Top level names

The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and are as follows. The next and subsequent levels down are found in the include files listed here, and described in separate sections below.

Name	Constant	Next level names	Description
kern	CTL_KERN	<sys/sysctl.h>	High kernel limits
vm	CTL_VM	<uvm/uvm_param.h>	Virtual memory
vfs	CTL_VFS	<sys/mount.h>	Filesystem
net	CTL_NET	<sys/socket.h>	Networking
debug	CTL_DEBUG	<sys/sysctl.h>	Debugging
hw	CTL_HW	<sys/sysctl.h>	Generic CPU, I/O
machdep	CTL_MACHDEP	<sys/sysctl.h>	Machine dependent
user	CTL_USER	<sys/sysctl.h>	User-level
ddb	CTL_DDB	<sys/sysctl.h>	In-kernel debugger
proc	CTL_PROC	<sys/sysctl.h>	Per-process
vendor	CTL_VENDOR	?	Vendor specific
emul	CTL_EMUL	<sys/sysctl.h>	Emulation settings
security	CTL_SECURITY	<sys/sysctl.h>	Security settings

The debug.* subtree

The debugging variables vary from system to system. A debugging variable may be added or deleted without need to recompile sysctl to know about it. Each time it runs, sysctl gets the list of debugging variables from the kernel and displays their current values. The system defines twenty (struct ctldebug) variables named debug0 through debug19. They are declared as separate variables so that they can be individually initialized at the location of their associated variable. The loader prevents multiple use of the same variable by issuing errors if a variable is initialized in more than one place. For example, to export the variable dospecialcheck as a debugging variable, the following declaration would be used:

int dospecialcheck = 1; 
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };

Note that the dynamic implementation of sysctl currently in use largely makes this particular sysctl interface obsolete. See sysctl(8) for more information.

The vfs.* subtree

A distinguished second level name, vfs.generic (VFS_GENERIC), is used to get general information about all file systems. It has the following third level identifiers:

vfs.generic.maxtypenum (VFS_MAXTYPENUM)

The highest valid file system type number.

vfs.generic.conf (VFS_CONF)

Returns configuration information about the file system type given as a fourth level identifier.

vfs.generic.usermount (VFS_USERMOUNT)

Determines if non superuser mounts are allowed, defaults to 0.

vfs.generic.magiclinks (VFS_MAGICLINKS)

Controls if expansion of variables is going to be performed on pathnames or not. Defaults to no variable expansion, 0. Variables are of the form @name and the variables supported are described in symlink(7) under “MAGIC SYMLINKS”.

A second level name for controlling the wapbl(4) (Write Ahead Physical Block Logging file system journalling) capabilities with the following third level identifiers:

vfs.wapbl.flush_disk_cache

Controls whether to attempt to flush the disk cache on each commit. It defaults to 1 and it should always be on to ensure integrity of file system metadata in the event of a power loss. For slow disks, turning it off can improve performance.

vfs.wapbl.verbose_commit

For each transaction log commit, print the number of bytes written and the time it took to commit as seconds.nanoseconds.

The remaining second level identifiers are the file system names, identified by the type number returned by a statvfs(2) call or from vfs.generic.conf.

The third level identifiers available for each file system are given in the header file that defines the mount argument structure for that file system.

The hw.* subtree

The string and integer information available for the hw level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Second level name	Type	Changeable
hw.alignbytes	integer	no
hw.byteorder	integer	no
hw.cnmagic	string	yes
hw.disknames	string	no
hw.diskstats	struct	no
hw.machine	string	no
hw.machine_arch	string	no
hw.model	string	no
hw.ncpu	integer	no
hw.ncpuonline	integer	no
hw.pagesize	integer	no
hw.physmem	integer	no
hw.physmem64	quad	no
hw.usermem	integer	no
hw.usermem64	quad	no

hw.alignbytes (HW_ALIGNBYTES)

Alignment constraint for all possible data types. This shows the value ALIGNBYTES in <machine/param.h>, at the kernel compilation time.

hw.byteorder (HW_BYTEORDER)

The byteorder (4321, or 1234).

hw.cnmagic (HW_CNMAGIC)

The console magic key sequence.

hw.disknames (HW_DISKNAMES)

The list of (space separated) disk device names on the system.

hw.iostatnames (HW_IOSTATNAMES)

A space separated list of devices that will have I/O statistics collected on them.

hw.iostats (HW_IOSTATS)

Return statistical information on the NFS mounts, disk and tape devices on the system. An array of struct io_sysctl structures is returned, whose size depends on the current number of such objects in the system. The third level name is the size of the struct io_sysctl. The type of object can be determined by examining the type element of struct io_sysctl. Which can be IOSTAT_DISK (disk drive), IOSTAT_TAPE (tape drive), or IOSTAT_NFS (NFS mount).

hw.machine (HW_MACHINE)

The machine class.

hw.machine_arch (HW_MACHINE_ARCH)

The machine CPU class.

hw.model (HW_MODEL)

The machine model.

hw.ncpu (HW_NCPU)

The number of CPUs configured.

hw.ncpuonline (HW_NCPUONLINE)

The number of CPUs online.

hw.pagesize (HW_PAGESIZE)

The software page size.

hw.physmem (HW_PHYSMEM)

The bytes of physical memory as a 32-bit integer.

hw.physmem64 (HW_PHYSMEM64)

The bytes of physical memory as a 64-bit integer.

hw.usermem (HW_USERMEM)

The bytes of non-kernel memory as a 32-bit integer.

hw.usermem64 (HW_USERMEM64)

The bytes of non-kernel memory as a 64-bit integer.

The kern.* subtree

This subtree includes data generally related to the kernel. The string and integer information available for the kern level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Second level name	Type	Changeable
kern.aio_listio_max	integer	yes
kern.aio_max	integer	yes
kern.arandom	integer	no
kern.argmax	integer	no
kern.boothowto	integer	no
kern.boottime	struct timeval	no
kern.buildinfo	string	no
kern.ccpu	integer	no
kern.clockrate	struct clockinfo	no
kern.consdev	integer	no
kern.coredump	node	not applicable
kern.cp_id	struct	no
kern.cp_time	uint64_t[]	no
kern.cryptodevallowsoft	integer	yes
kern.defcorename	string	yes
kern.detachall	integer	yes
kern.domainname	string	yes
kern.drivers	struct kinfo_drivers	no
kern.dump_on_panic	integer	yes
kern.file	struct file	no
kern.forkfsleep	integer	yes
kern.fscale	integer	no
kern.fsync	integer	no
kern.hardclock_ticks	integer	no
kern.hostid	integer	yes
kern.hostname	string	yes
kern.iov_max	integer	no
kern.ipc	node	not applicable
kern.job_control	integer	no
kern.labeloffset	integer	no
kern.labelsector	integer	no
kern.login_name_max	integer	no
kern.logsigexit	integer	yes
kern.mapped_files	integer	no
kern.maxfiles	integer	yes
kern.maxlwp	integer	yes
kern.maxpartitions	integer	no
kern.maxphys	integer	no
kern.maxproc	integer	yes
kern.maxptys	integer	yes
kern.maxvnodes	integer	yes
kern.mbuf	node	not applicable
kern.memlock	integer	no
kern.memlock_range	integer	no
kern.memory_protection	integer	no
kern.module	node	not applicable
kern.monotonic_clock	integer	no
kern.mqueue	node	not applicable
kern.msgbuf	integer	no
kern.msgbufsize	integer	no
kern.ngroups	integer	no
kern.ntptime	struct ntptimeval	no
kern.osrelease	string	no
kern.osrevision	integer	no
kern.ostype	string	no
kern.pipe	node	not applicable
kern.pool	struct pool_sysctl	no
kern.posix1version	integer	no
kern.posix_aio	integer	no
kern.posix_barriers	integer	no
kern.posix_reader_writer_locks	integer	no
kern.posix_semaphores	integer	no
kern.posix_spin_locks	integer	no
kern.posix_threads	integer	no
kern.posix_timers	integer	no
kern.proc	struct kinfo_proc	no
kern.proc2	struct kinfo_proc2	no
kern.proc_args	string	no
kern.profiling	node	not applicable
kern.rawpartition	integer	no
kern.root_device	string	no
kern.root_partition	integer	no
kern.rtc_offset	integer	yes
kern.saved_ids	integer	no
kern.sbmax	integer	yes
kern.securelevel	integer	raise only
kern.somaxkva	integer	yes
kern.synchronized_io	integer	no
kern.timecounter	node	not applicable
kern.timex	struct	no
kern.tkstat	node	not applicable
kern.tty	node	not applicable
kern.urandom	integer	no
kern.usercrypto	integer	yes
kern.userasymcrypto	integer	yes
kern.veriexec	node	not applicable
kern.version	string	no
kern.vnode	struct vnode	no

kern.aio_listio_max

The maximum number of asynchronous I/O operations in a single list I/O call. Like with all variables related to aio(3), the variable may be created and removed dynamically upon loading or unloading the corresponding kernel module.

kern.aio_max

The maximum number of asynchronous I/O operations.

kern.arandom

This variable picks a random number each time it is queried. The used random number generator (RNG) is based on arc4random(3).

kern.argmax (KERN_ARGMAX)

The maximum bytes of argument to execve(2).

kern.boothowto

Flags passed from the boot loader; see reboot(2) for the meanings of the flags.

kern.boottime (KERN_BOOTTIME)

A struct timeval structure is returned. This structure contains the time that the system was booted.

kern.buildinfo

When the kernel is built, the build environment may optionally provide arbitrary information to be stored in this variable.

kern.ccpu (KERN_CCPU)

The scheduler exponential decay value.

kern.clockrate (KERN_CLOCKRATE)

A struct clockinfo structure is returned. This structure contains the clock, statistics clock and profiling clock frequencies, the number of micro-seconds per hz tick, and the clock skew rate. Refer to hz(9) for additional details.

kern.consdev (KERN_CONSDEV)

Console device.

kern.coredump

Settings related to set-id processes coredumps. By default, set-id processes do not dump core in situations where other processes would. The settings in this node allows an administrator to change this behavior.

