The individual sysctl variables are described below, both the textual
and numeric form where applicable.
The textual names can be used as argument to the sysctl(8) utility and
in the file /etc/sysctl.conf.
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the sysctl(3) manual page for programming examples.
The top level names are defined in <sys/sysctl.h>,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
Name | Constant | Next level names | Description
kern | CTL_KERN | sys/sysctl.h | High kernel limits
vm | CTL_VM | uvm/uvm_param.h | Virtual memory
vfs | CTL_VFS | sys/mount.h | Filesystem
net | CTL_NET | sys/socket.h | Networking
debug | CTL_DEBUG | sys/sysctl.h | Debugging
hw | CTL_HW | sys/sysctl.h | Generic CPU, I/O
machdep | CTL_MACHDEP | sys/sysctl.h | Machine dependent
user | CTL_USER | sys/sysctl.h | User-level
ddb | CTL_DDB | sys/sysctl.h | In-kernel debugger
proc | CTL_PROC | sys/sysctl.h | Per-process
vendor | CTL_VENDOR | ? | Vendor specific
emul | CTL_EMUL | sys/sysctl.h | Emulation settings
security | CTL_SECURITY | sys/sysctl.h | Security settings
debug0 through debug19.
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable dospecialcheck as a debugging
variable, the following declaration would be used:
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
Note that the dynamic implementation of sysctl currently in use largely makes this particular sysctl interface obsolete. See sysctl(8) for more information.
vfs.generic (VFS_GENERIC), is used to get general information about all
filesystems.
One of its third level identifiers is vfs.generic.maxtypenum
(VFS_MAXTYPENUM) that gives the highest valid filesystem type number.
Its other third level identifier is vfs.generic.conf (VFS_CONF) that
returns configuration information about the filesystem type given as a
fourth level identifier.
The remaining second level identifiers are the filesystem type number
returned by a statvfs(2) call or from vfs.generic.conf.
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
hw level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
Second level name Type Changeable |
hw.acpi.supported_states string no |
hw.alignbytes integer no |
hw.byteorder integer no |
hw.cnmagic string yes |
hw.disknames string no |
hw.diskstats struct no |
hw.machine string no |
hw.machine_arch string no |
hw.model string no |
hw.ncpu integer no |
hw.pagesize integer no |
hw.physmem integer no |
hw.physmem64 quad no |
hw.usermem integer no |
hw.usermem64 quad no |
hw.acpi.support_states
hw.alignbytes (HW_ALIGNBYTES)
ALIGNBYTES in /usr/include/machine/param.h, at the kernel compilation time.
hw.byteorder (HW_BYTEORDER)
hw.cnmagic (HW_CNMAGIC)
hw.disknames (HW_DISKNAMES)
hw.iostatnames (HW_IOSTATNAMES)
hw.iostats (HW_IOSTATS)
IOSTAT_DISK (disk drive), IOSTAT_TAPE (tape drive), or IOSTAT_NFS (NFS mount).
hw.machine (HW_MACHINE)
hw.machine_arch (HW_MACHINE_ARCH)
hw.model (HW_MODEL)
hw.ncpu (HW_NCPU)
hw.pagesize (HW_PAGESIZE)
hw.physmem (HW_PHYSMEM)
hw.physmem64 (HW_PHYSMEM64)
hw.usermem (HW_USERMEM)
hw.usermem64 (HW_USERMEM64)
kern level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
Second level name Type Changeable |
kern.argmax integer no |
kern.autonicetime integer yes |
kern.autoniceval integer yes |
kern.boottime struct timeval no |
kern.bufq node not applicable |
kern.ccpu integer no |
kern.clockrate struct clockinfo no |
kern.consdev integer no |
kern.cp_id struct no |
kern.cp_time uint64_t[] no |
kern.defcorename string yes |
kern.domainname string yes |
kern.drivers struct kinfo_drivers no |
kern.file struct file no |
kern.forkfsleep integer yes |
kern.fscale integer no |
kern.fsync integer no |
kern.hardclock_ticks integer no |
kern.hostid integer yes |
kern.hostname string yes |
kern.iov_max integer no |
kern.job_control integer no |
kern.labeloffset integer no |
kern.labelsector integer no |
kern.login_name_max integer no |
kern.logsigexit integer yes |
kern.mapped_files integer no |
kern.maxfiles integer yes |
kern.maxpartitions integer no |
kern.maxphys integer no |
kern.maxproc integer yes |
kern.maxptys integer yes |
kern.maxvnodes integer yes |
kern.mbuf node not applicable |
kern.memlock integer no |
kern.memlock_range integer no |
kern.memory_protection integer no |
kern.monotonic_clock integer no |
kern.msgbuf integer no |
kern.msgbufsize integer no |
kern.ngroups integer no |
kern.ntptime struct ntptimeval no |
kern.osrelease string no |
kern.osrev integer no |
kern.ostype string no |
kern.pipe node not applicable |
kern.posix1 integer no |
kern.posix_barriers integer no |
kern.posix_reader_writer_locks integer no |
kern.posix_semaphores integer no |
kern.posix_spin_locks integer no |
kern.posix_threads integer no |
kern.posix_timers integer no |
kern.proc struct kinfo_proc no |
kern.proc2 struct kinfo_proc2 no |
kern.proc_args string no |
kern.prof node not applicable |
kern.rawpartition integer no |
kern.root_device string no |
kern.root_partition integer no |
kern.rtc_offset integer yes |
kern.saved_ids integer no |
kern.securelevel integer raise only |
kern.synchronized_io integer no |
kern.ipc node not applicable |
kern.timex struct no |
kern.tkstat node not applicable |
kern.urandom integer no |
kern.version string no |
kern.vnode struct vnode no |
kern.argmax (KERN_ARGMAX)
kern.autonicetime (KERN_AUTONICETIME)
kern.autoniceval (KERN_AUTONICEVAL)
kern.boottime (KERN_BOOTTIME)
kern.ccpu (KERN_CCPU)
kern.clockrate (KERN_CLOCKRATE)
kern.consdev (KERN_CONSDEV)
kern.cp_id (KERN_CP_ID)
kern.cp_time (KERN_CP_TIME)
kern.defcorename (KERN_DEFCORENAME)
proc.pid.corename in the per-process variables proc.*, and core(5) for format of this template).
The default value is %n.core and can be changed with the kernel
configuration option options DEFCORENAME (see options(4)).
kern.domainname (KERN_DOMAINNAME)
kern.dump_on_panic (KERN_DUMP_ON_PANIC)
kern.drivers (KERN_DRIVERS)
kern.file (KERN_FILE)
kern.forkfsleep (KERN_FORKFSLEEP)
EAGAIN error to process.
Useful to keep heavily forking runaway processes at bay.
Default zero (no sleep).
Maximum is 20 seconds.
kern.fscale (KERN_FSCALE)
kern.fsync (KERN_FSYNC)
kern.hardclock_ticks (KERN_HARDCLOCK_TICKS)
kern.hostid (KERN_HOSTID)
kern.hostname (KERN_HOSTNAME)
kern.iov_max (KERN_IOV_MAX)
kern.job_control (KERN_JOB_CONTROL)
kern.labeloffset (KERN_LABELOFFSET)
kern.labelsector (KERN_LABELSECTOR)
kern.login_name_max (KERN_LOGIN_NAME_MAX)
kern.logsigexit (KERN_LOGSIGEXIT)
kern.mapped_files (KERN_MAPPED_FILES)
kern.maxfiles (KERN_MAXFILES)
kern.maxpartitions (KERN_MAXPARTITIONS)
kern.maxphys (KERN_MAXPHYS)
kern.maxproc (KERN_MAXPROC)
kern.maxptys (KERN_MAXPTYS)
kern.maxvnodes (KERN_MAXVNODES)
kern.mbuf (KERN_MBUF)
Third level name Type Changeable |
kern.mbuf.mblowat integer yes |
kern.mbuf.mclbytes integer yes |
kern.mbuf.mcllowat integer yes |
kern.mbuf.msize integer yes |
kern.mbuf.nmbclusters integer yes |
The variables are as follows:
kern.mbuf.mblowat (MBUF_MBLOWAT)
kern.mbuf.mclbytes (MBUF_MCLBYTES)
kern.mbuf.mcllowat (MBUF_MCLLOWAT)
kern.mbuf.msize (MBUF_MSIZE)
kern.mbuf.nmbclusters (MBUF_NMBCLUSTERS)
kern.memlock (KERN_MEMLOCK)
kern.memlock_range (KERN_MEMLOCK_RANGE)
kern.memory_protection (KERN_MEMORY_PROTECTION)
kern.monotonic_clock (KERN_MONOTONIC_CLOCK)
kern.msgbuf (KERN_MSGBUF)
kern.msgbufsize (KERN_MSGBUFSIZE)
kern.ngroups (KERN_NGROUPS)
kern.ntptime (KERN_NTPTIME)
kern.osrelease (KERN_OSRELEASE)
kern.osrevision (KERN_OSREV)
kern.ostype (KERN_OSTYPE)
kern.pipe (KERN_PIPE)
Third level name Type Changeable |
kern.pipe.kvasiz integer yes |
kern.pipe.maxbigpipes integer yes |
kern.pipe.maxkvasz integer yes |
kern.pipe.limitkva integer yes |
kern.pipe.nbigpipes integer yes |
The variables are as follows:
kern.pipe.kvasiz (KERN_PIPE_KVASIZ)
kern.pipe.maxbigpipes (KERN_PIPE_MAXBIGPIPES)
kern.pipe.maxkvasz (KERN_PIPE_MAXKVASZ)
kern.pipe.limitkva (KERN_PIPE_LIMITKVA)
kern.pipe.nbigpipes (KERN_PIPE_NBIGPIPES)
kern.posix1version (KERN_POSIX1)
kern.posix_barriers (KERN_POSIX_BARRIERS)
kern.posix_reader_writer_locks (KERN_POSIX_READER_WRITER_LOCKS)
kern.posix_semaphores (KERN_POSIX_SEMAPHORES)
kern.posix_spin_locks (KERN_POSIX_SPIN_LOCKS)
kern.posix_threads (KERN_POSIX_THREADS)
kern.posix_timers (KERN_POSIX_TIMERS)
kern.proc (KERN_PROC)
Third level name | Fourth level is:
KERN_PROC_ALL | None
KERN_PROC_GID | A group ID
KERN_PROC_PID | A process ID
KERN_PROC_PGRP | A process group
KERN_PROC_RGID | A real group ID
KERN_PROC_RUID | A real user ID
KERN_PROC_SESSION | A session ID
KERN_PROC_TTY | A tty device
KERN_PROC_UID | A user ID
kern.proc2 (KERN_PROC2)
kern.proc_args (KERN_PROC_ARGS)
KERN_PROC_ARGV | The argv strings
KERN_PROC_ENV | The environ strings
KERN_PROC_NARGV | The number of argv strings
KERN_PROC_NENV | The number of environ strings
kern.profiling (KERN_PROF)
EOPNOTSUPP.
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
Third level name Type Changeable |
kern.profiling.count u_short[] yes |
kern.profiling.froms u_short[] yes |
kern.profiling.gmonparam struct gmonparam no |
kern.profiling.state integer yes |
kern.profiling.tos struct tostruct yes |
The variables are as follows:
kern.profiling.count (GPROF_COUNT)
kern.profiling.froms (GPROF_FROMS)
kern.profiling.gmonparams (GPROF_GMONPARAM)
kern.profiling.state (GPROF_STATE)
kern.profiling.tos (GPROF_TOS)
kern.rawpartition (KERN_RAWPARTITION)
kern.root_device (KERN_ROOT_DEVICE)
kern.root_partition (KERN_ROOT_PARTITION)
kern.rtc_offset (KERN_RTC_OFFSET)
kern.saved_ids (KERN_SAVED_IDS)
kern.sbmax (KERN_SBMAX)
kern.securelevel (KERN_SECURELVL)
kern.somaxkva (KERN_SOMAXKVA)
kern.synchronized_io (KERN_SYNCHRONIZED_IO)
kern.ipc (KERN_SYSVIPC)
Third level name Type Changeable |
kern.ipc.sysvmsg integer no |
kern.ipc.sysvsem integer no |
kern.ipc.sysvshm integer no |
kern.ipc.sysvipc_info struct no |
kern.ipc.shmmax integer yes |
kern.ipc.shmmni integer yes |
kern.ipc.shmseg integer yes |
kern.ipc.shmmaxpgs integer yes |
kern.ipc.shm_use_phys integer yes |
kern.ipc.msgmni integer yes |
kern.ipc.msgseg integer yes |
kern.ipc.semmni integer yes |
kern.ipc.semmns integer yes |
kern.ipc.semmnu integer yes |
kern.ipc.sysvmsg (KERN_SYSVIPC_MSG)
kern.ipc.sysvsem (KERN_SYSVIPC_SEM)
kern.ipc.sysvshm (KERN_SYSVIPC_SHM)
kern.ipc.sysvipc_info (KERN_SYSVIPC_INFO)
Fourth level name Type |
KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info |
KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info |
KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info |
KERN_SYSVIPC_MSG_INFO
<sys/msg.h>.
KERN_SYSVIPC_SEM_INFO
<sys/sem.h>.
KERN_SYSVIPC_SHM_INFO
<sys/shm.h>.
kern.ipc.shmmax (KERN_SYSVIPC_SHMMAX)
kern.ipc.shmmni (KERN_SYSVIPC_SHMMNI)
kern.ipc.shmseg (KERN_SYSVIPC_SHMSEG)
kern.ipc.shmmaxpgs (KERN_SYSVIPC_SHMMAXPGS)
kern.ipc.shm_use_phys (KERN_SYSVIPC_SHMUSEPHYS)
kern.ipc.msgmni
kern.ipc.msgseg
kern.ipc.semmni
kern.ipc.semmns
kern.ipc.semmnu
kern.timex (KERN_TIMEX)
kern.tkstat (KERN_TKSTAT)
Third level name Type Changeable |
kern.tkstat.cancc quad no |
kern.tkstat.nin quad no |
kern.tkstat.nout quad no |
kern.tkstat.rawcc quad no |
The variables are as follows:
kern.tkstat.cancc (KERN_TKSTAT_CANCC)
kern.tkstat.nin (KERN_TKSTAT_NIN)
kern.tkstat.nout (KERN_TKSTAT_NOUT)
kern.tkstat.rawcc (KERN_TKSTAT_RAWCC)
kern.urandom (KERN_URND)
kern.veriexec
kern.veriexec.algorithms
kern.veriexec.count
kern.veriexec.strict
kern.veriexec.verbose
kern.version (KERN_VERSION)
kern.vnode (KERN_VNODE)
kern.coredump.setid
kern.coredump.setid.dump
kern.coredump.setid.group
kern.coredump.setid.mode
kern.coredump.setid.owner
kern.coredump.setid.path
Second level name Type Changeable |
CPU_CONSDEV dev_t no |
net level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
Second level name | Type | Changeable
net.route | routing messages | no
net.inet | IPv4 values | yes
net.inet6 | IPv6 values | yes
net.key | IPsec key management values | yes
net.route (PF_ROUTE)
The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows:
Fifth level name Sixth level is: |
NET_RT_FLAGS rtflags |
NET_RT_DUMP None |
NET_RT_IFLIST None |
net.inet (PF_INET)
Protocol name Variable name Type Changeable |
arp down integer yes |
arp keep integer yes |
arp prune integer yes |
arp refresh integer yes |
carp allow integer yes |
carp preempt integer yes |
carp log integer yes |
carp arpbalance integer yes |
icmp errppslimit integer yes |
icmp maskrepl integer yes |
icmp rediraccept integer yes |
icmp redirtimeout integer yes |
ip allowsrcrt integer yes |
ip anonportmax integer yes |
ip anonportmin integer yes |
ip checkinterface integer yes |
ip directed-broadcast integer yes |
ip do_loopback_cksum integer yes |
ip forwarding integer yes |
ip forwsrcrt integer yes |
ip gifttl integer yes |
ip grettl integer yes |
ip hashsize integer yes |
ip hostzerobroadcast integer yes |
ip lowportmin integer yes |
ip lowportmax integer yes |
ip maxflows integer yes |
ip maxfragpackets integer yes |
ip mtudisc integer yes |
ip mtudisctimeout integer yes |
ip random_id integer yes |
ip redirect integer yes |
ip subnetsarelocal integer yes |
ip ttl integer yes |
tcp rfc1323 integer yes |
tcp sendspace integer yes |
tcp recvspace integer yes |
tcp mssdflt integer yes |
tcp syn_cache_limit integer yes |
tcp syn_bucket_limit integer yes |
tcp syn_cache_interval integer yes |
tcp init_win integer yes |
tcp init_win_local integer yes |
tcp mss_ifmtu integer yes |
tcp win_scale integer yes |
tcp timestamps integer yes |
tcp compat_42 integer yes |
tcp cwm integer yes |
tcp cwm_burstsize integer yes |
tcp ack_on_push integer yes |
tcp keepidle integer yes |
tcp keepintvl integer yes |
tcp keepcnt integer yes |
tcp slowhz integer no |
tcp keepinit integer yes |
tcp log_refused integer yes |
tcp rstppslimit integer yes |
tcp ident struct no |
tcp drop struct no |
tcp sack.enable integer yes |
tcp sack.globalholes integer no |
tcp sack.globalmaxholes integer yes |
tcp sack.maxholes integer yes |
tcp ecn.enable integer yes |
tcp ecn.maxretries integer yes |
tcp congctl.selected string yes |
tcp congctl.available string yes |
tcp abc.enable integer yes |
tcp abc.aggressive integer yes |
udp checksum integer yes |
udp do_loopback_cksum integer yes |
udp recvspace integer yes |
udp sendspace integer yes |
The variables are as follows:
arp.down
arp.keep
arp.prune
arp.refresh
carp.allow
carp.arpbalance
carp.log
carp.preempt
ip.allowsrcrt
ip.anonportmax
ip.anonportmin.
ip.anonportmin
ip.checkinterface
ip.directed-broadcast
ip.do_loopback_cksum
ip.forwarding
ip.forwsrcrt
ip.gifttl
ip.grettl
ip.hashsize
ip.maxflows.
ip.hostzerobroadcast
ip.lowportmax
ip.lowportmin.
ip.lowportmin
ip.lowportmax.
ip.maxflows
ip.maxflows controls the maximum amount of flows which can be created.
The default value is 256.
ip.maxfragpackets
ip.mtudisc
tcp.mssdflt (the local maximum segment size).
ip.mtudisctimeout
ip.random_id
ip.redirect
ip.subnetsarelocal
ip.ttl
icmp.errppslimit
icmp.maskrepl
icmp.rediraccept
icmp.redirtimeout
icmp.returndatabytes
tcp.ack_on_push
tcp.compat_42
tcp.cwm
tcp.cwm_burstsize
tcp.delack_ticks
tcp.do_loopback_cksum
tcp.init_win
tcp.init_win_local
tcp.init_win, but used when communicating with hosts on a local network.
tcp.keepcnt
tcp.keepidle
tcp.keepintvl
tcp.log_refused
tcp.keepinit
tcp.mss_ifmtu
tcp.mssdflt
(ip.mtudisc) is disabled.
Do not change this value unless you really know what you are doing.
tcp.recvspace
tcp.rfc1323
tcp.rstppslimit
tcp.ident
tcp.drop
tcp.sack.enable
tcp.sack.globalholes
tcp.sack.globalmaxholes
tcp.sack.maxholes
tcp.ecn.enable
tcp.ecn.maxretries
tcp.sendspace
tcp.slowhz
tcp.syn_bucket_limit
tcp.syn_cache_limit
tcp.timestamps
tcp.win_scale
tcp.congctl.available
tcp.congctl.selected
tcp.abc.enable
tcp.abc.aggressive
udp.checksum
udp.sendspace
udp.recvspace
For variables net.*.ipsec, please refer to ipsec(4).
net.inet6 (PF_INET6)
Protocol name Variable name Type Changeable |
icmp6 errppslimit integer yes |
icmp6 mtudisc_hiwat integer yes |
icmp6 mtudisc_lowat integer yes |
icmp6 nd6_debug integer yes |
icmp6 nd6_delay integer yes |
icmp6 nd6_maxnudhint integer yes |
icmp6 nd6_mmaxtries integer yes |
icmp6 nd6_prune integer yes |
icmp6 nd6_umaxtries integer yes |
icmp6 nd6_useloopback integer yes |
icmp6 nodeinfo integer yes |
icmp6 rediraccept integer yes |
icmp6 redirtimeout integer yes |
ip6 accept_rtadv integer yes |
ip6 anonportmax integer yes |
ip6 anonportmin integer yes |
ip6 auto_flowlabel integer yes |
ip6 dad_count integer yes |
ip6 defmcasthlim integer yes |
ip6 forwarding integer yes |
ip6 gifhlim integer yes |
ip6 hashsize integer yes |
ip6 hlim integer yes |
ip6 hdrnestlimit integer yes |
ip6 kame_version string no |
ip6 keepfaith integer yes |
ip6 log_interval integer yes |
ip6 lowportmax integer yes |
ip6 lowportmin integer yes |
ip6 maxflows integer yes |
ip6 maxfragpackets integer yes |
ip6 maxfrags integer yes |
ip6 redirect integer yes |
ip6 rr_prune integer yes |
ip6 use_deprecated integer yes |
ip6 v6only integer yes |
udp6 do_loopback_cksum integer yes |
udp6 recvspace integer yes |
udp6 sendspace integer yes |
The variables are as follows:
ip6.accept_rtadv
ip6.anonportmax
ip6.anonportmin.
ip6.anonportmin
ip6.auto_flowlabel
ip6.dad_count
ip6.defmcasthlim
ip6.forwarding
ip6.gifhlim
ip6.hdrnestlimit
ip6.hashsize
ip6.maxflows.
ip6.hlim
ip6.kame_version
ip6.keepfaith
ip6.log_interval
ip6.lowportmax
ip6.lowportmin.
ip6.lowportmin
ip6.lowportmax.
ip6.maxflows
ip6.maxflows controls the maximum amount of flows which can be created.
The default value is 256.
ip6.maxfragpackets
ip6.maxfrags
ip6.redirect
ip6.rr_prune
ip6.use_deprecated
ip6.v6only
IPV6_V6ONLY socket option for AF_INET6 socket.
Please refer to ip6(4) for detail.
icmp6.errppslimit
icmp6.mtudisc_hiwat
icmp6.mtudisc_lowat
icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages.
icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages.
Verification is performed by using address/port pairs kept in connected pcbs.
Negative value disables the upper limit.
icmp6.nd6_debug
icmp6.nd6_delay
DELAY_FIRST_PROBE_TIME timing constant in IPv6 neighbor discovery
specification (RFC 2461), in seconds.
icmp6.nd6_maxnudhint
icmp6.nd6_mmaxtries
MAX_MULTICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_prune
icmp6.nd6_umaxtries
MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_useloopback
icmp6.nodeinfo
ping6 -w.
ping6 -a.
icmp6.rediraccept
icmp6.redirtimeout
udp6.do_loopback_cksum
udp6.recvspace
udp6.sendspace
We reuse net.*.tcp for TCP over IPv6,
and therefore we do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp.
Please refer to PF_INET section above.
For variables net.*.ipsec6, please refer to ipsec(4).
net.key (PF_KEY)
Variable name Type Changeable |
debug integer yes |
spi_try integer yes |
spi_min_value integer yes |
spi_max_value integer yes |
larval_lifetime integer yes |
blockacq_count integer yes |
blockacq_lifetime integer yes |
esp_keymin integer yes |
esp_auth integer yes |
ah_keymin integer yes |
debug
/usr/include/netkey/key_debug.h.
spi_try
spi_min_value
spi_max_value
larval_lifetime
blockacq_count
blockacq_lifetime
esp_keymin
esp_auth
ah_keymin
proc level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
Third level name Type Changeable |
proc.pid.corename string yes |
proc.pid.rlimit node not applicable |
proc.pid.stopfork int yes |
proc.pid.stopexec int yes |
proc.pid.stopexit int yes |
proc.pid.corename (PROC_PID_CORENAME)
proc.pid.rlimit (PROC_PID_LIMIT)
proc.pid.rlimit.cputime (PROC_PID_LIMIT_CPU)
proc.pid.rlimit.filesize (PROC_PID_LIMIT_FSIZE)
proc.pid.rlimit.datasize (PROC_PID_LIMIT_DATA)
proc.pid.rlimit.stacksize (PROC_PID_LIMIT_STACK)
proc.pid.rlimit.coredumpsize (PROC_PID_LIMIT_CORE)
core file that may be created.
proc.pid.rlimit.memoryuse (PROC_PID_LIMIT_RSS)
proc.pid.rlimit.memorylocked (PROC_PID_LIMIT_MEMLOCK)
proc.pid.rlimit.maxproc (PROC_PID_LIMIT_NPROC)
proc.pid.rlimit.descriptors (PROC_PID_LIMIT_NOFILE)
proc.pid.rlimit.sbsize (PROC_PID_LIMIT_SBSIZE)
SO_RCVBUF and SO_SNDBUF options.
The fifth level name is one of soft (PROC_PID_LIMIT_TYPE_SOFT) or
hard (PROC_PID_LIMIT_TYPE_HARD), to select respectively the soft or
hard limit.
Both are of type integer.
proc.pid.stopfork (PROC_PID_STOPFORK)
This value is inherited by the process's children, and it also
applies to emulation specific system calls that fork a new process,
such as sproc() or clone().
proc.pid.stopexec (PROC_PID_STOPEXEC)
This value is inherited by the process's children.
proc.pid.stopexit (PROC_PID_STOPEXIT)
This value is also inherited by the process's children.
user level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
Second level name Type Changeable |
user.atexit_max integer no |
user.bc_base_max integer no |
user.bc_dim_max integer no |
user.bc_scale_max integer no |
user.bc_string_max integer no |
user.coll_weights_max integer no |
user.cs_path string no |
user.expr_nest_max integer no |
user.line_max integer no |
user.posix2_c_bind integer no |
user.posix2_c_dev integer no |
user.posix2_char_term integer no |
user.posix2_fort_dev integer no |
user.posix2_fort_run integer no |
user.posix2_localedef integer no |
user.posix2_sw_dev integer no |
user.posix2_upe integer no |
user.posix2_version integer no |
user.re_dup_max integer no |
user.stream_max integer no |
user.tzname_max integer no |
user.atexit_max (USER_ATEXIT_MAX)
user.bc_base_max (USER_BC_BASE_MAX)
user.bc_dim_max (USER_BC_DIM_MAX)
user.bc_scale_max (USER_BC_SCALE_MAX)
user.bc_string_max (USER_BC_STRING_MAX)
user.coll_weights_max (USER_COLL_WEIGHTS_MAX)
user.cs_path (USER_CS_PATH)
PATH environment variable that finds all the standard utilities.
user.expr_nest_max (USER_EXPR_NEST_MAX)
user.line_max (USER_LINE_MAX)
user.posix2_char_term (USER_POSIX2_CHAR_TERM)
user.posix2_c_bind (USER_POSIX2_C_BIND)
user.posix2_c_dev (USER_POSIX2_C_DEV)
user.posix2_fort_dev (USER_POSIX2_FORT_DEV)
user.posix2_fort_run (USER_POSIX2_FORT_RUN)
user.posix2_localedef (USER_POSIX2_LOCALEDEF)
user.posix2_sw_dev (USER_POSIX2_SW_DEV)
user.posix2_upe (USER_POSIX2_UPE)
user.posix2_version (USER_POSIX2_VERSION)
user.re_dup_max (USER_RE_DUP_MAX)
user.stream_max (USER_STREAM_MAX)
user.tzname_max (USER_TZNAME_MAX)
vm level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
Second level name Type Changeable |
vm.anonmax int yes |
vm.anonmin int yes |
vm.bufcache int yes |
vm.bufmem int no |
vm.bufmem_hiwater int yes |
vm.bufmem_lowater int yes |
vm.execmax int yes |
vm.execmin int yes |
vm.filemax int yes |
vm.filemin int yes |
vm.loadavg struct loadavg no |
vm.maxslp int no |
vm.nkmempages int no |
vm.uspace int no |
vm.uvmexp struct uvmexp no |
vm.uvmexp2 struct uvmexp_sysctl no |
vm.vmmeter struct vmtotal no |
vm.anonmax (VM_ANONMAX)
vm.anonmin (VM_ANONMIN)
vm.bufcache (VM_BUFCACHE)
vm.bufmem (VM_BUFMEM)
vm.bufmem_lowater (VM_BUFMEM_LOWATER)
vm.bufmem_hiwater (VM_BUFMEM_HIWATER)
vm.execmax (VM_EXECMAX)
vm.execmin (VM_EXECMIN)
vm.filemax (VM_FILEMAX)
vm.filemin (VM_FILEMIN)
vm.loadavg (VM_LOADAVG)
vm.maxslp (VM_MAXSLP)
vm.vmmeter (VM_METER)
vm.uspace (VM_USPACE)
vm.uvmexp (VM_UVMEXP)
vm.uvmexp2 (VM_UVMEXP2)
ddb level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
Second level name Type Changeable |
ddb.radix integer yes |
ddb.maxoff integer yes |
ddb.lines integer yes |
ddb.tabstops integer yes |
ddb.onpanic integer yes |
ddb.fromconsole integer yes |
ddb.radix (DBCTL_RADIX)
ddb.maxoff (DBCTL_MAXOFF)
ddb.lines (DBCTL_LINES)
ddb.tabstops (DBCTL_TABSTOPS)
ddb.onpanic (DBCTL_ONPANIC)
ddb.fromconsole (DBCTL_FROMCONSOLE)
These MIB nodes are also available as variables from within the DDB. See ddb(4) for more details.
security level contains various security-related settings for
the system.
Available settings are detailed below.
security.curtain
At the moment, it affects ps(1), netstat(1) (for PF_INET, PF_INET6,
and PF_UNIX PCBs), and w(1).
security.models
In addition to the name, any settings and other information private to the security model will be available under this node. See secmodel(9) for more information.
security.pax
security.pax.aslr.enable
The value of this knob must be non-zero for PaX ASLR to be enabled, even if a program is set to explicit enable.
security.pax.aslr.global
When non-zero, all programs will get PaX ASLR, except those exempted with paxctl(8). Otherwise, all programs will not get PaX ASLR, except those specifically marked as such with paxctl(8).
security.pax.mprotect.enable
These are mprotect(2) restrictions to better enforce a W^X policy. The value of this knob must be non-zero for PaX MPROTECT to be enabled, even if a program is set to explicit enable.
security.pax.mprotect.global
When non-zero, all programs will get the PaX MPROTECT restrictions, except those exempted with paxctl(8). Otherwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with paxctl(8).
security.pax.segvguard.enable
PaX Segvguard can detect and prevent certain exploitation attempts, where an attacker may try for example to brute-force function return addresses of respawning daemons.
Note: The NetBSD interface and implementation of the Segvguard is still experimental, and may change in future releases.
security.pax.segvguard.global
When non-zero, all programs will get the PaX Segvguard, except those exempted with paxctl(8). Otherwise, no program will get the PaX Segvguard restrictions, except those specifically marked as such with paxctl(8).
security.pax.segvguard.expiry_timeout
security.pax.segvguard.suspend_timeout
security.pax.segvguard.max_crashes
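The enable/global rule described above for security.pax.aslr and security.pax.mprotect, worked through as an added example (not code from NetBSD or from this manual page): a POSIX shell check that reads settings in /etc/sysctl.conf syntax and reports whether a program ends up with the feature. The sample file contents, the function names, and the enable/disable/none labels for a program's paxctl(8) marking are assumptions made for the example.

```sh
#!/bin/sh
# Added example: resolve the PaX enable/global knobs from sysctl.conf text.

# Constructed sample in /etc/sysctl.conf syntax (name=value, '#' comments).
SAMPLE_CONF='# constructed sample, not taken from a real host
security.pax.aslr.enable=1
security.pax.aslr.global=0
security.pax.mprotect.enable=0
security.pax.mprotect.global=1
security.pax.mprotect.enable=1   # assumed: a later assignment wins
security.curtain=1'

# conf_get NAME TEXT: print the last value assigned to NAME, nothing if unset.
conf_get() {
    printf '%s\n' "$2" | awk -v want="$1" '
    {
        sub(/#.*/, "")                      # drop comments
        eq = index($0, "=")
        if (eq == 0) next                   # not an assignment
        name = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)   # trim surrounding blanks
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (name == want) { last = val; seen = 1 }
    }
    END { if (seen) print last }'
}

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# pax_effective FEATURE MARK TEXT
#   FEATURE: aslr | mprotect (the node under security.pax)
#   MARK:    per-program paxctl(8) state, modelled here as
#            enable | disable | none (hypothetical labels, not paxctl flags)
#   prints:  on | off | unknown | invalid
pax_effective() {
    _en=$(conf_get "security.pax.$1.enable" "$3")
    _gl=$(conf_get "security.pax.$1.global" "$3")
    # Knob absent from the file: the kernel default applies, which the
    # file alone cannot tell us.
    [ -n "$_en" ] || { echo unknown; return 0; }
    is_uint "$_en" || { echo invalid; return 0; }
    # enable=0 closes the gate even for explicitly enabled programs.
    [ "$_en" -ne 0 ] || { echo off; return 0; }
    case $2 in
        enable)  echo on ;;      # marked: gets it whatever global says
        disable) echo off ;;     # exempted: never gets it
        none)
            [ -n "$_gl" ] || { echo unknown; return 0; }
            is_uint "$_gl" || { echo invalid; return 0; }
            if [ "$_gl" -ne 0 ]; then echo on; else echo off; fi ;;
        *) echo invalid ;;
    esac
}

# pax_report TEXT: one line per feature, for unmarked and marked programs.
pax_report() {
    for _f in aslr mprotect; do
        printf 'security.pax.%s unmarked=%s marked=%s\n' "$_f" \
            "$(pax_effective "$_f" none "$1")" \
            "$(pax_effective "$_f" enable "$1")"
    done
}

pax_report "$SAMPLE_CONF"
```

An "unknown" result means the file leaves the knob at the kernel default, so the running value has to be read with sysctl(8) on the host itself.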
vendor toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under ``vendor.<yourname>.*''.