SYSCTL(3) OpenBSD Programmer's Manual SYSCTL(3) NAME sysctl - get or set system information SYNOPSIS #include <sys/param.h> #include <sys/sysctl.h> int sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen); DESCRIPTION The sysctl() function retrieves system information and allows processes with appropriate privileges to set system information. The information available from sysctl() consists of integers, strings, and tables. In- formation may be retrieved and set from the command interface using the sysctl(8) utility. Unless explicitly noted below, sysctl() returns a consistent snapshot of the data requested. Consistency is obtained by locking the destination buffer into memory so that the data may be copied out without blocking. Calls to sysctl() are serialized to avoid deadlock. The state is described using a ``Management Information Base (MIB)'' style name, listed in name, which is a namelen length array of integers. The information is copied into the buffer specified by oldp. The size of the buffer is given by the location specified by oldlenp before the call, and that location gives the amount of data copied after a successful call. If the amount of data available is greater than the size of the buffer supplied, the call supplies as much data as fits in the buffer provided and returns with the error code ENOMEM. If the old value is not desired, oldp and oldlenp should be set to NULL. The size of the available data can be determined by calling sysctl() with a NULL parameter for oldp. The size of the available data will be re- turned in the location pointed to by oldlenp. For some operations, the amount of space may change often. For these operations, the system at- tempts to round up so that the returned size is large enough for a call to return the data shortly thereafter. To set a new value, newp is set to point to a buffer of length newlen from which the requested value is to be taken. If a new value is not to be set, newp should be set to NULL and newlen set to 0. The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and are as follows. The next and subsequent levels down are found in the in- clude files listed here, and described in separate sections below. Name Next level names Description CTL_DEBUG sys/sysctl.h Debugging CTL_FS sys/sysctl.h File system CTL_HW sys/sysctl.h Generic CPU, I/O CTL_KERN sys/sysctl.h High kernel limits CTL_MACHDEP sys/sysctl.h Machine dependent CTL_NET sys/socket.h Networking CTL_USER sys/sysctl.h User-level CTL_VM vm/vm_param.h Virtual memory For example, the following retrieves the maximum number of processes al- lowed in the system: int mib[2], maxproc; size_t len; mib[0] = CTL_KERN; mib[1] = KERN_MAXPROC; len = sizeof(maxproc); sysctl(mib, 2, &maxproc, &len, NULL, 0); To retrieve the standard search path for the system utilities: int mib[2]; size_t len; char *p; mib[0] = CTL_USER; mib[1] = USER_CS_PATH; sysctl(mib, 2, NULL, &len, NULL, 0); p = malloc(len); sysctl(mib, 2, p, &len, NULL, 0); CTL_DEBUG The debugging variables vary from system to system. A debugging variable may be added or deleted without need to recompile sysctl() to know about it. Each time it runs, sysctl() gets the list of debugging variables from the kernel and displays their current values. The system defines twenty struct ctldebug variables named debug0 through debug19. They are declared as separate variables so that they can be individually initial- ized at the location of their associated variable. The loader prevents multiple use of the same variable by issuing errors if a variable is ini- tialized in more than one place. For example, to export the variable dospecialcheck as a debugging variable, the following declaration would be used: int dospecialcheck = 1; struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck }; CTL_FS The string and integer information available for the CTL_FS level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable FS_POSIX_SETUID integer yes FS_POSIX_SETUID When this variable is set, ownership changes on a file will cause the S_ISUID and S_ISGID bits to be cleared. As detailed in securelevel(7), this variable may not be changed if the se- curelevel is > 0. CTL_HW The string and integer information available for the CTL_HW level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable HW_MACHINE string no HW_MODEL string no HW_NCPU integer no HW_BYTEORDER integer no HW_PHYSMEM integer no HW_USERMEM integer no HW_PAGESIZE integer