The third level name is kern.coredump.setid and fourth level variables are described below.

Fourth level name	Type	Changeable
kern.coredump.setid.dump	integer	yes
kern.coredump.setid.group	integer	yes
kern.coredump.setid.mode	integer	yes
kern.coredump.setid.owner	integer	yes
kern.coredump.setid.path	string	yes

kern.coredump.setid.dump

If non-zero, set-id processes will dump core.

kern.coredump.setid.group

The group-id for the set-id processes' coredump.

kern.coredump.setid.mode

The mode for the set-id processes' coredump. See chmod(1).

kern.coredump.setid.owner

The user-id that will be used as the owner of the set-id processes' coredump.

kern.coredump.setid.path

The path to which set-id processes' coredumps will be saved to. Same syntax as kern.defcorename.

kern.cp_id (KERN_CP_ID)

Mapping of CPU number to CPU id.

kern.cp_time (KERN_CP_TIME)

Returns an array of CPUSTATES uint64_ts. This array contains the number of clock ticks spent in different CPU states. On multi-processor systems, the sum across all CPUs is returned unless appropriate space is given for one data set for each CPU. Data for a specific CPU can also be obtained by adding the number of the CPU at the end of the MIB, enlarging it by one.

kern.cryptodevallowsoft

This variable controls userland access to hardware versus software transforms in the crypto(4) system. The available values are as follows:

< 0

Always force userlevel requests to use software transforms.

= 0

If present, use hardware and grant userlevel requests for non-accelerated transforms (handling the latter in software).

> 0

Allow user requests only for transforms which are hardware-accelerated.

kern.defcorename (KERN_DEFCORENAME)

Default template for the name of core dump files (see also proc.pid.corename in the per-process variables proc.*, and core(5) for format of this template). The default value is %n.core and can be changed with the kernel configuration option options DEFCORENAME (see options(4) ).

kern.detachall

Detach all devices at shutdown.

kern.domainname (KERN_DOMAINNAME)

Get or set the YP domain name.

kern.drivers (KERN_DRIVERS)

Return an array of struct kinfo_drivers that contains the name and major device numbers of all the device drivers in the current kernel. The d_name field is always a NUL terminated string. The d_bmajor field will be set to -1 if the driver doesn't have a block device.

kern.dump_on_panic (KERN_DUMP_ON_PANIC)

Perform a crash dump on system panic(9).

kern.file (KERN_FILE)

Return the entire file table. The returned data consists of a single struct filelist followed by an array of struct file, whose size depends on the current number of such objects in the system.

kern.forkfsleep (KERN_FORKFSLEEP)

If fork(2) system call fails due to limit on number of processes (either the global maxproc limit or user's one), wait for this many milliseconds before returning EAGAIN error to process. Useful to keep heavily forking runaway processes in bay. Default zero (no sleep). Maximum is 20 seconds.

kern.fscale (KERN_FSCALE)

The kernel fixed-point scale factor.

kern.fsync (KERN_FSYNC)

Return 1 if the IEEE Std 1003.1b-1993 (“POSIX.1b”) File Synchronization Option is available on this system, otherwise 0.

kern.hardclock_ticks (KERN_HARDCLOCK_TICKS)

Returns the number of hardclock(9) ticks.

kern.hostid (KERN_HOSTID)

Get or set the host identifier. This is aimed to replace the legacy gethostid(3) and sethostid(3) system calls.

kern.hostname (KERN_HOSTNAME)

Get or set the hostname(1).

kern.iov_max (KERN_IOV_MAX)

Return the maximum number of iovec structures that a process has available for use with preadv(2), pwritev(2), readv(2), recvmsg(2), sendmsg(2) and writev(2).

kern.ipc (KERN_SYSVIPC)

Return information about the SysV IPC parameters. The third level names for the ipc variables are detailed below.

Third level name	Type	Changeable
kern.ipc.sysvmsg	integer	no
kern.ipc.sysvsem	integer	no
kern.ipc.sysvshm	integer	no
kern.ipc.sysvipc_info	struct	no
kern.ipc.shmmax	integer	yes
kern.ipc.shmmni	integer	yes
kern.ipc.shmseg	integer	yes
kern.ipc.shmmaxpgs	integer	yes
kern.ipc.shm_use_phys	integer	yes
kern.ipc.msgmni	integer	yes
kern.ipc.msgseg	integer	yes
kern.ipc.semmni	integer	yes
kern.ipc.semmns	integer	yes
kern.ipc.semmnu	integer	yes

kern.ipc.sysvmsg (KERN_SYSVIPC_MSG)

Returns 1 if System V style message queue functionality is available on this system, otherwise 0.

kern.ipc.sysvsem (KERN_SYSVIPC_SEM)

Returns 1 if System V style semaphore functionality is available on this system, otherwise 0.

kern.ipc.sysvshm (KERN_SYSVIPC_SHM)

Returns 1 if System V style share memory functionality is available on this system, otherwise 0.

kern.ipc.sysvipc_info (KERN_SYSVIPC_INFO)

Return System V style IPC configuration and run-time information. The fourth level name selects the System V style IPC facility.

Fourth level name	Type
KERN_SYSVIPC_MSG_INFO	struct msg_sysctl_info
KERN_SYSVIPC_SEM_INFO	struct sem_sysctl_info
KERN_SYSVIPC_SHM_INFO	struct shm_sysctl_info

KERN_SYSVIPC_MSG_INFO

Return information on the System V style message facility. The msg_sysctl_info structure is defined in <sys/msg.h>.

KERN_SYSVIPC_SEM_INFO

Return information on the System V style semaphore facility. The sem_sysctl_info structure is defined in <sys/sem.h>.

KERN_SYSVIPC_SHM_INFO

Return information on the System V style shared memory facility. The shm_sysctl_info structure is defined in <sys/shm.h>.

kern.ipc.shmmax (KERN_SYSVIPC_SHMMAX)

Max shared memory segment size in bytes.

kern.ipc.shmmni (KERN_SYSVIPC_SHMMNI)

Max number of shared memory identifiers.

kern.ipc.shmseg (KERN_SYSVIPC_SHMSEG)

Max shared memory segments per process.

kern.ipc.shmmaxpgs (KERN_SYSVIPC_SHMMAXPGS)

Max amount of shared memory in pages.

kern.ipc.shm_use_phys (KERN_SYSVIPC_SHMUSEPHYS)

Locking of shared memory in physical memory. If 0, memory can be swapped out, otherwise it will be locked in physical memory.

kern.ipc.msgmni

Max number of message queue identifiers.

kern.ipc.msgseg

Max number of number of message segments.

kern.ipc.semmni

Max number of number of semaphore identifiers.

kern.ipc.semmns

Max number of number of semaphores in system.

kern.ipc.semmnu

Max number of undo structures in system.

kern.job_control (KERN_JOB_CONTROL)

Return 1 if job control is available on this system, otherwise 0.

kern.labeloffset (KERN_LABELOFFSET)

The offset within the sector specified by KERN_LABELSECTOR of the disklabel(5).

kern.labelsector (KERN_LABELSECTOR)

The sector number containing the disklabel(5).

kern.login_name_max (KERN_LOGIN_NAME_MAX)

The size of the storage required for a login name, in bytes, including the terminating NUL.

kern.logsigexit (KERN_LOGSIGEXIT)

If this flag is non-zero, the kernel will log(9) all process exits due to signals which create a core(5) file, and whether the coredump was created.

kern.mapped_files (KERN_MAPPED_FILES)

Returns 1 if the IEEE Std 1003.1b-1993 (“POSIX.1b”) Memory Mapped Files Option is available on this system, otherwise 0.

