SYSCTL(3) OpenBSD Programmer's Manual SYSCTL(3) NAME sysctl - get or set system information SYNOPSIS #include <sys/param.h> #include <sys/sysctl.h> int sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen); DESCRIPTION The sysctl() function retrieves system information and allows processes with appropriate privileges to set system information. The information available from sysctl() consists of integers, strings, and tables. In- formation may be retrieved and set from the command interface using the sysctl(8) utility. Unless explicitly noted below, sysctl() returns a consistent snapshot of the data requested. Consistency is obtained by locking the destination buffer into memory so that the data may be copied out without blocking. Calls to sysctl() are serialized to avoid deadlock. The state is described using a ``Management Information Base (MIB)'' style name, listed in name, which is a namelen length array of integers. The information is copied into the buffer specified by oldp. The size of the buffer is given by the location specified by oldlenp before the call, and that location gives the amount of data copied after a successful call. If the amount of data available is greater than the size of the buffer supplied, the call supplies as much data as fits in the buffer provided and returns with the error code ENOMEM. If the old value is not desired, oldp and oldlenp should be set to NULL. The size of the available data can be determined by calling sysctl() with a NULL parameter for oldp. The size of the available data will be re- turned in the location pointed to by oldlenp. For some operations, the amount of space may change often. For these operations, the system at- tempts to round up so that the returned size is large enough for a call to return the data shortly thereafter. To set a new value, newp is set to point to a buffer of length newlen from which the requested value is to be taken. If a new value is not to be set, newp should be set to NULL and newlen set to 0. The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and are as follows. The next and subsequent levels down are found in the in- clude files listed here, and described in separate sections below. Name Next level names Description CTL_DDB ddb/db_var.h Kernel debugger CTL_DEBUG sys/sysctl.h Debugging CTL_FS sys/sysctl.h File system CTL_HW sys/sysctl.h Generic CPU, I/O CTL_KERN sys/sysctl.h High kernel limits CTL_MACHDEP sys/sysctl.h Machine dependent CTL_NET sys/socket.h Networking CTL_USER sys/sysctl.h User-level CTL_VFS ufs/ffs/ffs_extern.h Virtual file system CTL_VM uvm/uvm_param.h Virtual memory For example, the following retrieves the maximum number of processes al- lowed in the system: int mib[2], maxproc; size_t len; mib[0] = CTL_KERN; mib[1] = KERN_MAXPROC; len = sizeof(maxproc); sysctl(mib, 2, &maxproc, &len, NULL, 0); To retrieve the standard search path for the system utilities: int mib[2]; size_t len; char *p; mib[0] = CTL_USER; mib[1] = USER_CS_PATH; sysctl(mib, 2, NULL, &len, NULL, 0); p = malloc(len); sysctl(mib, 2, p, &len, NULL, 0); CTL_DDB Integer information and settable variables are available for the CTL_DDB level, as described below. More information is also available in ddb(4). Second level name Type Changeable DBCTL_CONSOLE integer yes DBCTL_LOG integer yes DBCTL_MAXLINE integer yes DBCTL_MAXWIDTH integer yes DBCTL_PANIC integer yes DBCTL_RADIX integer yes DBCTL_TABSTOP integer yes DBCTL_CONSOLE When this variable is set, an architecture dependent magic key sequence on the console or a debugger button will permit entry into the kernel debugger. As described in securelevel(7), a se- curity level greater than 1 blocks modification of this variable. DBCTL_LOG When set, ddb output is also logged in the kernel message buffer. DBCTL_MAXLINE Determines the number of lines to page in ddb(4). This variable is also available as the ddb $lines variable. DBCTL_MAXWIDTH Determines the maximum width of a line in ddb(4). This variable is also available as the ddb $maxwidth variable. DBCTL_PANIC When this variable is set, system panics may drop into the kernel debugger. As described in securelevel(7), a security level greater than 1 blocks modification of this variable. DBCTL_RADIX Determines the default radix or base for non-prefixed numbers en- tered into ddb(4). This variable is also available as the ddb $radix variable. DBCTL_TABSTOP Width of a tab stop in ddb(4). This variable is also available as the ddb $tabstops variable. CTL_DEBUG The debugging variables vary from system to system. A debugging variable may be added or deleted without need to recompile sysctl() to know about it. Each time it runs, sysctl() gets the list of debugging variables from the kernel and displays their current values. The system defines twenty struct ctldebug variables named debug0 through debug19. They are declared as separate variables so that they can be individually initial- ized at the location of their associated variable. The loader prevents multiple use of the same variable by issuing errors if a variable is ini- tialized in more than one place. For example, to export the variable dospecialcheck as a debugging variable, the following declaration would be used: int dospecialcheck = 1; struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck }; CTL_FS The string and integer information available for the CTL_FS level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable FS_POSIX_SETUID integer yes FS_POSIX_SETUID When this variable is set, ownership changes on a file will cause the S_ISUID and S_ISGID bits to be cleared. As detailed in securelevel(7), this variable may not be changed if the se- curelevel is > 0. CTL_HW The string and integer information available for the CTL_HW level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable HW_BYTEORDER integer no HW_DISKCOUNT integer no HW_DISKNAMES string no HW_DISKSTATS struct no HW_MACHINE string no HW_MODEL string no HW_NCPU integer no HW_PAGESIZE integer no HW_PHYSMEM integer no HW_SENSORS struct no HW_USERMEM integer no HW_BYTEORDER The byteorder (4321 or 1234). HW_DISKCOUNT