no HW_MACHINE The machine class. HW_MODEL The machine model HW_NCPU The number of CPUs. HW_BYTEORDER The byteorder (4321 or 1234). HW_PHYSMEM The bytes of physical memory. HW_USERMEM The bytes of non-kernel memory. HW_PAGESIZE The software page size. CTL_KERN The string and integer information available for the CTL_KERN level is detailed below. The changeable column shows whether a process with ap- propriate privileges may change the value. The types of data currently available are process information, system vnodes, the open file entries, routing table entries, virtual memory statistics, load average history, and clock rate information. Second level name Type Changeable KERN_ARGMAX integer no KERN_ARND integer no KERN_BOOTTIME struct timeval no KERN_CHOWN_RESTRICTED integer no KERN_CLOCKRATE struct clockinfo no KERN_DOMAINNAME string yes KERN_FILE struct file no KERN_FSYNC integer no KERN_HOSTID integer yes KERN_HOSTNAME string yes KERN_JOB_CONTROL integer no KERN_LINK_MAX integer no KERN_MAXFILES integer yes KERN_MAXPARTITIONS integer no KERN_MAXPROC integer yes KERN_MAXVNODES integer yes KERN_MAX_CANON integer no KERN_MAX_INPUT integer no KERN_NAME_MAX integer no KERN_NGROUPS integer no KERN_NO_TRUNC integer no KERN_NOSUIDCOREDUMP integer yes KERN_OSRELEASE string no KERN_OSREV integer no KERN_OSTYPE string no KERN_PATH_MAX integer no KERN_PIPE_BUF integer no KERN_POSIX1 integer no KERN_PROC struct proc no KERN_PROF node not applicable KERN_RAWPARTITION integer no KERN_RND struct rndstats no KERN_SAVED_IDS integer no KERN_SECURELVL integer raise only KERN_SYSVMSG integer no KERN_SYSVSEM integer no KERN_SYSVSHM integer no KERN_VDISABLE integer no KERN_VERSION string no KERN_VNODE struct vnode no KERN_MALLOCSTATS node not applicable KERN_ARGMAX The maximum bytes of argument to exec(2). KERN_ARND Returns a random integer from the kernel arc4random() function. This can be useful if /dev/arandom is not available (see random(4)). KERN_BOOTTIME A struct timeval structure is returned. This structure contains the time that the system was booted. KERN_CHOWN_RESTRICTED Return 1 if appropriate privileges are required for the chown(2) system call, otherwise 0. KERN_CLOCKRATE A struct clockinfo structure is returned. This structure con- tains the clock, statistics clock and profiling clock frequen- cies, the number of micro-seconds per hz tick, and the clock skew rate. KERN_DOMAINNAME Get or set the YP domain name. KERN_FILE Return the entire file table. The returned data consists of a single struct filehead followed by an array of struct file, whose size depends on the current number of such objects in the system. KERN_FSYNC Return 1 if the File Synchronisation Option is available on this system, otherwise 0. KERN_HOSTID Get or set the host ID. KERN_HOSTNAME Get or set the hostname. KERN_JOB_CONTROL Return 1 if job control is available on this system, otherwise 0. KERN_LINK_MAX The maximum file link count. KERN_MAXFILES The maximum number of open files that may be open in the system. KERN_MAXPARTITIONS The maximum number of partitions allowed per disk. KERN_MAXPROC The maximum number of simultaneous processes the system will al- low. KERN_MAXVNODES The maximum number of vnodes available on the system. KERN_MAX_CANON The maximum number of bytes in terminal canonical input line. KERN_MAX_INPUT The minimum maximum number of bytes for which space is available in a terminal input queue. KERN_NAME_MAX The maximum number of bytes in a file name. KERN_NGROUPS The maximum number of supplemental groups. KERN_NO_TRUNC Return 1 if file names longer than KERN_NAME_MAX are truncated. KERN_NOSUIDCOREDUMP Programs with their set-user-ID bit set will not dump core when this is set. KERN_OSRELEASE The system release string. KERN_OSREV The system revision number. KERN_OSTYPE The system type string. KERN_PATH_MAX The maximum number of bytes in a pathname. KERN_PIPE_BUF The maximum number of bytes which will be written atomically to a pipe. KERN_POSIX1 The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply. KERN_PROC Return the entire process table, or a subset of it. An array of struct kinfo_proc structures is returned, whose size depends on the current number of such objects in the system. The third and fourth level names are as follows: Third level name Fourth level is: KERN_PROC_ALL None KERN_PROC_PID A process ID KERN_PROC_PGRP A process group KERN_PROC_TTY A tty device KERN_PROC_UID A user ID KERN_PROC_RUID A real user ID KERN_MALLOCSTATS Return kernel memory bucket statistics. The third level names are detailed below. There are no changeable values in this branch. Third level name Type KERN_MALLOC_BUCKETS string KERN_MALLOC_BUCKET node The variables are as follows: KERN_MALLOC_BUCKETS Return a comma-separated list of the bucket sizes used by the kernel. KERN_MALLOC_BUCKET.