OpenBSD manual page server

Manual Page Search Parameters

SYSCTL(3) Library Functions Manual SYSCTL(3)

sysctlget or set system information

#include <sys/param.h>
#include <sys/sysctl.h>

int
sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen);

The () function retrieves system information and allows processes with appropriate privileges to set system information. The information available from sysctl() consists of integers, strings, and tables. Information may be retrieved and set from the command interface using the sysctl(8) utility.

Unless explicitly noted below, () returns a consistent snapshot of the data requested. Consistency is obtained by locking the destination buffer into memory so that the data may be copied out without blocking. Calls to sysctl() are serialized to avoid deadlock.

The state is described using a “Management Information Base (MIB)” style name, listed in name, which is a namelen length array of integers.

The information is copied into the buffer specified by oldp. The size of the buffer is given by the location specified by oldlenp before the call, and that location gives the amount of data copied after a successful call. If the amount of data available is greater than the size of the buffer supplied, the call supplies as much data as fits in the buffer provided and returns with the error code ENOMEM. If the old value is not desired, oldp and oldlenp should be set to NULL.

The size of the available data can be determined by calling () with a NULL parameter for oldp. The size of the available data will be returned in the location pointed to by oldlenp. For some operations, the amount of space may change often. For these operations, the system attempts to round up so that the returned size is large enough for a call to return the data shortly thereafter.

To set a new value, newp is set to point to a buffer of length newlen from which the requested value is to be taken. If a new value is not to be set, newp should be set to NULL and newlen set to 0.

The top level names are defined with a CTL_ prefix in ⟨sys/sysctl.h⟩, and are as follows. The next and subsequent levels down are found in the include files listed here, and described in separate sections below.

ddb/db_var.h Kernel debugger
sys/sysctl.h Debugging
sys/sysctl.h File system
sys/sysctl.h Generic CPU, I/O
sys/sysctl.h High kernel limits
sys/sysctl.h Machine dependent
sys/socket.h Networking
ufs/ffs/ffs_extern.h Virtual file system
uvm/uvm_param.h Virtual memory

For example, the following retrieves the maximum number of processes allowed in the system:

int mib[2], maxproc;
size_t len;

mib[0] = CTL_KERN;
mib[1] = KERN_MAXPROC;
len = sizeof(maxproc);
if (sysctl(mib, 2, &maxproc, &len, NULL, 0) == -1)
	err(1, "sysctl");

Integer information and settable variables are available for the CTL_DDB level, as described below. More information is also available in ddb(4).

integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
When this variable is set, an architecture dependent magic key sequence on the console or a debugger button will permit entry into the kernel debugger. When running with a securelevel(7) greater than 0, this variable may not be raised.
When set, ddb output is also logged in the kernel message buffer.
Determines the number of lines to page in ddb(4). This variable is also available as the ddb $lines variable.
Determines the maximum width of a line in ddb(4). This variable is also available as the ddb $maxwidth variable.
When this variable is set, system panics may drop into the kernel debugger. When running with a securelevel(7) greater than 0, this variable may not be raised.
Determines the default radix or base for non-prefixed numbers entered into ddb(4). This variable is also available as the ddb $radix variable.
Width of a tab stop in ddb(4). This variable is also available as the ddb $tabstops variable.
When DBCTL_CONSOLE is set, writing to DBCTL_TRIGGER causes the system to enter ddb(4). If securelevel(7) is greater than 0, the process writing to this variable must be running on the console in order to enter ddb(4).

The debugging variables vary from system to system. A debugging variable may be added or deleted without need to recompile () to know about it. Each time it runs, sysctl() gets the list of debugging variables from the kernel and displays their current values. The system defines twenty struct ctldebug variables named debug0 through debug19. They are declared as separate variables so that they can be individually initialized at the location of their associated variable. The loader prevents multiple use of the same variable by issuing errors if a variable is initialized in more than one place. For example, to export the variable dospecialcheck as a debugging variable, the following declaration would be used:

int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };

The string and integer information available for the CTL_FS level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

integer yes
When this variable is set, ownership changes on a file will cause the S_ISUID and S_ISGID bits to be cleared. As detailed in securelevel(7), this variable may not be changed if the securelevel is > 0.