The number of disks currently attached to the system. HW_DISKNAMES A comma-separated list of disk names. HW_DISKSTATS An array of struct diskstats structures containing disk statis- tics. HW_MACHINE The machine class. HW_MODEL The machine model. HW_NCPU The number of CPUs. HW_PAGESIZE The software page size. HW_PHYSMEM The bytes of physical memory. HW_SENSORS An array of struct sensor structures containing information from the hardware monitoring sensors. HW_USERMEM The bytes of non-kernel memory. CTL_KERN The string and integer information available for the CTL_KERN level is detailed below. The changeable column shows whether a process with ap- propriate privileges may change the value. The types of data currently available are process information, system vnodes, the open file entries, routing table entries, virtual memory statistics, load average history, and clock rate information. Second level name Type Changeable KERN_ARGMAX integer no KERN_ARND integer no KERN_BOOTTIME struct timeval no KERN_CCPU integer no KERN_CLOCKRATE struct clockinfo no KERN_CPTIME long[CPUSTATES] no KERN_CRYPTODEVALLOWSOFT integer yes KERN_DOMAINNAME string yes KERN_EMUL node not applicable KERN_FILE struct file no KERN_FORKSTAT struct forkstat no KERN_FSCALE integer no KERN_FSYNC integer no KERN_HOSTID integer yes KERN_HOSTNAME string yes KERN_INTRCNT node not applicable KERN_JOB_CONTROL integer no KERN_MALLOCSTATS node no KERN_MAXFILES integer yes KERN_MAXPARTITIONS integer no KERN_MAXPROC integer yes KERN_MAXVNODES integer yes KERN_MBSTAT struct mbstat no KERN_MSGBUF char[] no KERN_MSGBUFSIZE integer no KERN_NCHSTATS struct nchstats no KERN_NFILES integer no KERN_NGROUPS integer no KERN_NOSUIDCOREDUMP integer yes KERN_NPROCS integer no KERN_NSELCOLL integer no KERN_NUMVNODES integer no KERN_OSRELEASE string no KERN_OSREV integer no KERN_OSTYPE string no KERN_OSVERSION string no KERN_POSIX1 integer no KERN_PROC struct proc no KERN_PROC_ARGS node not applicable KERN_PROF node not applicable KERN_RAWPARTITION integer no KERN_RND struct rndstats no KERN_SAVED_IDS integer no KERN_SECURELVL integer raise only KERN_SEMINFO node not applicable KERN_SHMINFO node not applicable KERN_SOMAXCONN integer yes KERN_SOMINCONN integer yes KERN_SPLASSERT int yes KERN_STACKGAPRANDOM integer yes KERN_SYSVIPC_INFO node not applicable KERN_SYSVMSG integer no KERN_SYSVSEM integer no KERN_SYSVSHM integer no KERN_TTY node not applicable KERN_TTYCOUNT integer no KERN_USERASYMCRYPTO integer yes KERN_USERCRYPTO integer yes KERN_USERMOUNT integer yes KERN_VERSION string no KERN_VNODE struct vnode no KERN_WATCHDOG node not applicable KERN_ARGMAX The maximum bytes of argument to exec(3). KERN_ARND Returns a random integer from the kernel arc4random() function. This can be useful if /dev/arandom is not available (see random(4)). KERN_BOOTTIME A struct timeval structure is returned. This structure contains the time that the system was booted. KERN_CCPU The scheduler exponential decay value. KERN_CLOCKRATE A struct clockinfo structure is returned. This structure con- tains the clock, statistics clock and profiling clock frequen- cies, the number of micro-seconds per hz tick, and the clock skew rate. KERN_CPTIME An array of longs of size CPUSTATES is returned, containing statistics about the number of ticks spent by the system in in- terrupt processing, user processes (niced or normal), system pro- cessing, or idling. KERN_CRYPTODEVALLOWSOFT Permits userland to use /dev/crypto even if there is no hardware crypto accelerator in the system. KERN_DOMAINNAME Get or set the YP domain name. KERN_EMUL Enable binary emulation. Third level name Type Changeable KERN_EMUL_ENABLED integer yes KERN_EMUL_NAME string yes KERN_EMUL_NEMULS integer no Third level names in KERN_EMUL other than KERN_EMUL_NEMULS refer to a specific emulation available in the kernel. Valid values range from 1 to the return value of KERN_EMUL_NEMULS. The fourth level names available are KERN_EMUL_NAME, which returns a string with the emulation name, and KERN_EMUL_ENABLED, which is an ad- justable integer. Note that using this interface exposes duplicate entries which are consolidated by the userland frontend. KERN_FILE Return the entire file table. The returned data consists of a single struct filehead followed by an array of struct file, whose size depends on the current number of such objects in the system. KERN_FORKSTAT A struct forkstat structure is returned. This structure contains information about the number of fork(2), vfork(2), and rfork(2) system calls as well as kernel thread creations since system startup, and the number of pages of virtual memory involved in each. KERN_FSCALE The kernel fixed-point scale factor. KERN_FSYNC Return 1 if the File Synchronisation Option is available on this system, otherwise 0. KERN_HOSTID Get or set the host ID. KERN_HOSTNAME Get or set the hostname. KERN_JOB_CONTROL Return 1 if job control is available on this system, otherwise 0. KERN_MALLOCSTATS Return kernel memory bucket statistics. The third level names are detailed below. There are no changeable values in this branch. Third level name Type KERN_MALLOC_BUCKET node KERN_MALLOC_BUCKETS string KERN_MALLOC_KMEMNAMES string KERN_MALLOC_KMEMSTATS node The variables are as follows: KERN_MALLOC_BUCKET.