<size> A node containing the statistics for the memory bucket of the specified size (in decimal notation, the number of bytes per bucket element, e.g., 16, 32, 128). Each node returns a struct kmembuckets. If a value is specified that does not correspond directly to a bucket size, the statistics for the closest larger bucket size will be returned instead. Note that bucket sizes are typically powers of 2. KERN_PROF Return profiling information about the kernel. If the kernel is not compiled for profiling, attempts to retrieve any of the KERN_PROF values will fail with EOPNOTSUPP. The third level names for the string and integer profiling information is detailed be- low. The changeable column shows whether a process with appro- priate privileges may change the value. Third level name Type Changeable GPROF_STATE integer yes GPROF_COUNT u_short[] yes GPROF_FROMS u_short[] yes GPROF_TOS struct tostruct yes GPROF_GMONPARAM struct gmonparam no The variables are as follows: GPROF_STATE Returns GMON_PROF_ON or GMON_PROF_OFF to show that pro- filing is running or stopped. GPROF_COUNT Array of statistical program counter counts. GPROF_FROMS Array indexed by program counter of call-from points. GPROF_TOS Array of struct tostruct describing destination of calls and their counts. GPROF_GMONPARAM Structure giving the sizes of the above arrays. KERN_RAWPARTITION The raw partition of a disk (a == 0). KERN_RND Returns statistics about the /dev/random device in a struct rndstats structure. KERN_SAVED_IDS Returns 1 if saved set-group-ID and saved set-user-ID are avail- able. KERN_SECURELVL The system security level. This level may be raised by processes with appropriate privileges. It may only be lowered by process 1. KERN_SYSVMSG Returns 1 if System V style message queue functionality is avail- able on this system, otherwise 0. KERN_SYSVSEM Returns 1 if System V style semaphore functionality is available on this system, otherwise 0. KERN_SYSVSHM Returns 1 if System V style share memory functionality is avail- able on this system, otherwise 0. KERN_VDISABLE Returns the terminal character disabling value. KERN_VERSION The system version string. KERN_VNODE Return the entire vnode table. Note, the vnode table is not nec- essarily a consistent snapshot of the system. The returned data consists of an array whose size depends on the current number of such objects in the system. Each element of the array contains the kernel address of a vnode struct vnode * followed by the vn- ode itself struct vnode. CTL_MACHDEP The set of variables defined is architecture dependent. Most architec- tures define at least the following variables. Second level name Type Changeable CPU_CONSDEV dev_t no CTL_NET The string and integer information available for the CTL_NET level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable PF_ROUTE routing messages no PF_INET IPv4 values yes PF_INET6 IPv6 values yes PF_ROUTE Return the entire routing table or a subset of it. The data is returned as a sequence of routing messages (see route(4) for the header file, format, and meaning). The length of each message is contained in the message header. The third level name is a protocol number, which is currently al- ways 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows: Fifth level name Sixth level is: NET_RT_FLAGS rtflags NET_RT_DUMP None NET_RT_IFLIST None PF_INET Get or set various global information about IPv4 (Internet Protocol version 4). