The individual sysctl variables are described below, in both textual and
numeric form where applicable.
The textual names can be used as arguments to the
sysctl(8)
utility and in the file
/etc/sysctl.conf.
The numeric names are usually defined as preprocessor constants and
are intended for use by programs.
Every such constant expands to one integer, which identifies the
sysctl variable relative to the upper level of the tree.
See the
sysctl(3)
manual page for programming examples.
The top level names are defined with a CTL_ prefix in
<sys/sysctl.h>,
and are as follows.
The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
| Name Constant Next level names Description |
| kern CTL_KERN sys/sysctl.h High kernel limits |
| vm CTL_VM uvm/uvm_param.h Virtual memory |
| vfs CTL_VFS sys/mount.h Filesystem |
| net CTL_NET sys/socket.h Networking |
| debug CTL_DEBUG sys/sysctl.h Debugging |
| hw CTL_HW sys/sysctl.h Generic CPU, I/O |
| machdep CTL_MACHDEP sys/sysctl.h Machine dependent |
| user CTL_USER sys/sysctl.h User-level |
| ddb CTL_DDB sys/sysctl.h In-kernel debugger |
| proc CTL_PROC sys/sysctl.h Per-process |
| vendor CTL_VENDOR ? Vendor specific |
| emul CTL_EMUL sys/sysctl.h Emulation settings |
| security CTL_SECURITY sys/sysctl.h Security settings |
The system defines twenty struct ctldebug variables named
debug0
through
debug19.
They are declared as separate variables so that they can be
individually initialized at the location of their associated variable.
The loader prevents multiple use of the same variable by issuing errors
if a variable is initialized in more than one place.
For example, to export the variable
dospecialcheck
as a debugging variable, the following declaration would be used:
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
Note that the dynamic implementation of sysctl currently in use largely makes this particular sysctl interface obsolete. See sysctl(8) for more information.
A distinguished second level name,
vfs.generic (VFS_GENERIC),
is used to get general information about all filesystems.
One of its third level identifiers is
vfs.generic.maxtypenum (VFS_MAXTYPENUM),
which gives the highest valid filesystem type number.
Its other third level identifier is
vfs.generic.conf (VFS_CONF),
which returns configuration information about the filesystem
type given as a fourth level identifier.
The remaining second level identifiers are the
filesystem type number returned by a
statvfs(2)
call or from
vfs.generic.conf.
The third level identifiers available for each filesystem
are given in the header file that defines the mount
argument structure for that filesystem.
The string and integer information available for the hw level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
| Second level name Type Changeable |
| hw.acpi.supported_states string no |
| hw.alignbytes integer no |
| hw.byteorder integer no |
| hw.cnmagic string yes |
| hw.disknames string no |
| hw.diskstats struct no |
| hw.machine string no |
| hw.machine_arch string no |
| hw.model string no |
| hw.ncpu integer no |
| hw.pagesize integer no |
| hw.physmem integer no |
| hw.physmem64 quad no |
| hw.usermem integer no |
| hw.usermem64 quad no |
The variables are as follows:
hw.acpi.supported_states
hw.alignbytes (HW_ALIGNBYTES)
    ALIGNBYTES in /usr/include/machine/param.h, at the kernel compilation time.
hw.byteorder (HW_BYTEORDER)
hw.cnmagic (HW_CNMAGIC)
hw.disknames (HW_DISKNAMES)
hw.iostatnames (HW_IOSTATNAMES)
hw.iostats (HW_IOSTATS)
    IOSTAT_DISK (disk drive), IOSTAT_TAPE (tape drive), or IOSTAT_NFS (NFS mount).
hw.machine (HW_MACHINE)
hw.machine_arch (HW_MACHINE_ARCH)
hw.model (HW_MODEL)
hw.ncpu (HW_NCPU)
hw.pagesize (HW_PAGESIZE)
hw.physmem (HW_PHYSMEM)
hw.physmem64 (HW_PHYSMEM64)
hw.usermem (HW_USERMEM)
hw.usermem64 (HW_USERMEM64)
The string and integer information available for the kern level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The types of data currently available are process information,
system vnodes, the open file entries, routing table entries,
virtual memory statistics, load average history, and clock rate
information.
| Second level name Type Changeable |
| kern.argmax integer no |
| kern.autonicetime integer yes |
| kern.autoniceval integer yes |
| kern.boottime struct timeval no |
| kern.bufq node not applicable |
| kern.ccpu integer no |
| kern.clockrate struct clockinfo no |
| kern.consdev integer no |
| kern.cp_id struct no |
| kern.cp_time uint64_t[] no |
| kern.defcorename string yes |
| kern.domainname string yes |
| kern.drivers struct kinfo_drivers no |
| kern.file struct file no |
| kern.forkfsleep integer yes |
| kern.fscale integer no |
| kern.fsync integer no |
| kern.hardclock_ticks integer no |
| kern.hostid integer yes |
| kern.hostname string yes |
| kern.iov_max integer no |
| kern.job_control integer no |
| kern.labeloffset integer no |
| kern.labelsector integer no |
| kern.login_name_max integer no |
| kern.logsigexit integer yes |
| kern.mapped_files integer no |
| kern.maxfiles integer yes |
| kern.maxpartitions integer no |
| kern.maxphys integer no |
| kern.maxproc integer yes |
| kern.maxptys integer yes |
| kern.maxvnodes integer yes |
| kern.mbuf node not applicable |
| kern.memlock integer no |
| kern.memlock_range integer no |
| kern.memory_protection integer no |
| kern.monotonic_clock integer no |
| kern.msgbuf integer no |
| kern.msgbufsize integer no |
| kern.ngroups integer no |
| kern.ntptime struct ntptimeval no |
| kern.osrelease string no |
| kern.osrev integer no |
| kern.ostype string no |
| kern.pipe node not applicable |
| kern.posix1 integer no |
| kern.posix_barriers integer no |
| kern.posix_reader_writer_locks integer no |
| kern.posix_semaphores integer no |
| kern.posix_spin_locks integer no |
| kern.posix_threads integer no |
| kern.posix_timers integer no |
| kern.proc struct kinfo_proc no |
| kern.proc2 struct kinfo_proc2 no |
| kern.proc_args string no |
| kern.prof node not applicable |
| kern.rawpartition integer no |
| kern.root_device string no |
| kern.root_partition integer no |
| kern.rtc_offset integer yes |
| kern.saved_ids integer no |
| kern.securelevel integer raise only |
| kern.synchronized_io integer no |
| kern.ipc node not applicable |
| kern.timex struct no |
| kern.tkstat node not applicable |
| kern.urandom integer no |
| kern.version string no |
| kern.vnode struct vnode no |
The variables are as follows:
kern.argmax (KERN_ARGMAX)
kern.autonicetime (KERN_AUTONICETIME)
kern.autoniceval (KERN_AUTONICEVAL)
kern.boottime (KERN_BOOTTIME)
kern.ccpu (KERN_CCPU)
kern.clockrate (KERN_CLOCKRATE)
kern.consdev (KERN_CONSDEV)
kern.cp_id (KERN_CP_ID)
kern.cp_time (KERN_CP_TIME)
kern.defcorename (KERN_DEFCORENAME)
    See proc.pid.corename in the per-process variables proc.*, and core(5) for the format of this template. The default value is %n.core and can be changed with the kernel configuration option options DEFCORENAME (see options(4)).
kern.domainname (KERN_DOMAINNAME)
kern.dump_on_panic (KERN_DUMP_ON_PANIC)
kern.drivers (KERN_DRIVERS)
kern.file (KERN_FILE)
kern.forkfsleep (KERN_FORKFSLEEP)
    EAGAIN error to process. Useful to keep heavily forking runaway processes at bay. Default zero (no sleep). Maximum is 20 seconds.
kern.fscale (KERN_FSCALE)
kern.fsync (KERN_FSYNC)
kern.hardclock_ticks (KERN_HARDCLOCK_TICKS)
kern.hostid (KERN_HOSTID)
kern.hostname (KERN_HOSTNAME)
kern.iov_max (KERN_IOV_MAX)
kern.job_control (KERN_JOB_CONTROL)
kern.labeloffset (KERN_LABELOFFSET)
kern.labelsector (KERN_LABELSECTOR)
kern.login_name_max (KERN_LOGIN_NAME_MAX)
kern.logsigexit (KERN_LOGSIGEXIT)
kern.mapped_files (KERN_MAPPED_FILES)
kern.maxfiles (KERN_MAXFILES)
kern.maxpartitions (KERN_MAXPARTITIONS)
kern.maxphys (KERN_MAXPHYS)
kern.maxproc (KERN_MAXPROC)
kern.maxptys (KERN_MAXPTYS)
kern.maxvnodes (KERN_MAXVNODES)
kern.mbuf (KERN_MBUF)
| Third level name Type Changeable |
| kern.mbuf.mblowat integer yes |
| kern.mbuf.mclbytes integer yes |
| kern.mbuf.mcllowat integer yes |
| kern.mbuf.msize integer yes |
| kern.mbuf.nmbclusters integer yes |
The variables are as follows:
kern.mbuf.mblowat (MBUF_MBLOWAT)
kern.mbuf.mclbytes (MBUF_MCLBYTES)
kern.mbuf.mcllowat (MBUF_MCLLOWAT)
kern.mbuf.msize (MBUF_MSIZE)
kern.mbuf.nmbclusters (MBUF_NMBCLUSTERS)
kern.memlock (KERN_MEMLOCK)
kern.memlock_range (KERN_MEMLOCK_RANGE)
kern.memory_protection (KERN_MEMORY_PROTECTION)
kern.monotonic_clock (KERN_MONOTONIC_CLOCK)
kern.msgbuf (KERN_MSGBUF)
kern.msgbufsize (KERN_MSGBUFSIZE)
kern.ngroups (KERN_NGROUPS)
kern.ntptime (KERN_NTPTIME)
kern.osrelease (KERN_OSRELEASE)
kern.osrevision (KERN_OSREV)
kern.ostype (KERN_OSTYPE)
kern.pipe (KERN_PIPE)
| Third level name Type Changeable |
| kern.pipe.kvasiz integer yes |
| kern.pipe.maxbigpipes integer yes |
| kern.pipe.maxkvasz integer yes |
| kern.pipe.limitkva integer yes |
| kern.pipe.nbigpipes integer yes |
The variables are as follows:
kern.pipe.kvasiz (KERN_PIPE_KVASIZ)
kern.pipe.maxbigpipes (KERN_PIPE_MAXBIGPIPES)
kern.pipe.maxkvasz (KERN_PIPE_MAXKVASZ)
kern.pipe.limitkva (KERN_PIPE_LIMITKVA)
kern.pipe.nbigpipes (KERN_PIPE_NBIGPIPES)
kern.posix1version (KERN_POSIX1)
kern.posix_barriers (KERN_POSIX_BARRIERS)
kern.posix_reader_writer_locks (KERN_POSIX_READER_WRITER_LOCKS)
kern.posix_semaphores (KERN_POSIX_SEMAPHORES)
kern.posix_spin_locks (KERN_POSIX_SPIN_LOCKS)
kern.posix_threads (KERN_POSIX_THREADS)
kern.posix_timers (KERN_POSIX_TIMERS)
kern.proc (KERN_PROC)
| Third level name Fourth level is: |
| KERN_PROC_ALL None |
| KERN_PROC_GID A group ID |
| KERN_PROC_PID A process ID |
| KERN_PROC_PGRP A process group |
| KERN_PROC_RGID A real group ID |
| KERN_PROC_RUID A real user ID |
| KERN_PROC_SESSION A session ID |
| KERN_PROC_TTY A tty device |
| KERN_PROC_UID A user ID |
kern.proc2 (KERN_PROC2)
kern.proc_args (KERN_PROC_ARGS)
| KERN_PROC_ARGV The argv strings |
| KERN_PROC_ENV The environ strings |
| KERN_PROC_NARGV The number of argv strings |
| KERN_PROC_NENV The number of environ strings |
kern.profiling (KERN_PROF)
    EOPNOTSUPP.
The third level names for the string and integer profiling information
are detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
| Third level name Type Changeable |
| kern.profiling.count u_short[] yes |
| kern.profiling.froms u_short[] yes |
| kern.profiling.gmonparam struct gmonparam no |
| kern.profiling.state integer yes |
| kern.profiling.tos struct tostruct yes |
The variables are as follows:
kern.profiling.count (GPROF_COUNT)
kern.profiling.froms (GPROF_FROMS)
kern.profiling.gmonparam (GPROF_GMONPARAM)
kern.profiling.state (GPROF_STATE)
kern.profiling.tos (GPROF_TOS)
kern.rawpartition (KERN_RAWPARTITION)
kern.root_device (KERN_ROOT_DEVICE)
kern.root_partition (KERN_ROOT_PARTITION)
kern.rtc_offset (KERN_RTC_OFFSET)
kern.saved_ids (KERN_SAVED_IDS)
kern.sbmax (KERN_SBMAX)
kern.securelevel (KERN_SECURELVL)
kern.somaxkva (KERN_SOMAXKVA)
kern.synchronized_io (KERN_SYNCHRONIZED_IO)
kern.ipc (KERN_SYSVIPC)
| Third level name Type Changeable |
| kern.ipc.sysvmsg integer no |
| kern.ipc.sysvsem integer no |
| kern.ipc.sysvshm integer no |
| kern.ipc.sysvipc_info struct no |
| kern.ipc.shmmax integer yes |
| kern.ipc.shmmni integer yes |
| kern.ipc.shmseg integer yes |
| kern.ipc.shmmaxpgs integer yes |
| kern.ipc.shm_use_phys integer yes |
| kern.ipc.msgmni integer yes |
| kern.ipc.msgseg integer yes |
| kern.ipc.semmni integer yes |
| kern.ipc.semmns integer yes |
| kern.ipc.semmnu integer yes |
kern.ipc.sysvmsg (KERN_SYSVIPC_MSG)
kern.ipc.sysvsem (KERN_SYSVIPC_SEM)
kern.ipc.sysvshm (KERN_SYSVIPC_SHM)
kern.ipc.sysvipc_info (KERN_SYSVIPC_INFO)
| Fourth level name Type |
| KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info |
| KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info |
| KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info |
The structure returned for KERN_SYSVIPC_MSG_INFO is defined in <sys/msg.h>,
the one for KERN_SYSVIPC_SEM_INFO in <sys/sem.h>,
and the one for KERN_SYSVIPC_SHM_INFO in <sys/shm.h>.
kern.ipc.shmmax (KERN_SYSVIPC_SHMMAX)
kern.ipc.shmmni (KERN_SYSVIPC_SHMMNI)
kern.ipc.shmseg (KERN_SYSVIPC_SHMSEG)
kern.ipc.shmmaxpgs (KERN_SYSVIPC_SHMMAXPGS)
kern.ipc.shm_use_phys (KERN_SYSVIPC_SHMUSEPHYS)
kern.ipc.msgmni
kern.ipc.msgseg
kern.ipc.semmni
kern.ipc.semmns
kern.ipc.semmnu
kern.timex (KERN_TIMEX)
kern.tkstat (KERN_TKSTAT)
| Third level name Type Changeable |
| kern.tkstat.cancc quad no |
| kern.tkstat.nin quad no |
| kern.tkstat.nout quad no |
| kern.tkstat.rawcc quad no |
The variables are as follows:
kern.tkstat.cancc (KERN_TKSTAT_CANCC)
kern.tkstat.nin (KERN_TKSTAT_NIN)
kern.tkstat.nout (KERN_TKSTAT_NOUT)
kern.tkstat.rawcc (KERN_TKSTAT_RAWCC)
kern.urandom (KERN_URND)
kern.veriexec
kern.veriexec.algorithms
kern.veriexec.count
kern.veriexec.strict
kern.veriexec.verbose
kern.version (KERN_VERSION)
kern.vnode (KERN_VNODE)
kern.coredump.setid
kern.coredump.setid.dump
kern.coredump.setid.group
kern.coredump.setid.mode
kern.coredump.setid.owner
kern.coredump.setid.path
The machdep level is machine dependent, so the set of variables varies by architecture.
Most architectures define at least the following:
| Second level name Type Changeable |
| CPU_CONSDEV dev_t no |
The string and integer information available for the net level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
The second and third levels are typically the protocol family and
protocol number, though this is not always the case.
| Second level name Type Changeable |
| net.route routing messages no |
| net.inet IPv4 values yes |
| net.inet6 IPv6 values yes |
| net.key IPsec key management values yes |
net.route (PF_ROUTE)
The third level name is a protocol number, which is currently always 0.
The fourth level name is an address family, which may be set to 0 to select all address families.
The fifth and sixth level names are as follows:
| Fifth level name Sixth level is: |
| NET_RT_FLAGS rtflags |
| NET_RT_DUMP None |
| NET_RT_IFLIST None |
net.inet (PF_INET)
| Protocol name Variable name Type Changeable |
| arp down integer yes |
| arp keep integer yes |
| arp prune integer yes |
| arp refresh integer yes |
| carp allow integer yes |
| carp preempt integer yes |
| carp log integer yes |
| carp arpbalance integer yes |
| icmp errppslimit integer yes |
| icmp maskrepl integer yes |
| icmp rediraccept integer yes |
| icmp redirtimeout integer yes |
| ip allowsrcrt integer yes |
| ip anonportmax integer yes |
| ip anonportmin integer yes |
| ip checkinterface integer yes |
| ip directed-broadcast integer yes |
| ip do_loopback_cksum integer yes |
| ip forwarding integer yes |
| ip forwsrcrt integer yes |
| ip gifttl integer yes |
| ip grettl integer yes |
| ip hashsize integer yes |
| ip hostzerobroadcast integer yes |
| ip lowportmin integer yes |
| ip lowportmax integer yes |
| ip maxflows integer yes |
| ip maxfragpackets integer yes |
| ip mtudisc integer yes |
| ip mtudisctimeout integer yes |
| ip random_id integer yes |
| ip redirect integer yes |
| ip subnetsarelocal integer yes |
| ip ttl integer yes |
| tcp rfc1323 integer yes |
| tcp sendspace integer yes |
| tcp recvspace integer yes |
| tcp mssdflt integer yes |
| tcp syn_cache_limit integer yes |
| tcp syn_bucket_limit integer yes |
| tcp syn_cache_interval integer yes |
| tcp init_win integer yes |
| tcp init_win_local integer yes |
| tcp mss_ifmtu integer yes |
| tcp win_scale integer yes |
| tcp timestamps integer yes |
| tcp compat_42 integer yes |
| tcp cwm integer yes |
| tcp cwm_burstsize integer yes |
| tcp ack_on_push integer yes |
| tcp keepidle integer yes |
| tcp keepintvl integer yes |
| tcp keepcnt integer yes |
| tcp slowhz integer no |
| tcp keepinit integer yes |
| tcp log_refused integer yes |
| tcp rstppslimit integer yes |
| tcp ident struct no |
| tcp drop struct no |
| tcp sack.enable integer yes |
| tcp sack.globalholes integer no |
| tcp sack.globalmaxholes integer yes |
| tcp sack.maxholes integer yes |
| tcp ecn.enable integer yes |
| tcp ecn.maxretries integer yes |
| tcp congctl.selected string yes |
| tcp congctl.available string yes |
| tcp abc.enable integer yes |
| tcp abc.aggressive integer yes |
| udp checksum integer yes |
| udp do_loopback_cksum integer yes |
| udp recvspace integer yes |
| udp sendspace integer yes |
The variables are as follows:
arp.down
arp.keep
arp.prune
arp.refresh
carp.allow
carp.arpbalance
carp.log
carp.preempt
ip.allowsrcrt
ip.anonportmax (see also ip.anonportmin)
ip.anonportmin
ip.checkinterface
ip.directed-broadcast
ip.do_loopback_cksum
ip.forwarding
ip.forwsrcrt
ip.gifttl
ip.grettl
ip.hashsize (see also ip.maxflows)
ip.hostzerobroadcast
ip.lowportmax (see also ip.lowportmin)
ip.lowportmin (see also ip.lowportmax)
ip.maxflows
    Controls the maximum number of flows which can be created. The default value is 256.
ip.maxfragpackets
ip.mtudisc (see also tcp.mssdflt, the local maximum segment size)
ip.mtudisctimeout
ip.random_id
ip.redirect
ip.subnetsarelocal
ip.ttl
icmp.errppslimit
icmp.maskrepl
icmp.rediraccept
icmp.redirtimeout
icmp.returndatabytes
tcp.ack_on_push
tcp.compat_42
tcp.cwm
tcp.cwm_burstsize
tcp.delack_ticks
tcp.do_loopback_cksum
tcp.init_win
tcp.init_win_local
    As tcp.init_win, but used when communicating with hosts on a local network.
tcp.keepcnt
tcp.keepidle
tcp.keepintvl
tcp.log_refused
tcp.keepinit
tcp.mss_ifmtu
tcp.mssdflt
    Applies when MTU discovery (ip.mtudisc) is disabled. Do not change this value unless you really know what you are doing.
tcp.recvspace
tcp.rfc1323
tcp.rstppslimit
tcp.ident
tcp.drop
tcp.sack.enable
tcp.sack.globalholes
tcp.sack.globalmaxholes
tcp.sack.maxholes
tcp.ecn.enable
tcp.ecn.maxretries
tcp.sendspace
tcp.slowhz
tcp.syn_bucket_limit
tcp.syn_cache_limit
tcp.timestamps
tcp.win_scale
tcp.congctl.available
tcp.congctl.selected
tcp.abc.enable
tcp.abc.aggressive
udp.checksum
udp.sendspace
udp.recvspace
For variables net.*.ipsec, please refer to ipsec(4).
net.inet6 (PF_INET6)
| Protocol name Variable name Type Changeable |
| icmp6 errppslimit integer yes |
| icmp6 mtudisc_hiwat integer yes |
| icmp6 mtudisc_lowat integer yes |
| icmp6 nd6_debug integer yes |
| icmp6 nd6_delay integer yes |
| icmp6 nd6_maxnudhint integer yes |
| icmp6 nd6_mmaxtries integer yes |
| icmp6 nd6_prune integer yes |
| icmp6 nd6_umaxtries integer yes |
| icmp6 nd6_useloopback integer yes |
| icmp6 nodeinfo integer yes |
| icmp6 rediraccept integer yes |
| icmp6 redirtimeout integer yes |
| ip6 accept_rtadv integer yes |
| ip6 anonportmax integer yes |
| ip6 anonportmin integer yes |
| ip6 auto_flowlabel integer yes |
| ip6 dad_count integer yes |
| ip6 defmcasthlim integer yes |
| ip6 forwarding integer yes |
| ip6 gifhlim integer yes |
| ip6 hashsize integer yes |
| ip6 hlim integer yes |
| ip6 hdrnestlimit integer yes |
| ip6 kame_version string no |
| ip6 keepfaith integer yes |
| ip6 log_interval integer yes |
| ip6 lowportmax integer yes |
| ip6 lowportmin integer yes |
| ip6 maxflows integer yes |
| ip6 maxfragpackets integer yes |
| ip6 maxfrags integer yes |
| ip6 redirect integer yes |
| ip6 rr_prune integer yes |
| ip6 use_deprecated integer yes |
| ip6 v6only integer yes |
| udp6 do_loopback_cksum integer yes |
| udp6 recvspace integer yes |
| udp6 sendspace integer yes |
The variables are as follows:
ip6.accept_rtadv
ip6.anonportmax (see also ip6.anonportmin)
ip6.anonportmin
ip6.auto_flowlabel
ip6.dad_count
ip6.defmcasthlim
ip6.forwarding
ip6.gifhlim
ip6.hdrnestlimit
ip6.hashsize (see also ip6.maxflows)
ip6.hlim
ip6.kame_version
ip6.keepfaith
ip6.log_interval
ip6.lowportmax (see also ip6.lowportmin)
ip6.lowportmin (see also ip6.lowportmax)
ip6.maxflows
    Controls the maximum number of flows which can be created. The default value is 256.
ip6.maxfragpackets
ip6.maxfrags
ip6.redirect
ip6.rr_prune
ip6.use_deprecated
ip6.v6only
    See the IPV6_V6ONLY socket option for AF_INET6 sockets; please refer to ip6(4) for detail.
icmp6.errppslimit
icmp6.mtudisc_hiwat
icmp6.mtudisc_lowat
    icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed using address/port pairs kept in connected pcbs. A negative value disables the upper limit.
icmp6.nd6_debug
icmp6.nd6_delay
    The DELAY_FIRST_PROBE_TIME timing constant in the IPv6 neighbor discovery specification (RFC 2461), in seconds.
icmp6.nd6_maxnudhint
icmp6.nd6_mmaxtries
    The MAX_MULTICAST_SOLICIT constant in the IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_prune
icmp6.nd6_umaxtries
    The MAX_UNICAST_SOLICIT constant in the IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_useloopback
icmp6.nodeinfo
    Relates to the node information queries sent by ping6 -w and ping6 -a.
icmp6.rediraccept
icmp6.redirtimeout
udp6.do_loopback_cksum
udp6.recvspace
udp6.sendspace
We reuse net.*.tcp for TCP over IPv6, and therefore do not have variables net.*.tcp6.
Variables net.inet6.udp6 have identical meaning to net.inet.udp; please refer to the PF_INET section above.
For variables net.*.ipsec6, please refer to ipsec(4).
net.key (PF_KEY)
| Variable name Type Changeable |
| debug integer yes |
| spi_try integer yes |
| spi_min_value integer yes |
| spi_max_value integer yes |
| larval_lifetime integer yes |
| blockacq_count integer yes |
| blockacq_lifetime integer yes |
| esp_keymin integer yes |
| esp_auth integer yes |
| ah_keymin integer yes |
debug
    Refer to /usr/include/netkey/key_debug.h.
spi_try
spi_min_value
spi_max_value
larval_lifetime
blockacq_count
blockacq_lifetime
esp_keymin
esp_auth
ah_keymin
The string and integer information available for the proc level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
These values are per-process,
and as such may change from one process to another.
When a process is created,
the default values are inherited from its parent.
When a set-user-ID or set-group-ID binary is executed, the
value of PROC_PID_CORENAME is reset to the system default value.
The second level name is either the magic value PROC_CURPROC, which
points to the current process, or the PID of the target process.
| Third level name Type Changeable |
| proc.pid.corename string yes |
| proc.pid.rlimit node not applicable |
| proc.pid.stopfork int yes |
| proc.pid.stopexec int yes |
| proc.pid.stopexit int yes |
proc.pid.corename (PROC_PID_CORENAME)
proc.pid.rlimit (PROC_PID_LIMIT)
proc.pid.rlimit.cputime (PROC_PID_LIMIT_CPU)
proc.pid.rlimit.filesize (PROC_PID_LIMIT_FSIZE)
proc.pid.rlimit.datasize (PROC_PID_LIMIT_DATA)
proc.pid.rlimit.stacksize (PROC_PID_LIMIT_STACK)
proc.pid.rlimit.coredumpsize (PROC_PID_LIMIT_CORE)
    Limit on the size of a core file that may be created.
proc.pid.rlimit.memoryuse (PROC_PID_LIMIT_RSS)
proc.pid.rlimit.memorylocked (PROC_PID_LIMIT_MEMLOCK)
proc.pid.rlimit.maxproc (PROC_PID_LIMIT_NPROC)
proc.pid.rlimit.descriptors (PROC_PID_LIMIT_NOFILE)
The fifth level name is one of
soft (PROC_PID_LIMIT_TYPE_SOFT) or
hard (PROC_PID_LIMIT_TYPE_HARD),
to select respectively the soft or hard limit.
Both are of type integer.
proc.pid.stopfork (PROC_PID_STOPFORK)
    This value is inherited by the process's children, and it also applies to emulation-specific system calls that fork a new process, such as sproc() or clone().
proc.pid.stopexec (PROC_PID_STOPEXEC)
    This value is inherited by the process's children.
proc.pid.stopexit (PROC_PID_STOPEXIT)
    This value is also inherited by the process's children.
The string and integer information available for the user level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
| Second level name Type Changeable |
| user.atexit_max integer no |
| user.bc_base_max integer no |
| user.bc_dim_max integer no |
| user.bc_scale_max integer no |
| user.bc_string_max integer no |
| user.coll_weights_max integer no |
| user.cs_path string no |
| user.expr_nest_max integer no |
| user.line_max integer no |
| user.posix2_c_bind integer no |
| user.posix2_c_dev integer no |
| user.posix2_char_term integer no |
| user.posix2_fort_dev integer no |
| user.posix2_fort_run integer no |
| user.posix2_localedef integer no |
| user.posix2_sw_dev integer no |
| user.posix2_upe integer no |
| user.posix2_version integer no |
| user.re_dup_max integer no |
| user.stream_max integer no |
| user.tzname_max integer no |
user.atexit_max (USER_ATEXIT_MAX)
user.bc_base_max (USER_BC_BASE_MAX)
user.bc_dim_max (USER_BC_DIM_MAX)
user.bc_scale_max (USER_BC_SCALE_MAX)
user.bc_string_max (USER_BC_STRING_MAX)
user.coll_weights_max (USER_COLL_WEIGHTS_MAX)
user.cs_path (USER_CS_PATH)
    A value for the PATH environment variable that finds all the standard utilities.
user.expr_nest_max (USER_EXPR_NEST_MAX)
user.line_max (USER_LINE_MAX)
user.posix2_char_term (USER_POSIX2_CHAR_TERM)
user.posix2_c_bind (USER_POSIX2_C_BIND)
user.posix2_c_dev (USER_POSIX2_C_DEV)
user.posix2_fort_dev (USER_POSIX2_FORT_DEV)
user.posix2_fort_run (USER_POSIX2_FORT_RUN)
user.posix2_localedef (USER_POSIX2_LOCALEDEF)
user.posix2_sw_dev (USER_POSIX2_SW_DEV)
user.posix2_upe (USER_POSIX2_UPE)
user.posix2_version (USER_POSIX2_VERSION)
user.re_dup_max (USER_RE_DUP_MAX)
user.stream_max (USER_STREAM_MAX)
user.tzname_max (USER_TZNAME_MAX)
The string and integer information available for the vm level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
| Second level name Type Changeable |
| vm.anonmax int yes |
| vm.anonmin int yes |
| vm.bufcache int yes |
| vm.bufmem int no |
| vm.bufmem_hiwater int yes |
| vm.bufmem_lowater int yes |
| vm.execmax int yes |
| vm.execmin int yes |
| vm.filemax int yes |
| vm.filemin int yes |
| vm.loadavg struct loadavg no |
| vm.maxslp int no |
| vm.nkmempages int no |
| vm.uspace int no |
| vm.uvmexp struct uvmexp no |
| vm.uvmexp2 struct uvmexp_sysctl no |
| vm.vmmeter struct vmtotal no |
vm.anonmax (VM_ANONMAX)
vm.anonmin (VM_ANONMIN)
vm.bufcache (VM_BUFCACHE)
vm.bufmem (VM_BUFMEM)
vm.bufmem_lowater (VM_BUFMEM_LOWATER)
vm.bufmem_hiwater (VM_BUFMEM_HIWATER)
vm.execmax (VM_EXECMAX)
vm.execmin (VM_EXECMIN)
vm.filemax (VM_FILEMAX)
vm.filemin (VM_FILEMIN)
vm.loadavg (VM_LOADAVG)
vm.maxslp (VM_MAXSLP)
vm.vmmeter (VM_METER)
vm.uspace (VM_USPACE)
vm.uvmexp (VM_UVMEXP)
vm.uvmexp2 (VM_UVMEXP2)
The string and integer information available for the ddb level is detailed below.
The changeable column shows whether a process with appropriate
privilege may change the value.
| Second level name Type Changeable |
| ddb.radix integer yes |
| ddb.maxoff integer yes |
| ddb.lines integer yes |
| ddb.tabstops integer yes |
| ddb.onpanic integer yes |
| ddb.fromconsole integer yes |
ddb.radix (DBCTL_RADIX)
ddb.maxoff (DBCTL_MAXOFF)
ddb.lines (DBCTL_LINES)
ddb.tabstops (DBCTL_TABSTOPS)
ddb.onpanic (DBCTL_ONPANIC)
ddb.fromconsole (DBCTL_FROMCONSOLE)
These MIB nodes are also available as variables from within the DDB.
See ddb(4) for more details.
The security level contains various security-related settings for
the system.
Available settings are detailed below.
security.curtain
    At the moment, it affects ps(1), netstat(1) (for PF_INET, PF_INET6, and PF_UNIX PCBs), and w(1).
security.models
    In addition to the name, any settings and other information private to the security model will be available under this node. See secmodel(9) for more information.
security.pax
security.pax.aslr.enable
    The value of this knob must be non-zero for PaX ASLR to be enabled, even if a program is set to explicit enable.
security.pax.aslr.global
    When non-zero, all programs will get PaX ASLR, except those exempted with paxctl(8). Otherwise, no program will get PaX ASLR, except those specifically marked as such with paxctl(8).
security.pax.mprotect.enable
    These are mprotect(2) restrictions to better enforce a W^X policy. The value of this knob must be non-zero for PaX MPROTECT to be enabled, even if a program is set to explicit enable.
security.pax.mprotect.global
    When non-zero, all programs will get the PaX MPROTECT restrictions, except those exempted with paxctl(8). Otherwise, no program will get the PaX MPROTECT restrictions, except those specifically marked as such with paxctl(8).
security.pax.segvguard.enable
    PaX Segvguard can detect and prevent certain exploitation attempts, where an attacker may try for example to brute-force function return addresses of respawning daemons.
    Note: The NetBSD interface and implementation of the Segvguard is still experimental, and may change in future releases.
security.pax.segvguard.global
    When non-zero, all programs will get the PaX Segvguard, except those exempted with paxctl(8). Otherwise, no program will get the PaX Segvguard restrictions, except those specifically marked as such with paxctl(8).
security.pax.segvguard.expiry_timeout
security.pax.segvguard.suspend_timeout
security.pax.segvguard.max_crashes
The vendor toplevel name is reserved to be used by vendors who wish to
have their own private MIB tree.
Intended use is to store values under
``vendor.<yourname>.*''.
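As an added example (not part of this manual page), a POSIX sh audit that compares a sysctl(8) snapshot in the "name = value" form printed by sysctl -a against a small hardening baseline built from knobs described above (kern.securelevel, security.pax.*, kern.coredump.setid.dump, and the net.inet source-route and redirect knobs). The sample snapshot and the baseline values are this example's own assumptions, not settings the page states; kern.securelevel is checked as a lower bound because the page marks it "raise only".

```shell
#!/bin/sh
# Added example, not taken from the sysctl(7) page: audit a NetBSD sysctl(8)
# snapshot ("name = value" lines, as printed by sysctl -a) against a small
# hardening baseline. Baseline values are this example's own assumptions.

# CONSTRUCTED sample snapshot (not captured from a real host).
SAMPLE_SNAPSHOT='kern.securelevel = 0
kern.logsigexit = 1
security.pax.aslr.enable = 1
security.pax.aslr.global = 0
security.pax.mprotect.enable = 0
security.pax.mprotect.global = 1
net.inet.ip.allowsrcrt = 1
net.inet.ip.forwsrcrt = 0
net.inet.ip.redirect = 1
net.inet.icmp.rediraccept = 1
net.inet6.icmp6.rediraccept = 0
kern.coredump.setid.dump = 0'

# Baseline rows: name, operator, expected value. "ge" is a lower bound, the
# natural check for kern.securelevel, which the page marks "raise only".
BASELINE='kern.securelevel ge 1
security.pax.aslr.enable eq 1
security.pax.aslr.global eq 1
security.pax.mprotect.enable eq 1
security.pax.mprotect.global eq 1
security.pax.segvguard.enable eq 1
net.inet.ip.allowsrcrt eq 0
net.inet.ip.forwsrcrt eq 0
net.inet.ip.redirect eq 0
net.inet.icmp.rediraccept eq 0
net.inet6.icmp6.rediraccept eq 0
kern.coredump.setid.dump eq 0'

# snapshot_get NAME SNAPSHOT: print NAME's value (first word after "="), or
# nothing if the knob is absent. Only integer knobs are compared here.
snapshot_get() {
    printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "=" { print $3; exit }'
}

# is_int VALUE: succeed only for an optionally signed decimal integer, so a
# garbled value is reported as a deviation instead of breaking the test.
is_int() {
    case $1 in
        ''|-|*[!0-9-]*|*?-*) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_snapshot SNAPSHOT: print one line per deviation from BASELINE, either
# "FAIL name = have (want op value)" or "MISSING name (want op value)".
# Always returns 0 so it is safe inside command substitutions under set -e.
audit_snapshot() {
    snap=$1
    while read -r name op want; do
        have=$(snapshot_get "$name" "$snap")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s %s)\n' "$name" "$op" "$want"
            continue
        fi
        ok=1
        if ! is_int "$have"; then
            ok=0
        elif [ "$op" = eq ]; then
            [ "$have" -eq "$want" ] || ok=0
        else
            [ "$have" -ge "$want" ] || ok=0
        fi
        [ "$ok" -eq 1 ] ||
            printf 'FAIL %s = %s (want %s %s)\n' "$name" "$have" "$op" "$want"
    done <<EOF
$BASELINE
EOF
    return 0
}

# failure_count SNAPSHOT: number of deviations; 0 means the host matches.
failure_count() {
    audit_snapshot "$1" | awk 'END { print NR }'
}

# Stand-alone run over the constructed snapshot; on a NetBSD host use the
# live state instead: audit_snapshot "$(sysctl -a)"
audit_snapshot "$SAMPLE_SNAPSHOT"
echo "deviations: $(failure_count "$SAMPLE_SNAPSHOT")"
```

A knob that is absent from the snapshot (here security.pax.segvguard.enable) is reported as MISSING rather than silently passing, so a kernel built without a feature still shows up in the audit.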