<size> A node containing the statistics for the memory bucket of the specified size (in decimal notation, the number of bytes per bucket element, e.g., 16, 32, 128). Each node returns a struct kmembuckets. If a value is specified that does not correspond directly to a bucket size, the statistics for the closest larger bucket size will be returned instead. Note that bucket sizes are typically powers of 2. KERN_MALLOC_BUCKETS Return a comma-separated list of the bucket sizes used by the kernel. KERN_MALLOC_KMEMNAMES Return a comma-separated list of the names of the kernel malloc(9) types. KERN_MALLOC_KMEMSTATS A node containing the statistics for the memory types of the specified name. Each node returns a struct kmemstats. KERN_MAXFILES The maximum number of open files that may be open in the system. KERN_MAXPARTITIONS The maximum number of partitions allowed per disk. KERN_MAXPROC The maximum number of simultaneous processes the system will al- low. KERN_MAXVNODES The maximum number of vnodes available on the system. KERN_MBSTAT A struct mbstat structure is returned, containing statistics on mbuf(9) usage. KERN_MSGBUF Returns a buffer containing kernel log messages. KERN_MSGBUFSIZE The size of the kernel message buffer. KERN_NCHSTATS A struct nchstats structure is returned. This structure contains information about the filename to inode(5) mapping cache. KERN_NFILES Number of open files. KERN_NGROUPS The maximum number of supplemental groups. KERN_NOSUIDCOREDUMP Programs with their set-user-ID bit set will not dump core when this is set. KERN_NPROCS The number of entries in the kernel process table. KERN_NSELCOLL Number of select(2) collisions. KERN_NUMVNODES Number of vnodes in use. KERN_OSRELEASE The system release string. KERN_OSREV The system revision number. KERN_OSTYPE The system type string. KERN_OSVERSION The kernel build version. KERN_POSIX1 The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply. KERN_PROC Return the entire process table, or a subset of it. An array of struct kinfo_proc structures is returned, whose size depends on the current number of such objects in the system. The third and fourth level names are as follows: Third level name Fourth level is: KERN_PROC_ALL None KERN_PROC_KTHREAD A kernel thread KERN_PROC_PID A process ID KERN_PROC_PGRP A process group KERN_PROC_RUID A real user ID KERN_PROC_SESSION A session PID KERN_PROC_TTY A tty device KERN_PROC_UID A user ID KERN_PROC_ARGS Returns the arguments or environment of a process. The third level name is the PID of the process. The fourth level name is one of: KERN_PROC_ARGV KERN_PROC_ENV KERN_PROC_NARGV KERN_PROC_NENV KERN_PROC_NARGV and KERN_PROC_NENV return the number of elements in the argv or env array. KERN_PROC_ARGV returns the argv array and KERN_PROC_ENV returns the environ array. KERN_PROF Return profiling information about the kernel. If the kernel is not compiled for profiling, attempts to retrieve any of the KERN_PROF values will fail with EOPNOTSUPP. The third level names for the string and integer profiling information is de- tailed below. The changeable column shows whether a process with appropriate privileges may change the value. Third level name Type Changeable GPROF_COUNT u_short[] yes GPROF_FROMS u_short[] yes GPROF_GMONPARAM struct gmonparam no GPROF_STATE integer yes GPROF_TOS struct tostruct yes The variables are as follows: GPROF_COUNT Array of statistical program counter counts. GPROF_FROMS Array indexed by program counter of call-from points. GPROF_GMONPARAM Structure giving the sizes of the above arrays. GPROF_STATE Returns GMON_PROF_ON or GMON_PROF_OFF to show that pro- filing is running or stopped. GPROF_TOS Array of struct tostruct describing destination of calls and their counts. KERN_RAWPARTITION The raw partition of a disk (a == 0). KERN_RND Returns statistics about the /dev/random device in a struct rndstats structure. KERN_SAVED_IDS Returns 1 if saved set-group-ID and saved set-user-ID are avail- able. KERN_SECURELVL The system security level. This level may be raised by processes with appropriate privileges. It may only be lowered by process 1. KERN_SEMINFO Return the elements of struct seminfo. If the kernel is not com- piled with System V style semaphore support, attempts to retrieve any of the KERN_SEMINFO values will fail with EOPNOTSUPP. The third level names for the elements of struct seminfo are detailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Third level name Type Changeable KERN_SEMINFO_SEMAEM integer no KERN_SEMINFO_SEMMNI integer yes KERN_SEMINFO_SEMMNS integer yes KERN_SEMINFO_SEMMNU integer yes KERN_SEMINFO_SEMMSL integer yes KERN_SEMINFO_SEMOPM integer yes KERN_SEMINFO_SEMUME integer no KERN_SEMINFO_SEMUSZ integer no KERN_SEMINFO_SEMVMX integer no The variables are as follows: KERN_SEMINFO_SEMAEM The adjust on exit maximum value. KERN_SEMINFO_SEMMNI The maximum number of semaphore identifiers allowed. KERN_SEMINFO_SEMMNS The maximum number of semaphores allowed in the system. KERN_SEMINFO_SEMMNU The maximum number of semaphore undo structures allowed in the system. KERN_SEMINFO_SEMMSL The maximum number of semaphores allowed per ID. KERN_SEMINFO_SEMOPM The maximum number of operations per semop(2) call. KERN_SEMINFO_SEMUME The maximum number of undo entries per process. KERN_SEMINFO_SEMUSZ The size (in bytes) of the undo structure. KERN_SEMINFO_SEMVMX The semaphore maximum value. KERN_SHMINFO Return the elements of struct shminfo. If the kernel is not com- piled with System V style shared memory support, attempts to re- trieve any of the KERN_SHMINFO values will fail with EOPNOTSUPP. The third level names for the elements of struct shminfo are de- tailed below. The changeable column shows whether a process with appropriate privileges may change the value. Third level name Type Changeable KERN_SHMINFO_SHMALL integer yes KERN_SHMINFO_SHMMAX integer yes KERN_SHMINFO_SHMMIN integer yes KERN_SHMINFO_SHMMNI integer yes KERN_SHMINFO_SHMSEG integer yes The variables are as follows: KERN_SHMINFO_SHMALL The maximum amount of total shared memory allowed in the system (in pages). KERN_SHMINFO_SHMMAX The maximum shared memory segment size (in bytes). KERN_SHMINFO_SHMMIN The minimum shared memory segment size (in bytes). KERN_SHMINFO_SHMMNI The maximum number of shared memory identifiers in the system. KERN_SHMINFO_SHMSEG The maximum number of shared memory segments per process. KERN_SOMAXCONN Upper bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The de- fault value is 128. KERN_SOMINCONN Lower bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The de- fault value is 80. KERN_SPLASSERT Modify the system interrupt priority level. Valid values are: 0 Disable error checking. 1 Print a message if an error is detected. 2 Print a message if an error is detected, and a stack trace if possible. 