The string and integer information available for the CTL_HW level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

integer yes
integer no
integer no
integer no
string no
struct no
string no
string no
integer no
integer no
integer no
integer no
int64_t no
string no
node not applicable
string no
integer yes
integer no
int64_t no
string no
string no
string no
Some machines generate an interrupt when the power button is pressed and a driver can catch that interrupt. When this variable is set, such an event will cause the system to perform a regular shutdown and power off the machine. When running with a securelevel(7) greater than 0, this variable may not be changed.
The byteorder (4321 or 1234).
The current CPU frequency (in MHz).
The number of disks currently attached to the system.
A comma-separated list of disk names.
An array of struct diskstats structures containing disk statistics.
The machine class.
The machine model.
The number of CPUs being used.
The number of CPUs found.
The software page size.
The total physical memory, in bytes. This variable is deprecated; use HW_PHYSMEM64 instead.
The total physical memory, in bytes.
The product name of the machine.
Third level comprises an array of struct sensordev structures containing information about devices that may attach hardware monitoring sensors.

Third, fourth and fifth levels together comprise an array of struct sensor structures containing snapshot readings of hardware monitoring sensors. In such usage, third level indicates the numerical representation of the sensor device name to which the sensor is attached (a device's xname and number are matched with the help of struct sensordev structure above), fourth level indicates sensor type and fifth level is an ordinal sensor number (unique to the specified sensor type on the specified sensor device).

The and structures and enumeration are defined in ⟨sys/sensors.h⟩.

The serial number of the machine.
Current CPU performance (percentage).
The amount of available non-kernel memory in bytes. This variable is deprecated; use HW_USERMEM64 instead.
The amount of available non-kernel memory in bytes.
The universal unique identification number assigned to the machine.
The vendor name for this machine.
The version or revision of this machine.

The string and integer information available for the CTL_KERN level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value. The types of data currently available are process information, system vnodes, the open file entries, routing table entries, virtual memory statistics, load average history, and clock rate information.

integer no
char[] no
struct timeval no
integer yes
integer no
struct clockinfo no
dev_t no
long[CPUSTATES] no
u_int64_t[CPUSTATES] no
integer yes
string yes
node not applicable
struct file no
struct kinfo_file2 no
struct forkstat no
integer no
integer no
integer yes
string yes
node not applicable
integer no
node no
integer yes
integer yes
integer yes
integer no
integer yes
integer yes
integer yes
struct mbstat no
char[] no
integer no
struct nchstats no
integer no
integer no
integer yes
integer no
integer no
integer no
integer no
string no
integer no
string no
string no
integer no
struct kinfo_proc no
node not applicable
string not applicable
node not applicable
integer no
struct rndstats no
integer no
integer raise only
node not applicable
node not applicable
integer yes
integer yes
int yes
integer yes
node not applicable
integer no
integer no
integer no
node not applicable
node not applicable
integer no
integer yes
integer yes
integer yes
string no
struct e_vnode no
node not applicable
The maximum number of bytes allowed among the arguments to exec(3).
Returns a maximum of 256 random bytes from the kernel using the arc4random(9) function. This can be useful if /dev/arandom is not available (see random(4)).
A struct timeval structure is returned. This structure contains the time that the system was booted.
The maximum percentage of physical memory the buffer cache may use; the default is 20%.
The scheduler exponential decay value.
A struct clockinfo structure is returned. This structure contains the clock, statistics clock and profiling clock frequencies, the number of micro-seconds per hz tick, and the clock skew rate.
The console device.
An array of longs of size CPUSTATES is returned, containing statistics about the number of ticks spent by the system in interrupt processing, user processes (nice(1) or normal), system processing, or idling.
Similar to KERN_CPTIME, but obtains information from only the single CPU specified by the third level name given.
Permits userland to use /dev/crypto even if there is no hardware crypto accelerator in the system.
Get or set the YP domain name.
Enable binary emulation.
integer yes
string no
integer no

Third level names in KERN_EMUL other than KERN_EMUL_NEMULS refer to a specific emulation available in the kernel. Valid values range from 1 to the return value of KERN_EMUL_NEMULS. The fourth level names available are KERN_EMUL_NAME, which returns a string with the emulation name, and KERN_EMUL_ENABLED, which is an adjustable integer.