kern.maxfiles (KERN_MAXFILES)

The maximum number of open files that may be open in the system.

kern.maxpartitions (KERN_MAXPARTITIONS)

The maximum number of partitions allowed per disk.

kern.maxlwp

The maximum number of Lightweight Processes (threads) the system allows per uid.

kern.maxphys (KERN_MAXPHYS)

Maximum raw I/O transfer size.

kern.maxproc (KERN_MAXPROC)

The maximum number of simultaneous processes the system will allow.

kern.maxptys (KERN_MAXPTYS)

The maximum number of pseudo terminals. This value can be both raised and lowered, though it cannot be set lower than number of currently used ptys. See also pty(4).

kern.maxvnodes (KERN_MAXVNODES)

The maximum number of vnodes available on the system. This can only be raised.

kern.mbuf (KERN_MBUF)

Return information about the mbuf control variables. Mbufs are data structures which store network packets and other data structures in the networking code, see mbuf(9). The third level names for the mbuf variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Third level name	Type	Changeable
kern.mbuf.mblowat	integer	yes
kern.mbuf.mclbytes	integer	yes
kern.mbuf.mcllowat	integer	yes
kern.mbuf.msize	integer	yes
kern.mbuf.nmbclusters	integer	yes

The variables are as follows:

kern.mbuf.mblowat (MBUF_MBLOWAT)

The mbuf low water mark.

kern.mbuf.mclbytes (MBUF_MCLBYTES)

The mbuf cluster size.

kern.mbuf.mcllowat (MBUF_MCLLOWAT)

The mbuf cluster low water mark.

kern.mbuf.msize (MBUF_MSIZE)

The mbuf base size.

kern.mbuf.nmbclusters (MBUF_NMBCLUSTERS)

The limit on the number of mbuf clusters. The variable can only be increased, and only increased on machines with direct-mapped pool pages.

kern.memlock (KERN_MEMLOCK)

Returns 1 if the IEEE Std 1003.1b-1993 (“POSIX.1b”) Process Memory Locking Option is available on this system, otherwise 0.

kern.memlock_range (KERN_MEMLOCK_RANGE)

Returns 1 if the IEEE Std 1003.1b-1993 (“POSIX.1b”) Range Memory Locking Option is available on this system, otherwise 0.

kern.memory_protection (KERN_MEMORY_PROTECTION)

Returns 1 if the IEEE Std 1003.1b-1993 (“POSIX.1b”) Memory Protection Option is available on this system, otherwise 0.

kern.module

Settings related to kernel modules. The third level names for the settings are described below.

Third level name	Type	Changeable
kern.module.autoload	integer	yes
kern.module.autotime	integer	yes
kern.module.verbose	integer	yes

The variables are as follows:

kern.module.autoload

A boolean that controls whether kernel modules are loaded automatically. See module(7) for additional details.

kern.module.autotime

An integer that controls the delay before an attempt is made to automatically unload a module that was auto-loaded. Setting this value to zero disables the auto-unload function.

kern.module.verbose

A boolean that enables or disables verbose debug messages related to kernel modules.

kern.monotonic_clock (KERN_MONOTONIC_CLOCK)

Returns the standard version the implementation of the IEEE Std 1003.1b-1993 (“POSIX.1b”) Monotonic Clock Option conforms to, otherwise 0.

kern.mqueue

Settings related to POSIX message queues; see mqueue(3). This node is created dynamically when the corresponding kernel module is loaded. The third level names for the settings are described below.

Third level name	Type	Changeable
kern.mqueue.mq_open_max	integer	yes
kern.mqueue.mq_prio_max	integer	yes
kern.mqueue.mq_max_msgsize	integer	yes
kern.mqueue.mq_def_maxmsg	integer	yes
kern.mqueue.mq_max_maxmsg	integer	yes

The variables are:

kern.mqueue.mq_open_max

The maximum number of message queue descriptors any single process can open.

kern.mqueue.mq_prio_max

The maximum priority of a message.

kern.mqueue.mq_max_msgsize

The maximum size of a message in a message queue.

kern.mqueue.mq_def_maxmsg

The default maximum message count.

kern.mqueue.mq_max_maxmsg

The maximum number of messages in a message queue.

kern.msgbuf (KERN_MSGBUF)

The kernel message buffer, rotated so that the head of the circular kernel message buffer is at the start of the returned data. The returned data may contain NUL bytes.

kern.msgbufsize (KERN_MSGBUFSIZE)

The maximum number of characters that the kernel message buffer can hold.

kern.ngroups (KERN_NGROUPS)

The maximum number of supplemental groups.

kern.ntptime (KERN_NTPTIME)

A struct ntptimeval structure is returned. This structure contains data used by the ntpd(8) program.

kern.osrelease (KERN_OSRELEASE)

The system release string.

kern.osrevision (KERN_OSREV)

The system revision string.

kern.ostype (KERN_OSTYPE)

The system type string.

kern.pipe (KERN_PIPE)

Pipe settings. The third level names for the integer pipe settings is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Third level name	Type	Changeable
kern.pipe.kvasiz	integer	yes
kern.pipe.maxbigpipes	integer	yes
kern.pipe.maxkvasz	integer	yes
kern.pipe.limitkva	integer	yes
kern.pipe.nbigpipes	integer	yes

The variables are as follows:

kern.pipe.kvasiz (KERN_PIPE_KVASIZ)

Amount of kernel memory consumed by pipe buffers.

kern.pipe.maxbigpipes (KERN_PIPE_MAXBIGPIPES)

Maximum number of “big” pipes.

kern.pipe.maxkvasz (KERN_PIPE_MAXKVASZ)

Maximum amount of kernel memory to be used for pipes.

kern.pipe.limitkva (KERN_PIPE_LIMITKVA)

Limit for direct transfers via page loan.

kern.pipe.nbigpipes (KERN_PIPE_NBIGPIPES)

Number of “big” pipes.

kern.pool

Provides statistics about the pool(9) and pool_cache(9) subsystems.

kern.posix1version (KERN_POSIX1)

The version of ISO/IEC 9945 (IEEE Std 1003.1 (“POSIX.1”)) with which the system attempts to comply.

kern.posix_aio

The version of IEEE Std 1003.1 (“POSIX.1”) and its Asynchronous I/O option to which the system attempts to conform.

kern.posix_barriers (KERN_POSIX_BARRIERS)

The version of IEEE Std 1003.1 (“POSIX.1”) and its Barriers option to which the system attempts to conform, otherwise 0.

kern.posix_reader_writer_locks (KERN_POSIX_READER_WRITER_LOCKS)

The version of IEEE Std 1003.1 (“POSIX.1”) and its Read-Write Locks option to which the system attempts to conform, otherwise 0.

kern.posix_semaphores (KERN_POSIX_SEMAPHORES)

The version of IEEE Std 1003.1 (“POSIX.1”) and its Semaphores option to which the system attempts to conform, otherwise 0.

kern.posix_spin_locks (KERN_POSIX_SPIN_LOCKS)

The version of IEEE Std 1003.1 (“POSIX.1”) and its Spin Locks option to which the system attempts to conform, otherwise 0.

kern.posix_threads (KERN_POSIX_THREADS)

The version of IEEE Std 1003.1 (“POSIX.1”) and its Threads option to which the system attempts to conform, otherwise 0.

kern.posix_timers (KERN_POSIX_TIMERS)

The version of IEEE Std 1003.1 (“POSIX.1”) and its Timers option to which the system attempts to conform, otherwise 0.

kern.proc (KERN_PROC)

Return the entire process table, or a subset of it. An array of struct kinfo_proc structures is returned, whose size depends on the current number of such objects in the system. The third and fourth level numeric names are as follows:

Third level name	Fourth level is:
KERN_PROC_ALL	None
KERN_PROC_GID	A group ID
KERN_PROC_PID	A process ID
KERN_PROC_PGRP	A process group
KERN_PROC_RGID	A real group ID
KERN_PROC_RUID	A real user ID
KERN_PROC_SESSION	A session ID
KERN_PROC_TTY	A tty device
KERN_PROC_UID	A user ID

kern.proc2 (KERN_PROC2)

As for KERN_PROC, but an array of struct kinfo_proc2 structures are returned. The fifth level name is the size of the struct kinfo_proc2 and the sixth level name is the number of structures to return.

kern.proc_args (KERN_PROC_ARGS)

Return the argv or environment strings (or the number thereof) of a process. Multiple strings are returned separated by NUL characters. The third level name is the process ID. The fourth level name is as follows:

KERN_PROC_ARGV	The argv strings
KERN_PROC_ENV	The environ strings
KERN_PROC_NARGV	The number of argv strings
KERN_PROC_NENV	The number of environ strings

kern.profiling (KERN_PROF)