3 The same as 2, but also drop into the kernel debugger. Any other value causes a system panic on errors. See splassert(9) for more information. KERN_STACKGAPRANDOM Sets the range of the random value added to the stack pointer on each program execution. The random value is added to make buffer overflow exploitation slightly harder. The bigger the number, the harder it is to brute force this added protection, but it al- so means bigger waste of memory. KERN_SYSVIPC_INFO Return System V style IPC configuration and run-time information. The third level name selects the System V style IPC facility. Third level name Type KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info KERN_SYSVIPC_MSG_INFO Return information on the System V style message facili- ty. The msg_sysctl_info structure is defined in <sys/msg.h>. KERN_SYSVIPC_SEM_INFO Return information on the System V style semaphore facil- ity. The sem_sysctl_info structure is defined in <sys/sem.h>. KERN_SYSVIPC_SHM_INFO Return information on the System V style shared memory facility. The shm_sysctl_info structure is defined in <sys/shm.h>. KERN_SYSVMSG Returns 1 if System V style message queue functionality is avail- able on this system, otherwise 0. KERN_SYSVSEM Returns 1 if System V style semaphore functionality is available on this system, otherwise 0. KERN_SYSVSHM Returns 1 if System V style share memory functionality is avail- able on this system, otherwise 0. KERN_TTY Return statistics information about tty input/output. The third level names information is detailed below. The changeable column shows whether a process with appropriate privileges may change the value. Third level name Type Changeable KERN_TTY_TKCANCC int64_t no KERN_TTY_TKNIN int64_t no KERN_TTY_TKNOUT int64_t no KERN_TTY_TKRAWCC int64_t no The variables are as follows: KERN_TTY_TKCANCC Return the number of input characters in canonical mode. KERN_TTY_TKNIN Returns the number of input characters from a tty(4). KERN_TTY_TKNOUT Returns the number of output characters on a tty(4). KERN_TTY_TKRAWCC Return the number of input characters in raw mode. KERN_TTYCOUNT Number of available tty(4) devices. KERN_USERASYMCRYPTO Permits userland to use /dev/crypto for cryptographic support for asymmetric (public) key operations via hardware cryptographic de- vices. kern.usercrypto must also be set. KERN_USERCRYPTO Permits userland to use /dev/crypto for cryptographic support via hardware cryptographic devices. KERN_USERMOUNT Return non-zero if regular users can issue mount(2) requests. The default value is 0. KERN_VERSION The system version string. KERN_VNODE Return the entire vnode table. Note, the vnode table is not nec- essarily a consistent snapshot of the system. The returned data consists of an array whose size depends on the current number of such objects in the system. Each element of the array contains the kernel address of a vnode struct vnode * followed by the vn- ode itself struct vnode. KERN_WATCHDOG If the kernel does not support a hardware watchdog timer, at- tempts to retrieve or set any of the KERN_WATCHDOG values will fail with EOPNOTSUPP. Third level name Type Changeable KERN_WATCHDOG_AUTO integer yes KERN_WATCHDOG_PERIOD integer yes The variables are as follows: KERN_WATCHDOG_AUTO If set to 1, the kernel refreshes the watchdog timer pe- riodically. If set to 0, a userland process must ensure that the watchdog timer gets refreshed by setting the KERN_WATCHDOG_PERIOD variable. KERN_WATCHDOG_PERIOD The period of the watchdog timer in seconds. Set to 0 to disable the watchdog timer. CTL_MACHDEP The set of variables defined is architecture dependent. Most architec- tures define at least the following variables. Second level name Type Changeable CPU_CONSDEV dev_t no CTL_NET The string and integer information available for the CTL_NET level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable PF_ROUTE routing messages no PF_INET IPv4 values yes PF_INET6 IPv6 values yes PF_ROUTE Return the entire routing table or a subset of it. The data is returned as a sequence of routing messages (see route(4) for the header file, format, and meaning). The length of each message is contained in the message header. The third level name is a protocol number, which is currently al- ways 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows: Fifth level name Sixth level is: NET_RT_DUMP None NET_RT_FLAGS rtflags NET_RT_IFLIST None PF_INET Get or set various global information about IPv4 (Internet Protocol version 4). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: Protocol name Variable name Type Changeable ah enable integer yes esp enable integer yes etherip allow integer yes gre allow integer yes gre wccp integer yes icmp bmcastecho integer yes icmp errppslimit integer yes icmp maskrepl integer yes icmp rediraccept integer yes icmp redirtimeout integer yes icmp tstamprepl integer yes ip directed-broadcast integer yes ip encdebug integer yes ip forwarding integer yes ip ipsec-allocs integer yes ip ipsec-auth-alg string yes ip ipsec-bytes integer yes ip ipsec-comp-alg string yes ip ipsec-enc-alg string yes ip ipsec-expire-acquire integer yes ip ipsec-firstuse integer yes ip ipsec-invalid-life integer yes ip ipsec-pfs integer yes ip ipsec-soft-allocs integer yes ip ipsec-soft-bytes integer yes ip ipsec-soft-firstuse integer yes ip ipsec-soft-timeout integer yes ip ipsec-timeout integer yes ip maxqueue integer yes ip mtudisc integer yes ip mtudisctimeout integer yes ip portfirst integer yes ip porthifirst integer yes ip porthilast integer yes ip portlast integer yes ip redirect integer yes ip sourceroute integer yes ip ttl integer yes ipcomp enable integer yes ipip allow integer yes mobileip allow integer yes tcp ackonpush integer yes tcp baddynamic array yes tcp ecn integer yes tcp ident structure no tcp keepidle integer yes tcp keepinittime integer yes tcp keepintvl integer yes tcp mssdflt integer yes tcp recvspace integer yes tcp rfc1323 integer yes tcp rstppslimit integer yes tcp sack integer yes tcp sendspace integer yes tcp slowhz integer no udp baddynamic array yes udp checksum integer yes udp recvspace integer yes udp sendspace integer yes