Note that using this interface exposes duplicate entries which are consolidated by the userland frontend.

Return the entire file table. This name is deprecated, as the layout of the returned structures is not a stable ABI; use KERN_FILE2 instead. The returned data consists of a single struct filehead followed by an array of struct file, whose size depends on the current number of such objects in the system.
Like KERN_FILE but an array of struct kinfo_file2 structures is returned. The third and fourth level names are as follows:
Zero
A process ID
A user ID

The fifth level name is the size of the struct kinfo_file2 and the sixth level name is the number of structures to return.

A struct forkstat structure is returned. This structure contains information about the number of fork(2), vfork(2), and __tfork(2) system calls as well as kernel thread creations since system startup, and the number of pages of virtual memory involved in each.
The kernel fixed-point scale factor.
Return 1 if the File Synchronisation Option is available on this system, otherwise 0.
Get or set the host ID.
Get or set the hostname.
Return 1 if job control is available on this system, otherwise 0.
Return kernel memory bucket statistics. The third level names are detailed below. There are no changeable values in this branch.
node
string
string
node

The variables are as follows:

A node containing the statistics for the memory bucket of the specified size (in decimal notation, the number of bytes per bucket element, e.g., 16, 32, 128). Each node returns a struct kmembuckets.

If a value is specified that does not correspond directly to a bucket size, the statistics for the closest larger bucket size will be returned instead.

Note that bucket sizes are typically powers of 2.

Return a comma-separated list of the bucket sizes used by the kernel.
Return a comma-separated list of the names of the kernel malloc(9) types.
A node containing the statistics for the memory types of the specified name. Each node returns a struct kmemstats.
The maximum number of mbuf(9) clusters that may be allocated.
The maximum number of open files that may be open in the system.
The maximum number of file locks per user; the default is 1024.
The maximum number of partitions allowed per disk.
The maximum number of simultaneous processes the system will allow.
The maximum number of simultaneous threads the system will allow.
The maximum number of vnodes available on the system.
A struct mbstat structure is returned, containing statistics on mbuf(9) usage.
Returns a buffer containing kernel log messages.
The size of the kernel message buffer.
A struct nchstats structure is returned. This structure contains information about the filename to inode(5) mapping cache.
Number of open files.
The maximum number of supplemental groups.
Whether a process may dump core after changing user or group ID:
0 euid == 0 current directory
1 never
2 always /var/crash
The number of entries in the kernel process table.
Number of select(2) collisions.
The number of entries in the kernel thread table.
Number of vnodes in use.
The system release string.
The system revision number.
The system type string.
The kernel build version.
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply.
Return the entire process table, or a subset of it. An array of struct kinfo_proc structures is returned, whose size depends on the current number of such objects in the system. The third and fourth level names are as follows:
None
A kernel thread
A process ID
A process group
A real user ID
A session PID
A tty device
A user ID

The fifth level name is the size of the struct kinfo_proc and the sixth level name is the number of structures to return.

Returns the arguments or environment of a process. The third level name is the PID of the process. The fourth level name is one of:

KERN_PROC_NARGV and KERN_PROC_NENV return the number of elements as an int in the argv or env array. KERN_PROC_ARGV returns the argv array and KERN_PROC_ENV returns the environ array. The buffer pointed to by oldp is filled with an array of char pointers followed by the strings themselves. The last char pointer is a NULL pointer.