Return profiling information about the kernel. If the kernel is not compiled for profiling, attempts to retrieve any of the KERN_PROF values will fail with EOPNOTSUPP. The third level names for the string and integer profiling information is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Third level name	Type	Changeable
kern.profiling.count	u_short[]	yes
kern.profiling.froms	u_short[]	yes
kern.profiling.gmonparam	struct gmonparam	no
kern.profiling.state	integer	yes
kern.profiling.tos	struct tostruct	yes

The variables are as follows:

kern.profiling.count (GPROF_COUNT)

Array of statistical program counter counts.

kern.profiling.froms (GPROF_FROMS)

Array indexed by program counter of call-from points.

kern.profiling.gmonparams (GPROF_GMONPARAM)

Structure giving the sizes of the above arrays.

kern.profiling.state (GPROF_STATE)

Profiling state. If set to GMON_PROF_ON, starts profiling. If set to GMON_PROF_OFF, stops profiling.

kern.profiling.tos (GPROF_TOS)

Array of struct tostruct describing destination of calls and their counts.

kern.rawpartition (KERN_RAWPARTITION)

The raw partition of a disk (a == 0).

kern.root_device (KERN_ROOT_DEVICE)

The name of the root device (e.g., “wd0”).

kern.root_partition (KERN_ROOT_PARTITION)

The root partition on the root device (a == 0).

kern.rtc_offset (KERN_RTC_OFFSET)

Return the offset of real time clock from UTC in minutes.

kern.saved_ids (KERN_SAVED_IDS)

Returns 1 if saved set-group and saved set-user ID is available.

kern.sbmax (KERN_SBMAX)

Maximum socket buffer size.

kern.securelevel (KERN_SECURELVL)

See secmodel_securelevel(9).

kern.somaxkva (KERN_SOMAXKVA)

Maximum amount of kernel memory to be used for socket buffers.

kern.synchronized_io (KERN_SYNCHRONIZED_IO)

Returns 1 if the IEEE Std 1003.1b-1993 (“POSIX.1b”) Synchronized I/O Option is available on this system, otherwise 0.

kern.timecounter (dynamic)

Display and control the timecounter source of the system.

Third level name	Type	Changeable
kern.timecounter.choice	string	no
kern.timecounter.hardware	string	yes
kern.timecounter.timestepwarnings	integer	yes

The variables are as follows:

kern.timecounter.choice (dynamic)

The list of available timecounters with their quality and frequency.

kern.timecounter.hardware (dynamic)

The currently selected timecounter source.

kern.timecounter.timestepwarnings (dynamic)

If non-zero display a message each time the time is stepped.

kern.timex (KERN_TIMEX)

Not available.

kern.tkstat (KERN_TKSTAT)

Return information about the number of characters sent and received on ttys. The third level names for the tty statistic variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Third level name	Type	Changeable
kern.tkstat.cancc	quad	no
kern.tkstat.nin	quad	no
kern.tkstat.nout	quad	no
kern.tkstat.rawcc	quad	no

The variables are as follows:

kern.tkstat.cancc (KERN_TKSTAT_CANCC)

The number of canonical input characters.

kern.tkstat.nin (KERN_TKSTAT_NIN)

The total number of input characters.

kern.tkstat.nout (KERN_TKSTAT_NOUT)

The total number of output characters.

kern.tkstat.rawcc (KERN_TKSTAT_RAWCC)

The number of raw input characters.

kern.tty

The third level names for the tty setup variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Third level name	Type	Changeable
kern.tty.qsize	int	yes

The variables are as follows:

kern.tty.qsize

Control/display the size of the default input and output queues selected during tty creation. Is converted to a power of two and its range is between 1024 and 65536.

kern.uidinfo

Resource usage for the current user.

Third level name	Type	Changeable
kern.uidinfo.proccnt	integer	no
kern.uidinfo.lwpcnt	integer	no
kern.uidinfo.lockcnt	integer	no
kern.uidinfo.sbsize	integer	no

kern.uidinfo.proccnt

Returns the number of active processes for the current user.

kern.uidinfo.lwpcnt

Returns the number of active threads for the current user; the first thread of each process is not counted.

kern.uidinfo.lockcnt

Number of locks held by the current user.

kern.uidinfo.sbsize

Number of bytes in socket buffers allocated to the current user.

kern.urandom (KERN_URND)

Random integer value.

kern.usercrypto

When enabled, allows userland to open(2) the /dev/crypto special device, used by the crypto(4) system.

kern.userasymcrypto

Enables or disables the use of software asymmetric crypto support in the crypto(4) system.

kern.veriexec

Runtime information for veriexec(8).

Third level name	Type	Changeable
kern.veriexec.algorithms	string	no
kern.veriexec.count	node	not applicable
kern.veriexec.strict	integer	yes
kern.veriexec.verbose	integer	yes

kern.veriexec.algorithms

Returns a string with the supported algorithms in Veriexec.

kern.veriexec.count

Sub-nodes are added to this node as new mounts are monitored by Veriexec. Each mount will be under its own tableN node. Under each node there will be three variables, indicating the mount point, the file system type, and the number of entries.

kern.veriexec.strict

Controls the strict level of Veriexec. See security(7) for more information on each level's implications.

kern.veriexec.verbose

Controls the verbosity level of Veriexec. If 0, only the minimal indication required will be given about what's happening - fingerprint mismatches, removal of entries from the tables, modification of a fingerprinted file. If 1, more messages will be printed (ie., when a file with a valid fingerprint is accessed). Verbose level 2 is debug mode.

kern.version (KERN_VERSION)

The system version string.

kern.vnode (KERN_VNODE)

Return the entire vnode table. Note, the vnode table is not necessarily a consistent snapshot of the system. The returned data consists of an array whose size depends on the current number of such objects in the system. Each element of the array contains the kernel address of a vnode struct vnode * followed by the vnode itself struct vnode.

The machdep.* subtree

The set of variables defined is architecture dependent. Most architectures define at least the following variables.

Second level name	Type	Changeable
machdep.booted_kernel	string	no

The net.* subtree

The string and integer information available for the net level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. The second and third levels are typically the protocol family and protocol number, though this is not always the case.

Second level name	Type	Changeable
net.route	routing messages	no
net.inet	IPv4 values	yes
net.inet6	IPv6 values	yes
net.key	IPsec key management values	yes

net.route (PF_ROUTE)

Return the entire routing table or a subset of it. The data is returned as a sequence of routing messages (see route(4) for the header file, format and meaning). The length of each message is contained in the message header.

The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows:

Fifth level name	Sixth level is:
NET_RT_FLAGS	rtflags
NET_RT_DUMP	None
NET_RT_IFLIST	None

net.inet (PF_INET)

Get or set various global information about the IPv4 (Internet Protocol version 4). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:

Protocol name	Variable name	Type	Changeable
arp	down	integer	yes
arp	keep	integer	yes
arp	log_movements	integer	yes
arp	log_permanent_modify	integer	yes
arp	log_wrong_iface	integer	yes
arp	prune	integer	yes
arp	refresh	integer	yes
carp	allow	integer	yes
carp	preempt	integer	yes
carp	log	integer	yes
carp	arpbalance	integer	yes
icmp	errppslimit	integer	yes
icmp	maskrepl	integer	yes
icmp	rediraccept	integer	yes
icmp	redirtimeout	integer	yes
icmp	bmcastecho	integer	yes
ip	allowsrcrt	integer	yes
ip	anonportalgo.selected	string	yes
ip	anonportalgo.available	string	yes
ip	anonportalgo.reserve	struct	yes
ip	anonportmax	integer	yes
ip	anonportmin	integer	yes
ip	checkinterface	integer	yes
ip	directed-broadcast	integer	yes
ip	do_loopback_cksum	integer	yes
ip	forwarding	integer	yes
ip	forwsrcrt	integer	yes
ip	gifttl	integer	yes
ip	grettl	integer	yes
ip	hashsize	integer	yes
ip	hostzerobroadcast	integer	yes
ip	lowportmin	integer	yes
ip	lowportmax	integer	yes
ip	maxflows	integer	yes
ip	maxfragpackets	integer	yes
ip	mtudisc	integer	yes
ip	mtudisctimeout	integer	yes
ip	random_id	integer	yes
ip	redirect	integer	yes
ip	subnetsarelocal	integer	yes
ip	ttl	integer	yes
tcp	rfc1323	integer	yes
tcp	sendspace	integer	yes
tcp	recvspace	integer	yes
tcp	mssdflt	integer	yes
tcp	syn_cache_limit	integer	yes
tcp	syn_bucket_limit	integer	yes
tcp	syn_cache_interval	integer	yes
tcp	init_win	integer	yes
tcp	init_win_local	integer	yes
tcp	mss_ifmtu	integer	yes
tcp	win_scale	integer	yes
tcp	timestamps	integer	yes
tcp	compat_42	integer	yes
tcp	cwm	integer	yes
tcp	cwm_burstsize	integer	yes
tcp	ack_on_push	integer	yes
tcp	keepidle	integer	yes
tcp	keepintvl	integer	yes
tcp	keepcnt	integer	yes
tcp	slowhz	integer	no
tcp	keepinit	integer	yes
tcp	log_refused	integer	yes
tcp	rstppslimit	integer	yes
tcp	ident	struct	no
tcp	drop	struct	no
tcp	sack.enable	integer	yes
tcp	sack.globalholes	integer	no
tcp	sack.globalmaxholes	integer	yes
tcp	sack.maxholes	integer	yes
tcp	ecn.enable	integer	yes
tcp	ecn.maxretries	integer	yes
tcp	congctl.selected	string	yes
tcp	congctl.available	string	yes
tcp	abc.enable	integer	yes
tcp	abc.aggressive	integer	yes
udp	checksum	integer	yes
udp	do_loopback_cksum	integer	yes
udp	recvspace	integer	yes
udp	sendspace	integer	yes