The variables are as follows: ah.enable If set to 1, enable Authentication Header (AH) IPsec pro- tocol. Enabled by default. See ipsec(4) for more infor- mation. esp.enable If set to 1, enable Encapsulating Security Payload (ESP) IPsec protocol. Enabled by default. See ipsec(4) for more information. etherip.allow If set to 0, incoming Ethernet-in-IPv4 packets will not be processed. If set to any other value, processing will occur. gre.allow If set to 0, incoming GRE packets will not be processed. If set to any other value, processing will occur. gre.wccp If set to 0, incoming WCCPv1-style GRE packets will not be processed. If set to any other value, and gre.allow allows GRE packet processing, WCCPv1-style GRE packets will be processed. icmp.bmcastecho If set to 1, respond to ICMP echo requests destined for broadcast and multicast addresses. Note, enabling this could open a system to a type of denial of service attack called "smurfing", and is thus not advised. icmp.errppslimit This variable specifies the maximum number of outgoing ICMP error messages per second. ICMP error messages that exceeded the value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation. icmp.maskrepl Returns 1 if ICMP network mask requests are to be an- swered. icmp.rediraccept If set to non-zero, the host will accept ICMP redirect packets. Note that routers will never accept ICMP redi- rect packets, and the variable is meaningful on IP hosts only. icmp.redirtimeout This variable specifies the lifetime of routing entries generated by incoming ICMP redirect. The default timeout is 10 minutes. icmp.tstamprepl If set to 1, reply to ICMP timestamp requests. If set to 0, ignore timestamp requests. ip.directed-broadcast Returns 1 if directed broadcast behavior is enabled for the host. ip.encdebug Returns 1 when error message reporting is enabled for the host. If the kernel has been compiled with the ENCDEBUG option, then debugging information will also be reported when this variable is set. ip.forwarding Returns 1 when IP forwarding is enabled for the host, in- dicating the host is acting as a router. ip.ipsec-allocs The number of IPsec flows that can use a security associ- ation before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0. ip.ipsec-auth-alg This is the default authentication algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the ker- nel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic vpn(8) entries. Supported values are hmac-md5, hmac-sha1, and hmac- ripemd160. If set to any other value, it is left to the key management daemons to select an authentiction algo- rithm for the security association. The default value is hmac-sha1. ip.ipsec-bytes The number of bytes that will be processed by a security association before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0. ip.ipsec-comp-alg The compression algorithm to use with an IP Compression Association (IPCA). Possible values are ``deflate'' and ``lzs''. Note that lzs is only available with hifn(4). See ipsecadm(8) for more information. ip.ipsec-enc-alg This is the default encryption algorithm the kernel will instruct key management daemons to negotiate when estab- lishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic vpn(8) entries. Supported values are aes, des, 3des, blowfish, cast128, and skipjack. If set to any other value, it is left to the key management daemons to select an encryption algo- rithm for the security association. The default value is aes. ip.ipsec-expire-acquire How long should the kernel allow key management to dynam- ically acquire security associations, before re-sending a request. The default value is 30 seconds. ip.ipsec-firstuse The number of seconds after a security association is first used before it expires. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 7200 sec- onds. ip.ipsec-invalid-life The lifetime of embryonic Security Associations (SAs that key management daemons have reserved but not fully estab- lished yet) in seconds. If set to less than or equal to zero, embryonic SAs will not expire. The default value is 60. ip.ipsec-pfs If set to any non-zero value, the kernel will ask the key management daemons to use Perfect Forward Secrecy when establishing IPsec Security Associations. Perfect For- ward Secrecy makes IPsec Security Associations crypto- graphically distinct from each other, such that breaking the key for one such SA does not compromise any others. Requiring PFS for every security association significant- ly increases the computational load of isakmpd(8) ex- changes. The default value is 1. ip.ipsec-soft-allocs The number of IPsec flows that can use a security associ- ation before a message is sent by the kernel to key man- agement for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0. ip.ipsec-soft-bytes The number of bytes that will be processed by a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0. ip.ipsec-soft-firstuse The number of seconds after a security association is first used before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 3600 seconds. ip.ipsec-soft-timeout The number of seconds after a security association is es- tablished before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 80000 seconds. ip.ipsec-timeout The number of seconds after a security association is es- tablished before it will expire. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 86400 sec- onds. ip.maxqueue Fragment flood protection. Sets the maximum number of unassembled IP fragments in the fragment queue. ip.mtudisc Returns 1 if Path MTU Discovery is enabled. ip.mtudisctimeout Returns the number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will at- tempt to probe a larger path MTU. ip.portfirst Minimum registered port number for TCP/UDP port alloca- tion. Registered ports can be used by ordinary user pro- cesses or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be less than ip.portlast. ip.porthifirst Maximum dynamic/private port number for TCP/UDP port al- location. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be less than ip.porthilast. ip.porthilast Maximum dynamic/private port number for TCP/UDP port al- location. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be greater than ip.porthifirst. ip.portlast Maximum registered port number for TCP/UDP port alloca- tion. Registered ports can be used by ordinary user pro- cesses or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be greater than ip.portfirst. ip.redirect Returns 1 when ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems. ip.sourceroute Returns 1 when forwarding of source-routed packets is en- abled for the host. This value may only be changed if the kernel security level is less than 1. ip.ttl The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to nor- mal transport protocols, not to ICMP. ipcomp.enable Enable the IPComp protocol. See ipsecadm(8) for more in- formation. ipip.allow If set to 0, incoming IP-in-IP packets will not be pro- cessed. If set to any other value, processing will oc- cur; furthermore, if set to 2, no checks for spoofing of loopback addresses will be done. This is useful only for debugging purposes, and should never be used in produc- tion systems. mobileip.allow If set to 0, incoming MobileIP encapsulated packets (RFC 2004) will not be processed. If set to any other value, processing will occur. tcp.ackonpush Returns 1 if tcp segments with the TH_PUSH set are being acknowledged immediately, otherwise 0. tcp.baddynamic An array of in_port_t is returned specifying the bitmask of TCP ports between 512 and 1023 inclusive that should not be allocated dynamically by the kernel (i.e., they must be bound specifically by port number). tcp.ecn Returns 1 if Explicit Congestion Notifications for TCP are enabled. tcp.ident A structure struct tcp_ident_mapping specifying a local and foreign endpoint of a TCP socket is filled in with the euid and ruid of the process that owns the socket. If no such socket exists, then the euid and ruid values are both set to -1. tcp.keepidle If the socket option SO_KEEPALIVE has been set, time a connection needs to be idle before keepalives are sent. See also tcp.slowhz. tcp.keepinittime Unused. tcp.keepintvl Time after a keepalive probe is sent until, in the ab- sence of any response, another probe is sent. See also tcp.slowhz. tcp.mssdflt The maximum segment size that is used as default for non- local connections. The default value is 512. tcp.recvspace Returns the default TCP receive buffer size. tcp.rfc1323 Returns 1 if RFC 1323 extensions to TCP are enabled. tcp.rstppslimit This variable specifies the maximum number of outgoing TCP RST packets per second. TCP RST packets that exceed- ed the value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation. tcp.sack Returns 1 if RFC 2018 Selective Acknowledgements are en- abled. tcp.sendspace Returns the default TCP send buffer size. tcp.slowhz The units for tcp.keepidle and tcp.keepintvl; those vari- ables are in ticks of a clock that ticks tcp.slowhz times per second. (That is, their values must be divided by the tcp.slowhz value to get times in seconds.) udp.baddynamic Analogous to tcp.baddynamic but for UDP sockets. udp.checksum Returns 1 when UDP checksums are being computed and checked. Disabling UDP checksums is strongly discour- aged. udp.recvspace Returns the default UDP receive buffer size. udp.sendspace Returns the default UDP send buffer size. PF_INET6 Get or set various global information about IPv6 (Internet Protocol version 6). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are: Protocol name Variable name Type Changeable icmp6 errppslimit integer yes icmp6 mtudisc_hiwat integer yes icmp6 mtudisc_lowat integer yes icmp6 nd6_debug integer yes icmp6 nd6_delay integer yes icmp6 nd6_maxnudhint integer yes icmp6 nd6_mmaxtries integer yes icmp6 nd6_prune integer yes icmp6 nd6_umaxtries integer yes icmp6 nd6_useloopback integer yes icmp6 nodeinfo integer yes icmp6 rediraccept integer yes icmp6 redirtimeout integer yes ip6 accept_rtadv integer yes ip6 auto_flowlabel integer yes ip6 dad_count integer yes ip6 defmcasthlim integer yes ip6 forwarding integer yes ip6 hdrnestlimit integer yes ip6 hlim integer yes ip6 kame_version string no ip6 keepfaith integer yes ip6 log_interval integer yes ip6 maxfragpackets integer yes ip6 maxfrags integer yes ip6 redirect integer yes ip6 rr_prune integer yes ip6 use_deprecated integer yes ip6 v6only integer no The variables are as follows: icmp6.errppslimit This variable specifies the maximum number of outgoing ICMPv6 error messages per second. ICMPv6 error messages that exceeded the value are subject to rate limitation and will not go out from the node. A negative value will disable the rate limitation. icmp6.mtudisc_hiwat icmp6.mtudisc_lowat These variables define the maximum number of routing table entries, created due to path MTU discovery (preventing denial-of-service attacks with ICMPv6 too big messages). After IPv6 path MTU discovery happens, path MTU information is kept in the routing table. If the number of routing table entries exceed the value, the kernel will not attempt to keep the path MTU information. icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected pcbs. A negative value disables the upper limit. icmp6.nd6_debug If set to non-zero, IPv6 neighbor discovery will generate debugging messages. The debug output is useful for diag- nosing IPv6 interoperability issues. The flag must be set to 0 for normal operation. icmp6.nd6_delay This variable specifies the DELAY_FIRST_PROBE_TIME timing constant in IPv6 neighbor discovery specification (RFC 2461), in seconds. icmp6.nd6_maxnudhint IPv6 neighbor discovery permits upper layer protocols to supply reachability hints, to avoid unnecessary neighbor discovery exchanges. This variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor dis- covery can take take a maximum of 3 consecutive hints. After receiving 3 hints, the neighbor discovery layer will instead perform the normal neighbor discovery pro- cess. icmp6.nd6_mmaxtries This variable specifies the MAX_MULTICAST_SOLICIT con- stant in IPv6 neighbor discovery specification (RFC 2461). icmp6.nd6_prune This variable