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: Protocol name Variable name Type Changeable ip forwarding integer yes ip redirect integer yes ip ttl integer yes ip sourceroute integer yes ip directed-broadcast integer yes ip portfirst integer yes ip portlast integer yes ip porthifirst integer yes ip porthilast integer yes ip maxqueue integer yes ip encdebug integer yes ip ipsec-invalid-life integer yes ip ipsec-pfs integer yes ip ipsec-soft-allocs integer yes ip ipsec-allocs integer yes ip ipsec-soft-bytes integer yes ip ipsec-bytes integer yes ip ipsec-timeout integer yes ip ipsec-soft-timeout integer yes ip ipsec-soft-firstuse integer yes ip ipsec-firstuse integer yes ip ipsec-enc-alg string yes ip ipsec-auth-alg string yes ip ipsec-expire-acquire integeryes ip mtudisc integer yes ip mtudisctimeout integer yes icmp maskrepl integer yes icmp bmcastecho integer yes icmp errppslimit integer yes ipip allow integer yes tcp rfc1323 integer yes tcp ident structure no tcp keepinittime integer yes tcp keepidle integer yes tcp keepintvl integer yes tcp slowhz integer yes tcp baddynamic array yes tcp recvspace integer yes tcp sendspace integer yes tcp sack integer yes tcp mssdflt integer yes tcp rstppslimit integer yes udp checksum integer yes udp baddynamic array yes udp recvspace integer yes udp sendspace integer yes gre allow integer yes esp enable integer yes ah enable integer yes mobileip allow integer yes etherip allow integer yes The variables are as follows: ip.forwarding Returns 1 when IP forwarding is enabled for the host, in- dicating the host is acting as a router. ip.redirect Returns 1 when ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems. ip.ttl The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to nor- mal transport protocols, not to ICMP. ip.sourceroute Returns 1 when forwarding of source-routed packets is en- abled for the host. This value may only be changed if the kernel security level is less than 1. ip.directed-broadcast Returns 1 if directed broadcast behavior is enabled for the host. ip.encdebug Returns 1 when error message reporting is enabled for the host. If the kernel has been compiled with the ENCDEBUG option, then debugging information will also be reported when this variable is set. ip.ipsec-invalid-life The lifetime of embryonic Security Associations (SAs that key management daemons have reserved but not fully estab- lished yet) in seconds. If set to less than or equal to zero, embryonic SAs will not expire. The default value is 60. ip.ipsec-pfs If set to any non-zero value, the kernel will ask the key management daemons to use Perfect Forward Secrecy when establishing IPsec Security Associations. Perfect For- ward Secrecy makes IPsec Security Associations crypto- graphically distinct from each other, such that breaking the key for one such SA does not compromise any others. Requiring PFS for every security association significant- ly increases the computational load of isakmpd(8) ex- changes. The default value is 1. ip.ipsec-soft-allocs The number of IPsec flows that can use a security associ- ation before a message is sent by the kernel to key man- agement for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0. ip.ipsec-allocs The number of IPsec flows that can use a security associ- ation before it will expire. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0. ip.ipsec-soft-bytes The number of bytes that will be processed by a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0. ip.ipsec-bytes The number of bytes that will be processed by a security association before it will expire. If set to less than or equal to zero, the security association will not ex- pire because of this counter. The default value is 0. ip.ipsec-soft-timeout The number of seconds after a security association is es- tablished before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 80000 seconds. ip.ipsec-timeout The number of seconds after a security association is es- tablished before it will expire. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 86400 sec- onds. ip.ipsec-soft-firstuse The number of seconds after a security association is first used before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 3600 seconds. ip.ipsec-firstuse The number of seconds after a security association is first use before it will expire. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 7200 sec- onds. ip.ipsec-enc-alg This is the default encryption algorithm the kernel will instruct key management daemons to negotiate when estab- lishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(3), or as a result of dynamic vpn(8) entries. Supported values are des, 3des, blowfish, cast128, and skipjack. If set to any other value, it is left to the key management daemons to select an encryption algorithm for the security association. The default value is 3des. ip.ipsec-auth-alg This is the default authentication algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the ker- nel. Such security associations can occur as a result of a process having requested some security level through