The variables are as follows:

arp.down

Failed ARP entry lifetime.

arp.keep

Valid ARP entry lifetime.

arp.prune

ARP cache pruning interval.

arp.refresh

ARP entry refresh interval.

carp.allow

If set to 0, incoming carp(4) packets will not be processed. If set to any other value, processing will occur. Enabled by default.

carp.arpbalance

If set to any value other than 0, the ARP balancing functionality of carp(4) is enabled. When ARP requests are received for an IP address which is part of any virtual host, carp will hash the source IP in the ARP request to select one of the virtual hosts from the set of all the virtual hosts which have that IP address. The master of that host will respond with the correct virtual MAC address. Disabled by default.

carp.log

If set to any value other than 0, carp(4) will log errors. Disabled by default.

carp.preempt

If set to 0, carp(4) will not attempt to become master if it is receiving advertisements from another active master. If set to any other value, carp will become master of the virtual host if it believes it can send advertisements more frequently than the current master. Disabled by default.

ip.allowsrcrt

If set to 1, the host accepts source routed packets.

ip.anonportalgo.available

The available RFC 6056 port randomization algorithms.

ip.anonportalgo.reserve

A bitmask of ports that will not be used during anonymous or privileged port selection.

ip.anonportalgo.selected

The currently selected RFC 6056 port randomization algorithm.

ip.anonportmax

The highest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535, and must be greater than ip.anonportmin.

ip.anonportmin

The lowest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535.

ip.checkinterface

If set to non-zero, the host will reject packets addressed to it that arrive on an interface not bound to that address. Currently, this must be disabled if ipnat is used to translate the destination address to another local interface, or if addresses are added to the loopback interface instead of the interface where the packets for those packets are received.

ip.directed-broadcast

If set to 1, enables directed broadcast behavior for the host.

ip.do_loopback_cksum

Perform IP checksum on loopback.

ip.forwarding

If set to 1, enables IP forwarding for the host, meaning that the host is acting as a router.

ip.forwsrcrt

If set to 1, enables forwarding of source-routed packets for the host. This value may only be changed if the kernel security level is less than 1.

ip.gifttl

The maximum time-to-live (hop count) value for an IPv4 packet generated by gif(4) tunnel interface.

ip.grettl

The maximum time-to-live (hop count) value for an IPv4 packet generated by gre(4) tunnel interface.

ip.hashsize

The size of IPv4 Fast Forward hash table. This value must be a power of 2 (64, 256...). A larger hash table size results in fewer collisions. Also see ip.maxflows.

ip.hostzerobroadcast

All zeroes address is broadcast address.

ip.lowportmax

The highest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be greater than ip.lowportmin.

ip.lowportmin

The lowest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be smaller than ip.lowportmax.

ip.maxflows

IPv4 Fast Forwarding is enabled by default. If set to 0, IPv4 Fast Forwarding is disabled. ip.maxflows controls the maximum amount of flows which can be created. The default value is 256.

ip.maxfragpackets

The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is provided basically for avoiding possible DoS attacks.

ip.mtudisc

If set to 1, enables Path MTU Discovery (RFC 1191). When Path MTU Discovery is enabled, the transmitted TCP segment size will be determined by the advertised maximum segment size (MSS) from the remote end, as constrained by the path MTU. If MTU Discovery is disabled, the transmitted segment size will never be greater than tcp.mssdflt (the local maximum segment size).

ip.mtudisctimeout

The number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU.

ip.random_id

Assign random ip_id values.

ip.redirect

If set to 1, ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems.

ip.subnetsarelocal

If set to 1, subnets are to be considered local addresses.

ip.ttl

The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to normal transport protocols, not to ICMP.

icmp.errppslimit

The variable specifies the maximum number of outgoing ICMP error messages, per second. ICMP error messages that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limitation.

icmp.maskrepl

If set to 1, ICMP network mask requests are to be answered.

icmp.rediraccept

If set to non-zero, the host will accept ICMP redirect packets. Note that routers will never accept ICMP redirect packets, and the variable is meaningful on IP hosts only.

icmp.redirtimeout

The variable specifies lifetime of routing entries generated by incoming ICMP redirect. This defaults to 600 seconds.

icmp.returndatabytes

Number of bytes to return in an ICMP error message.

icmp.bmcastecho

If set to 1, enables responding to ICMP echo or timestamp request to the broadcast address.

tcp.ack_on_push

If set to 1, TCP is to immediately transmit an ACK upon reception of a packet with PUSH set. This can avoid losing a round trip time in some rare situations, but has the caveat of potentially defeating TCP's delayed ACK algorithm. Use of this option is generally not recommended, but the variable exists in case your configuration really needs it.

tcp.compat_42

If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation. Use of this option is not recommended, although it may be required in order to communicate with extremely old TCP implementations.

tcp.cwm

If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window Monitoring algorithm. This algorithm prevents line-rate bursts of packets that could otherwise occur when data begins flowing on an idle TCP connection. These line-rate bursts can contribute to network and router congestion. This can be particularly useful on World Wide Web servers which support HTTP/1.1, which has lingering connections.

tcp.cwm_burstsize

The Congestion Window Monitoring allowed burst size, in terms of packet count.

tcp.delack_ticks

Number of ticks to delay sending an ACK.

tcp.do_loopback_cksum

Perform TCP checksum on loopback.

tcp.init_win

A value indicating the TCP initial congestion window. The valid range is 0 to 10 (maximum specified by draft-ietf-tcpm-initcwnd-08.txt), with a default of 4 (approximately 4K per RFC3390).

tcp.init_win_local

Like tcp.init_win, but used when communicating with hosts on a local network.

tcp.keepcnt

Number of keepalive probes sent before declaring a connection dead. If set to zero, there is no limit; keepalives will be sent until some kind of response is received from the peer.

tcp.keepidle

Time a connection must be idle before keepalives are sent (if keepalives are enabled for the connection). See also tcp.slowhz.

tcp.keepintvl

Time after a keepalive probe is sent until, in the absence of any response, another probe is sent. See also tcp.slowhz.

tcp.log_refused

If set to 1, refused TCP connections to the host will be logged.

tcp.keepinit

Timeout in seconds during connection establishment.

tcp.mss_ifmtu

If set to 1, TCP calculates the outgoing maximum segment size based on the MTU of the appropriate interface. If set to 0, it is calculated based on the greater of the MTU of the interface, and the largest (non-loopback) interface MTU on the system.

tcp.mssdflt

The default maximum segment size both advertised to the peer and to use when either the peer does not advertise a maximum segment size to us during connection setup or Path MTU Discovery (ip.mtudisc) is disabled. Do not change this value unless you really know what you are doing.

tcp.recvspace

The default TCP receive buffer size.

tcp.rfc1323

If set to 1, enables RFC 1323 extensions to TCP.

tcp.rstppslimit

The variable specifies the maximum number of outgoing TCP RST packets, per second. TCP RST packet that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limitation.

tcp.ident

Return the user ID of a connected socket pair. (RFC1413 Identification Protocol lookups.)

tcp.drop

Drop a TCP socket pair connection.

tcp.sack.enable

If set to 1, enables RFC 2018 Selective ACKnowledgement.

tcp.sack.globalholes

Global number of TCP SACK holes.

tcp.sack.globalmaxholes

Global maximum number of TCP SACK holes.

tcp.sack.maxholes

Maximum number of TCP SACK holes allowed per connection.

tcp.ecn.enable

If set to 1, enables RFC 3168 Explicit Congestion Notification.

tcp.ecn.maxretries

Number of times to retry sending the ECN-setup packet.

tcp.sendspace

The default TCP send buffer size.

tcp.slowhz

The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks of a clock that ticks tcp.slowhz times per second. (That is, their values must be divided by the tcp.slowhz value to get times in seconds.)

tcp.syn_bucket_limit

The maximum number of entries allowed per hash bucket in the TCP compressed state engine.

tcp.syn_cache_limit

The maximum number of entries allowed in the TCP compressed state engine.

tcp.timestamps

If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options, used for measuring TCP round trip times, are enabled.

tcp.win_scale

If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options, for increasing the TCP window size, are enabled.

tcp.congctl.available

The available TCP congestion control algorithms.

tcp.congctl.selected

The currently selected TCP congestion control algorithm.

tcp.abc.enable

If set to 1, use RFC 3465 Appropriate Byte Counting (ABC). If set to 0, use traditional Packet Counting.

tcp.abc.aggressive

Choose the L parameter found in RFC 3465. L is the maximum cwnd increase for an ack during slow start. If set to 1, use L=2*SMSS. If set to 0, use L=1*SMSS. It has no effect unless tcp.abc.enable is set to 1.

udp.checksum

If set to 1, UDP checksums are being computed. Received non-zero UDP checksums are always checked. Disabling UDP checksums is strongly discouraged.

udp.recvspace

The default UDP receive buffer size.

udp.sendspace

The default UDP send buffer size.