specifies the interval between IPv6 neigh- bor cache babysitting in seconds. icmp6.nd6_umaxtries This variable specifies the MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461). icmp6.nd6_useloopback If set to non-zero, IPv6 will use the loopback interface for local traffic. icmp6.nodeinfo This variable enables responses to ICMPv6 node informa- tion queries. If set to 0, responses will not be gener- ated for ICMPv6 node information queries. Since node in- formation queries can have a security impact, it is pos- sible to fine tune which responses should be answered. Two separate bits can be set: 1 Respond to ICMPv6 FQDN queries, e.g. ping6 -w. 2 Respond to ICMPv6 node addresses queries, e.g. ping6 -a. icmp6.rediraccept If set to non-zero, the host will accept ICMPv6 redirect packets. Note that IPv6 routers will never accept ICMPv6 redirect packets, so the variable is only meaningful on IPv6 hosts, not on routers. icmp6.redirtimeout The variable specifies the lifetime of routing entries generated by incoming ICMPv6 redirects. ip6.accept_rtadv If set to non-zero, the node will accept ICMPv6 router advertisement packets and autoconfigures address prefixes and default routers. The node must be a host (not a router) for the option to be meaningful (see ip6.forwarding). ip6.auto_flowlabel On connected transport protocol packets, fill IPv6 flowlabel field to help intermediate routers identify packet flows. ip6.dad_count This variable configures the number of IPv6 DAD (duplicated address detection) probe packets. These packets are generated when IPv6 interfaces are first brought up. ip6.defmcasthlim The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overrid- ing this value are documented in ip6(4). ip6.forwarding Returns 1 when IPv6 forwarding is enabled for the node, meaning that the node is acting as a router. Returns 0 when IPv6 forwarding is disabled for the node, meaning that the node is acting as a host. Note that IPv6 de- fines node behavior for the ``router'' and ``host'' cases quite differently, and changing this variable during op- eration may cause serious trouble. Hence, this variable should only be set at bootstrap time. ip6.hdrnestlimit The number of IPv6 extension headers permitted on incom- ing IPv6 packets. If set to 0, the node will accept as many extension headers as possible. ip6.hlim The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overrid- ing this value are documented in ip6(4). ip6.kame_version This string identifies the version of the KAME IPv6 stack implemented in the kernel. ip6.keepfaith If set to non-zero, enables the ``FAITH'' TCP relay IPv6-to-IPv4 translator code in the kernel. Refer to faith(4) and faithd(8) for more details. ip6.log_interval This variable permits adjusting the amount of logs gener- ated by the IPv6 packet forwarding engine. The value in- dicates the number of seconds of interval which must elapse between log output. ip6.maxfragpackets The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any frag- mented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is pro- vided basically for avoiding possible DoS attacks. ip6.maxfrags The maximum number of fragments the node will accept. 0 means that the node will not accept any fragments. -1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks. ip6.redirect Returns 1 when ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems. ip6.rr_prune This variable specifies the interval between IPv6 router renumbering prefix babysitting in seconds. ip6.use_deprecated This variable controls use of deprecated addresses, spec- ified in RFC 2462 5.5.4. ip6.v6only The variable specifies the initial value for the IPV6_V6ONLY socket option for an AF_INET6 socket. It is always 1 for OpenBSD. We reuse net.inet.tcp and net.inet.udp for TCP/UDP over IPv6. CTL_USER The string and integer information available for the CTL_USER level is detailed below. The changeable column shows whether a process with ap- propriate privileges may change the value. Second level name Type Changeable USER_BC_BASE_MAX integer no USER_BC_DIM_MAX integer no USER_BC_SCALE_MAX integer no USER_BC_STRING_MAX integer no USER_COLL_WEIGHTS_MAX integer no USER_CS_PATH string no USER_EXPR_NEST_MAX integer no USER_LINE_MAX integer no USER_POSIX2_C_BIND integer no USER_POSIX2_C_DEV integer no USER_POSIX2_CHAR_TERM integer no USER_POSIX2_FORT_DEV integer no USER_POSIX2_FORT_RUN integer no USER_POSIX2_LOCALEDEF integer no USER_POSIX2_SW_DEV integer no USER_POSIX2_UPE integer no USER_POSIX2_VERSION integer no USER_RE_DUP_MAX integer no USER_STREAM_MAX integer no USER_TZNAME_MAX integer no USER_BC_BASE_MAX The maximum ibase/obase values in the bc(1) utility. USER_BC_DIM_MAX The maximum array size in the bc(1) utility. USER_BC_SCALE_MAX The maximum scale value in the bc(1) utility. USER_BC_STRING_MAX The maximum string length in the bc(1) utility. USER_COLL_WEIGHTS_MAX The maximum number of weights that can be assigned to any entry of the LC_COLLATE order keyword in the locale definition file. USER_CS_PATH Return a value for the PATH environment variable that finds all the standard utilities. USER_EXPR_NEST_MAX The maximum number of expressions that can be nested within parentheses by the expr(1) utility. USER_LINE_MAX The maximum length in bytes of a text-processing utility's input line. USER_POSIX2_C_BIND Return 1 if the system's C-language development facilities sup- port the C-Language Bindings Option, otherwise 0. USER_POSIX2_C_DEV Return 1 if the system supports the C-Language Development Utili- ties Option, otherwise 0. USER_POSIX2_CHAR_TERM Return 1 if the system supports at least one terminal type capa- ble of all operations described in POSIX 1003.2, otherwise 0. USER_POSIX2_FORT_DEV Return 1 if the system supports the FORTRAN Development Utilities Option, otherwise 0. USER_POSIX2_FORT_RUN Return 1 if the system supports the FORTRAN Runtime Utilities Op- tion, otherwise 0. USER_POSIX2_LOCALEDEF Return 1 if the system supports the creation of locales, other- wise 0. USER_POSIX2_SW_DEV Return 1 if the system supports the Software Development