setsockopt(3), or as a result of dynamic vpn(8) entries. Supported values are hmac-md5, hmac-sha1, and hmac- ripemd160. If set to any other value, it is left to the key management daemons to select an authentiction algo- rithm for the security association. The default value is hmac-sha1. ip.ipsec-expire-acquire How long should the kernel allow key management to dynam- ically acquire security associations, before re-sending a request. The default value is 30 seconds. ip.ipsec-keep-invalid How long half-created security associations should be kept by the kernel (these are created by key management daemons while negotiating). The default value is 60 sec- onds. ip.mtudisc Returns 1 if Path MTU Discovery is enabled. ip.mtudisctimeout Returns the number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will at- tempt to probe a larger path MTU. ipip.allow If set to 0, incoming IP-in-IP packets will not be pro- cessed. If set to any other value, processing will oc- cur; furthermore, if set to 2, no checks for spoofing of loopback addresses will be done. This is useful only for debugging purposes, and should never be used in produc- tion systems. gre.allow If set to 0, incoming GRE packets will not be processed. If set to any other value, processing will occur. mobileip.allow If set to 0, incoming MobileIP encapsulated packets (RFC 2004) will not be processed. If set to any other value, processing will occur. etherip.allow If set to 0, incoming Ethernet-in-IPv4 packets will not be processed. If set to any other value, processing will occur. icmp.maskrepl Returns 1 if ICMP network mask requests are to be an- swered. icmp.errppslimit The variable specifies the maximum number of outgoing ICMP error messages per second. ICMP error messages that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limitation. tcp.rfc1323 Returns 1 if RFC1323 extensions to TCP are enabled. tcp.baddynamic An array of in_port_t is returned specifying the bitmask of TCP ports between 512 and 1023 inclusive that should not be allocated dynamically by the kernel (i.e., they must be bound specifically by port number). tcp.ident A structure struct tcp_ident_mapping specifying a local and foreign endpoint of a TCP socket is filled in with the euid and ruid of the process that owns the socket. If no such socket exists then the euid and ruid values are both set to -1. tcp.keepidle If the socket option SO_KEEPALIVE has been set, time a connection needs to be idle before keepalives are sent. See also tcp.slowhz. tcp.keepintvl Time after a keepalive probe is sent until, in the ab- sence of any response, another probe is sent. See also tcp.slowhz. tcp.slowhz The units for tcp.keepidle and tcp.keepintvl; those vari- ables are in ticks of a clock that ticks tcp.slowhz times per second. (That is, their values must be divided by the tcp.slowhz value to get times in seconds.) tcp.sendspace Returns the default TCP send buffer size. tcp.recvspace Returns the default TCP receive buffer size. tcp.sack Returns 1 if RFC2018 Selective Acknowledgements are en- abled. tcp.mssdflt The maximum segment size that is used as default for non- local connections. The default value is 512. tcp.rstppslimit The variable specifies the maximum number of outgoing TCP RST packets per second. TCP RST packet that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limitation. udp.checksum Returns 1 when UDP checksums are being computed and checked. Disabling UDP checksums is strongly discour- aged. udp.baddynamic Analogous to tcp.baddynamic but for UDP sockets. udp.sendspace Returns the default UDP send buffer size. udp.recvspace Returns the default UDP receive buffer size. PF_INET6 Get or set various global information about IPv6 (Internet Protocol version 6). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: Protocol name Variable name Type Changeable ip6 forwarding integer yes ip6 redirect integer yes ip6 hlim integer yes ip6 maxfragpackets integer yes ip6 accept_rtadv integer yes ip6 keepfaith integer yes ip6 log_interval integer yes ip6 hdrnestlimit integer yes ip6 dad_count integer yes ip6 auto_flowlabel integer yes ip6 defmcasthlim integer yes ip6 kame_version string no ip6 use_deprecated integer yes ip6 rr_prune integer yes icmp6 rediraccept integer yes icmp6 redirtimeout integer yes icmp6 nd6_prune integer yes icmp6 nd6_delay integer yes icmp6 nd6_umaxtries integer yes icmp6 nd6_mmaxtries integer yes icmp6 nd6_useloopback integer yes icmp6 nodeinfo