For variables net.*.ipsec, please refer to ipsec(4).

net.inet6 (PF_INET6)

Get or set various global information about the IPv6 (Internet Protocol version 6). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:

Protocol name	Variable name	Type	Changeable
icmp6	errppslimit	integer	yes
icmp6	mtudisc_hiwat	integer	yes
icmp6	mtudisc_lowat	integer	yes
icmp6	nd6_debug	integer	yes
icmp6	nd6_delay	integer	yes
icmp6	nd6_maxnudhint	integer	yes
icmp6	nd6_mmaxtries	integer	yes
icmp6	nd6_prune	integer	yes
icmp6	nd6_umaxtries	integer	yes
icmp6	nd6_useloopback	integer	yes
icmp6	nodeinfo	integer	yes
icmp6	rediraccept	integer	yes
icmp6	redirtimeout	integer	yes
ip6	accept_rtadv	integer	yes
ip6	anonportalgo.selected	string	yes
ip6	anonportalgo.available	string	yes
ip6 anonportalgo.reserve	struct	yes
ip6	anonportmax	integer	yes
ip6	anonportmin	integer	yes
ip6	auto_flowlabel	integer	yes
ip6	dad_count	integer	yes
ip6	defmcasthlim	integer	yes
ip6	forwarding	integer	yes
ip6	gifhlim	integer	yes
ip6	hashsize	integer	yes
ip6	hlim	integer	yes
ip6	hdrnestlimit	integer	yes
ip6	kame_version	string	no
ip6	keepfaith	integer	yes
ip6	log_interval	integer	yes
ip6	lowportmax	integer	yes
ip6	lowportmin	integer	yes
ip6	maxdynroutes	integer	yes
ip6	maxifprefixes	integer	yes
ip6	maxifdefrouters	integer	yes
ip6	maxflows	integer	yes
ip6	maxfragpackets	integer	yes
ip6	maxfrags	integer	yes
ip6	neighborgcthresh	integer	yes
ip6	redirect	integer	yes
ip6	rr_prune	integer	yes
ip6	use_deprecated	integer	yes
ip6	v6only	integer	yes
udp6	do_loopback_cksum	integer	yes
udp6	recvspace	integer	yes
udp6	sendspace	integer	yes

The variables are as follows:

ip6.accept_rtadv

If set to non-zero, the node will accept ICMPv6 router advertisement packets and autoconfigures address prefixes and default routers. The node must be a host (not a router) for the option to be meaningful.

ip6.anonportalgo.available

The available RFC 6056 port randomization algorithms.

ip6.anonportalgo.reserve

A bitmask of ports that will not be used during anonymous or privileged port selection.

ip6.anonportalgo.selected

The currently selected RFC 6056 port randomization algorithm.

ip6.anonportmax

The highest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535, and must be greater than ip6.anonportmin.

ip6.anonportmin

The lowest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535.

ip6.auto_flowlabel

On connected transport protocol packets, fill IPv6 flowlabel field to help intermediate routers to identify packet flows.

ip6.dad_count

The variable configures number of IPv6 DAD (duplicated address detection) probe packets. The packets will be generated when IPv6 interface addresses are configured.

ip6.defmcasthlim

The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. There are APIs to override the value, as documented in ip6(4).

ip6.forwarding

If set to 1, enables IPv6 forwarding for the node, meaning that the node is acting as a router. If set to 0, disables IPv6 forwarding for the node, meaning that the node is acting as a host. IPv6 specification defines node behavior for “router” case and “host” case quite differently, and changing this variable during operation may cause serious trouble. It is recommended to configure the variable at bootstrap time, and bootstrap time only.

ip6.gifhlim

The maximum hop limit value for an IPv6 packet generated by gif(4) tunnel interface.

ip6.hdrnestlimit

The number of IPv6 extension headers permitted on incoming IPv6 packets. If set to 0, the node will accept as many extension headers as possible.

ip6.hashsize

The size of IPv6 Fast Forward hash table. This value must be a power of 2 (64, 256, ...). A larger hash table size results in fewer collisions. Also see ip6.maxflows.

ip6.hlim

The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. There are APIs to override the value, as documented in ip6(4).

ip6.kame_version

The string identifies the version of KAME IPv6 stack implemented in the kernel.

ip6.keepfaith

If set to non-zero, it enables “FAITH” TCP relay IPv6-to-IPv4 translator code in the kernel. Refer faith(4) and faithd(8) for detail.

ip6.log_interval

The variable controls amount of logs generated by IPv6 packet forwarding engine, by setting interval between log output (in seconds).

ip6.lowportmax

The highest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be greater than ip6.lowportmin.

ip6.lowportmin

The lowest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be smaller than ip6.lowportmax.

ip6.maxdynroutes

Maximum number of routes created by redirect. Set it to negative to disable. The default value is 4096.

ip6.maxifprefixes

Maximum number of prefixes created by route advertisements per interface. Set it to negative to disable. The default value is 16.

ip6.maxifdefrouters 16

Maximum number of default routers created by route advertisements per interface. Set it to negative to disable. The default value is 16.

ip6.maxflows

IPv6 Fast Forwarding is enabled by default. If set to 0, IPv6 Fast Forwarding is disabled. ip6.maxflows controls the maximum amount of flows which can be created. The default value is 256.

ip6.maxfragpackets

The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is provided basically for avoiding possible DoS attacks.

ip6.maxfrags

The maximum number of fragments the node will accept. 0 means that the node will not accept any fragments. -1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks.

ip6.neighborgcthresh

Maximum number of entries in neighbor cache. Set to negative to disable. The default value is 2048.

ip6.redirect

If set to 1, ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems.

ip6.rr_prune

The variable specifies interval between IPv6 router renumbering prefix babysitting, in seconds.

ip6.use_deprecated

The variable controls use of deprecated address, specified in RFC 2462 5.5.4.

ip6.v6only

The variable specifies initial value for IPV6_V6ONLY socket option for AF_INET6 socket. Please refer to ip6(4) for detail.

icmp6.errppslimit

The variable specifies the maximum number of outgoing ICMPv6 error messages, per second. ICMPv6 error messages that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limitation.

icmp6.mtudisc_hiwat

icmp6.mtudisc_lowat

The variables define the maximum number of routing table entries, created due to path MTU discovery (prevents denial-of-service attacks with ICMPv6 too big messages). When IPv6 path MTU discovery happens, we keep path MTU information into the routing table. If the number of routing table entries exceed the value, the kernel will not attempt to keep the path MTU information. icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected pcbs. Negative value disables the upper limit.

icmp6.nd6_debug

If set to non-zero, kernel IPv6 neighbor discovery code will generate debugging messages. The debug outputs are useful to diagnose IPv6 interoperability issues. The flag must be set to 0 for normal operation.

icmp6.nd6_delay

The variable specifies DELAY_FIRST_PROBE_TIME timing constant in IPv6 neighbor discovery specification (RFC 2461), in seconds.

icmp6.nd6_maxnudhint

IPv6 neighbor discovery permits upper layer protocols to supply reachability hints, to avoid unnecessary neighbor discovery exchanges. The variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor discovery layer will take 3 consecutive hints in maximum. After receiving 3 hints, neighbor discovery layer will perform normal neighbor discovery process.

icmp6.nd6_mmaxtries

The variable specifies MAX_MULTICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461).

icmp6.nd6_prune

The variable specifies interval between IPv6 neighbor cache babysitting, in seconds.

icmp6.nd6_umaxtries

The variable specifies MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461).

icmp6.nd6_useloopback

If set to non-zero, kernel IPv6 stack will use loopback interface for local traffic.

icmp6.nodeinfo

The variable enables responses to ICMPv6 node information queries. If you set the variable to 0, responses will not be generated for ICMPv6 node information queries. Since node information queries can have a security impact, it is possible to fine tune which responses should be answered. Two separate bits can be set.

1

Respond to ICMPv6 FQDN queries, e.g. ping6 -w.

