses.
1115: .It Li ip.ttl
1116: The maximum time-to-live (hop count) value for an IP packet sourced by
1117: the system.
1118: This value applies to normal transport protocols, not to ICMP.
1119: .It Li icmp.errppslimit
1120: The variable specifies the maximum number of outgoing ICMP error messages,
1121: per second.
1122: ICMP error messages that exceeded the value are subject to rate limitation
1123: and will not go out from the node.
1124: Negative value disables rate limitation.
1125: .It Li icmp.maskrepl
1126: If set to 1, ICMP network mask requests are to be answered.
1127: .It Li icmp.rediraccept
1128: If set to non-zero, the host will accept ICMP redirect packets.
1129: Note that routers will never accept ICMP redirect packets,
1130: and the variable is meaningful on IP hosts only.
1131: .It Li icmp.redirtimeout
1132: The variable specifies lifetime of routing entries generated by incoming
1133: ICMP redirect.
1134: This defaults to 600 seconds.
1135: .It Li icmp.returndatabytes
1136: Number of bytes to return in an ICMP error message.
1137: .It Li tcp.ack_on_push
1138: If set to 1, TCP is to immediately transmit an ACK upon reception of
1139: a packet with PUSH set.
1140: This can avoid losing a round trip time in some rare situations,
1141: but has the caveat of potentially defeating TCP's delayed ACK algorithm.
1142: Use of this option is generally not recommended, but
1143: the variable exists in case your configuration really needs it.
1144: .It Li tcp.compat_42
1145: If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
1146: Use of this option is not recommended, although it may be
1147: required in order to communicate with extremely old TCP implementations.
1148: .It Li tcp.cwm
1149: If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
1150: Monitoring algorithm.
1151: This algorithm prevents line-rate bursts of packets that could
1152: otherwise occur when data begins flowing on an idle TCP connection.
1153: These line-rate bursts can contribute to network and router congestion.
1154: This can be particularly useful on World Wide Web servers
1155: which support HTTP/1.1, which has lingering connections.
1156: .It Li tcp.cwm_burstsize
1157: The Congestion Window Monitoring allowed burst size, in terms
1158: of packet count.
1159: .It Li tcp.delack_ticks
1160: Number of ticks to delay sending an ACK.
1161: .It Li tcp.do_loopback_cksum
1162: Perform TCP checksum on loopback.
1163: .It Li tcp.init_win
1164: A value indicating the TCP initial congestion window.
1165: If this value is 0, an auto-tuning algorithm designed to use an initial
1166: window of approximately 4K bytes is in use.
1167: Otherwise, this value indicates a fixed number of packets.
1168: .It Li tcp.init_win_local
1169: Like
1170: .Li tcp.init_win ,
1171: but used when communicating with hosts on a local network.
1172: .It Li tcp.keepcnt
1173: Number of keepalive probes sent before declaring a connection dead.
1174: If set to zero, there is no limit;
1175: keepalives will be sent until some kind of
1176: response is received from the peer.
1177: .It Li tcp.keepidle
1178: Time a connection must be idle before keepalives are sent (if keepalives
1179: are enabled for the connection).
1180: See also tcp.slowhz.
1181: .It Li tcp.keepintvl
1182: Time after a keepalive probe is sent until, in the absence of any response,
1183: another probe is sent.
1184: See also tcp.slowhz.
1185: .It Li tcp.log_refused
1186: If set to 1, refused TCP connections to the host will be logged.
1187: .It Li tcp.mss_ifmtu
1188: If set to 1, TCP calculates the outgoing maximum segment size based on
1189: the MTU of the appropriate interface.
1190: If set to 0, it is calculated based on the greater of the MTU of the
1191: interface, and the largest (non-loopback) interface MTU on the system.
1192: .It Li tcp.mssdflt
1193: The default maximum segment size both advertised to the peer
1194: and to use when either the peer does not advertise a maximum segment size to
1195: us during connection setup or Path MTU Discovery
1196: .Li ( ip.mtudisc )
1197: is disabled.
1198: Do not change this value unless you really know what you are doing.
1199: .It Li tcp.newreno
1200: If set to 1, enables the use of J.
1201: Hoe's NewReno congestion control algorithm.
1202: This algorithm improves the start-up behavior of TCP connections.
1203: .It Li tcp.recvspace
1204: The default TCP receive buffer size.
1205: .It Li tcp.rfc1323
1206: If set to 1, enables RFC 1323 extensions to TCP.
1207: .It Li tcp.rstppslimit
1208: The variable specifies the maximum number of outgoing TCP RST packets,
1209: per second.
1210: TCP RST packets that exceeded the value are subject to rate limitation
1211: and will not go out from the node.
1212: Negative value disables rate limitation.
1213: .It Li tcp.sack.enable
1214: If set to 1, enables RFC 2018 Selective ACKnowledgement.
1215: .It Li tcp.sack.globalholes
1216: Global number of TCP SACK holes.
1217: .It Li tcp.sack.globalmaxholes
1218: Global maximum number of TCP SACK holes.
1219: .It Li tcp.sack.maxholes
1220: Maximum number of TCP SACK holes allowed per connection.
1221: .It Li tcp.ecn.enable
1222: If set to 1, enables RFC 3168 Explicit Congestion Notification.
1223: .It Li tcp.ecn.maxretries
1224: Number of times to retry sending the ECN-setup packet.
1225: .It Li tcp.sendspace
1226: The default TCP send buffer size.
1227: .It Li tcp.slowhz
1228: The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
1229: of a clock that ticks tcp.slowhz times per second.
1230: (That is, their values
1231: must be divided by the tcp.slowhz value to get times in seconds.)
1232: .It Li tcp.syn_bucket_limit
1233: The maximum number of entries allowed per hash bucket in the TCP
1234: compressed state engine.
1235: .It Li tcp.syn_cache_limit
1236: The maximum number of entries allowed in the TCP compressed state
1237: engine.
1238: .It Li tcp.timestamps
1239: If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
1240: used for measuring TCP round trip times, are enabled.
1241: .It Li tcp.win_scale
1242: If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
1243: for increasing the TCP window size, are enabled.
1244: .It Li tcp.congctl.available
1245: The available TCP congestion control algorithms.
1246: .It Li tcp.congctl.selected
1247: The currently selected TCP congestion control algorithm.
1248: .It Li tcp.abc.enable
1249: If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).
1250: If set to 0, use traditional Packet Counting.
1251: .It Li tcp.abc.aggressive
1252: Choose the L parameter found in RFC 3465.
1253: L is the maximum cwnd increase for an ack during slow start.
1254: If set to 1, use L=2*SMSS.
1255: If set to 0, use L=1*SMSS.
1256: It has no effect unless tcp.abc.enable is set to 1.
1257: .It Li udp.checksum
1258: If set to 1, UDP checksums are being computed.
1259: Received non-zero UDP checksums are always checked.
1260: Disabling UDP checksums is strongly discouraged.
1261: .It Li udp.sendspace
1262: The default UDP send buffer size.
1263: .It Li udp.recvspace
1264: The default UDP receive buffer size.
1265: .El
1266: .Pp
1267: For variables net.*.ipsec, please refer to
1268: .Xr ipsec 4 .
1269: .It Li net.inet6 ( PF_INET6 )
1270: Get or set various global information about the IPv6
1271: .Pq Internet Protocol version 6 .
1272: The third level name is the protocol.
1273: The fourth level name is the variable name.
1274: The currently defined protocols and names are:
1275: .Bl -column "Protocol name" "Variable nameXX" "integer" "yes" -offset indent
1276: .It Sy Protocol name Variable name Type Changeable
1277: .It icmp6 errppslimit integer yes
1278: .It icmp6 mtudisc_hiwat integer yes
1279: .It icmp6 mtudisc_lowat integer yes
1280: .It icmp6 nd6_debug integer yes
1281: .It icmp6 nd6_delay integer yes
1282: .It icmp6 nd6_maxnudhint integer yes
1283: .It icmp6 nd6_mmaxtries integer yes
1284: .It icmp6 nd6_prune integer yes
1285: .It icmp6 nd6_umaxtries integer yes
1286: .It icmp6 nd6_useloopback integer yes
1287: .It icmp6 nodeinfo integer yes
1288: .It icmp6 rediraccept integer yes
1289: .It icmp6 redirtimeout integer yes
1290: .It ip6 accept_rtadv integer yes
1291: .It ip6 anonportmax integer yes
1292: .It ip6 anonportmin integer yes
1293: .It ip6 auto_flowlabel integer yes
1294: .It ip6 dad_count integer yes
1295: .It ip6 defmcasthlim integer yes
1296: .It ip6 forwarding integer yes
1297: .It ip6 gifhlim integer yes
1.7 liamjfoy 1298: .It ip6 hashsize integer yes
1.1 pavel 1299: .It ip6 hlim integer yes
1300: .It ip6 hdrnestlimit integer yes
1301: .It ip6 kame_version string no
1302: .It ip6 keepfaith integer yes
1303: .It ip6 log_interval integer yes
1304: .It ip6 lowportmax integer yes
1305: .It ip6 lowportmin integer yes
1.5 liamjfoy 1306: .It ip6 maxflows integer yes
1.1 pavel 1307: .It ip6 maxfragpackets integer yes
1308: .It ip6 maxfrags integer yes
1309: .It ip6 redirect integer yes
1.9 ! christos 1310: .It ip6 rht0 integer yes
1.1 pavel 1311: .It ip6 rr_prune integer yes
1312: .It ip6 use_deprecated integer yes
1313: .It ip6 v6only integer yes
1314: .It udp6 do_loopback_cksum integer yes
1315: .It udp6 recvspace integer yes
1316: .It udp6 sendspace integer yes
1317: .El
1318: .Pp
1319: The variables are as follows:
1320: .Bl -tag -width "123456"
1321: .It Li ip6.accept_rtadv
1322: If set to non-zero, the node will accept ICMPv6 router advertisement packets
1323: and autoconfigures address prefixes and default routers.
1324: The node must be a host
1325: .Pq not a router
1326: for the option to be meaningful.
1327: .It Li ip6.anonportmax
1328: The highest port number to use for TCP and UDP ephemeral port allocation.
1329: This cannot be set to less than 1024 or greater than 65535, and must
1330: be greater than
1331: .Li ip6.anonportmin .
1332: .It Li ip6.anonportmin
1333: The lowest port number to use for TCP and UDP ephemeral port allocation.
1334: This cannot be set to less than 1024 or greater than 65535.
1335: .It Li ip6.auto_flowlabel
1336: On connected transport protocol packets,
1337: fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
1338: .It Li ip6.dad_count
1339: The variable configures number of IPv6 DAD
1340: .Pq duplicated address detection
1341: probe packets.
1342: The packets will be generated when IPv6 interface addresses are configured.
1343: .It Li ip6.defmcasthlim
1344: The default hop limit value for an IPv6 multicast packet sourced by the node.
1345: This value applies to all the transport protocols on top of IPv6.
1346: There are APIs to override the value, as documented in
1347: .Xr ip6 4 .
1348: .It Li ip6.forwarding
1349: If set to 1, enables IPv6 forwarding for the node,
1350: meaning that the node is acting as a router.
1351: If set to 0, disables IPv6 forwarding for the node,
1352: meaning that the node is acting as a host.
1353: IPv6 specification defines node behavior for
1354: .Dq router
1355: case and
1356: .Dq host
1357: case quite differently, and changing this variable during operation
1358: may cause serious trouble.
1359: It is recommended to configure the variable at bootstrap time,
1360: and bootstrap time only.
1361: .It Li ip6.gifhlim
1362: The maximum hop limit value for an IPv6 packet generated by
1363: .Xr gif 4
1364: tunnel interface.
1365: .It Li ip6.hdrnestlimit
1366: The number of IPv6 extension headers permitted on incoming IPv6 packets.
1367: If set to 0, the node will accept as many extension headers as possible.
1.7 liamjfoy 1368: .It Li ip6.hashsize
1369: The size of IPv6 Fast Forward hash table.
1370: This value must be a power of 2 (64, 256...).
1371: A larger hash table size results in fewer collisions.
1372: Also see
1373: .Li ip6.maxflows .
1.1 pavel 1374: .It Li ip6.hlim
1375: The default hop limit value for an IPv6 unicast packet sourced by the node.
1376: This value applies to all the transport protocols on top of IPv6.
1377: There are APIs to override the value, as documented in
1378: .Xr ip6 4 .
1379: .It Li ip6.kame_version
1380: The string identifies the version of KAME IPv6 stack implemented in the kernel.
1381: .It Li ip6.keepfaith
1382: If set to non-zero, it enables
1383: .Dq FAITH
1384: TCP relay IPv6-to-IPv4 translator code in the kernel.
1385: Refer to
1386: .Xr faith 4
1387: and
1388: .Xr faithd 8
1389: for detail.
1390: .It Li ip6.log_interval
1391: The variable controls amount of logs generated by IPv6 packet
1392: forwarding engine, by setting interval between log output
1393: .Pq in seconds .
1394: .It Li ip6.lowportmax
1395: The highest port number to use for TCP and UDP reserved port allocation.
1396: This cannot be set to less than 0 or greater than 1024, and must
1397: be greater than
1398: .Li ip6.lowportmin .
1399: .It Li ip6.lowportmin
1400: The lowest port number to use for TCP and UDP reserved port allocation.
1401: This cannot be set to less than 0 or greater than 1024, and must
1402: be smaller than
1403: .Li ip6.lowportmax .
1.5 liamjfoy 1404: .It Li ip6.maxflows
1405: IPv6 Fast Forwarding is enabled by default.
1406: If set to 0, IPv6 Fast Forwarding is disabled.
1407: .Li ip6.maxflows
1408: controls the maximum amount of flows which can be created.
1.6 liamjfoy 1409: The default value is 256.
1.1 pavel 1410: .It Li ip6.maxfragpackets
1411: The maximum number of fragmented packets the node will accept.
1412: 0 means that the node will not accept any fragmented packets.
1413: \-1 means that the node will accept as many fragmented packets as it receives.
1414: The flag is provided basically for avoiding possible DoS attacks.
1415: .It Li ip6.maxfrags
1416: The maximum number of fragments the node will accept.
1417: 0 means that the node will not accept any fragments.
1418: \-1 means that the node will accept as many fragments as it receives.
1419: The flag is provided basically for avoiding possible DoS attacks.
1420: .It Li ip6.redirect
1421: If set to 1, ICMPv6 redirects may be sent by the node.
1422: This option is ignored unless the node is routing IP packets,
1423: and should normally be enabled on all systems.
1.9 ! christos 1424: .It Li ip6.rht0
! 1425: This variable controls processing of routing header type 0 packets. The
! 1426: possible values are:
! 1427: .Bl -tag -width "-1"
! 1428: .It Li \-1
! 1429: Processing is disabled (default).
! 1430: .It Li 0
! 1431: Processing is enabled only for routers and not for hosts.
! 1432: .It Li 1
! 1433: Processing is enabled for both routers and hosts.
! 1434: .El
1.1 pavel 1435: .It Li ip6.rr_prune
1436: The variable specifies interval between IPv6 router renumbering prefix
1437: babysitting, in seconds.
1438: .It Li ip6.use_deprecated
1439: The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
1440: .It Li ip6.v6only
1441: The variable specifies initial value for
1442: .Dv IPV6_V6ONLY
1443: socket option for
1444: .Dv AF_INET6
1445: socket.
1446: Please refer to
1447: .Xr ip6 4
1448: for detail.
1449: .It Li icmp6.errppslimit
1450: The variable specifies the maximum number of outgoing ICMPv6 error messages,
1451: per second.
1452: ICMPv6 error messages that exceeded the value are subject to rate limitation
1453: and will not go out from the node.
1454: Negative value disables rate limitation.
1455: .It Li icmp6.mtudisc_hiwat
1456: .It Li icmp6.mtudisc_lowat
1457: The variables define the maximum number of routing table entries,
1458: created due to path MTU discovery
1459: .Pq prevents denial-of-service attacks with ICMPv6 too big messages .
1460: When IPv6 path MTU discovery happens, we keep path MTU information into
1461: the routing table.
1462: If the number of routing table entries exceed the value,
1463: the kernel will not attempt to keep the path MTU information.
1464: .Li icmp6.mtudisc_hiwat
1465: is used when we have verified ICMPv6 too big messages.
1466: .Li icmp6.mtudisc_lowat
1467: is used when we have unverified ICMPv6 too big messages.
1468: Verification is performed by using address/port pairs kept in connected pcbs.
1469: Negative value disables the upper limit.
1470: .It Li icmp6.nd6_debug
1471: If set to non-zero, kernel IPv6 neighbor discovery code will generate
1472: debugging messages.
1473: The debug outputs are useful to diagnose IPv6 interoperability issues.
1474: The flag must be set to 0 for normal operation.
1475: .It Li icmp6.nd6_delay
1476: The variable specifies
1477: .Dv DELAY_FIRST_PROBE_TIME
1478: timing constant in IPv6 neighbor discovery specification
1479: .Pq RFC 2461 ,
1480: in seconds.
1481: .It Li icmp6.nd6_maxnudhint
1482: IPv6 neighbor discovery permits upper layer protocols to supply reachability
1483: hints, to avoid unnecessary neighbor discovery exchanges.
1484: The variable defines the number of consecutive hints the neighbor discovery
1485: layer will take.
1486: For example, by setting the variable to 3, neighbor discovery layer
1487: will take at most 3 consecutive hints.
1488: After receiving 3 hints, neighbor discovery layer will perform
1489: normal neighbor discovery process.
1490: .It Li icmp6.nd6_mmaxtries
1491: The variable specifies
1492: .Dv MAX_MULTICAST_SOLICIT
1493: constant in IPv6 neighbor discovery specification
1494: .Pq RFC 2461 .
1495: .It Li icmp6.nd6_prune
1496: The variable specifies interval between IPv6 neighbor cache babysitting,
1497: in seconds.
1498: .It Li icmp6.nd6_umaxtries
1499: The variable specifies
1500: .Dv MAX_UNICAST_SOLICIT
1501: constant in IPv6 neighbor discovery specification
1502: .Pq RFC 2461 .
1503: .It Li icmp6.nd6_useloopback
1504: If set to non-zero, kernel IPv6 stack will use loopback interface for
1505: local traffic.
1506: .It Li icmp6.nodeinfo
1507: The variable enables responses to ICMPv6 node information queries.
1508: If you set the variable to 0, responses will not be generated for
1509: ICMPv6 node information queries.
1510: Since node information queries can have a security impact, it is
1511: possible to fine tune which responses should be answered.
1512: Two separate bits can be set.
1513: .Bl -tag -width "12345"
1514: .It 1
1515: Respond to ICMPv6 FQDN queries, e.g.
1516: .Li ping6 -w .
1517: .It 2
1518: Respond to ICMPv6 node addresses queries, e.g.
1519: .Li ping6 -a .
1520: .El
1521: .It Li icmp6.rediraccept
1522: If set to non-zero, the host will accept ICMPv6 redirect packets.
1523: Note that IPv6 routers will never accept ICMPv6 redirect packets,
1524: and the variable is meaningful on IPv6 hosts
1525: .Pq non-router
1526: only.
1527: .It Li icmp6.redirtimeout
1528: The variable specifies lifetime of routing entries generated by incoming
1529: ICMPv6 redirect.
1530: .It Li udp6.do_loopback_cksum
1531: Perform UDP checksum on loopback.
1532: .It Li udp6.recvspace
1533: Default UDP receive buffer size.
1534: .It Li udp6.sendspace
1535: Default UDP send buffer size.
1536: .El
1537: .Pp
1538: We reuse net.*.tcp for
1539: .Tn TCP
1540: over
1541: .Tn IPv6 ,
1542: and therefore we do not have variables net.*.tcp6.
1543: Variables net.inet6.udp6 have identical meaning to net.inet.udp.
1544: Please refer to
1545: .Li PF_INET
1546: section above.
1547: For variables net.*.ipsec6, please refer to
1548: .Xr ipsec 4 .
1549: .It Li net.key ( PF_KEY )
1550: Get or set various global information about the IPsec key management.
1551: The third level name is the variable name.
1552: The currently defined variable names are:
1553: .Bl -column "blockacq_lifetime" "integer" "yes" -offset indent
1554: .It Sy Variable name Type Changeable
1555: .It debug integer yes
1556: .It spi_try integer yes
1557: .It spi_min_value integer yes
1558: .It spi_max_value integer yes
1559: .It larval_lifetime integer yes
1560: .It blockacq_count integer yes
1561: .It blockacq_lifetime integer yes
1562: .It esp_keymin integer yes
1563: .It esp_auth integer yes
1564: .It ah_keymin integer yes
1565: .El
1566: The variables are as follows:
1567: .Bl -tag -width "123456"
1568: .It Li debug
1569: Turn on debugging messages from within the kernel.
1570: The value is a bitmap, as defined in
1571: .Pa /usr/include/netkey/key_debug.h .
1572: .It Li spi_try
1573: The number of times the kernel will try to obtain a unique SPI
1574: when generating it from the random number generator.
1575: .It Li spi_min_value
1576: Minimum SPI value when generating it within the kernel.
1577: .It Li spi_max_value
1578: Maximum SPI value when generating it within the kernel.
1579: .It Li larval_lifetime
1580: Lifetime for LARVAL SAD entries, in seconds.
1581: .It Li blockacq_count
1582: Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
1583: It prevents a flood of ACQUIRE PF_KEY messages from being sent from the kernel to the
1584: key management daemon.
1585: .It Li blockacq_lifetime
1586: Lifetime of ACQUIRE PF_KEY message.
1587: .It Li esp_keymin
1588: Minimum ESP key length, in bits.
1589: The value is used when the kernel creates proposal payload
1590: on ACQUIRE PF_KEY message.
1591: .It Li esp_auth
1592: Whether ESP authentication should be used or not.
1593: Non-zero value indicates that ESP authentication should be used.
1594: The value is used when the kernel creates proposal payload
1595: on ACQUIRE PF_KEY message.
1596: .It Li ah_keymin
1597: Minimum AH key length, in bits.
1598: The value is used when the kernel creates proposal payload
1599: on ACQUIRE PF_KEY message.
1600: .El
1601: .El
1602: .Sh The proc.* subtree
1603: The string and integer information available for the
1604: .Li proc
1605: level is detailed below.
1606: The changeable column shows whether a process with appropriate
1607: privilege may change the value.
1608: These values are per-process,
1609: and as such may change from one process to another.
1610: When a process is created,
1611: the default values are inherited from its parent.
1612: When a set-user-ID or set-group-ID binary is executed, the
1613: value of PROC_PID_CORENAME is reset to the system default value.
1614: The second level name is either the magic value PROC_CURPROC, which
1615: points to the current process, or the PID of the target process.
1616: .Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" "yes" -offset indent
1617: .It Sy Third level name Type Changeable
1618: .It proc.pid.corename string yes
1619: .It proc.pid.rlimit node not applicable
1620: .It proc.pid.stopfork int yes
1621: .It proc.pid.stopexec int yes
1622: .It proc.pid.stopexit int yes
1623: .El
1624: .Bl -tag -width "123456"
1625: .Pp
1626: .It Li proc.pid.corename ( PROC_PID_CORENAME )
1627: The template used for the core dump file name (see
1628: .Xr core 5
1629: for details).
1630: The base name must either be
1631: .Nm core
1632: or end with the suffix ``.core'' (the super-user may set arbitrary names).
1633: By default it points to KERN_DEFCORENAME.
1634: .It Li proc.pid.rlimit ( PROC_PID_LIMIT )
1635: Return resource limits, as defined for the
1636: .Xr getrlimit 2
1637: and
1638: .Xr setrlimit 2
1639: system calls.
1640: The fourth level name is one of:
1641: .Bl -tag -width PROC_PID_LIMIT_MEMLOCKAA
1642: .It Li proc.pid.rlimit.cputime ( PROC_PID_LIMIT_CPU )
1643: The maximum amount of CPU time (in seconds) to be used by each process.
1644: .It Li proc.pid.rlimit.filesize ( PROC_PID_LIMIT_FSIZE )
1645: The largest size (in bytes) file that may be created.
1646: .It Li proc.pid.rlimit.datasize ( PROC_PID_LIMIT_DATA )
1647: The maximum size (in bytes) of the data segment for a process;
1648: this defines how far a program may extend its break with the
1649: .Xr sbrk 2
1650: system call.
1651: .It Li proc.pid.rlimit.stacksize ( PROC_PID_LIMIT_STACK )
1652: The maximum size (in bytes) of the stack segment for a process;
1653: this defines how far a program's stack segment may be extended.
1654: Stack extension is performed automatically by the system.
1655: .It Li proc.pid.rlimit.coredumpsize ( PROC_PID_LIMIT_CORE )
1656: The largest size (in bytes)
1657: .Pa core
1658: file that may be created.
1659: .It Li proc.pid.rlimit.memoryuse ( PROC_PID_LIMIT_RSS )
1660: The maximum size (in bytes) to which a process's resident set size may
1661: grow.
1662: This imposes a limit on the amount of physical memory to be given to
1663: a process; if memory is tight, the system will prefer to take memory
1664: from processes that are exceeding their declared resident set size.
1665: .It Li proc.pid.rlimit.memorylocked ( PROC_PID_LIMIT_MEMLOCK )
1666: The maximum size (in bytes) which a process may lock into memory
1667: using the
1668: .Xr mlock 2
1669: function.
1670: .It Li proc.pid.rlimit.maxproc ( PROC_PID_LIMIT_NPROC )
1671: The maximum number of simultaneous processes for this user id.
1672: .It Li proc.pid.rlimit.descriptors ( PROC_PID_LIMIT_NOFILE )
1673: The maximum number of open files for this process.
1674: .\" XXX proc.pid.rlimit.sbsize
1675: .El
1676: .Pp
1677: The fifth level name is one of
1678: .Li soft ( PROC_PID_LIMIT_TYPE_SOFT ) or
1679: .Li hard ( PROC_PID_LIMIT_TYPE_HARD ) ,
1680: to select respectively the soft or hard limit.
1681: Both are of type integer.
1682: .It Li proc.pid.stopfork ( PROC_PID_STOPFORK )
1683: If non-zero, the process's children will be stopped after
1684: .Xr fork 2
1685: calls.
1686: Each child is created in the SSTOP state and is never scheduled
1687: for running before being stopped.
1688: This feature helps with attaching a debugger such as
1689: .Xr gdb 1
1690: to a process before it has had the opportunity to actually do anything.
1691: .Pp
1692: This value is inherited by the process's children, and it also
1693: applies to emulation-specific system calls that fork a new process, such as
1694: .Fn sproc
1695: or
1696: .Fn clone .
1697: .It Li proc.pid.stopexec ( PROC_PID_STOPEXEC )
1698: If non-zero, the process will be stopped on the next
1699: .Xr exec 3
1700: call.
1701: The process created by
1702: .Xr exec 3
1703: is created in the SSTOP state and is never scheduled for running
1704: before being stopped.
1705: This feature helps with attaching a debugger such as
1706: .Xr gdb 1
1707: to a process before it has had the opportunity to actually do anything.
1708: .Pp
1709: This value is inherited by the process's children.
1710: .It Li proc.pid.stopexit ( PROC_PID_STOPEXIT )
1711: If non-zero, the process will be stopped when it has cause to exit,
1712: either by way of calling
1713: .Xr exit 3 ,
1714: .Xr _exit 2 ,
1715: or by the receipt of a specific signal.
1716: The process is stopped before any of its resources or vm space is
1717: released, allowing examination of the termination state of a process
1718: before it disappears.
1719: This feature can be used to examine the final conditions of the
1720: process's vmspace via
1721: .Xr pmap 1
1722: or its resource settings with
1723: .Xr sysctl 8
1724: before it disappears.
1725: .Pp
1726: This value is also inherited by the process's children.
1727: .El
1728: .Sh The user.* subtree ( CTL_USER )
1729: The string and integer information available for the
1730: .Li user
1731: level is detailed below.
1732: The changeable column shows whether a process with appropriate
1733: privilege may change the value.
1734: .Bl -column "USER_COLL_WEIGHTS_MAXXXX" "integerXXX" -offset indent
1735: .It Sy Second level name Type Changeable
1736: .It user.atexit_max integer no
1737: .It user.bc_base_max integer no
1738: .It user.bc_dim_max integer no
1739: .It user.bc_scale_max integer no
1740: .It user.bc_string_max integer no
1741: .It user.coll_weights_max integer no
1742: .It user.cs_path string no
1743: .It user.expr_nest_max integer no
1744: .It user.line_max integer no
1745: .It user.posix2_c_bind integer no
1746: .It user.posix2_c_dev integer no
1747: .It user.posix2_char_term integer no
1748: .It user.posix2_fort_dev integer no
1749: .It user.posix2_fort_run integer no
1750: .It user.posix2_localedef integer no
1751: .It user.posix2_sw_dev integer no
1752: .It user.posix2_upe integer no
1753: .It user.posix2_version integer no
1754: .It user.re_dup_max integer no
1755: .It user.stream_max integer no
1757: .It user.tzname_max integer no
1758: .El
1759: .Bl -tag -width "123456"
1760: .Pp
1761: .It Li user.atexit_max ( USER_ATEXIT_MAX )
1762: The maximum number of functions that may be registered with
1763: .Xr atexit 3 .
1764: .It Li user.bc_base_max ( USER_BC_BASE_MAX )
1765: The maximum ibase/obase values in the
1766: .Xr bc 1
1767: utility.
1768: .It Li user.bc_dim_max ( USER_BC_DIM_MAX )
1769: The maximum array size in the
1770: .Xr bc 1
1771: utility.
1772: .It Li user.bc_scale_max ( USER_BC_SCALE_MAX )
1773: The maximum scale value in the
1774: .Xr bc 1
1775: utility.
1776: .It Li user.bc_string_max ( USER_BC_STRING_MAX )
1777: The maximum string length in the
1778: .Xr bc 1
1779: utility.
1780: .It Li user.coll_weights_max ( USER_COLL_WEIGHTS_MAX )
1781: The maximum number of weights that can be assigned to any entry of
1782: the LC_COLLATE order keyword in the locale definition file.
1783: .It Li user.cs_path ( USER_CS_PATH )
1784: Return a value for the
1785: .Ev PATH
1786: environment variable that finds all the standard utilities.
1787: .It Li user.expr_nest_max ( USER_EXPR_NEST_MAX )
1788: The maximum number of expressions that can be nested within
1789: parentheses by the
1790: .Xr expr 1
1791: utility.
1792: .It Li user.line_max ( USER_LINE_MAX )
1793: The maximum length in bytes of a text-processing utility's input
1794: line.
1795: .It Li user.posix2_char_term ( USER_POSIX2_CHAR_TERM )
1796: Return 1 if the system supports at least one terminal type capable of
1797: all operations described in POSIX 1003.2, otherwise 0.
1798: .It Li user.posix2_c_bind ( USER_POSIX2_C_BIND )
1799: Return 1 if the system's C-language development facilities support the
1800: C-Language Bindings Option, otherwise 0.
1801: .It Li user.posix2_c_dev ( USER_POSIX2_C_DEV )
1802: Return 1 if the system supports the C-Language Development Utilities Option,
1803: otherwise 0.
1804: .It Li user.posix2_fort_dev ( USER_POSIX2_FORT_DEV )
1805: Return 1 if the system supports the FORTRAN Development Utilities Option,
1806: otherwise 0.
1807: .It Li user.posix2_fort_run ( USER_POSIX2_FORT_RUN )
1808: Return 1 if the system supports the FORTRAN Runtime Utilities Option,
1809: otherwise 0.
1810: .It Li user.posix2_localedef ( USER_POSIX2_LOCALEDEF )
1811: Return 1 if the system supports the creation of locales, otherwise 0.
1812: .It Li user.posix2_sw_dev ( USER_POSIX2_SW_DEV )
1813: Return 1 if the system supports the Software Development Utilities Option,
1814: otherwise 0.
1815: .It Li user.posix2_upe ( USER_POSIX2_UPE )
1816: Return 1 if the system supports the User Portability Utilities Option,
1817: otherwise 0.
1818: .It Li user.posix2_version ( USER_POSIX2_VERSION )
1819: The version of POSIX 1003.2 with which the system attempts to comply.
1820: .It Li user.re_dup_max ( USER_RE_DUP_MAX )
1821: The maximum number of repeated occurrences of a regular expression
1822: permitted when using interval notation.
1823: .ne 1i
1824: .It Li user.stream_max ( USER_STREAM_MAX )
1825: The minimum maximum number of streams that a process may have open
1826: at any one time.
1827: .It Li user.tzname_max ( USER_TZNAME_MAX )
1828: The minimum maximum number of types supported for the name of a
1829: timezone.
1830: .El
1831: .Sh The vm.* subtree ( CTL_VM )
1832: The string and integer information available for the
1833: .Li vm
1834: level is detailed below.
1835: The changeable column shows whether a process with appropriate
1836: privilege may change the value.
1837: .Bl -column "Second level nameXXXXXX" "struct uvmexp_sysctlXXX" -offset indent
1838: .It Sy Second level name Type Changeable
1839: .It vm.anonmax int yes
1840: .It vm.anonmin int yes
1841: .It vm.bufcache int yes
1842: .It vm.bufmem int no
1843: .It vm.bufmem_hiwater int yes
1844: .It vm.bufmem_lowater int yes
1845: .It vm.execmax int yes
1846: .It vm.execmin int yes
1847: .It vm.filemax int yes
1848: .It vm.filemin int yes
1849: .It vm.loadavg struct loadavg no
1850: .It vm.maxslp int no
1851: .It vm.nkmempages int no
1852: .It vm.uspace int no
1853: .It vm.uvmexp struct uvmexp no
1854: .It vm.uvmexp2 struct uvmexp_sysctl no
1855: .It vm.vmmeter struct vmtotal no
1856: .El
1857: .Pp
1858: .Bl -tag -width "123456"
1859: .It Li vm.anonmax ( VM_ANONMAX )
1860: The percentage of physical memory which will be reclaimed
1861: from other types of memory usage to store anonymous application data.
1862: .It Li vm.anonmin ( VM_ANONMIN )
1863: The percentage of physical memory which will always be available for
1864: anonymous application data.
1865: .It Li vm.bufcache ( VM_BUFCACHE )
1866: The percentage of physical memory which will be available
1867: for the buffer cache.
1868: .It Li vm.bufmem ( VM_BUFMEM )
1869: The amount of kernel memory that is being used by the buffer cache.
1870: .It Li vm.bufmem_lowater ( VM_BUFMEM_LOWATER )
1871: The minimum amount of kernel memory to reserve for the
1872: buffer cache.
1873: .It Li vm.bufmem_hiwater ( VM_BUFMEM_HIWATER )
1874: The maximum amount of kernel memory to be used for the
1875: buffer cache.
1876: .It Li vm.execmax ( VM_EXECMAX )
1877: The percentage of physical memory which will be reclaimed
1878: from other types of memory usage to store cached executable data.
1879: .It Li vm.execmin ( VM_EXECMIN )
1880: The percentage of physical memory which will always be available for
1881: cached executable data.
1882: .It Li vm.filemax ( VM_FILEMAX )
1883: The percentage of physical memory which will be reclaimed
1884: from other types of memory usage to store cached file data.
1885: .It Li vm.filemin ( VM_FILEMIN )
1886: The percentage of physical memory which will always be available for
1887: cached file data.
1888: .It Li vm.loadavg ( VM_LOADAVG )
1889: Return the load average history.
1890: The returned data consists of a
1891: .Va struct loadavg .
1892: .It Li vm.maxslp ( VM_MAXSLP )
1893: The value of the maxslp kernel global variable.
1894: .It Li vm.vmmeter ( VM_METER )
1895: Return system wide virtual memory statistics.
1896: The returned data consists of a
1897: .Va struct vmtotal .
1898: .It Li vm.uspace ( VM_USPACE )
1899: The number of bytes allocated for each kernel stack.
1900: .It Li vm.uvmexp ( VM_UVMEXP )
1901: Return system wide virtual memory statistics.
1902: The returned data consists of a
1903: .Va struct uvmexp .
1904: .It Li vm.uvmexp2 ( VM_UVMEXP2 )
1905: Return system wide virtual memory statistics.
1906: The returned data consists of a
1907: .Va struct uvmexp_sysctl .
1908: .\" XXX vm.idlezero
1909: .El
1910: .Sh The ddb.* subtree ( CTL_DDB )
1911: The integer information available for the
1912: .Li ddb
1913: level is detailed below.
1914: The changeable column shows whether a process with appropriate
1915: privilege may change the value.
1916: .\" XXX sort
1917: .Bl -column "ddb.fromconsoleXXX" "integerXXX" -offset indent
1918: .It Sy Second level name Type Changeable
1919: .It ddb.radix integer yes
1920: .It ddb.maxoff integer yes
1921: .It ddb.lines integer yes
1922: .It ddb.tabstops integer yes
1923: .It ddb.onpanic integer yes
1924: .It ddb.fromconsole integer yes
1925: .El
1926: .Pp
1927: .Bl -tag -width "123456"
1928: .It Li ddb.radix ( DBCTL_RADIX )
1929: The input and output radix.
1930: .It Li ddb.maxoff ( DBCTL_MAXOFF )
1931: The maximum symbol offset.
1932: .It Li ddb.lines ( DBCTL_LINES )
1933: Number of display lines.
1934: .It Li ddb.tabstops ( DBCTL_TABSTOPS )
1935: Tab width.
1936: .It Li ddb.onpanic ( DBCTL_ONPANIC )
1937: If non-zero, DDB will be entered when the kernel panics.
1938: .It Li ddb.fromconsole ( DBCTL_FROMCONSOLE )
1939: If not zero, DDB may be entered by sending a break on a serial
1940: console or by a special key sequence on a graphics console.
1941: .\" XXX tee_msgbuf maxwidth commandonenter
1942: .El
1943: .Pp
1944: These MIB nodes are also available as variables from within the DDB.
1945: See
1946: .Xr ddb 4
1947: for more details.
1948: .Sh The security.* subtree ( CTL_SECURITY )
1949: The
1950: .Li security
1951: level contains various security-related settings for
1.2 wiz 1952: the system.
1953: Available settings are detailed below.
1.1 pavel 1954: .Pp
1955: .Bl -tag -width "123456"
1956: .It Li security.curtain
1957: If non-zero, returned objects are filtered according to the user-id
1958: requesting information about them, preventing users from accessing
1959: objects they do not own.
1960: .Pp
1961: At the moment, it affects
1962: .Xr ps 1 ,
1963: .Xr netstat 1
1964: (for
1965: .Dv PF_INET ,
1966: .Dv PF_INET6 ,
1967: and
1968: .Dv PF_UNIX
1969: PCBs), and
1970: .Xr w 1 .
1.4 elad 1971: .It Li security.models
1972: .Nx
1973: supports pluggable security models.
1974: Every security model used, whether loaded as an LKM or built with the system,
1975: is required to add an entry to this node with at least one element,
1976: .Dq name ,
1977: indicating the name of the security model.
1978: .Pp
1979: In addition to the name, any settings and other information private to the
1980: security model will be available under this node.
1981: See
1982: .Xr secmodel 9
1983: for more information.
1.1 pavel 1984: .It Li security.pax
1985: Settings for PaX -- exploit mitigation features.
1.4 elad 1986: For more information on any of the PaX features, please see
1987: .Xr paxctl 8
1988: and
1989: .Xr security 8 .
1.1 pavel 1990: .Pp
1991: .Bl -tag -width "123456"
1992: .It Li security.pax.mprotect.enable
1993: Enable PaX MPROTECT restrictions.
1994: .Pp
1995: These are
1996: .Xr mprotect 2
1.2 wiz 1997: restrictions to better enforce a W^X policy.
1998: The value of this
1.1 pavel 1999: knob must be non-zero for PaX MPROTECT to be enabled, even if a
2000: program is explicitly enabled.
2001: .It Li security.pax.mprotect.global
2002: Specifies the default global policy for programs without an
2003: explicit enable/disable flag.
2004: .Pp
2005: When non-zero, all programs will get the PaX MPROTECT restrictions,
2006: except those exempted with
1.4 elad 2007: .Xr paxctl 8 .
1.1 pavel 2008: Otherwise, no program will get the PaX MPROTECT restrictions,
2009: except those specifically marked as such with
1.4 elad 2010: .Xr paxctl 8 .
1.1 pavel 2011: .It Li security.pax.segvguard.enable
2012: Enable PaX Segvguard.
2013: .Pp
2014: PaX Segvguard can detect and prevent certain exploitation attempts, where
2015: an attacker may try for example to brute-force function return addresses
2016: of respawning daemons.
2017: .Pp
2018: .Em Note :
2019: The
2020: .Nx
2021: interface and implementation of the Segvguard is still experimental, and may
2022: change in future releases.
2023: .It Li security.pax.segvguard.global
2024: Specifies the default global policy for programs without an
2025: explicit enable/disable flag.
2026: .Pp
2027: When non-zero, all programs will get the PaX Segvguard,
2028: except those exempted with
1.4 elad 2029: .Xr paxctl 8 .
1.2 wiz 2030: Otherwise, no program will get the PaX Segvguard restrictions,
1.1 pavel 2031: except those specifically marked as such with
1.4 elad 2032: .Xr paxctl 8 .
1.1 pavel 2033: .It Li security.pax.segvguard.expiry_timeout
2034: If the maximum number of crashes was not reached within this timeout (in seconds), the entry
2035: will expire.
2036: .It Li security.pax.segvguard.suspend_timeout
2037: Number of seconds to suspend a user from running a faulting program when the
2038: limit was exceeded.
2039: .It Li security.pax.segvguard.max_crashes
2040: Max number of segfaults a program can receive before suspension.
2041: .El
2042: .El
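The following is an added example, not part of the manual page or of NetBSD: a shell audit that reads "name = value" sysctl output and decodes the icmp6.nodeinfo bits and the enable/global pair of each PaX feature as described above. The baseline it checks against (nodeinfo off, redirects refused, DDB not reachable from the console, curtain on, PaX features on by default) and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit security-relevant sysctl knobs described in sysctl(7).
# SAMPLE is constructed input in "name = value" form, not output from a real host.
SAMPLE='net.inet6.icmp6.nodeinfo = 3
net.inet6.icmp6.rediraccept = 1
ddb.fromconsole = 1
security.curtain = 0
security.pax.mprotect.enable = 1
security.pax.mprotect.global = 0
security.pax.segvguard.enable = 0
security.pax.segvguard.global = 1'

# get_knob NAME DUMP: print the value of NAME, or nothing if it is absent.
get_knob() {
    printf '%s\n' "$2" | awk -F' = ' -v k="$1" '$1 == k { print $2; exit }'
}

# nodeinfo_desc VALUE: decode the two icmp6.nodeinfo bits
# (1 = FQDN queries, 2 = node addresses queries).
nodeinfo_desc() {
    case $(( $1 & 3 )) in
        0) echo none ;;
        1) echo fqdn ;;
        2) echo addresses ;;
        3) echo fqdn,addresses ;;
    esac
}

# pax_state ENABLE GLOBAL: effective policy of one PaX feature.
# enable = 0 switches the feature off for every program, whatever paxctl(8) says.
pax_state() {
    if [ "${1:-0}" -eq 0 ]; then echo off
    elif [ "${2:-0}" -ne 0 ]; then echo default-on   # paxctl(8) can exempt programs
    else echo opt-in                                  # only marked programs covered
    fi
}

# audit DUMP: print one finding per line against the ASSUMED baseline;
# prints nothing when every checked knob meets it. Absent knobs are skipped,
# except PaX knobs, which are treated as 0 (feature not in effect).
audit() {
    d=$1
    v=$(get_knob net.inet6.icmp6.nodeinfo "$d")
    if [ -n "$v" ] && [ "$(nodeinfo_desc "$v")" != none ]; then
        echo "net.inet6.icmp6.nodeinfo: answers $(nodeinfo_desc "$v") queries"
    fi
    v=$(get_knob net.inet6.icmp6.rediraccept "$d")
    if [ -n "$v" ] && [ "$v" -ne 0 ]; then
        echo "net.inet6.icmp6.rediraccept: host accepts ICMPv6 redirects"
    fi
    v=$(get_knob ddb.fromconsole "$d")
    if [ -n "$v" ] && [ "$v" -ne 0 ]; then
        echo "ddb.fromconsole: DDB can be entered from the console"
    fi
    v=$(get_knob security.curtain "$d")
    if [ -n "$v" ] && [ "$v" -eq 0 ]; then
        echo "security.curtain: users can see objects they do not own"
    fi
    for f in mprotect segvguard; do
        s=$(pax_state "$(get_knob security.pax.$f.enable "$d")" \
                      "$(get_knob security.pax.$f.global "$d")")
        if [ "$s" != default-on ]; then
            echo "security.pax.$f: $s"
        fi
    done
    return 0
}

audit "$SAMPLE"   # against a live system, pass the output of sysctl(8) instead
```

With the constructed sample, every checked knob produces a finding; MPROTECT is reported as opt-in because enable is non-zero while global is zero, and Segvguard as off because its enable knob is zero even though global is set.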
2043: .Sh The vendor.* subtree ( CTL_VENDOR )
2044: The
2045: .Li vendor
2046: toplevel name is reserved to be used by vendors who wish to
2047: have their own private MIB tree.
2048: Intended use is to store values under
2049: .Dq vendor.\*[Lt]yourname\*[Gt].* .
2050: .Sh SEE ALSO
2051: .Xr sysctl 3 ,
2052: .Xr ipsec 4 ,
2053: .Xr tcp 4 ,
2054: .Xr security 8 ,
2055: .Xr sysctl 8
2056: .Sh HISTORY
2057: The
2058: .Nm
2059: variables first appeared in
2060: .Bx 4.4 .