integer yes icmp6 errppslimit integer yes icmp6 nd6_maxnudhint integer yes icmp6 mtudisc_hiwat integer yes icmp6 mtudisc_lowat integer yes icmp6 nd6_debug integer yes The variables are as follows: ip6.forwarding Returns 1 when IPv6 forwarding is enabled for the node, meaning that the node is acting as a router. Returns 0 when IPv6 forwarding is disabled for the node, meaning that the node is acting as a host. Note that IPv6 de- fines node behavior for the ``router'' and ``host'' cases quite differently, and changing this variable during op- eration may cause serious trouble. Hence, this variable should only be set at bootstrap time. ip6.redirect Returns 1 when ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems. ip6.hlim The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overrid- ing this value are documented in ip6(4). ip6.maxfragpackets The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any frag- mented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is pro- vided basically for avoiding possible DoS attacks. ip6.accept_rtadv If set to non-zero, the node will accept ICMPv6 router advertisement packets and autoconfigures address prefixes and default routers. The node must be a host (not a router) for the option to be meaningful (see ip6.forwarding). ip6.keepfaith If set to non-zero, enables the ``FAITH'' TCP relay IPv6-to-IPv4 translator code in the kernel. Refer to faith(4) and faithd(8) for more details. ip6.log_interval This variable permits adjusting the amount of logs gener- ated by the IPv6 packet forwarding engine. The value in- dicates the number of seconds of interval which must elapse between log output. ip6.hdrnestlimit The number of IPv6 extension headers permitted on incom- ing IPv6 packets. If set to 0, the node will accept as many extension headers as possible. ip6.dad_count The variable configures the number of IPv6 DAD (duplicated address detection) probe packets. These packets are generated when IPv6 interfaces are first brought up. ip6.auto_flowlabel On connected transport protocol packets, fill IPv6 flowlabel field to help intermediate routers identify packet flows. ip6.defmcasthlim The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overrid- ing this value are documented in ip6(4). ip6.kame_version The string identifies the version of the KAME IPv6 stack implemented in the kernel. ip6.use_deprecated The variable controls use of deprecated addresses, speci- fied in RFC2462 5.5.4. ip6.rr_prune The variable specifies interval between IPv6 router renumbering prefix babysitting in seconds. icmp6.rediraccept If set to non-zero, the host will accept ICMPv6 redirect packets. Note that IPv6 routers will never accept ICMPv6 redirect packets, so the variable is only meaningful on IPv6 hosts, not on routers. icmp6.redirtimeout The variable specifies the lifetime of routing entries generated by incoming ICMPv6 redirects. icmp6.nd6_prune The variable specifies interval between IPv6 neighbor cache babysitting in seconds. icmp6.nd6_delay The variable specifies DELAY_FIRST_PROBE_TIME timing con- stant in IPv6 neighbor discovery specification (RFC2461), in seconds. icmp6.nd6_umaxtries The variable specifies MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC2461). icmp6.nd6_mmaxtries The variable specifies MAX_MULTICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC2461). icmp6.nd6_useloopback If set to non-zero, IPv6 will use the loopback interface for local traffic. icmp6.nodeinfo The variable enables responses to ICMPv6 node information queries. If you set the variable to 0, reponses will not be generated for ICMPv6 node information queries. Since node information queries can have a security impact, it is possible to fine tune which responses should be an- swered. Two seperate bits can be set. 1 Respond to ICMPv6 FQDN queries, e.g. ping6 -w. 2 Respond to ICMPv6 node addresses queries, e.g. ping6 -a. icmp6.errppslimit The variable specifies the maximum number of outgoing ICMPv6 error messages per second. ICMPv6 error messages that exceeded the value is subject to rate limitation and will not go out from the node. A negative value will disable the rate limitation. icmp6.nd6_maxnudhint IPv6 neighbor discovery permits upper layer protocols to supply reachability hints, to avoid unnecessary neighbor discovery exchanges. The variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor dis- covery can take take a maximum of 3 consecutive hints. After