2

Respond to ICMPv6 node addresses queries, e.g. ping6 -a.

icmp6.rediraccept

If set to non-zero, the host will accept ICMPv6 redirect packets. Note that IPv6 routers will never accept ICMPv6 redirect packets, and the variable is meaningful on IPv6 hosts (non-router) only.

icmp6.redirtimeout

The variable specifies lifetime of routing entries generated by incoming ICMPv6 redirect.

udp6.do_loopback_cksum

Perform UDP checksum on loopback.

udp6.recvspace

Default UDP receive buffer size.

udp6.sendspace

Default UDP send buffer size.

We reuse net.*.tcp for TCP over IPv6, and therefore we do not have variables net.*.tcp6. Variables net.inet6.udp6 have identical meaning to net.inet.udp. Please refer to PF_INET section above. For variables net.*.ipsec6, please refer to ipsec(4).

net.key (PF_KEY)

Get or set various global information about the IPsec key management. The third level name is the variable name. The currently defined variable and names are:

Variable name	Type	Changeable
debug	integer	yes
enabled	integer	yes
used	integer	no
spi_try	integer	yes
spi_min_value	integer	yes
spi_max_value	integer	yes
larval_lifetime	integer	yes
blockacq_count	integer	yes
blockacq_lifetime	integer	yes
esp_keymin	integer	yes
esp_auth	integer	yes
ah_keymin	integer	yes

The variables are as follows:

debug

Turn on debugging message from within the kernel. The value is a bitmap, as defined in <netkey/key_debug.h>.

enabled

Control processing of IPsec control messages.

0

Never allow IPsec processing

1

Allow IPsec processing when SPD policies are present.

2

Force IPsec processing even when SPD policies are not present.

used

Based on if IPsec is enabled, and SPD rule existance, show if IPsec is being used. Note that currenly once IPsec is being used, it cannot be disabled.

spi_try

The number of times the kernel will try to obtain an unique SPI when it generates it from random number generator.

spi_min_value

Minimum SPI value when generating it within the kernel.

spi_max_value

Maximum SPI value when generating it within the kernel.

larval_lifetime

Lifetime for LARVAL SAD entries, in seconds.

blockacq_count

Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message. It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the key management daemon.

blockacq_lifetime

Lifetime of ACQUIRE PF_KEY message.

esp_keymin

Minimum ESP key length, in bits. The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message.

esp_auth

Whether ESP authentication should be used or not. Non-zero value indicates that ESP authentication should be used. The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message.

ah_keymin

Minimum AH key length, in bits, The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message.

The proc.* subtree

The string and integer information available for the proc level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. These values are per-process, and as such may change from one process to another. When a process is created, the default values are inherited from its parent. When a set-user-ID or set-group-ID binary is executed, the value of PROC_PID_CORENAME is reset to the system default value. The second level name is either the magic value PROC_CURPROC, which points to the current process, or the PID of the target process.

Third level name	Type	Changeable
proc.pid.corename	string	yes
proc.pid.rlimit	node	not applicable
proc.pid.stopfork	int	yes
proc.pid.stopexec	int	yes
proc.pid.stopexit	int	yes

proc.pid.corename (PROC_PID_CORENAME)

The template used for the core dump file name (see core(5) for details). The base name must either be core or end with the suffix .core (the super-user may set arbitrary names). By default it points to KERN_DEFCORENAME.

proc.pid.rlimit (PROC_PID_LIMIT)

Return resources limits, as defined for the getrlimit(2) and setrlimit(2) system calls. The fourth level name is one of:

proc.pid.rlimit.cputime (PROC_PID_LIMIT_CPU)

The maximum amount of CPU time (in seconds) to be used by each process.

proc.pid.rlimit.filesize (PROC_PID_LIMIT_FSIZE)

The largest size (in bytes) file that may be created.

proc.pid.rlimit.datasize (PROC_PID_LIMIT_DATA)

The maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call.

proc.pid.rlimit.stacksize (PROC_PID_LIMIT_STACK)

The maximum size (in bytes) of the stack segment for a process; this defines how far a program's stack segment may be extended. Stack extension is performed automatically by the system.

proc.pid.rlimit.coredumpsize (PROC_PID_LIMIT_CORE)

The largest size (in bytes) core file that may be created.

proc.pid.rlimit.memoryuse (PROC_PID_LIMIT_RSS)

The maximum size (in bytes) to which a process's resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from processes that are exceeding their declared resident set size.

proc.pid.rlimit.memorylocked (PROC_PID_LIMIT_MEMLOCK)

The maximum size (in bytes) which a process may lock into memory using the mlock(2) function.

proc.pid.rlimit.maxproc (PROC_PID_LIMIT_NPROC)

The maximum number of simultaneous processes for this user id.

proc.pid.rlimit.descriptors (PROC_PID_LIMIT_NOFILE)

The maximum number of open files for this process.

proc.pid.rlimit.sbsize (PROC_PID_LIMIT_SBSIZE)

The maximum size (in bytes) of the socket buffers set by the setsockopt(2) SO_RCVBUF and SO_SNDBUF options.

The fifth level name is one of soft (PROC_PID_LIMIT_TYPE_SOFT) or hard (PROC_PID_LIMIT_TYPE_HARD), to select respectively the soft or hard limit. Both are of type integer.

proc.pid.stopfork (PROC_PID_STOPFORK)

If non zero, the process' children will be stopped after fork(2) calls. The children is created in the SSTOP state and is never scheduled for running before being stopped. This feature helps attaching a process with a debugger such as gdb(1) before it had the opportunity to actually do anything.

This value is inherited by the process's children, and it also apply to emulation specific system calls that fork a new process, such as sproc() or clone().

proc.pid.stopexec (PROC_PID_STOPEXEC)

If non zero, the process will be stopped on next exec(3) call. The process created by exec(3) is created in the SSTOP state and is never scheduled for running before being stopped. This feature helps attaching a process with a debugger such as gdb(1) before it had the opportunity to actually do anything.

This value is inherited by the process's children.

proc.pid.stopexit (PROC_PID_STOPEXIT)

If non zero, the process will be stopped on when it has cause to exit, either by way of calling exit(3), _exit(2), or by the receipt of a specific signal. The process is stopped before any of its resources or vm space is released allowing examination of the termination state of a process before it disappears. This feature can be used to examine the final conditions of the process's vmspace via pmap(1) or its resource settings with sysctl(8) before it disappears.

This value is also inherited by the process's children.

The user.* subtree (CTL_USER)

The string and integer information available for the user level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Second level name	Type	Changeable
user.atexit_max	integer	no
user.bc_base_max	integer	no
user.bc_dim_max	integer	no
user.bc_scale_max	integer	no
user.bc_string_max	integer	no
user.coll_weights_max	integer	no
user.cs_path	string	no
user.expr_nest_max	integer	no
user.line_max	integer	no
user.posix2_c_bind	integer	no
user.posix2_c_dev	integer	no
user.posix2_char_term	integer	no
user.posix2_fort_dev	integer	no
user.posix2_fort_run	integer	no
user.posix2_localedef	integer	no
user.posix2_sw_dev	integer	no
user.posix2_upe	integer	no
user.posix2_version	integer	no
user.re_dup_max	integer	no
user.stream_max	integer	no
user.stream_max	integer	no
user.tzname_max	integer	no

user.atexit_max (USER_ATEXIT_MAX)

The maximum number of functions that may be registered with atexit(3).

user.bc_base_max (USER_BC_BASE_MAX)

The maximum ibase/obase values in the bc(1) utility.

user.bc_dim_max (USER_BC_DIM_MAX)

The maximum array size in the bc(1) utility.

user.bc_scale_max (USER_BC_SCALE_MAX)

The maximum scale value in the bc(1) utility.

user.bc_string_max (USER_BC_STRING_MAX)

The maximum string length in the bc(1) utility.

user.coll_weights_max (USER_COLL_WEIGHTS_MAX)

The maximum number of weights that can be assigned to any entry of the LC_COLLATE order keyword in the locale definition file.

user.cs_path (USER_CS_PATH)

Return a value for the PATH environment variable that finds all the standard utilities.

user.expr_nest_max (USER_EXPR_NEST_MAX)

The maximum number of expressions that can be nested within parenthesis by the expr(1) utility.

user.line_max (USER_LINE_MAX)

The maximum length in bytes of a text-processing utility's input line.

user.posix2_char_term (USER_POSIX2_CHAR_TERM)

Return 1 if the system supports at least one terminal type capable of all operations described in IEEE Std 1003.2 (“POSIX.2”), otherwise 0.

user.posix2_c_bind (USER_POSIX2_C_BIND)

Return 1 if the system's C-language development facilities support the C-Language Bindings Option, otherwise 0.

user.posix2_c_dev (USER_POSIX2_C_DEV)

Return 1 if the system supports the C-Language Development Utilities Option, otherwise 0.

user.posix2_fort_dev (USER_POSIX2_FORT_DEV)

Return 1 if the system supports the FORTRAN Development Utilities Option, otherwise 0.

user.posix2_fort_run (USER_POSIX2_FORT_RUN)

Return 1 if the system supports the FORTRAN Runtime Utilities Option, otherwise 0.

user.posix2_localedef (USER_POSIX2_LOCALEDEF)

Return 1 if the system supports the creation of locales, otherwise 0.

user.posix2_sw_dev (USER_POSIX2_SW_DEV)

Return 1 if the system supports the Software Development Utilities Option, otherwise 0.

user.posix2_upe (USER_POSIX2_UPE)

Return 1 if the system supports the User Portability Utilities Option, otherwise 0.

user.posix2_version (USER_POSIX2_VERSION)

The version of IEEE Std 1003.2 (“POSIX.2”) with which the system attempts to comply.

user.re_dup_max (USER_RE_DUP_MAX)

The maximum number of repeated occurrences of a regular expression permitted when using interval notation.

user.stream_max (USER_STREAM_MAX)

The minimum maximum number of streams that a process may have open at any one time.

user.tzname_max (USER_TZNAME_MAX)

The minimum maximum number of types supported for the name of a timezone.