Utili- ties Option, otherwise 0. USER_POSIX2_UPE Return 1 if the system supports the User Portability Utilities Option, otherwise 0. USER_POSIX2_VERSION The version of POSIX 1003.2 with which the system attempts to comply. USER_RE_DUP_MAX The maximum number of repeated occurrences of a regular expres- sion permitted when using interval notation. USER_STREAM_MAX The maximum number of streams that a process may have open at any one time. USER_TZNAME_MAX The minimum maximum number of types supported for the name of a timezone. CTL_VFS The string and integer information available for the CTL_VFS level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable VFS_GENERIC vm generic info no filesystem # filesystem info no VFS_GENERIC This second level identifier requests generic information about the vfs layer. Within it, the following third level identifiers exist: Third level name Type Changeable VFS_CONF struct vfsconf no VFS_MAXTYPENUM int no filesystem # After finding the filesystem dependent vfc_typenum using VFS_GENERIC with VFS_CONF, it is possible to access filesystem dependent information. Some filesystems may contain settings. ffs Third level name Type Changeable FFS_ASYNCFREE integer yes FFS_CLUSTERREAD integer yes FFS_CLUSTERWRITE integer yes FFS_MAXSOFTDEPS integer yes FFS_REALLOCBLOCKS integer yes FFS_SD_BLK_LIMIT_HIT integer yes FFS_SD_BLK_LIMIT_PUSH integer yes FFS_SD_DIR_ENTRY integer yes FFS_SD_DIRECT_BLK_PTRS integer yes FFS_SD_INDR_BLK_PTRS integer yes FFS_SD_INO_LIMIT_HIT integer yes FFS_SD_INO_LIMIT_PUSH integer yes FFS_SD_INODE_BITMAP integer yes FFS_SD_SYNC_LIMIT_HIT integer yes FFS_SD_TICKDELAY integer yes FFS_SD_WORKLIST_PUSH integer yes nfs Third level name Type Changeable NFS_NFSSTATS struct nfsstats yes NFS_NIOTHREADS int yes CTL_VM The string and integer information available for the CTL_VM level is de- tailed below. The changeable column shows whether a process with appro- priate privileges may change the value. Second level name Type Changeable VM_ANONMIN integer yes VM_LOADAVG struct loadavg no VM_MAXSLP integer no VM_METER struct vmtotal no VM_NKMEMPAGES integer no VM_PSSTRINGS struct psstrings no VM_SWAPENCRYPT swap encrypt values yes VM_USPACE integer no VM_UVMEXP struct uvmexp no VM_VNODEMIN integer yes VM_VTEXTMIN integer yes VM_ANONMIN Percentage of physical memory available for pages which contain anonymous mapping. VM_LOADAVG Return the load average history. The returned data consists of a struct loadavg. VM_MAXSLP The time for a process to be blocked before being swappable, in seconds. VM_METER Return the system wide virtual memory statistics. The returned data consists of a struct vmtotal. VM_NKMEMPAGES Number of pages in kmem_map. VM_PSSTRINGS Returns address of struct ps_strings. The ps(1) program uses it to locate argv and environment strings. VM_SWAPENCRYPT Contains statistics about swap encryption. The string and inte- ger information available for the third level is detailed below. Third level name Type Changeable SWPENC_CREATED integer no SWPENC_DELETED integer no SWPENC_ENABLE integer yes SWPENC_CREATED The number of encryption keys that have been randomly created. The swap partition is divided into sections of normally 512KB. Each section has its own encryption key. SWPENC_DELETED The number of encryption keys that have been deleted, thus effectivly erasing the data that has been encrypted with them. Encryption keys are deleted when their refer- ence counter reaches zero. SWPENC_ENABLE Set to 1 to enable swap encryption for all processes. A 0 disables swap encryption. Pages still on swap receive a grandfather clause. Turning this option on does not affect legacy swap data already on the disk, but all new- ly written data will be encrypted. When swap encryption is turned on, automatic crash(8) dumps are disabled. VM_USPACE The number of bytes allocated for each kernel stack. VM_UVMEXP Contains statistics about the UVM memory management system. VM_VNODEMIN Percentage of physical memory available for pages which contain cached file data. VM_VTEXTMIN Percentage of physical memory available for pages which contain cached executable data. RETURN VALUES If the call to sysctl() is unsuccessful, -1 is returned and errno is set appropriately. FILES <sys/sysctl.h> definitions for top level identifiers, second level kernel and hardware identifiers, and user level identifiers <sys/socket.h> definitions for second level network identi- fiers <sys/gmon.h> definitions for third level profiling identi- fiers <ufs/ffs/ffs_extern.h> definitions for third level virtual file system identifiers (ffs) <nfs/nfs.h> definitions for third level virtual file system identifiers (nfs) <uvm/uvm_param.h> definitions for second level virtual memory identifiers <uvm/uvm_swap_encrypt.h> definitions for third level virtual memory identifiers <netinet/in.h> definitions for third level IPv4/v6 identifiers and fourth level IP and IPv6 identifiers <netinet/icmp_var.h> definitions for fourth level ICMP identifiers <netinet/icmp6.h> definitions for fourth level ICMPv6 identifiers <netinet/tcp_var.h> definitions for fourth level TCP identifiers <netinet/udp_var.h> definitions for fourth level UDP identifiers ERRORS The following errors may be reported: [EFAULT] The buffer name, oldp, newp, or length pointer oldlenp con- tains an invalid address. [EINVAL] The name array is less than two or greater than CTL_MAXNAME. [EINVAL] A non-null newp pointer is given and its specified length in newlen is too large or too small. [ENOMEM] The length pointed to by oldlenp is too short to hold the requested value. [ENOTDIR] The name array specifies an intermediate rather than termi- nal name. [EOPNOTSUPP] The name array specifies a value that is unknown. [EPERM] An attempt is made to set a read-only value. [EPERM] A process without appropriate privileges attempts to set a value. [EPERM] An attempt to change a value protected by the current ker- nel security level is made. SEE ALSO ddb(4), sysctl.conf(5), securelevel(7), sysctl(8) HISTORY The sysctl() function first appeared in 4.4BSD. OpenBSD 3.4 June 4, 1993 26