receiving 3 hints, the neighbor discovery layer will instead perform the normal neighbor discovery pro- cess. icmp6.mtudisc_hiwat icmp6.mtudisc_lowat These variables define the maximum number of routing table entries, created due to path MTU discovery (preventing denial-of-service attacks with ICMPv6 too big messages). After IPv6 path MTU discovery happens, path MTU information is kept in the routing table. If the number of routing table entries exceed the value, the kernel will not attempt to keep the path MTU information. icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected pcbs. Negative value disables the upper limit. icmp6.nd6_debug If set to non-zero, IPv6 neighbor discovery will generate debugging messages. The debug outputs are useful for di- agnosing IPv6 interoperability issues. The flag must be set to 0 for normal operation. We reuse net.inet.tcp and net.inet.udp for TCP/UDP over IPv6. CTL_USER The string and integer information available for the CTL_USER level is detailed below. The changeable column shows whether a process with ap- propriate privileges may change the value. Second level name Type Changeable USER_BC_BASE_MAX integer no USER_BC_DIM_MAX integer no USER_BC_SCALE_MAX integer no USER_BC_STRING_MAX integer no USER_COLL_WEIGHTS_MAX integer no USER_CS_PATH string no USER_EXPR_NEST_MAX integer no USER_LINE_MAX integer no USER_POSIX2_CHAR_TERM integer no USER_POSIX2_C_BIND integer no USER_POSIX2_C_DEV integer no USER_POSIX2_FORT_DEV integer no USER_POSIX2_FORT_RUN integer no USER_POSIX2_LOCALEDEF integer no USER_POSIX2_SW_DEV integer no USER_POSIX2_UPE integer no USER_POSIX2_VERSION integer no USER_RE_DUP_MAX integer no USER_STREAM_MAX integer no USER_TZNAME_MAX integer no USER_BC_BASE_MAX The maximum ibase/obase values in the bc(1) utility. USER_BC_DIM_MAX The maximum array size in the bc(1) utility. USER_BC_SCALE_MAX The maximum scale value in the bc(1) utility. USER_BC_STRING_MAX The maximum string length in the bc(1) utility. USER_COLL_WEIGHTS_MAX The maximum number of weights that can be assigned to any entry of the LC_COLLATE order keyword in the locale definition file. USER_CS_PATH Return a value for the PATH environment variable that finds all the standard utilities. USER_EXPR_NEST_MAX The maximum number of expressions that can be nested within parenthesis by the expr(1) utility. USER_LINE_MAX The maximum length in bytes of a text-processing utility's input line. USER_POSIX2_CHAR_TERM Return 1 if the system supports at least one terminal type capa- ble of all operations described in POSIX 1003.2, otherwise 0. USER_POSIX2_C_BIND Return 1 if the system's C-language development facilities sup- port the C-Language Bindings Option, otherwise 0. USER_POSIX2_C_DEV Return 1 if the system supports the C-Language Development Utili- ties Option, otherwise 0. USER_POSIX2_FORT_DEV Return 1 if the system supports the FORTRAN Development Utilities Option, otherwise 0. USER_POSIX2_FORT_RUN Return 1 if the system supports the FORTRAN Runtime Utilities Op- tion, otherwise 0. USER_POSIX2_LOCALEDEF Return 1 if the system supports the creation of locales, other- wise 0. USER_POSIX2_SW_DEV Return 1 if the system supports the Software Development Utili- ties Option, otherwise 0. USER_POSIX2_UPE Return 1 if the system supports the User Portability Utilities Option, otherwise 0. USER_POSIX2_VERSION The version of POSIX 1003.2 with which the system attempts to comply. USER_RE_DUP_MAX The maximum number of repeated occurrences of a regular expres- sion permitted when using interval notation. USER_STREAM_MAX The maximum number of streams that a process may have open at any one time. USER_TZNAME_MAX The minimum maximum number of types supported for the name of a timezone. CTL_DDB Integer information and settable variables are available for the CTL_DDB level, as described below. More information is also available in ddb(4). Second level name Type Changeable DBCTL_RADIX integer yes DBCTL_MAXWIDTH integer yes DBCTL_TABSTOP integer yes DBCTL_PANIC integer yes DBCTL_CONSOLE integer yes DBCTL_RADIX Determines the default radix or base for non-prefixed numbers en- tered into ddb(4). This variable is also available as the ddb $radix variable. DBCTL_MAXWIDTH Determines the maximum width of a line in ddb(4). This variable is also available as the ddb $maxwidth variable. DBCTL_TABSTOP Width of a tab stop in ddb(4). This variable is also available as the ddb $tabstops variable. DBCTL_PANIC When