The vm.* subtree (CTL_VM)

The string and integer information available for the vm level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Second level name	Type	Changeable
vm.anonmax	int	yes
vm.anonmin	int	yes
vm.bufcache	int	yes
vm.bufmem	int	no
vm.bufmem_hiwater	int	yes
vm.bufmem_lowater	int	yes
vm.execmax	int	yes
vm.execmin	int	yes
vm.filemax	int	yes
vm.filemin	int	yes
vm.loadavg	struct loadavg	no
vm.maxslp	int	no
vm.nkmempages	int	no
vm.uspace	int	no
vm.uvmexp	struct uvmexp	no
vm.uvmexp2	struct uvmexp_sysctl	no
vm.vmmeter	struct vmtotal	no

vm.anonmax (VM_ANONMAX)

The percentage of physical memory which will be reclaimed from other types of memory usage to store anonymous application data.

vm.anonmin (VM_ANONMIN)

The percentage of physical memory which will be always be available for anonymous application data.

vm.bufcache (VM_BUFCACHE)

The percentage of physical memory which will be available for the buffer cache.

vm.bufmem (VM_BUFMEM)

The amount of kernel memory that is being used by the buffer cache.

vm.bufmem_lowater (VM_BUFMEM_LOWATER)

The minimum amount of kernel memory to reserve for the buffer cache.

vm.bufmem_hiwater (VM_BUFMEM_HIWATER)

The maximum amount of kernel memory to be used for the buffer cache.

vm.execmax (VM_EXECMAX)

The percentage of physical memory which will be reclaimed from other types of memory usage to store cached executable data.

vm.execmin (VM_EXECMIN)

The percentage of physical memory which will be always be available for cached executable data.

vm.filemax (VM_FILEMAX)

The percentage of physical memory which will be reclaimed from other types of memory usage to store cached file data.

vm.filemin (VM_FILEMIN)

The percentage of physical memory which will be always be available for cached file data.

vm.loadavg (VM_LOADAVG)

Return the load average history. The returned data consists of a struct loadavg.

vm.maxslp (VM_MAXSLP)

The value of the maxslp kernel global variable.

vm.vmmeter (VM_METER)

Return system wide virtual memory statistics. The returned data consists of a struct vmtotal.

vm.user_va0_disable

A flag which controls whether user processes can map virtual address 0.

vm.uspace (VM_USPACE)

The number of bytes allocated for each kernel stack.

vm.uvmexp (VM_UVMEXP)

Return system wide virtual memory statistics. The returned data consists of a struct uvmexp.

vm.uvmexp2 (VM_UVMEXP2)

Return system wide virtual memory statistics. The returned data consists of a struct uvmexp_sysctl.

The ddb.* subtree (CTL_DDB)

The information available for the ddb level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.

Second level name	Type	Changeable
ddb.radix	integer	yes
ddb.maxoff	integer	yes
ddb.maxwidth	integer	yes
ddb.lines	integer	yes
ddb.tabstops	integer	yes
ddb.onpanic	integer	yes
ddb.fromconsole	integer	yes
ddb.tee_msgbuf	integer	yes
ddb.commandonenter	string	yes

ddb.radix (DDBCTL_RADIX)

The input and output radix.

ddb.maxoff (DDBCTL_MAXOFF)

The maximum symbol offset.

ddb.maxwidth (DDBCTL_MAXWIDTH)

The maximum output line width.

ddb.lines (DDBCTL_LINES)

Number of display lines.

ddb.tabstops (DDBCTL_TABSTOPS)

Tab width.

ddb.onpanic (DDBCTL_ONPANIC)

If greater than zero, DDB will be entered if the kernel panics. A value of 1 causes the system to enter DDB on panic, while a value of 2 causes the kernel to attempt to print out a stack trace before entering DDB. A value of 0 causes the kernel to attempt to print a stack trace, then reboot, while a value of -1 means neither a stack trace will be printed nor DDB entered.

ddb.fromconsole (DDBCTL_FROMCONSOLE)

If not zero, DDB may be entered by sending a break on a serial console or by a special key sequence on a graphics console.

ddb.tee_msgbuf

If not zero, DDB will output also to the kernel message buffer.

ddb.commandonenter

If not empty, a command to be executed on each enter to the DDB.

Some of these MIB nodes are also available as variables from within the debugger. See ddb(4) for more details.

The security.* subtree (CTL_SECURITY)

The security level contains various security-related settings for the system. The available second level names are:

Second level name	Type	Changeable
security.curtain	integer	yes
security.models	node	not applicable
security.pax	node	not applicable

Available settings are detailed below.

security.curtain

If non-zero, will filter return objects according to the user ID requesting information about them, preventing from users any access to objects they do not own.

At the moment, it affects ps(1), netstat(1) (for PF_INET, PF_INET6, and PF_UNIX PCBs), and w(1).

security.models

NetBSD supports pluggable security models. Every security model used, whether if loaded as a module or built with the system, is required to add an entry to this node with at least one element, “name”, indicating the name of the security model.

In addition to the name, any settings and other information private to the security model will be available under this node. See secmodel(9) for more information.

security.pax

Settings for PaX -- exploit mitigation features. For more information on any of the PaX features, please see paxctl(8) and security(7). The available third and fourth level names are:

Third and fourth level names	Type	Changeable
security.pax.aslr.enabled	integer	yes
security.pax.aslr.global	integer	yes
security.pax.mprotect.enabled	integer	yes
security.pax.mprotect.global	integer	yes
security.pax.segvguard.enabled	integer	yes
security.pax.segvguard.expiry_timeout	integer	yes
security.pax.segvguard.global	integer	yes
security.pax.segvguard.max_crashes	integer	yes
security.pax.segvguard.suspend_timeout	integer	yes

security.pax.aslr.enabled

Enable PaX ASLR (Address Space Layout Randomization).

The value of this knob must be non-zero for PaX ASLR to be enabled, even if a program is set to explicit enable.

security.pax.aslr.global

Specifies the default global policy for programs without an explicit enable/disable flag.

When non-zero, all programs will get PaX ASLR, except those exempted with paxctl(8). Otherwise, all programs will not get PaX ASLR, except those specifically marked as such with paxctl(8).

security.pax.mprotect.enabled

Enable PaX MPROTECT restrictions.

These are mprotect(2) restrictions to better enforce a W^X policy. The value of this knob must be non-zero for PaX MPROTECT to be enabled, even if a program is set to explicit enable.

security.pax.mprotect.global

Specifies the default global policy for programs without an explicit enable/disable flag.

When non-zero, all programs will get the PaX MPROTECT restrictions, except those exempted with paxctl(8). Otherwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with paxctl(8).

security.pax.segvguard.enabled

Enable PaX Segvguard.

PaX Segvguard can detect and prevent certain exploitation attempts, where an attacker may try for example to brute-force function return addresses of respawning daemons.

Note: The NetBSD interface and implementation of the Segvguard is still experimental, and may change in future releases.

security.pax.segvguard.expiry_timeout

If the max number was not reached within this timeout (in seconds), the entry will expire.

security.pax.segvguard.global

Specifies the default global policy for programs without an explicit enable/disable flag.

When non-zero, all programs will get the PaX Segvguard, except those exempted with paxctl(8). Otherwise, no program will get the PaX Segvguard restrictions, except those specifically marked as such with paxctl(8).

security.pax.segvguard.max_crashes

The maximum number of segfaults a program can receive before suspension.

security.pax.segvguard.suspend_timeout

Number of seconds to suspend a user from running a faulting program when the limit was exceeded.

The vendor.* subtree (CTL_VENDOR)

The vendor toplevel name is reserved to be used by vendors who wish to have their own private MIB tree. Intended use is to store values under “vendor.<yourname>.*”.