SYSCTL(3)                 OpenBSD Programmer's Manual                SYSCTL(3)

NAME
     sysctl - get or set system information

SYNOPSIS
     #include <sys/param.h>
     #include <sys/sysctl.h>

     int
     sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
     size_t newlen);

DESCRIPTION
     The sysctl() function retrieves system information and allows processes
     with appropriate privileges to set system information.  The information
     available from sysctl() consists of integers, strings, and tables.
     Information may be retrieved and set from the command interface using the
     sysctl(8) utility.

     Unless explicitly noted below, sysctl() returns a consistent snapshot of
     the data requested.  Consistency is obtained by locking the destination
     buffer into memory so that the data may be copied out without blocking.
     Calls to sysctl() are serialized to avoid deadlock.

     The state is described using a ``Management Information Base (MIB)''
     style name, listed in name, which is a namelen length array of integers.

     The information is copied into the buffer specified by oldp.  The size of
     the buffer is given by the location specified by oldlenp before the call,
     and that location gives the amount of data copied after a successful
     call.  If the amount of data available is greater than the size of the
     buffer supplied, the call supplies as much data as fits in the buffer
     provided and returns with the error code ENOMEM.  If the old value is not
     desired, oldp and oldlenp should be set to NULL.

     The size of the available data can be determined by calling sysctl() with
     a NULL parameter for oldp.  The size of the available data will be
     returned in the location pointed to by oldlenp.  For some operations, the
     amount of space may change often.  For these operations, the system
     attempts to round up so that the returned size is large enough for a call
     to return the data shortly thereafter.

     To set a new value, newp is set to point to a buffer of length newlen
     from which the requested value is to be taken.  If a new value is not to
     be set, newp should be set to NULL and newlen set to 0.

     The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and
     are as follows.  The next and subsequent levels down are found in the
     include files listed here, and described in separate sections below.

           Name             Next level names          Description
           CTL_DDB          ddb/db_var.h              Kernel debugger
           CTL_DEBUG        sys/sysctl.h              Debugging
           CTL_FS           sys/sysctl.h              File system
           CTL_HW           sys/sysctl.h              Generic CPU, I/O
           CTL_KERN         sys/sysctl.h              High kernel limits
           CTL_MACHDEP      sys/sysctl.h              Machine dependent
           CTL_NET          sys/socket.h              Networking
           CTL_USER         sys/sysctl.h              User-level
           CTL_VFS          ufs/ffs/ffs_extern.h      Virtual file system
           CTL_VM           uvm/uvm_param.h           Virtual memory

     For example, the following retrieves the maximum number of processes
     allowed in the system:

           int mib[2], maxproc;
           size_t len;

           mib[0] = CTL_KERN;
           mib[1] = KERN_MAXPROC;
           len = sizeof(maxproc);
           if (sysctl(mib, 2, &maxproc, &len, NULL, 0) == -1)
                   err(1, "sysctl");

     To retrieve the standard search path for the system utilities:

           int mib[2];
           size_t len;
           char *p;

           mib[0] = CTL_USER;
           mib[1] = USER_CS_PATH;
           if (sysctl(mib, 2, NULL, &len, NULL, 0) == -1)
                   err(1, "sysctl");
           if ((p = malloc(len)) == NULL)
                   err(1, NULL);
           if (sysctl(mib, 2, p, &len, NULL, 0) == -1)
                   err(1, "sysctl");
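
     The size probe above can race with data that changes between the two
     calls, which the second call reports as ENOMEM.  The following is an
     added example, not part of the original manual page: a hypothetical
     helper, sysctl_fetch(), that repeats the probe instead of using the
     truncated copy.  It takes the read call as a function pointer and is
     exercised against a constructed stand-in (fake_sysctl); on OpenBSD a
     small wrapper that calls sysctl() with newp set to NULL and newlen set
     to 0 would be passed instead.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read side of sysctl(): name, namelen, oldp, oldlenp as in the manual. */
typedef int (*sysctl_read_fn)(const int *, unsigned int, void *, size_t *);

/*
 * Hypothetical helper: probe the size with oldp == NULL, allocate with some
 * headroom, then read.  ENOMEM on the read means the data outgrew the buffer,
 * so the truncated copy is discarded and the probe repeated.  Returns a
 * malloc'd buffer (caller frees) with its length in *lenp, or NULL with errno.
 */
void *sysctl_fetch(sysctl_read_fn rd, const int *name, unsigned int namelen,
    size_t *lenp, int max_tries)
{
	void *buf = NULL, *nbuf;
	size_t len;
	int i, saved = EINVAL;	/* reported when max_tries < 1 */

	for (i = 0; i < max_tries; i++) {
		len = 0;
		if (rd(name, namelen, NULL, &len) == -1) {
			saved = errno;
			break;
		}
		len += len / 8 + 1;	/* headroom for small growth */
		if ((nbuf = realloc(buf, len)) == NULL) {
			saved = ENOMEM;
			break;
		}
		buf = nbuf;
		if (rd(name, namelen, buf, &len) == 0) {
			*lenp = len;	/* bytes actually copied */
			return buf;
		}
		if ((saved = errno) != ENOMEM)
			break;
	}
	free(buf);
	errno = saved;
	return NULL;
}

/* Constructed stand-in: a value that grows right after a size probe. */
static char fake_data[256];
static size_t fake_len, fake_growth;
static int fake_grows_left;

static void fake_reset(const char *init, size_t growth, int grows)
{
	fake_len = strlen(init);
	memcpy(fake_data, init, fake_len);
	fake_growth = growth;
	fake_grows_left = grows;
}

static int fake_sysctl(const int *name, unsigned int namelen, void *oldp,
    size_t *oldlenp)
{
	size_t fit;

	(void)name, (void)namelen;
	if (oldp == NULL) {
		*oldlenp = fake_len;	/* size at probe time */
		if (fake_grows_left > 0 &&
		    fake_len + fake_growth <= sizeof(fake_data)) {
			memset(fake_data + fake_len, 'x', fake_growth);
			fake_len += fake_growth;
			fake_grows_left--;
		}
		return 0;
	}
	fit = *oldlenp < fake_len ? *oldlenp : fake_len;
	memcpy(oldp, fake_data, fit);	/* as much as fits */
	if (fit < fake_len) {
		errno = ENOMEM;
		return -1;
	}
	*oldlenp = fit;
	return 0;
}

int main(void)
{
	size_t len;
	char *p;

	fake_reset("boot: ok\n", 64, 1);	/* grows once, after probe 1 */
	if ((p = sysctl_fetch(fake_sysctl, NULL, 0, &len, 4)) == NULL) {
		perror("sysctl_fetch");
		return 1;
	}
	printf("fetched %zu bytes on the second round\n", len);
	free(p);
	return 0;
}
```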

   CTL_DDB
     Integer information and settable variables are available for the CTL_DDB
     level, as described below.  More information is also available in ddb(4).

           Second level name         Type                 Changeable
           DBCTL_CONSOLE             integer              yes
           DBCTL_LOG                 integer              yes
           DBCTL_MAXLINE             integer              yes
           DBCTL_MAXWIDTH            integer              yes
           DBCTL_PANIC               integer              yes
           DBCTL_RADIX               integer              yes
           DBCTL_TABSTOP             integer              yes
           DBCTL_TRIGGER             integer              yes

     DBCTL_CONSOLE
             When this variable is set, an architecture dependent magic key
             sequence on the console or a debugger button will permit entry
             into the kernel debugger.  When running with a securelevel(7)
             greater than 0, this variable may not be raised.

     DBCTL_LOG
             When set, ddb output is also logged in the kernel message buffer.

     DBCTL_MAXLINE
             Determines the number of lines to page in ddb(4).  This variable
             is also available as the ddb $lines variable.

     DBCTL_MAXWIDTH
             Determines the maximum width of a line in ddb(4).  This variable
             is also available as the ddb $maxwidth variable.

     DBCTL_PANIC
             When this variable is set, system panics may drop into the kernel
             debugger.  When running with a securelevel(7) greater than 0,
             this variable may not be raised.

     DBCTL_RADIX
             Determines the default radix or base for non-prefixed numbers
             entered into ddb(4).  This variable is also available as the ddb
             $radix variable.

     DBCTL_TABSTOP
             Width of a tab stop in ddb(4).  This variable is also available
             as the ddb $tabstops variable.

     DBCTL_TRIGGER
             When DBCTL_CONSOLE is set, writing to DBCTL_TRIGGER causes the
             system to enter ddb(4).  If securelevel(7) is greater than 0, the
             process writing to this variable must be running on the console
             in order to enter ddb(4).

   CTL_DEBUG
     The debugging variables vary from system to system.  A debugging variable
     may be added or deleted without need to recompile sysctl() to know about
     it.  Each time it runs, sysctl() gets the list of debugging variables
     from the kernel and displays their current values.  The system defines
     twenty struct ctldebug variables named debug0 through debug19.  They are
     declared as separate variables so that they can be individually
     initialized at the location of their associated variable.  The loader
     prevents multiple use of the same variable by issuing errors if a
     variable is initialized in more than one place.  For example, to export
     the variable dospecialcheck as a debugging variable, the following
     declaration would be used:

           int dospecialcheck = 1;
           struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };

   CTL_FS
     The string and integer information available for the CTL_FS level is
     detailed below.  The changeable column shows whether a process with
     appropriate privileges may change the value.

           Second level name         Type          Changeable
           FS_POSIX_SETUID           integer       yes

     FS_POSIX_SETUID
             When this variable is set, ownership changes on a file will cause
             the S_ISUID and S_ISGID bits to be cleared.  As detailed in
             securelevel(7), this variable may not be changed if the
             securelevel is > 0.

   CTL_HW
     The string and integer information available for the CTL_HW level is
     detailed below.  The changeable column shows whether a process with
     appropriate privileges may change the value.

           Second level name         Type          Changeable
           HW_BYTEORDER              integer       no
           HW_CPUSPEED               integer       no
           HW_DISKCOUNT              integer       no
           HW_DISKNAMES              string        no
           HW_DISKSTATS              struct        no
           HW_MACHINE                string        no
           HW_MODEL                  string        no
           HW_NCPU                   integer       no
           HW_NCPUFOUND              integer       no
           HW_PAGESIZE               integer       no
           HW_PHYSMEM                integer       no
           HW_PHYSMEM64              int64_t       no
           HW_PRODUCT                string        no
           HW_SENSORS                node          not applicable
           HW_SERIALNO               string        no
           HW_SETPERF                integer       yes
           HW_USERMEM                integer       no
           HW_USERMEM64              int64_t       no
           HW_UUID                   string        no
           HW_VENDOR                 string        no
           HW_VERSION                string        no

     HW_BYTEORDER
             The byteorder (4321 or 1234).

     HW_CPUSPEED
             The current CPU frequency (in MHz).

     HW_DISKCOUNT
             The number of disks currently attached to the system.

     HW_DISKNAMES
             A comma-separated list of disk names.

     HW_DISKSTATS
             An array of struct diskstats structures containing disk
             statistics.

     HW_MACHINE
             The machine class.

     HW_MODEL
             The machine model.

     HW_NCPU
             The number of CPUs being used.

     HW_NCPUFOUND
             The number of CPUs found.

     HW_PAGESIZE
             The software page size.

     HW_PHYSMEM
             The total physical memory, in bytes.  This variable is
             deprecated; use HW_PHYSMEM64 instead.

     HW_PHYSMEM64
             The total physical memory, in bytes.

     HW_PRODUCT
             The product name of the machine.

     HW_SENSORS
             Third level comprises an array of struct sensordev structures
             containing information about devices that may attach hardware
             monitoring sensors.

             Third, fourth and fifth levels together comprise an array of
             struct sensor structures containing snapshot readings of hardware
             monitoring sensors.  In such usage, third level indicates the
             numerical representation of the sensor device name to which the
             sensor is attached (a device's xname and number are matched with
             the help of struct sensordev structure above), fourth level
             indicates sensor type and fifth level is an ordinal sensor number
             (unique to the specified sensor type on the specified sensor
             device).

             The sensordev and sensor structures and sensor_type enumeration
             are defined in <sys/sensors.h>.

     HW_SERIALNO
             The serial number of the machine.

     HW_SETPERF
             Current CPU performance (percentage).

     HW_USERMEM
             The amount of available non-kernel memory in bytes.  This
             variable is deprecated; use HW_USERMEM64 instead.

     HW_USERMEM64
             The amount of available non-kernel memory in bytes.

     HW_UUID
             The universal unique identification number assigned to the
             machine.

     HW_VENDOR
             The vendor name for this machine.

     HW_VERSION
             The version or revision of this machine.

   CTL_KERN
     The string and integer information available for the CTL_KERN level is
     detailed below.  The changeable column shows whether a process with
     appropriate privileges may change the value.  The types of data currently
     available are process information, system vnodes, the open file entries,
     routing table entries, virtual memory statistics, load average history,
     and clock rate information.

           Second level name            Type                   Changeable
           KERN_ARGMAX                  integer                no
           KERN_ARND                    char[]                 no
           KERN_BOOTTIME                struct timeval         no
           KERN_BUFCACHEPERCENT         integer                yes
           KERN_CCPU                    integer                no
           KERN_CLOCKRATE               struct clockinfo       no
           KERN_CPTIME                  long[CPUSTATES]        no
           KERN_CPTIME2                 u_int64_t[CPUSTATES]   no
           KERN_CRYPTODEVALLOWSOFT      integer                yes
           KERN_DOMAINNAME              string                 yes
           KERN_EMUL                    node                   not applicable
           KERN_FILE                    struct file            no
           KERN_FILE2                   struct kinfo_file2     no
           KERN_FORKSTAT                struct forkstat        no
           KERN_FSCALE                  integer                no
           KERN_FSYNC                   integer                no
           KERN_HOSTID                  integer                yes
           KERN_HOSTNAME                string                 yes
           KERN_INTRCNT                 node                   not applicable
           KERN_JOB_CONTROL             integer                no
           KERN_MALLOCSTATS             node                   no
           KERN_MAXCLUSTERS             integer                yes
           KERN_MAXFILES                integer                yes
           KERN_MAXLOCKSPERUID          integer                yes
           KERN_MAXPARTITIONS           integer                no
           KERN_MAXPROC                 integer                yes
           KERN_MAXVNODES               integer                yes
           KERN_MBSTAT                  struct mbstat          no
           KERN_MSGBUF                  char[]                 no
           KERN_MSGBUFSIZE              integer                no
           KERN_NCHSTATS                struct nchstats        no
           KERN_NFILES                  integer                no
           KERN_NGROUPS                 integer                no
           KERN_NOSUIDCOREDUMP          integer                yes
           KERN_NPROCS                  integer                no
           KERN_NSELCOLL                integer                no
           KERN_NUMVNODES               integer                no
           KERN_OSRELEASE               string                 no
           KERN_OSREV                   integer                no
           KERN_OSTYPE                  string                 no
           KERN_OSVERSION               string                 no
           KERN_POSIX1                  integer                no
           KERN_PROC                    struct kinfo_proc      no
           KERN_PROC2                   struct kinfo_proc2     no
           KERN_PROC_ARGS               node                   not applicable
           KERN_PROF                    node                   not applicable
           KERN_RAWPARTITION            integer                no
           KERN_RND                     struct rndstats        no
           KERN_RTHREADS                integer                yes
           KERN_SAVED_IDS               integer                no
           KERN_SECURELVL               integer                raise only
           KERN_SEMINFO                 node                   not applicable
           KERN_SHMINFO                 node                   not applicable
           KERN_SOMAXCONN               integer                yes
           KERN_SOMINCONN               integer                yes
           KERN_SPLASSERT               int                    yes
           KERN_STACKGAPRANDOM          integer                yes
           KERN_SYSVIPC_INFO            node                   not applicable
           KERN_SYSVMSG                 integer                no
           KERN_SYSVSEM                 integer                no
           KERN_SYSVSHM                 integer                no
           KERN_TIMECOUNTER             node                   not applicable
           KERN_TTY                     node                   not applicable
           KERN_TTYCOUNT                integer                no
           KERN_USERASYMCRYPTO          integer                yes
           KERN_USERCRYPTO              integer                yes
           KERN_USERMOUNT               integer                yes
           KERN_VERSION                 string                 no
           KERN_VNODE                   struct e_vnode         no
           KERN_WATCHDOG                node                   not applicable

     KERN_ARGMAX
             The maximum number of bytes allowed among the arguments to
             exec(3).

     KERN_ARND
             Returns a maximum of 256 random bytes from the kernel using the
             arc4random(9) function.  This can be useful if /dev/arandom is
             not available (see random(4)).

     KERN_BOOTTIME
             A struct timeval structure is returned.  This structure contains
             the time that the system was booted.

     KERN_BUFCACHEPERCENT
             The maximum percentage of physical memory the buffer cache may
             use; the default is 10%.

     KERN_CCPU
             The scheduler exponential decay value.

     KERN_CLOCKRATE
             A struct clockinfo structure is returned.  This structure
             contains the clock, statistics clock and profiling clock
             frequencies, the number of micro-seconds per hz tick, and the
             clock skew rate.

     KERN_CPTIME
             An array of longs of size CPUSTATES is returned, containing
             statistics about the number of ticks spent by the system among
             all processors in interrupt processing, user processes (nice(1)
             or normal), system processing, or idling.

     KERN_CPTIME2
             Similar to KERN_CPTIME, but obtains information from only the
             single CPU specified by the third level name given.

     KERN_CRYPTODEVALLOWSOFT
             Permits userland to use /dev/crypto even if there is no hardware
             crypto accelerator in the system.

     KERN_DOMAINNAME
             Get or set the YP domain name.

     KERN_EMUL
             Enable binary emulation.

                   Third level name    Type      Changeable
                   KERN_EMUL_ENABLED   integer   yes
                   KERN_EMUL_NAME      string    no
                   KERN_EMUL_NEMULS    integer   no

             Third level names in KERN_EMUL other than KERN_EMUL_NEMULS refer
             to a specific emulation available in the kernel.  Valid values
             range from 1 to the return value of KERN_EMUL_NEMULS.  The fourth
             level names available are KERN_EMUL_NAME, which returns a string
             with the emulation name, and KERN_EMUL_ENABLED, which is an
             adjustable integer.

             Note that using this interface exposes duplicate entries which
             are consolidated by the userland frontend.

     KERN_FILE
             Return the entire file table.  This name is deprecated, as the
             layout of the returned structures is not a stable ABI; use
             KERN_FILE2 instead.  The returned data consists of a single
             struct filehead followed by an array of struct file, whose size
             depends on the current number of such objects in the system.

     KERN_FILE2
             Like KERN_FILE but an array of struct kinfo_file2 structures is
             returned.  The third and fourth level names are as follows:

                   Third level name         Fourth level is:
                   KERN_FILE_BYFILE         Zero
                   KERN_FILE_BYPID          A process ID
                   KERN_FILE_BYUID          A user ID

             The fifth level name is the size of the struct kinfo_file2 and
             the sixth level name is the number of structures to return.

     KERN_FORKSTAT
             A struct forkstat structure is returned.  This structure contains
             information about the number of fork(2), vfork(2), and rfork(2)
             system calls as well as kernel thread creations since system
             startup, and the number of pages of virtual memory involved in
             each.

     KERN_FSCALE
             The kernel fixed-point scale factor.

     KERN_FSYNC
             Return 1 if the File Synchronisation Option is available on this
             system, otherwise 0.

     KERN_HOSTID
             Get or set the host ID.

     KERN_HOSTNAME
             Get or set the hostname.

     KERN_JOB_CONTROL
             Return 1 if job control is available on this system, otherwise 0.

     KERN_MALLOCSTATS
             Return kernel memory bucket statistics.  The third level names
             are detailed below.  There are no changeable values in this
             branch.

                   Third level name                  Type
                   KERN_MALLOC_BUCKET                node
                   KERN_MALLOC_BUCKETS               string
                   KERN_MALLOC_KMEMNAMES             string
                   KERN_MALLOC_KMEMSTATS             node

             The variables are as follows:

             KERN_MALLOC_BUCKET.<size>
                     A node containing the statistics for the memory bucket of
                     the specified size (in decimal notation, the number of
                     bytes per bucket element, e.g., 16, 32, 128).  Each node
                     returns a struct kmembuckets.

                     If a value is specified that does not correspond directly
                     to a bucket size, the statistics for the closest larger
                     bucket size will be returned instead.

                     Note that bucket sizes are typically powers of 2.

             KERN_MALLOC_BUCKETS
                     Return a comma-separated list of the bucket sizes used by
                     the kernel.

             KERN_MALLOC_KMEMNAMES
                     Return a comma-separated list of the names of the kernel
                     malloc(9) types.

             KERN_MALLOC_KMEMSTATS
                     A node containing the statistics for the memory types of
                     the specified name.  Each node returns a struct
                     kmemstats.

     KERN_MAXCLUSTERS
             The maximum number of mbuf(9) clusters that may be allocated.

     KERN_MAXFILES
             The maximum number of files that may be open in the system.

     KERN_MAXLOCKSPERUID
             The maximum number of file locks per user; the default is 1024.

     KERN_MAXPARTITIONS
             The maximum number of partitions allowed per disk.

     KERN_MAXPROC
             The maximum number of simultaneous processes the system will
             allow.

     KERN_MAXVNODES
             The maximum number of vnodes available on the system.

     KERN_MBSTAT
             A struct mbstat structure is returned, containing statistics on
             mbuf(9) usage.

     KERN_MSGBUF
             Returns a buffer containing kernel log messages.

     KERN_MSGBUFSIZE
             The size of the kernel message buffer.

     KERN_NCHSTATS
             A struct nchstats structure is returned.  This structure contains
             information about the filename to inode(5) mapping cache.

     KERN_NFILES
             Number of open files.

     KERN_NGROUPS
             The maximum number of supplemental groups.

     KERN_NOSUIDCOREDUMP
             Whether a process may dump core after changing user or group ID:

             value    condition    dump core to
             0        euid == 0    current directory
             1        never        
             2        always       /var/crash

     KERN_NPROCS
             The number of entries in the kernel process table.

     KERN_NSELCOLL
             Number of select(2) collisions.

     KERN_NUMVNODES
             Number of vnodes in use.

     KERN_OSRELEASE
             The system release string.

     KERN_OSREV
             The system revision number.

     KERN_OSTYPE
             The system type string.

     KERN_OSVERSION
             The kernel build version.

     KERN_POSIX1
             The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
             attempts to comply.

     KERN_PROC
             Return the entire process table, or a subset of it.  This name is
             deprecated, as the layout of the returned structures is not a
             stable ABI; use KERN_PROC2 instead.  An array of struct
             kinfo_proc structures is returned, whose size depends on the
             current number of such objects in the system.  The third and
             fourth level names are as follows:

                   Third level name         Fourth level is:
                   KERN_PROC_ALL            None
                   KERN_PROC_KTHREAD        A kernel thread
                   KERN_PROC_PID            A process ID
                   KERN_PROC_PGRP           A process group
                   KERN_PROC_RUID           A real user ID
                   KERN_PROC_SESSION        A session PID
                   KERN_PROC_TTY            A tty device
                   KERN_PROC_UID            A user ID

     KERN_PROC2
             Like KERN_PROC but an array of struct kinfo_proc2 structures is
             returned.  The fifth level name is the size of the struct
             kinfo_proc2 and the sixth level name is the number of structures
             to return.

     KERN_PROC_ARGS
             Returns the arguments or environment of a process.  The third
             level name is the PID of the process.  The fourth level name is
             one of:

                   KERN_PROC_ARGV
                   KERN_PROC_ENV
                   KERN_PROC_NARGV
                   KERN_PROC_NENV

             KERN_PROC_NARGV and KERN_PROC_NENV return the number of elements
             as an int in the argv or env array.  KERN_PROC_ARGV returns the
             argv array and KERN_PROC_ENV returns the environ array.  The
             buffer pointed to by oldp is filled with an array of char
             pointers followed by the strings themselves.  The last char
             pointer is a NULL pointer.
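
             An added example, not part of the original manual page: a
             hypothetical checker, procargs_check(), for the buffer layout
             described above, which matters when the copy was cut short
             (ENOMEM) and the NULL pointer or a string terminator may be
             missing.  It assumes the char pointers are addresses inside
             the caller's own buffer; the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical checker for a KERN_PROC_ARGV / KERN_PROC_ENV result: an array
 * of char pointers ending in a NULL pointer, then the strings.  Assumes the
 * pointers are addresses inside the caller's own buffer.  Returns the number
 * of strings (the first max are stored in out), or -1 if the NULL pointer is
 * missing, a pointer leaves the buffer, or a string is not terminated.
 */
int procargs_check(const void *buf, size_t len, const char **out, size_t max)
{
	const char *base = buf, *s;
	uintptr_t lo = (uintptr_t)buf, p;
	size_t i, n = 0, strs;

	/* Pass 1: count pointers up to the terminating NULL pointer. */
	for (;;) {
		if ((n + 1) * sizeof(s) > len)
			return -1;	/* ran off the end: no NULL pointer */
		memcpy(&s, base + n * sizeof(s), sizeof(s));
		if (s == NULL)
			break;
		n++;
	}
	strs = (n + 1) * sizeof(s);	/* strings start after the array */

	/* Pass 2: every pointer must name a terminated string in range. */
	for (i = 0; i < n; i++) {
		memcpy(&s, base + i * sizeof(s), sizeof(s));
		p = (uintptr_t)s;
		if (p < lo + strs || p >= lo + len)
			return -1;	/* points outside the string area */
		if (memchr(s, '\0', lo + len - p) == NULL)
			return -1;	/* string runs past the buffer */
		if (i < max)
			out[i] = s;
	}
	return (int)n;
}

/* Constructed sample: argv = { "sshd", "-D" } in the layout described. */
size_t build_sample(char *buf, size_t cap)
{
	static const char strs[] = "sshd\0-D";	/* 8 bytes with the final NUL */
	char *ptr[3];

	if (cap < sizeof(ptr) + sizeof(strs))
		return 0;
	ptr[0] = buf + sizeof(ptr);
	ptr[1] = ptr[0] + 5;		/* skip "sshd" and its NUL */
	ptr[2] = NULL;
	memcpy(buf, ptr, sizeof(ptr));
	memcpy(buf + sizeof(ptr), strs, sizeof(strs));
	return sizeof(ptr) + sizeof(strs);
}

int main(void)
{
	char buf[64];
	const char *argv[8];
	size_t len = build_sample(buf, sizeof(buf));
	int i, n = procargs_check(buf, len, argv, 8);

	for (i = 0; i < n; i++)
		printf("argv[%d] = %s\n", i, argv[i]);
	/* Same data cut one byte short, as after a truncated copy. */
	printf("truncated: %d\n", procargs_check(buf, len - 1, argv, 8));
	return n == 2 ? 0 : 1;
}
```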

     KERN_PROF
             Return profiling information about the kernel.  If the kernel is
             not compiled for profiling, attempts to retrieve any of the
             KERN_PROF values will fail with EOPNOTSUPP.  The third level
             names for the string and integer profiling information are
             detailed below.  The changeable column shows whether a process
             with appropriate privileges may change the value.

                   Third level name     Type                   Changeable
                   GPROF_COUNT          u_short[]              yes
                   GPROF_FROMS          u_short[]              yes
                   GPROF_GMONPARAM      struct gmonparam       no
                   GPROF_STATE          integer                yes
                   GPROF_TOS            struct tostruct        yes

             The variables are as follows:

             GPROF_COUNT
                     Array of statistical program counter counts.

             GPROF_FROMS
                     Array indexed by program counter of call-from points.

             GPROF_GMONPARAM
                     Structure giving the sizes of the above arrays.

             GPROF_STATE
                     Returns GMON_PROF_ON or GMON_PROF_OFF to show that
                     profiling is running or stopped.

             GPROF_TOS
                     Array of struct tostruct describing destination of calls
                     and their counts.

     KERN_RAWPARTITION
             The raw partition of a disk (a == 0).

     KERN_RND
             Returns statistics about the /dev/random device in a struct
             rndstats structure.

     KERN_RTHREADS
             Enable the syscalls needed for kernel level threading.
             Experimental.

     KERN_SAVED_IDS
             Returns 1 if saved set-group-ID and saved set-user-ID are
             available.

     KERN_SECURELVL
             The system security level.  This level may be raised by processes
             with appropriate privileges.  It may only be lowered by process
             1.

     KERN_SEMINFO
             Return the elements of struct seminfo.  If the kernel is not
             compiled with System V style semaphore support, attempts to
             retrieve any of the KERN_SEMINFO values will fail with
             EOPNOTSUPP.  The third level names for the elements of struct
             seminfo are detailed below.  The changeable column shows whether
             a process with appropriate privileges may change the value.

                   Third level name      Type       Changeable
                   KERN_SEMINFO_SEMAEM   integer    no
                   KERN_SEMINFO_SEMMNI   integer    yes
                   KERN_SEMINFO_SEMMNS   integer    yes
                   KERN_SEMINFO_SEMMNU   integer    yes
                   KERN_SEMINFO_SEMMSL   integer    yes
                   KERN_SEMINFO_SEMOPM   integer    yes
                   KERN_SEMINFO_SEMUME   integer    no
                   KERN_SEMINFO_SEMUSZ   integer    no
                   KERN_SEMINFO_SEMVMX   integer    no

             The variables are as follows:

             KERN_SEMINFO_SEMAEM
                     The adjust on exit maximum value.

             KERN_SEMINFO_SEMMNI
                     The maximum number of semaphore identifiers allowed.

             KERN_SEMINFO_SEMMNS
                     The maximum number of semaphores allowed in the system.

             KERN_SEMINFO_SEMMNU
                     The maximum number of semaphore undo structures allowed
                     in the system.

             KERN_SEMINFO_SEMMSL
                     The maximum number of semaphores allowed per ID.

             KERN_SEMINFO_SEMOPM
                     The maximum number of operations per semop(2) call.

             KERN_SEMINFO_SEMUME
                     The maximum number of undo entries per process.

             KERN_SEMINFO_SEMUSZ
                     The size (in bytes) of the undo structure.

             KERN_SEMINFO_SEMVMX
                     The semaphore maximum value.

     KERN_SHMINFO
             Return the elements of struct shminfo.  If the kernel is not
             compiled with System V style shared memory support, attempts to
             retrieve any of the KERN_SHMINFO values will fail with
             EOPNOTSUPP.  The third level names for the elements of struct
             shminfo are detailed below.  The changeable column shows whether
             a process with appropriate privileges may change the value.

                   Third level name      Type       Changeable
                   KERN_SHMINFO_SHMALL   integer    yes
                   KERN_SHMINFO_SHMMAX   integer    yes
                   KERN_SHMINFO_SHMMIN   integer    yes
                   KERN_SHMINFO_SHMMNI   integer    yes
                   KERN_SHMINFO_SHMSEG   integer    yes

             The variables are as follows:

             KERN_SHMINFO_SHMALL
                     The maximum amount of total shared memory allowed in the
                     system (in pages).

             KERN_SHMINFO_SHMMAX
                     The maximum shared memory segment size (in bytes).

             KERN_SHMINFO_SHMMIN
                     The minimum shared memory segment size (in bytes).

             KERN_SHMINFO_SHMMNI
                     The maximum number of shared memory identifiers in the
                     system.

             KERN_SHMINFO_SHMSEG
                     The maximum number of shared memory segments per process.

     KERN_SOMAXCONN
             Upper bound on the number of half-open connections a process can
             allow to be associated with a socket, using listen(2).  The
             default value is 128.

     KERN_SOMINCONN
             Lower bound on the number of half-open connections a process can
             allow to be associated with a socket, using listen(2).  The
             default value is 80.

     KERN_SPLASSERT
             Modify the system interrupt priority level.  Valid values are:

                   0    Disable error checking.
                   1    Print a message if an error is detected.
                   2    Print a message if an error is detected, and a stack
                        trace if possible.
                   3    The same as 2, but also drop into the kernel debugger.

             Any other value causes a system panic on errors.  See
             splassert(9) for more information.

     KERN_STACKGAPRANDOM
             Sets the range of the random value added to the stack pointer on
             each program execution.  The random value is added to make buffer
             overflow exploitation slightly harder.  The bigger the number,
             the harder it is to brute force this added protection, but the
             more memory is wasted.

     KERN_SYSVIPC_INFO
             Return System V style IPC configuration and run-time information.
             The third level name selects the System V style IPC facility.

                   Third level name           Type
                   KERN_SYSVIPC_MSG_INFO      struct msg_sysctl_info
                   KERN_SYSVIPC_SEM_INFO      struct sem_sysctl_info
                   KERN_SYSVIPC_SHM_INFO      struct shm_sysctl_info

             KERN_SYSVIPC_MSG_INFO
                     Return information on the System V style message
                     facility.  The msg_sysctl_info structure is defined in
                     <sys/msg.h>.

             KERN_SYSVIPC_SEM_INFO
                     Return information on the System V style semaphore
                     facility.  The sem_sysctl_info structure is defined in
                     <sys/sem.h>.

             KERN_SYSVIPC_SHM_INFO
                     Return information on the System V style shared memory
                     facility.  The shm_sysctl_info structure is defined in
                     <sys/shm.h>.

     KERN_SYSVMSG
             Returns 1 if System V style message queue functionality is
             available on this system, otherwise 0.

     KERN_SYSVSEM
             Returns 1 if System V style semaphore functionality is available
             on this system, otherwise 0.

     KERN_SYSVSHM
             Returns 1 if System V style shared memory functionality is
             available on this system, otherwise 0.

     KERN_TIMECOUNTER
             Return statistics information about the kernel time counter.  The
             third level names are detailed below.  The changeable column
             shows whether a process with appropriate privileges may change
             the value.

                   Third level name                    Type       Changeable
                   KERN_TIMECOUNTER_CHOICE             string     no
                   KERN_TIMECOUNTER_HARDWARE           string     yes
                   KERN_TIMECOUNTER_TICK               integer    no
                   KERN_TIMECOUNTER_TIMESTEPWARNINGS   integer    yes

             The variables are as follows:

             KERN_TIMECOUNTER_CHOICE
                     Get the list of kernel time counter sources and their
                     claimed quality (higher is better).

             KERN_TIMECOUNTER_HARDWARE
                     Get or set the kernel time counter source by name.

             KERN_TIMECOUNTER_TICK
                     Get the number of times we have reset the kernel time
                     counter information.

             KERN_TIMECOUNTER_TIMESTEPWARNINGS
                     Get or set a flag to log a message when the kernel time
                     is stepped.

     KERN_TTY
             Return statistics information about tty input/output.  The third
             level names are detailed below.  The changeable column shows
             whether a process with appropriate privileges may change the
             value.

                   Third level name      Type         Changeable
                   KERN_TTY_INFO         struct itty  no
                   KERN_TTY_NPTYS        integer      no
                   KERN_TTY_MAXPTYS      integer      yes
                   KERN_TTY_TKCANCC      int64_t      no
                   KERN_TTY_TKNIN        int64_t      no
                   KERN_TTY_TKNOUT       int64_t      no
                   KERN_TTY_TKRAWCC      int64_t      no

             The variables are as follows:

             KERN_TTY_INFO
                     Returns an array of struct itty structures containing tty
                     statistics.

             KERN_TTY_MAXPTYS
                     The maximum number of pty(4) devices supported by the
                     kernel.  This is the upper bound on KERN_TTY_NPTYS.

             KERN_TTY_NPTYS
                     The current number of pty(4) devices allocated by the
                     kernel.

             KERN_TTY_TKCANCC
                     Returns the number of input characters in canonical mode.

             KERN_TTY_TKNIN
                     Returns the number of input characters from a tty(4).

             KERN_TTY_TKNOUT
                     Returns the number of output characters on a tty(4).

             KERN_TTY_TKRAWCC
                     Returns the number of input characters in raw mode.

     KERN_TTYCOUNT
             Number of available tty(4) devices.

     KERN_USERASYMCRYPTO
             Permits userland to use /dev/crypto for cryptographic support for
             asymmetric (public) key operations via hardware cryptographic
             devices.  KERN_USERCRYPTO (see below) must also be set.

     KERN_USERCRYPTO
             Permits userland to use /dev/crypto for cryptographic support via
             hardware cryptographic devices.

     KERN_USERMOUNT
             Return non-zero if regular users can issue mount(2) requests.
             The default value is 0.

     KERN_VERSION
             The system version string.

     KERN_VNODE
             Return the entire vnode table.  Note, the vnode table is not
             necessarily a consistent snapshot of the system.  The returned
             data consists of an array whose size depends on the current
             number of such objects in the system.  Each element of the array
             contains the kernel address of a vnode (struct vnode *) followed
             by the vnode itself (struct vnode).

     KERN_WATCHDOG
             Return information on hardware watchdog timers.  If the kernel
             does not support a hardware watchdog timer, attempts to retrieve
             or set any of the KERN_WATCHDOG values will fail with EOPNOTSUPP.

                   Third level name       Type       Changeable
                   KERN_WATCHDOG_AUTO     integer    yes
                   KERN_WATCHDOG_PERIOD   integer    yes

             The variables are as follows:

             KERN_WATCHDOG_AUTO
                     If set to 1, the kernel refreshes the watchdog timer
                     periodically.  If set to 0, a userland process must
                     ensure that the watchdog timer gets refreshed by setting
                     the KERN_WATCHDOG_PERIOD variable.

             KERN_WATCHDOG_PERIOD
                     The period of the watchdog timer in seconds.  Set to 0 to
                     disable the watchdog timer.

   CTL_MACHDEP
     The set of variables defined is architecture dependent.  Most
     architectures define at least the following variables.

           Second level name   Type          Changeable
           CPU_CONSDEV         dev_t         no

   CTL_NET
     The string and integer information available for the CTL_NET level is
     detailed below.  The changeable column shows whether a process with
     appropriate privileges may change the value.

           Second level name         Type                   Changeable
           PF_ROUTE                  routing messages       no
           PF_INET                   IPv4 values            yes
           PF_INET6                  IPv6 values            yes
           PF_KEY                    key management         no

     PF_ROUTE
             Return the entire routing table or a subset of it.  The data is
             returned as a sequence of routing messages (see route(4) for the
             header file, format, and meaning).  The length of each message is
             contained in the message header.

             The third level name is a protocol number, which is currently
             always 0.  The fourth level name is an address family, which may
             be set to 0 to select all address families.  The fifth and sixth
             level names are as follows:

                   Fifth level name         Sixth level is:
                   NET_RT_DUMP              None
                   NET_RT_FLAGS             rtflags
                   NET_RT_IFLIST            None
                   NET_RT_STATS             None

             An optional seventh level name can be provided to select the
             routing table on which to run the operation.  If not provided,
             the table with ID 0 is used.
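
             The PF_ROUTE data described above is a packed run of
             variable-length messages, so a consumer must validate each
             length field before stepping by it.  The walker below is an added
             example, not code from this manual or from OpenBSD; struct
             demo_rt_hdr, DEMO_RT_VERSION and the sample buffer are
             constructed stand-ins so that it runs without a routing table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumption: stand-in for the leading fields of a routing message header
 * (total length, version, type).  Real code uses the structure from the
 * header file named in route(4).
 */
struct demo_rt_hdr {
	uint16_t msglen;	/* length of this message, header included */
	uint8_t  version;	/* message format version */
	uint8_t  type;		/* message type */
};

#define DEMO_RT_VERSION 5	/* constructed value for this example */

enum walk_status {
	WALK_OK,		/* buffer consumed exactly */
	WALK_TRUNCATED_HDR,	/* fewer bytes left than one header */
	WALK_SHORT_MSGLEN,	/* msglen below header size (0 would never advance) */
	WALK_OVERRUN		/* msglen reaches past the end of the buffer */
};

struct walk_result {
	enum walk_status status;
	size_t accepted;	/* well-framed messages of the expected version */
	size_t skipped;		/* well-framed messages of another version */
	size_t consumed;	/* bytes validated before stopping */
};

typedef void (*msg_cb)(const struct demo_rt_hdr *hdr,
    const unsigned char *body, size_t bodylen, void *arg);

/* Walk a dump, checking every length field against the bytes that remain. */
struct walk_result
walk_route_dump(const unsigned char *buf, size_t len, msg_cb cb, void *arg)
{
	struct walk_result r = { WALK_OK, 0, 0, 0 };
	size_t off = 0;

	while (off < len) {
		struct demo_rt_hdr hdr;
		size_t left = len - off;

		if (left < sizeof(hdr)) { r.status = WALK_TRUNCATED_HDR; break; }
		memcpy(&hdr, buf + off, sizeof(hdr));	/* no alignment assumption */
		if (hdr.msglen < sizeof(hdr)) { r.status = WALK_SHORT_MSGLEN; break; }
		if (hdr.msglen > left) { r.status = WALK_OVERRUN; break; }

		if (hdr.version != DEMO_RT_VERSION) {
			r.skipped++;	/* framing is valid, layout is unknown */
		} else {
			r.accepted++;
			if (cb != NULL)
				cb(&hdr, buf + off + sizeof(hdr),
				    hdr.msglen - sizeof(hdr), arg);
		}
		off += hdr.msglen;
	}
	r.consumed = off;
	return r;
}

/* Sample callback: add up payload bytes into the size_t that arg points to. */
static void
sum_body(const struct demo_rt_hdr *hdr, const unsigned char *body,
    size_t bodylen, void *arg)
{
	(void)hdr; (void)body;
	*(size_t *)arg += bodylen;
}

/*
 * Build one constructed message at buf+off: 'claimed' goes into the length
 * field, 'bytes' is how much is really written.  Caller guarantees room.
 */
static size_t
put_msg(unsigned char *buf, size_t off, uint16_t claimed, uint8_t version,
    uint8_t type, size_t bytes)
{
	struct demo_rt_hdr h = { claimed, version, type };

	memset(buf + off, 0, bytes);
	memcpy(buf + off, &h, bytes < sizeof(h) ? bytes : sizeof(h));
	return off + bytes;
}

int
main(void)
{
	unsigned char buf[128];
	size_t n, payload = 0;
	struct walk_result r;

	n = put_msg(buf, 0, 16, DEMO_RT_VERSION, 1, 16);
	n = put_msg(buf, n, 64, DEMO_RT_VERSION, 1, 12);  /* claims 64, has 12 */
	r = walk_route_dump(buf, n, sum_body, &payload);
	printf("status=%d accepted=%zu consumed=%zu payload=%zu\n",
	    (int)r.status, r.accepted, r.consumed, payload);
	return 0;
}
```
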

     PF_INET
             Get or set various global information about IPv4 (Internet
             Protocol version 4).  The third level name is the protocol.  The
             fourth level name is the variable name.  The currently defined
             protocols and names are:

                   Protocol name    Variable name        Type       Changeable
                   ah               enable               integer    yes
                   bpf              bufsize              integer    yes
                   bpf              maxbufsize           integer    yes
                   carp             allow                integer    yes
                   carp             log                  integer    yes
                   carp             preempt              integer    yes
                   divert           recvspace            integer    yes
                   divert           sendspace            integer    yes
                   esp              enable               integer    yes
                   esp              udpencap             integer    yes
                   esp              udpencap_port        integer    yes
                   etherip          allow                integer    yes
                   gre              allow                integer    yes
                   gre              wccp                 integer    yes
                   icmp             bmcastecho           integer    yes
                   icmp             errppslimit          integer    yes
                   icmp             maskrepl             integer    yes
                   icmp             rediraccept          integer    yes
                   icmp             redirtimeout         integer    yes
                   icmp             stats                structure  no
                   icmp             tstamprepl           integer    yes
                   ip               directed-broadcast   integer    yes
                   ip               encdebug             integer    yes
                   ip               forwarding           integer    yes
                   ip               ipsec-allocs         integer    yes
                   ip               ipsec-auth-alg       string     yes
                   ip               ipsec-bytes          integer    yes
                   ip               ipsec-comp-alg       string     yes
                   ip               ipsec-enc-alg        string     yes
                   ip               ipsec-expire-acquire integer    yes
                   ip               ipsec-firstuse       integer    yes
                   ip               ipsec-invalid-life   integer    yes
                   ip               ipsec-pfs            integer    yes
                   ip               ipsec-soft-allocs    integer    yes
                   ip               ipsec-soft-bytes     integer    yes
                   ip               ipsec-soft-firstuse  integer    yes
                   ip               ipsec-soft-timeout   integer    yes
                   ip               ipsec-timeout        integer    yes
                   ip               maxqueue             integer    yes
                   ip               mforwarding          integer    yes
                   ip               mtudisc              integer    yes
                   ip               mtudisctimeout       integer    yes
                   ip               multipath            integer    yes
                   ip               portfirst            integer    yes
                   ip               porthifirst          integer    yes
                   ip               porthilast           integer    yes
                   ip               portlast             integer    yes
                   ip               redirect             integer    yes
                   ip               sourceroute          integer    yes
                   ip               stats                structure  no
                   ip               ttl                  integer    yes
                   ipcomp           enable               integer    yes
                   ipip             allow                integer    yes
                   mobileip         allow                integer    yes
                   tcp              ackonpush            integer    yes
                   tcp              baddynamic           array      yes
                   tcp              ecn                  integer    yes
                   tcp              ident                structure  no
                   tcp              keepidle             integer    yes
                   tcp              keepinittime         integer    yes
                   tcp              keepintvl            integer    yes
                   tcp              mssdflt              integer    yes
                   tcp              reasslimit           integer    yes
                   tcp              recvspace            integer    yes
                   tcp              rfc1323              integer    yes
                   tcp              rfc3390              integer    yes
                   tcp              rstppslimit          integer    yes
                   tcp              sack                 integer    yes
                   tcp              sendspace            integer    yes
                   tcp              slowhz               integer    no
                   tcp              stats                structure  no
                   tcp              synbucketlimit       integer    yes
                   tcp              syncachelimit        integer    yes
                   udp              baddynamic           array      yes
                   udp              checksum             integer    yes
                   udp              recvspace            integer    yes
                   udp              sendspace            integer    yes
                   udp              stats                structure  no

             The variables are as follows:

             ah.enable
                     If set to 1, enable the Authentication Header (AH) IPsec
                     protocol.  Enabled by default.  See ipsec(4) for more
                     information.

             bpf.bufsize
                     The initial size of bpf(4) buffers.

             bpf.maxbufsize
                     The maximum size a user may request a bpf(4) buffer to
                     be.

             carp.allow
                     If set to 0, incoming carp(4) packets will not be
                     processed.  If set to any other value, processing will
                     occur.  Enabled by default.

             carp.log
                     Controls the verbosity of carp(4) logging.  May be a
                     value between 0 and 7 corresponding with syslog(3)
                     priorities.  The default value is 2.

             carp.preempt
                     If set to 0, carp(4) will not attempt to become master if
                     it is receiving advertisements from another active
                     master.  If set to any other value, carp will become
                     master of the virtual host if it believes it can send
                     advertisements more frequently than the current master.
                     Disabled by default.

             divert.recvspace
                     Returns the default divert receive buffer size.

             divert.sendspace
                     Returns the default divert send buffer size.

             esp.enable
                     If set to 1, enable the Encapsulating Security Payload
                     (ESP) IPsec protocol.  Enabled by default.  See ipsec(4)
                     for more information.

             esp.udpencap
                     If set to 1, enable processing of UDP encapsulated ESP
                     packets.  Enabled by default.

             esp.udpencap_port
                     Contains the value of the UDP port that triggers
                     decapsulation for incoming UDP encapsulated ESP packets.
                     The default port is 4500.

             etherip.allow
                     If set to 0, incoming Ethernet-in-IPv4 packets will not
                     be processed.  If set to any other value, processing will
                     occur.

             gre.allow
                     If set to 0, incoming GRE packets will not be processed.
                     If set to any other value, processing will occur.

             gre.wccp
                     If set to 0, incoming WCCPv1-style GRE packets will not
                     be processed.  If set to any other value, and gre.allow
                     allows GRE packet processing, WCCPv1-style GRE packets
                     will be processed.

             icmp.bmcastecho
                     If set to 1, respond to ICMP echo requests destined for
                     broadcast and multicast addresses.  Note, enabling this
                     could open a system to a type of denial of service attack
                     called "smurfing", and is thus not advised.

             icmp.errppslimit
                     This variable specifies the maximum number of outgoing
                     ICMP error messages per second.  ICMP error messages
                     exceeding this value are subject to rate limitation and
                     will not go out from the node.  A negative value disables
                     rate limitation.

             icmp.maskrepl
                     Returns 1 if ICMP network mask requests are to be
                     answered.

             icmp.rediraccept
                     If set to non-zero, the host will accept ICMP redirect
                     packets.  Note that routers will never accept ICMP
                     redirect packets, and the variable is meaningful on IP
                     hosts only.

             icmp.redirtimeout
                     This variable specifies the lifetime of routing entries
                     generated by incoming ICMP redirects.  The default
                     timeout is 10 minutes.

             icmp.stats
                     Returns the ICMP statistics in a struct icmpstat.

             icmp.tstamprepl
                     If set to 1, reply to ICMP timestamp requests.  If set to
                     0, ignore timestamp requests.

             ip.directed-broadcast
                     Returns 1 if directed broadcast behavior is enabled for
                     the host.

             ip.encdebug
                     Returns 1 when error message reporting is enabled for the
                     host.  If the kernel has been compiled with the ENCDEBUG
                     option, then debugging information will also be reported
                     when this variable is set.

             ip.forwarding
                     If set to 1, then IP forwarding is enabled for the host,
                     indicating the host is acting as a router.  If set to 2,
                     then IP forwarding is restricted to traffic that has been
                     IPsec encapsulated or decapsulated by the host.  The
                     default value is 0.

             ip.ipsec-allocs
                     The number of IPsec flows that can use a security
                     association before it expires.  If set to less than or
                     equal to zero, the security association will not expire
                     because of this counter.  The default value is 0.

             ip.ipsec-auth-alg
                     This is the default authentication algorithm the kernel
                     will instruct key management daemons to negotiate when
                     establishing security associations on behalf of the
                     kernel.  Such security associations can occur as a result
                     of a process having requested some security level through
                     setsockopt(2), or as a result of dynamic VPN entries.
                     Supported values are hmac-md5, hmac-sha1, and
                     hmac-ripemd160.  If set to any other value, it is left to
                     the key management daemons to select an authentication
                     algorithm for the security association.  The default
                     value is hmac-sha1.

             ip.ipsec-bytes
                     The number of bytes that will be processed by a security
                     association before it expires.  If set to less than or
                     equal to zero, the security association will not expire
                     because of this counter.  The default value is 0.

             ip.ipsec-comp-alg
                     The compression algorithm to use with an IP Compression
                     Association (IPCA).  Possible values are ``deflate'' and
                     ``lzs''.  Note that lzs is only available with hifn(4).
                     See ipsecctl(8) for more information.

             ip.ipsec-enc-alg
                     This is the default encryption algorithm the kernel will
                     instruct key management daemons to negotiate when
                     establishing security associations on behalf of the
                     kernel.  Such security associations can occur as a result
                     of a process having requested some security level through
                     setsockopt(2), or as a result of dynamic VPN entries.
                     Supported values are aes, des, 3des, blowfish, cast128,
                     and skipjack.  If set to any other value, it is left to
                     the key management daemons to select an encryption
                     algorithm for the security association.  The default
                     value is aes.

             ip.ipsec-expire-acquire
                     How long the kernel should allow key management to
                     dynamically acquire security associations before
                     re-sending a request.  The default value is 30 seconds.

             ip.ipsec-firstuse
                     The number of seconds after a security association is
                     first used before it expires.  If set to less than or
                     equal to zero, the security association will not expire
                     because of this timer.  The default value is 7200
                     seconds.

             ip.ipsec-invalid-life
                     The lifetime of embryonic Security Associations (SAs that
                     key management daemons have reserved but not fully
                     established yet) in seconds.  If set to less than or
                     equal to zero, embryonic SAs will not expire.  The
                     default value is 60.

             ip.ipsec-pfs
                     If set to any non-zero value, the kernel will ask the key
                     management daemons to use Perfect Forward Secrecy when
                     establishing IPsec Security Associations.  Perfect
                     Forward Secrecy makes IPsec Security Associations
                     cryptographically distinct from each other, such that
                     breaking the key for one such SA does not compromise any
                     others.  Requiring PFS for every security association
                     significantly increases the computational load of
                     isakmpd(8) exchanges.  The default value is 1.

             ip.ipsec-soft-allocs
                     The number of IPsec flows that can use a security
                     association before a message is sent by the kernel to key
                     management for renegotiation of the security association.
                     If set to less than or equal to zero, no message is sent
                     to key management.  The default value is 0.

             ip.ipsec-soft-bytes
                     The number of bytes that will be processed by a security
                     association before a message is sent by the kernel to key
                     management for renegotiation of the security association.
                     If set to less than or equal to zero, no message is sent
                     to key management.  The default value is 0.

             ip.ipsec-soft-firstuse
                     The number of seconds after a security association is
                     first used before a message is sent by the kernel to key
                     management for renegotiation of the security association.
                     If set to less than or equal to zero, no message is sent
                     to key management.  The default value is 3600 seconds.

             ip.ipsec-soft-timeout
                     The number of seconds after a security association is
                     established before a message is sent by the kernel to key
                     management for renegotiation of the security association.
                     If set to less than or equal to zero, no message is sent
                     to key management.  The default value is 80000 seconds.

             ip.ipsec-timeout
                     The number of seconds after a security association is
                     established before it will expire.  If set to less than
                     or equal to zero, the security association will not
                     expire because of this timer.  The default value is 86400
                     seconds.

             ip.maxqueue
                     Fragment flood protection.  Sets the maximum number of
                     unassembled IP fragments in the fragment queue.

             ip.mforwarding
                     If set to 1, then multicast forwarding is enabled for the
                     host.  The default is 0.

             ip.mtudisc
                     Returns 1 if Path MTU Discovery is enabled.

             ip.mtudisctimeout
                     Returns the number of seconds in which a route added by
                     the Path MTU Discovery engine will time out.  When the
                     route times out, the Path MTU Discovery engine will
                     attempt to probe a larger path MTU.

             ip.multipath
                     This variable enables multipath routing for IPv4
                     addresses.  If set to 0, only the first route selected
                     will be used for a given destination regardless of how
                     many routes exist in the routing table.

             ip.portfirst
                     Minimum registered port number for TCP/UDP port
                     allocation.  Registered ports can be used by ordinary
                     user processes or programs executed by ordinary users.
                     Cannot be less than 1024 or greater than 49151.  Must be
                     less than ip.portlast.

             ip.porthifirst
                     Minimum dynamic/private port number for TCP/UDP port
                     allocation.  Dynamic/private ports can be used by
                     ordinary user processes or programs executed by ordinary
                     users.  Cannot be less than 49152 or greater than 65535.
                     Must be less than ip.porthilast.

             ip.porthilast
                     Maximum dynamic/private port number for TCP/UDP port
                     allocation.  Dynamic/private ports can be used by
                     ordinary user processes or programs executed by ordinary
                     users.  Cannot be less than 49152 or greater than 65535.
                     Must be greater than ip.porthifirst.

             ip.portlast
                     Maximum registered port number for TCP/UDP port
                     allocation.  Registered ports can be used by ordinary
                     user processes or programs executed by ordinary users.
                     Cannot be less than 1024 or greater than 49151.  Must be
                     greater than ip.portfirst.

             ip.redirect
                     Returns 1 when ICMP redirects may be sent by the host.
                     This option is ignored unless the host is routing IP
                     packets, and should normally be enabled on all systems.

             ip.sourceroute
                     Returns 1 when forwarding of source-routed packets is
                     enabled for the host.  As detailed in securelevel(7),
                     this variable may not be changed if the securelevel is >
                     0.

             ip.stats
                     Returns the IP statistics in a struct ipstat.

             ip.ttl  The maximum time-to-live (hop count) value for an IP
                     packet sourced by the system.  This value applies to
                     normal transport protocols, not to ICMP.

             ipcomp.enable
                     Enable the IPComp protocol.  See ipsecctl(8) for more
                     information.

             ipip.allow
                     If set to 0, incoming IP-in-IP packets will not be
                     processed.  If set to any other value, processing will
                     occur; furthermore, if set to 2, no checks for spoofing
                     of loopback addresses will be done.  This is useful only
                     for debugging purposes, and should never be used in
                     production systems.

             mobileip.allow
                     If set to 0, incoming MobileIP encapsulated packets (RFC
                     2004) will not be processed.  If set to any other value,
                     processing will occur.

             tcp.ackonpush
                     Returns 1 if TCP segments with the TH_PUSH flag set are
                     being acknowledged immediately, otherwise 0.

             tcp.baddynamic
                     An array of in_port_t is returned specifying the bitmask
                     of TCP ports between 512 and 1023 inclusive that should
                     not be allocated dynamically by the kernel (i.e., they
                     must be bound specifically by port number).

             tcp.ecn
                     Returns 1 if Explicit Congestion Notifications for TCP
                     are enabled.

             tcp.ident
                     A struct tcp_ident_mapping specifying a local and foreign
                     endpoint of a TCP socket is filled in with the effective
                     and real UIDs of the process that owns the socket.  If no
                     such socket exists, then the effective and real UID
                     values are both set to -1.

             tcp.keepidle
                     If the socket option SO_KEEPALIVE has been set on a
                     socket, then this value specifies how much time a
                     connection needs to be idle before keepalives are sent.
                     See also tcp.slowhz.

             tcp.keepinittime
                     Time to keep alive the initial SYN packet of a TCP
                     handshake.

             tcp.keepintvl
                     Time after a keepalive probe is sent until, in the
                     absence of any response, another probe is sent.  See also
                     tcp.slowhz.

             tcp.mssdflt
                     The maximum segment size that is used as default for non-
                     local connections.  The default value is 512.

             tcp.reasslimit
                     The maximum number of out-of-order TCP segments the
                     system will store for reassembly.

             tcp.recvspace
                     Returns the default TCP receive buffer size.

             tcp.rfc1323
                     Returns 1 if RFC 1323 extensions to TCP are enabled.

             tcp.rfc3390
                     Returns 1 if the TCP Initial Window is increased, as
                     specified in RFC 3390.

             tcp.rstppslimit
                     This variable specifies the maximum number of outgoing
                     TCP RST packets per second.  TCP RST packets exceeding
                     this value are subject to rate limitation and will not go
                     out from the node.  A negative value disables rate
                     limitation.

             tcp.sack
                     Returns 1 if RFC 2018 Selective Acknowledgements are
                     enabled.

             tcp.sendspace
                     Returns the default TCP send buffer size.

             tcp.slowhz
                     The units for tcp.keepidle and tcp.keepintvl; those
                     variables are in ticks of a clock that ticks tcp.slowhz
                     times per second.  (That is, their values must be divided
                     by the tcp.slowhz value to get times in seconds.)

             tcp.stats
                     Returns the TCP statistics in a struct tcpstat.

             tcp.synbucketlimit
                     The maximum number of entries allowed per hash bucket in
                     the TCP SYN cache.

             tcp.syncachelimit
                     The maximum number of entries allowed in the TCP SYN
                     cache.

             udp.baddynamic
                     Analogous to tcp.baddynamic but for UDP sockets.

             udp.checksum
                     Returns 1 when UDP checksums are being computed and
                     checked.  Disabling UDP checksums is strongly
                     discouraged.

             udp.recvspace
                     Returns the default UDP receive buffer size.

             udp.sendspace
                     Returns the default UDP send buffer size.

             udp.stats
                     Returns the UDP statistics in a struct udpstat.

     PF_INET6
             Get or set various global information about IPv6 (Internet
             Protocol version 6).  The third level name is the protocol.  The
             fourth level name is the variable name.  The currently defined
             protocols and names are:

                   Protocol name    Variable name      Type       Changeable
                   icmp6            errppslimit        integer    yes
                   icmp6            mtudisc_hiwat      integer    yes
                   icmp6            mtudisc_lowat      integer    yes
                   icmp6            nd6_debug          integer    yes
                   icmp6            nd6_delay          integer    yes
                   icmp6            nd6_maxnudhint     integer    yes
                   icmp6            nd6_mmaxtries      integer    yes
                   icmp6            nd6_prune          integer    yes
                   icmp6            nd6_umaxtries      integer    yes
                   icmp6            nd6_useloopback    integer    yes
                   icmp6            nodeinfo           integer    yes
                   icmp6            rediraccept        integer    yes
                   icmp6            redirtimeout       integer    yes
                   ip6              accept_rtadv       integer    yes
                   ip6              auto_flowlabel     integer    yes
                   ip6              dad_count          integer    yes
                   ip6              defmcasthlim       integer    yes
                   ip6              forwarding         integer    yes
                   ip6              hdrnestlimit       integer    yes
                   ip6              hlim               integer    yes
                   ip6              kame_version       string     no
                   ip6              keepfaith          integer    yes
                   ip6              log_interval       integer    yes
                   ip6              maxfragpackets     integer    yes
                   ip6              maxfrags           integer    yes
                   ip6              mforwarding        integer    yes
                   ip6              multicast_mtudisc  integer    yes
                   ip6              multipath          integer    yes
                   ip6              redirect           integer    yes
                   ip6              rr_prune           integer    yes
                   ip6              use_deprecated     integer    yes
                   ip6              v6only             integer    no

             The variables are as follows:

             icmp6.errppslimit
                     This variable specifies the maximum number of outgoing
                     ICMPv6 error messages per second.  ICMPv6 error messages
                     exceeding this value are subject to rate limitation and
                     will not go out from the node.  A negative value will
                     disable the rate limitation.

             icmp6.mtudisc_hiwat
             icmp6.mtudisc_lowat
                     These variables define the maximum number of routing
                     table entries created due to path MTU discovery
                     (preventing denial-of-service attacks with ICMPv6 too big
                     messages).  After IPv6 path MTU discovery happens, path
                     MTU information is kept in the routing table.  If the
                     number of routing table entries exceeds this value, the
                     kernel will not attempt to keep the path MTU information.
                     icmp6.mtudisc_hiwat is used when we have verified ICMPv6
                     too big messages.  icmp6.mtudisc_lowat is used when we
                     have unverified ICMPv6 too big messages.  Verification is
                     performed by using address/port pairs kept in connected
                     PCBs.  A negative value disables the upper limit.

             icmp6.nd6_debug
                     If set to non-zero, IPv6 neighbor discovery will generate
                     debugging messages.  The debug output is useful for
                     diagnosing IPv6 interoperability issues.  The flag must
                     be set to 0 for normal operation.

             icmp6.nd6_delay
                     This variable specifies the DELAY_FIRST_PROBE_TIME timing
                     constant in the IPv6 neighbor discovery specification
                     (RFC 2461), in seconds.

             icmp6.nd6_maxnudhint
                     IPv6 neighbor discovery permits upper layer protocols to
                     supply reachability hints, to avoid unnecessary neighbor
                     discovery exchanges.  This variable defines the number of
                     consecutive hints the neighbor discovery layer will take.
                     For example, by setting the variable to 3, neighbor
                     discovery will take a maximum of 3 consecutive hints.
                     After receiving 3 hints, the neighbor discovery layer
                     will instead perform the normal neighbor discovery
                     process.

             icmp6.nd6_mmaxtries
                     This variable specifies the MAX_MULTICAST_SOLICIT
                     constant in the IPv6 neighbor discovery specification
                     (RFC 2461).

             icmp6.nd6_prune
                     This variable specifies the interval between IPv6
                     neighbor cache babysitting in seconds.

             icmp6.nd6_umaxtries
                     This variable specifies the MAX_UNICAST_SOLICIT constant
                     in the IPv6 neighbor discovery specification (RFC 2461).

             icmp6.nd6_useloopback
                     If set to non-zero, IPv6 will use the loopback interface
                     for local traffic.

             icmp6.nodeinfo
                     This variable enables responses to ICMPv6 node
                     information queries.  If set to 0, responses will not be
                     generated for ICMPv6 node information queries.  Since
                     node information queries can have a security impact, it
                     is possible to fine tune which responses should be
                     answered.  Two separate bits can be set:

                           1    Respond to ICMPv6 FQDN queries, e.g. ping6 -w.

                           2    Respond to ICMPv6 node addresses queries, e.g.
                                ping6 -a.

             icmp6.rediraccept
                     If set to non-zero, the host will accept ICMPv6 redirect
                     packets.  Note that IPv6 routers will never accept ICMPv6
                     redirect packets, so the variable is only meaningful on
                     IPv6 hosts, not on routers.

             icmp6.redirtimeout
                     The variable specifies the lifetime of routing entries
                     generated by incoming ICMPv6 redirects.

             ip6.accept_rtadv
                     If set to non-zero, the node will accept ICMPv6 router
                     advertisement packets and autoconfigure address prefixes
                     and default routers.  The node must be a host (not a
                     router) for the option to be meaningful (see
                     ip6.forwarding).

             ip6.auto_flowlabel
                     On connected transport protocol packets, fill the IPv6
                     flowlabel field to help intermediate routers identify
                     packet flows.

             ip6.dad_count
                     This variable configures the number of IPv6 DAD
                     (duplicate address detection) probe packets.  These
                     packets are generated when IPv6 interfaces are first
                     brought up.

             ip6.defmcasthlim
                     The default hop limit value for an IPv6 multicast packet
                     sourced by the node.  This value applies to all the
                     transport protocols on top of IPv6.  Methods for
                     overriding this value are documented in ip6(4).

             ip6.forwarding
                     Returns 1 when IPv6 forwarding is enabled for the node,
                     meaning that the node is acting as a router.  Returns 0
                     when IPv6 forwarding is disabled for the node, meaning
                     that the node is acting as a host.  Note that IPv6
                     defines node behavior for the ``router'' and ``host''
                     cases quite differently, and changing this variable
                     during operation may cause serious trouble.  Hence, this
                     variable should only be set at bootstrap time.

             ip6.hdrnestlimit
                     The number of IPv6 extension headers permitted on
                     incoming IPv6 packets.  If set to 0, the node will accept
                     as many extension headers as possible.

             ip6.hlim
                     The default hop limit value for an IPv6 unicast packet
                     sourced by the node.  This value applies to all the
                     transport protocols on top of IPv6.  Methods for
                     overriding this value are documented in ip6(4).

             ip6.kame_version
                     This string identifies the version of the KAME IPv6 stack
                     implemented in the kernel.

             ip6.keepfaith
                     If set to non-zero, enables the ``FAITH'' TCP relay IPv6-
                     to-IPv4 translator code in the kernel.  Refer to faith(4)
                     and faithd(8) for more details.

             ip6.log_interval
                     This variable adjusts the amount of log output generated
                     by the IPv6 packet forwarding engine.  The value is the
                     number of seconds which must elapse between log
                     messages.

             ip6.maxfragpackets
                     The maximum number of fragmented packets the node will
                     accept.  0 means that the node will not accept any
                     fragmented packets.  -1 means that the node will accept
                     as many fragmented packets as it receives.  This limit is
                     provided mainly to avoid possible DoS attacks.

             ip6.maxfrags
                     The maximum number of fragments the node will accept.  0
                     means that the node will not accept any fragments.  -1
                     means that the node will accept as many fragments as it
                     receives.  This limit is provided mainly to avoid
                     possible DoS attacks.

             ip6.mforwarding
                     If set to 1, then multicast forwarding is enabled for the
                     host.  The default is 0.

             ip6.multicast_mtudisc
                     This variable controls generation of ICMPv6 Too Big
                     messages when the machine is performing as an IPv6
                     multicast router.  If set to 1, an ICMPv6 Too Big message
                     will be generated for multicast packets which were too
                     big to be forwarded.  If set to 0, the ICMPv6 Too Big
                     message will be suppressed.

             ip6.multipath
                     This variable enables multipath routing for IPv6
                     addresses.  If set to 0, only the first route selected
                     will be used for a given destination regardless of how
                     many routes exist in the routing table.

             ip6.redirect
                     Returns 1 when ICMPv6 redirects may be sent by the node.
                     This option is ignored unless the node is routing IP
                     packets, and should normally be enabled on all systems.

             ip6.rr_prune
                     This variable specifies the interval between IPv6 router
                     renumbering prefix babysitting in seconds.

             ip6.use_deprecated
                     This variable controls the use of deprecated addresses,
                     specified in RFC 2462 5.5.4.

             ip6.v6only
                     The variable specifies the initial value for the
                     IPV6_V6ONLY socket option for an AF_INET6 socket.  It is
                     always 1 for OpenBSD.

             We reuse net.inet.tcp and net.inet.udp for TCP/UDP over IPv6.

     PF_KEY  Return ipsec(4) database dumps.  The second level name is
             PF_KEY_V2.  The third level name selects the database as follows:

                   NET_KEY_SADB_DUMP  Security Association database (SADB).
                   NET_KEY_SPD_DUMP   IPsec flow database (SPD).
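
     Several of the net.inet and net.inet6 descriptions above single out a
     value (ipip.allow set to 2, a disabled udp.checksum, negative rate or
     size limits).  The C program below is an added example, not part of the
     OpenBSD manual: it checks sysctl(8)-style name=value lines against those
     statements.  The rule table, the dotted names and the sample input are
     constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum check { EQ, NE, NONNEG };
struct rule {
    const char *name;   /* name as printed by sysctl(8) */
    enum check check;
    long arg;           /* operand for EQ and NE */
    const char *why;    /* reported when the rule is violated */
};

/* Values the variable descriptions above single out. */
static const struct rule rules[] = {
    { "net.inet.ipip.allow", NE, 2, "loopback spoofing checks are off" },
    { "net.inet.udp.checksum", EQ, 1, "UDP checksums are disabled" },
    { "net.inet.tcp.rstppslimit", NONNEG, 0, "RST rate limit is off" },
    { "net.inet6.icmp6.errppslimit", NONNEG, 0, "error rate limit is off" },
    { "net.inet6.icmp6.mtudisc_hiwat", NONNEG, 0, "no cap on PMTU routes" },
    { "net.inet6.icmp6.nd6_debug", EQ, 0, "ND debugging is on" },
    { "net.inet6.ip6.maxfrags", NONNEG, 0, "unlimited fragments" },
};
#define NRULES (sizeof(rules) / sizeof(rules[0]))

struct result {
    unsigned int failed;    /* bit i set: rules[i] is violated */
    unsigned int missing;   /* bit i set: rules[i] was not in the input */
};

/* Constructed sample in "name=value" form; not taken from a real host. */
static const char sample[] =
    "net.inet.ipip.allow=2\n"
    "net.inet.tcp.baddynamic=587,749,750\n"
    "net.inet.tcp.rstppslimit=100\n"
    "net.inet.udp.checksum=1\n"
    "net.inet6.icmp6.errppslimit=-1\n"
    "net.inet6.icmp6.mtudisc_hiwat=1280\n"
    "net.inet6.icmp6.nd6_debug=0\n";

/* Split "name=value"; returns 1 only when the value is a single integer. */
static int parse_line(const char *line, char *name, size_t namesz, long *val)
{
    const char *eq = strchr(line, '=');
    char *end;
    size_t n;

    if (eq == NULL || (n = (size_t)(eq - line)) == 0 || n >= namesz)
        return 0;
    memcpy(name, line, n);
    name[n] = '\0';
    *val = strtol(eq + 1, &end, 10);
    return end != eq + 1 && *end == '\0';
}

static int violates(const struct rule *r, long val)
{
    return r->check == EQ ? val != r->arg :
        r->check == NE ? val == r->arg : val < 0;
}

/* Check each line of text against the rules. */
static struct result audit(const char *text)
{
    struct result res = { 0, (1u << NRULES) - 1 };
    char line[256], name[128];
    long val;
    size_t i, len;

    for (; *text != '\0'; text += len + (text[len] == '\n')) {
        len = strcspn(text, "\n");
        if (len >= sizeof(line))
            continue;           /* overlong line: skip it */
        memcpy(line, text, len);
        line[len] = '\0';
        if (!parse_line(line, name, sizeof(name), &val))
            continue;           /* strings, lists and junk are ignored */
        for (i = 0; i < NRULES; i++) {
            if (strcmp(name, rules[i].name) != 0)
                continue;
            res.missing &= ~(1u << i);
            if (violates(&rules[i], val))
                res.failed |= 1u << i;
        }
    }
    return res;
}

int main(void)
{
    struct result res = audit(sample);
    size_t i;

    for (i = 0; i < NRULES; i++)
        if (res.failed & (1u << i))
            printf("FAIL %s: %s\n", rules[i].name, rules[i].why);
        else if (res.missing & (1u << i))
            printf("UNKNOWN %s\n", rules[i].name);
    return res.failed != 0;
}
```

     A variable that is absent from the input is reported as unknown rather
     than as passing, so a truncated capture cannot hide a finding.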

   CTL_USER
     The string and integer information available for the CTL_USER level is
     detailed below.  The changeable column shows whether a process with
     appropriate privileges may change the value.

           Second level name          Type          Changeable
           USER_BC_BASE_MAX           integer       no
           USER_BC_DIM_MAX            integer       no
           USER_BC_SCALE_MAX          integer       no
           USER_BC_STRING_MAX         integer       no
           USER_COLL_WEIGHTS_MAX      integer       no
           USER_CS_PATH               string        no
           USER_EXPR_NEST_MAX         integer       no
           USER_LINE_MAX              integer       no
           USER_POSIX2_C_BIND         integer       no
           USER_POSIX2_C_DEV          integer       no
           USER_POSIX2_CHAR_TERM      integer       no
           USER_POSIX2_FORT_DEV       integer       no
           USER_POSIX2_FORT_RUN       integer       no
           USER_POSIX2_LOCALEDEF      integer       no
           USER_POSIX2_SW_DEV         integer       no
           USER_POSIX2_UPE            integer       no
           USER_POSIX2_VERSION        integer       no
           USER_RE_DUP_MAX            integer       no
           USER_STREAM_MAX            integer       no
           USER_TZNAME_MAX            integer       no

     USER_BC_BASE_MAX
             The maximum ibase/obase values in the bc(1) utility.

     USER_BC_DIM_MAX
             The maximum array size in the bc(1) utility.

     USER_BC_SCALE_MAX
             The maximum scale value in the bc(1) utility.

     USER_BC_STRING_MAX
             The maximum string length in the bc(1) utility.

     USER_COLL_WEIGHTS_MAX
             The maximum number of weights that can be assigned to any entry
             of the LC_COLLATE order keyword in the locale definition file.

     USER_CS_PATH
             Return a value for the PATH environment variable that finds all
             the standard utilities.

     USER_EXPR_NEST_MAX
             The maximum number of expressions that can be nested within
             parentheses by the expr(1) utility.

     USER_LINE_MAX
             The maximum length in bytes of a text-processing utility's input
             line.

     USER_POSIX2_C_BIND
             Return 1 if the system's C-language development facilities
             support the C-Language Bindings Option, otherwise 0.

     USER_POSIX2_C_DEV
             Return 1 if the system supports the C-Language Development
             Utilities Option, otherwise 0.

     USER_POSIX2_CHAR_TERM
             Return 1 if the system supports at least one terminal type
             capable of all operations described in POSIX 1003.2, otherwise 0.

     USER_POSIX2_FORT_DEV
             Return 1 if the system supports the FORTRAN Development Utilities
             Option, otherwise 0.

     USER_POSIX2_FORT_RUN
             Return 1 if the system supports the FORTRAN Runtime Utilities
             Option, otherwise 0.

     USER_POSIX2_LOCALEDEF
             Return 1 if the system supports the creation of locales,
             otherwise 0.

     USER_POSIX2_SW_DEV
             Return 1 if the system supports the Software Development
             Utilities Option, otherwise 0.

     USER_POSIX2_UPE
             Return 1 if the system supports the User Portability Utilities
             Option, otherwise 0.

     USER_POSIX2_VERSION
             The version of POSIX 1003.2 with which the system attempts to
             comply.

     USER_RE_DUP_MAX
             The maximum number of repeated occurrences of a regular
             expression permitted when using interval notation.

     USER_STREAM_MAX
             The maximum number of streams that a process may have open at any
             one time.

     USER_TZNAME_MAX
             The minimum maximum number of types supported for the name of a
             time zone.

   CTL_VFS
     The string and integer information available for the CTL_VFS level is
     detailed below.  The changeable column shows whether a process with
     appropriate privileges may change the value.

           Second level name          Type                 Changeable
           VFS_GENERIC                VFS generic info     no
           filesystem #               filesystem info      no

     VFS_GENERIC
             This second level identifier requests generic information about
             the VFS layer.  Within it, the following third level identifiers
             exist:

                   Third level name          Type                 Changeable
                   VFS_CONF                  struct vfsconf       no
                   VFS_MAXTYPENUM            int                  no

     filesystem #
             After finding the filesystem dependent vfc_typenum using
             VFS_GENERIC with VFS_CONF, it is possible to access filesystem
             dependent information.

             Some filesystems may contain settings.

             FFS  

                     Third level name        Type                  Changeable
                     FFS_ASYNCFREE           integer               yes
                     FFS_CLUSTERREAD         integer               yes
                     FFS_CLUSTERWRITE        integer               yes
                     FFS_DIRHASH_DIRSIZE     integer               yes
                     FFS_DIRHASH_MAXMEM      integer               yes
                     FFS_DIRHASH_MEM         integer               no
                     FFS_MAXSOFTDEPS         integer               yes
                     FFS_REALLOCBLOCKS       integer               yes
                     FFS_SD_BLK_LIMIT_HIT    integer               yes
                     FFS_SD_BLK_LIMIT_PUSH   integer               yes
                     FFS_SD_DIR_ENTRY        integer               yes
                     FFS_SD_DIRECT_BLK_PTRS  integer               yes
                     FFS_SD_INDR_BLK_PTRS    integer               yes
                     FFS_SD_INO_LIMIT_HIT    integer               yes
                     FFS_SD_INO_LIMIT_PUSH   integer               yes
                     FFS_SD_INODE_BITMAP     integer               yes
                     FFS_SD_SYNC_LIMIT_HIT   integer               yes
                     FFS_SD_TICKDELAY        integer               yes
                     FFS_SD_WORKLIST_PUSH    integer               yes

                  FFS_CLUSTERREAD
                          Enable combining multiple reads into one request to
                          improve performance.

                  FFS_CLUSTERWRITE
                          Enable combining multiple writes into one request.

                  FFS_DIRHASH_DIRSIZE
                          The minimum size of a directory, in bytes, before it
                          is considered for hashing.

                  FFS_DIRHASH_MAXMEM
                          The maximum amount of memory, in bytes, to be used
                          for storing directory hashes.

                  FFS_DIRHASH_MEM
                          The amount of memory currently used by all directory
                          hashes.

                  FFS_REALLOCBLOCKS
                          When enabled, the kernel will attempt to relocate
                          growing files so that they are contiguous on disk,
                          reducing fragmentation.

             NFS  

                     Third level name       Type                 Changeable
                     NFS_NFSSTATS           struct nfsstats      yes
                     NFS_NIOTHREADS         int                  yes

                  NFS_NIOTHREADS
                          The number of NFS I/O kernel threads.  Should be set
                          high enough for the server to handle the maximum
                          level of concurrency from its clients, typically
                          four to six.

   CTL_VM
     The string and integer information available for the CTL_VM level is
     detailed below.  The changeable column shows whether a process with
     appropriate privileges may change the value.

           Second level name          Type                 Changeable
           VM_ANONMIN                 integer              yes
           VM_LOADAVG                 struct loadavg       no
           VM_MAXSLP                  integer              no
           VM_METER                   struct vmtotal       no
           VM_NKMEMPAGES              integer              no
           VM_PSSTRINGS               struct psstrings     no
           VM_SWAPENCRYPT             swap encrypt values  yes
           VM_USPACE                  integer              no
           VM_UVMEXP                  struct uvmexp        no
           VM_VNODEMIN                integer              yes
           VM_VTEXTMIN                integer              yes

     VM_ANONMIN
             Percentage of physical memory available for pages which contain
             anonymous mapping.

     VM_LOADAVG
             Return the load average history.  The returned data consists of a
             struct loadavg.

     VM_MAXSLP
             The time for a process to be blocked before being swappable, in
             seconds.

     VM_METER
             Return the system wide virtual memory statistics.  The returned
             data consists of a struct vmtotal.

     VM_NKMEMPAGES
             Number of pages in kmem_map.

     VM_PSSTRINGS
             Returns the address of the process struct ps_strings.  The ps(1)
             program uses it to locate the argument and environment strings.

     VM_SWAPENCRYPT
             Contains statistics about swap encryption.  The string and
             integer information available for the third level is detailed
             below.

                   Third level name          Type                 Changeable
                   SWPENC_CREATED            integer              no
                   SWPENC_DELETED            integer              no
                   SWPENC_ENABLE             integer              yes

             SWPENC_CREATED
                     The number of encryption keys that have been randomly
                     created.  The swap partition is divided into sections of
                     normally 512KB.  Each section has its own encryption key.

             SWPENC_DELETED
                     The number of encryption keys that have been deleted,
                     thus effectively erasing the data that has been encrypted
                     with them.  Encryption keys are deleted when their
                     reference counter reaches zero.

             SWPENC_ENABLE
                     Set to 1 to enable swap encryption for all processes.  A
                     0 disables swap encryption.  Pages still on swap receive
                     a grandfather clause.  Turning this option on does not
                     affect legacy swap data already on the disk, but all
                     newly written data will be encrypted.  When swap
                     encryption is turned on, automatic crash(8) dumps are
                     disabled.

     VM_USPACE
             The number of bytes allocated for each kernel stack.

     VM_UVMEXP
             Contains statistics about the UVM memory management system.

     VM_VNODEMIN
             Percentage of physical memory available for pages which contain
             cached file data.

     VM_VTEXTMIN
             Percentage of physical memory available for pages which contain
             cached executable data.

RETURN VALUES
     If the call to sysctl() is unsuccessful, -1 is returned and errno is set
     appropriately.

FILES
     <sys/sysctl.h>            definitions for top level identifiers, second
                               level kernel and hardware identifiers, and user
                               level identifiers
     <sys/socket.h>            definitions for second level network
                               identifiers
     <sys/gmon.h>              definitions for third level profiling
                               identifiers
     <ufs/ffs/ffs_extern.h>    definitions for third level virtual file system
                               identifiers (ffs)
     <nfs/nfs.h>               definitions for third level virtual file system
                               identifiers (nfs)
     <uvm/uvm_param.h>         definitions for second level virtual memory
                               identifiers
     <uvm/uvm_swap_encrypt.h>  definitions for third level virtual memory
                               identifiers
     <netinet/in.h>            definitions for third level IPv4/v6 identifiers
                               and fourth level IP and IPv6 identifiers
     <netinet/icmp_var.h>      definitions for fourth level ICMP identifiers
     <netinet/icmp6.h>         definitions for fourth level ICMPv6 identifiers
     <netinet/tcp_var.h>       definitions for fourth level TCP identifiers
     <netinet/udp_var.h>       definitions for fourth level UDP identifiers
     <machine/cpu.h>           definitions for second level CPU identifiers

ERRORS
     The following errors may be reported:

     [EFAULT]      The buffer name, oldp, newp, or length pointer oldlenp
                   contains an invalid address.

     [EINVAL]      The length of the name array, namelen, is less than two or
                   greater than CTL_MAXNAME.

     [EINVAL]      A non-null newp pointer is given and its specified length
                   in newlen is too large or too small.

     [ENOMEM]      The length pointed to by oldlenp is too short to hold the
                   requested value.

     [ENOENT]      The mib specified does not exist, or exceeds the range that
                   is possible.

     [ENXIO]       If the mib is a sparsely populated array, this error may be
                   returned instead.

     [ENOTDIR]     The name array specifies an intermediate rather than
                   terminal name.

     [EOPNOTSUPP]  The name array specifies a value that is unknown.

     [EPERM]       An attempt is made to set a read-only value.

     [EPERM]       A process without appropriate privileges attempts to set a
                   value.

     [EPERM]       An attempt to change a value protected by the current
                   kernel security level is made.

     [ESRCH]       No process could be found which corresponds to the given
                   process ID.
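
     The following C code is an added example, not part of the OpenBSD manual.
     It reads a value of unknown size while handling the [ENOMEM] and [EINVAL]
     cases above: probe the size with a NULL oldp, read, and probe again if
     the value grew in between.  So that it runs on any system, sysctl() is
     passed in as a function pointer and mock_sysctl, a constructed stand-in
     for the kernel, is used; on OpenBSD pass sysctl itself.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parameter list of sysctl() as given in the SYNOPSIS (u_int spelled out). */
typedef int (*sysctl_fn)(int *, unsigned int, void *, size_t *, void *,
    size_t);

#define MAX_TRIES 4

/*
 * Read a value of unknown size.  Returns a malloc'd buffer and stores its
 * length in *lenp, or returns NULL with errno left by the failing call.
 */
void *sysctl_fetch(sysctl_fn fn, int *mib, unsigned int miblen, size_t *lenp)
{
    void *buf = NULL, *nbuf;
    size_t len;
    int tries, saved;

    for (tries = 0; tries < MAX_TRIES; tries++) {
        len = 0;
        /* Size probe: with a NULL oldp only the size is returned. */
        if (fn(mib, miblen, NULL, &len, NULL, 0) == -1)
            break;
        if ((nbuf = realloc(buf, len != 0 ? len : 1)) == NULL)
            break;
        buf = nbuf;
        if (fn(mib, miblen, buf, &len, NULL, 0) == 0) {
            *lenp = len;
            return buf;
        }
        /*
         * [ENOMEM]: the value grew after the probe and buf holds only a
         * truncated copy, so probe again.  Any other error is final.
         */
        if (errno != ENOMEM)
            break;
    }
    saved = errno;
    free(buf);
    errno = saved;
    return NULL;
}

/* Constructed mock: a 24-byte table that grows to 40 bytes on first read. */
static char mock_table[64];
static size_t mock_size = 24;
static int mock_grow_once = 1;

static int mock_sysctl(int *name, unsigned int namelen, void *oldp,
    size_t *oldlenp, void *newp, size_t newlen)
{
    (void)name;
    (void)newlen;
    if (namelen < 2) {
        errno = EINVAL;
        return -1;
    }
    if (newp != NULL) {             /* the mock value is read-only */
        errno = EPERM;
        return -1;
    }
    if (oldp == NULL) {
        *oldlenp = mock_size;
        return 0;
    }
    if (mock_grow_once) {
        mock_grow_once = 0;
        mock_size += 16;
    }
    if (*oldlenp < mock_size) {
        memcpy(oldp, mock_table, *oldlenp);     /* as much as fits */
        errno = ENOMEM;
        return -1;
    }
    memcpy(oldp, mock_table, mock_size);
    *oldlenp = mock_size;
    return 0;
}

/* Fetch from the mock; returns the length read, or -1 with errno set. */
long demo_fetch(unsigned int miblen)
{
    int mib[2] = { 1, 1 };          /* placeholder name, ignored by the mock */
    size_t len = 0;
    void *p = sysctl_fetch(mock_sysctl, mib, miblen, &len);

    if (p == NULL)
        return -1;
    free(p);
    return (long)len;
}

int main(void)
{
    long n = demo_fetch(2);

    printf("read %ld bytes after one retry\n", n);
    if (demo_fetch(1) == -1)
        printf("namelen 1 rejected: %s\n", strerror(errno));
    return n == 40 ? 0 : 1;
}
```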

SEE ALSO
     pathconf(2), sysconf(3), ddb(4), sysctl.conf(5), securelevel(7),
     sysctl(8)

HISTORY
     The sysctl() function first appeared in 4.4BSD.

OpenBSD 4.8                      June 29, 2010                     OpenBSD 4.8