this variable is set, system panics may drop into the kernel debugger. As described in securelevel(7), a security level greater than 1 blocks modification of this variable. ddb(4). DBCTL_CONSOLE When this variable is set, an architecture dependent magic key sequence on the console or a debugger button will permit entry into the kernel debugger. As described in securelevel(7), a se- curity level greater than 1 blocks modification of this variable. CTL_VM The string and integer information available for the CTL_VM level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable VM_LOADAVG struct loadavg no VM_METER struct vmtotal no VM_SWAPENCRYPT swap encrypt values yes VM_LOADAVG Return the load average history. The returned data consists of a struct loadavg. VM_METER Return the system wide virtual memory statistics. The returned data consists of a struct vmtotal. VM_SWAPENCRYPT Contains statistics about swap encryption. The string and inte- ger information available for the third level is detailed below. Third level name Type Changeable SWPENC_ENABLE integer yes SWPENC_CREATED integer no SWPENC_DELETED integer no SWPENC_ENABLE Set to 1 to enable swap encryption for all processes. A 0 disables swap encryption. Pages still on swap receive a grandfather clause. Turning this option on does not affect legacy swap data already on the disk, but all new- ly written data will be encrypted. When swap encryption is turned on, automatic crash(8) dumps are disabled. SWPENC_CREATED The number of encryption keys that have been randomly created. The swap partition is divided into sections of normally 512KB. Each section has its own encryption key. SWPENC_DELETED The number of encryption keys that have been deleted, thus effectivly erasing the data that has been encrypted with them. Encryption keys are deleted when their refer- ence counter reaches zero. CTL_VFS The string and integer information available for the CTL_VFS level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable VFS_GENERIC vm generic info no filesystem # filesystem info no VFS_GENERIC This second level identifier requests generic information about the vfs layer. Within it, the following third level identifiers exist: Third level name Type Changeable VFS_MAXTYPENUM int no VFS_CONF struct vfsconf no filesystem # After finding the filesystem dependent vfc_typenum using VFS_GENERIC with VFS_CONF, it is possible to access filesystem dependent information. Some filesystems may contain settings. ffs Third level name Type Changeable FFS_CLUSTERREAD int yes FFS_CLUSTERWRITE int yes FFS_REALLOCBLOCKS int yes FFS_ASYNCFREE int yes nfs Third level name Type Changeable NFS_NFSSTATS struct nfsstats yes NFS_NIOTHREADS int yes RETURN VALUES If the call to sysctl() is unsuccessful, -1 is returned and errno is set appropriately. ERRORS The following errors may be reported: [EFAULT] The buffer name, oldp, newp, or length pointer oldlenp con- tains an invalid address. [EINVAL] The name array is less than two or greater than CTL_MAXNAME. [EINVAL] A non-null newp pointer is given and its specified length in newlen is too large or too small. [ENOMEM] The length pointed to by oldlenp is too short to hold the requested value. [ENOTDIR] The name array specifies an intermediate rather than termi- nal name. [EOPNOTSUPP] The name array specifies a value that is unknown. [EPERM] An attempt is made to set a read-only value. [EPERM] A process without appropriate privileges attempts to set a value. [EPERM] An attempt to change a value protected by the current ker- nel security level is made. FILES <sys/sysctl.h> definitions for top level identifiers, second level kernel and hardware identifiers, and user level identifiers <sys/socket.h> definitions for second level network identi- fiers <sys/gmon.h> definitions for third level profiling identi- fiers <vm/vm_param.h> definitions for second level virtual memory identifiers <uvm/uvm_swap_encrypt.h> definitions for third level virtual memory identifiers <netinet/in.h> definitions for third level IPv4/v6 identifiers and fourth level IP and IPv6 identifiers <netinet/icmp_var.h> definitions for fourth level ICMP identifiers <netinet/icmp6.h> definitions for fourth level ICMPv6 identifiers <netinet/tcp_var.h> definitions for fourth level TCP identifiers <netinet/udp_var.h> definitions for fourth level UDP identifiers SEE ALSO sysctl(8) HISTORY The sysctl() function first appeared in 4.4BSD. OpenBSD 2.9 June 4, 1993 20