Return the current working directory of a process. The third level name is the target process ID. A NUL-terminated string is returned.
Return profiling information about the kernel. If the kernel is not compiled for profiling, attempts to retrieve any of the KERN_PROF values will fail with EOPNOTSUPP. The third level names for the string and integer profiling information are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.
u_short[] yes
u_short[] yes
struct gmonparam no
integer yes
struct tostruct yes

The variables are as follows:

Array of statistical program counter counts.
Array indexed by program counter of call-from points.
Structure giving the sizes of the above arrays.
Returns GMON_PROF_ON or GMON_PROF_OFF to show that profiling is running or stopped.
Array of struct tostruct describing destination of calls and their counts.
The raw partition of a disk (a == 0).
Returns statistics about the /dev/random device in a struct rndstats structure.
Returns 1 if saved set-group-ID and saved set-user-ID are available.
The system security level. This level may be raised by processes with appropriate privileges. It may only be lowered by process 1.
Return the elements of struct seminfo. If the kernel is not compiled with System V style semaphore support, attempts to retrieve any of the KERN_SEMINFO values will fail with EOPNOTSUPP. The third level names for the elements of struct seminfo are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.
integer no
integer yes
integer yes
integer yes
integer yes
integer yes
integer no
integer no
integer no

The variables are as follows:

The adjust on exit maximum value.
The maximum number of semaphore identifiers allowed.
The maximum number of semaphores allowed in the system.
The maximum number of semaphore undo structures allowed in the system.
The maximum number of semaphores allowed per ID.
The maximum number of operations per semop(2) call.
The maximum number of undo entries per process.
The size (in bytes) of the undo structure.
The semaphore maximum value.
Return the elements of struct shminfo. If the kernel is not compiled with System V style shared memory support, attempts to retrieve any of the KERN_SHMINFO values will fail with EOPNOTSUPP. The third level names for the elements of struct shminfo are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.
integer yes
integer yes
integer yes
integer yes
integer yes

The variables are as follows:

The maximum amount of total shared memory allowed in the system (in pages).
The maximum shared memory segment size (in bytes).
The minimum shared memory segment size (in bytes).
The maximum number of shared memory identifiers in the system.
The maximum number of shared memory segments per process.
Upper bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The default value is 128.
Lower bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The default value is 80.
Modify the system interrupt priority level. Valid values are:

0
Disable error checking.
1
Print a message if an error is detected.
2
Print a message if an error is detected, and a stack trace if possible.
3
The same as 2, but also drop into the kernel debugger.

Any other value causes a system panic on errors. See splassert(9) for more information.

Sets the range of the random value added to the stack pointer on each program execution. The random value is added to make buffer overflow exploitation slightly harder. The bigger the number, the harder it is to brute force this added protection, but it also means bigger waste of memory.
Return System V style IPC configuration and run-time information. The third level name selects the System V style IPC facility.
struct msg_sysctl_info
struct sem_sysctl_info
struct shm_sysctl_info
Return information on the System V style message facility. The structure is defined in ⟨sys/msg.h⟩.
Return information on the System V style semaphore facility. The structure is defined in ⟨sys/sem.h⟩.
Return information on the System V style shared memory facility. The structure is defined in ⟨sys/shm.h⟩.
Returns 1 if System V style message queue functionality is available on this system, otherwise 0.
Returns 1 if System V style semaphore functionality is available on this system, otherwise 0.
Returns 1 if System V style shared memory functionality is available on this system, otherwise 0.
Return statistics information about the kernel time counter. The third level names information is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.
string no
string yes
integer no
integer yes

The variables are as follows:

Get the list of kernel time counter sources and their claimed quality (higher is better).
Get or set the kernel time counter source by name.
Get the number of times we have reset the kernel time counter information.
Get or set a flag to log a message when the kernel time is stepped.
Return statistics information about tty input/output. The third level names information is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.
struct itty no
integer no
integer yes
int64_t no
int64_t no
int64_t no
int64_t no

The variables are as follows:

Returns an array of struct itty structures containing tty statistics.
The maximum number of pty(4) devices supported by the kernel. This is the upper bound on KERN_TTY_NPTYS.
The current number of pty(4) devices allocated by the kernel.
Returns the number of input characters in canonical mode.
Returns the number of input characters from a tty(4).
Returns the number of output characters on a tty(4).
Returns the number of input characters in raw mode.
Number of available tty(4) devices.
Permits userland to use /dev/crypto for cryptographic support for asymmetric (public) key operations via hardware cryptographic devices. KERN_USERCRYPTO (see below) must also be set.
Permits userland to use /dev/crypto for cryptographic support via hardware cryptographic devices.
Return non-zero if regular users can issue mount(2) requests. The default value is 0.
The system version string.
Return the entire vnode table. Note, the vnode table is not necessarily a consistent snapshot of the system. The returned data consists of an array whose size depends on the current number of such objects in the system. Each element of the array contains the kernel address of a vnode (struct vnode *) followed by the vnode itself (struct vnode).
Return information on hardware watchdog timers. If the kernel does not support a hardware watchdog timer, attempts to retrieve or set any of the KERN_WATCHDOG values will fail with EOPNOTSUPP.
integer yes
integer yes

The variables are as follows:

If set to 1, the kernel refreshes the watchdog timer periodically. If set to 0, a userland process must ensure that the watchdog timer gets refreshed by setting the KERN_WATCHDOG_PERIOD variable.
The period of the watchdog timer in seconds. Set to 0 to disable the watchdog timer.

The set of variables defined is architecture dependent. Most architectures define at least the following variables.

dev_t no

The string and integer information available for the CTL_NET level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

routing messages no
IPv4 values yes
IPv6 values yes
key management no
MPLS values yes
PIPEX values yes
Return the entire routing table or a subset of it. The data is returned as a sequence of routing messages (see route(4) for the header file, format, and meaning). The length of each message is contained in the message header.

The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows:

None
rtflags
None
None

An optional seventh level name can be provided to select the routing table on which to run the operation. If not provided, the table with ID 0 is used.

Get or set various global information about IPv4 (Internet Protocol version 4). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:
ah enable integer yes
bpf bufsize integer yes
bpf maxbufsize integer yes
carp allow integer yes
carp log integer yes
carp preempt integer yes
divert recvspace integer yes
divert sendspace integer yes
esp enable integer yes
esp udpencap integer yes
esp udpencap_port integer yes
etherip allow integer yes
gre allow integer yes
gre wccp integer yes
icmp bmcastecho integer yes
icmp errppslimit integer yes
icmp maskrepl integer yes
icmp rediraccept integer yes
icmp redirtimeout integer yes
icmp stats structure no
icmp tstamprepl integer yes
ip directed-broadcast integer yes
ip encdebug integer yes
ip forwarding integer yes
ip ifq node N/A
ip ipsec-allocs integer yes
ip ipsec-auth-alg string yes
ip ipsec-bytes integer yes
ip ipsec-comp-alg string yes
ip ipsec-enc-alg string yes
ip ipsec-expire-acquire integer yes
ip ipsec-firstuse integer yes
ip ipsec-invalid-life integer yes
ip ipsec-pfs integer yes
ip ipsec-soft-allocs integer yes
ip ipsec-soft-bytes integer yes
ip ipsec-soft-firstuse integer yes
ip ipsec-soft-timeout integer yes
ip ipsec-timeout integer yes
ip maxqueue integer yes
ip mforwarding integer yes
ip mtudisc integer yes
ip mtudisctimeout integer yes
ip multipath integer yes
ip portfirst integer yes
ip porthifirst integer yes
ip porthilast integer yes
ip portlast integer yes
ip redirect integer yes
ip sourceroute integer yes
ip stats structure no
ip ttl integer yes
ipcomp enable integer yes
ipip allow integer yes
mobileip allow integer yes
tcp ackonpush integer yes
tcp always_keepalive integer yes
tcp baddynamic array yes
tcp ecn integer yes
tcp ident structure no
tcp keepidle integer yes
tcp keepinittime integer yes
tcp keepintvl integer yes
tcp mssdflt integer yes
tcp reasslimit integer yes
tcp rfc1323 integer yes
tcp rfc3390 integer yes
tcp rstppslimit integer yes
tcp sack integer yes
tcp slowhz integer no
tcp stats structure no
tcp synbucketlimit integer yes
tcp syncachelimit integer yes
udp baddynamic array yes
udp checksum integer yes
udp recvspace integer yes
udp sendspace integer yes
udp stats structure no

The variables are as follows:

If set to 1, enable the Authentication Header (AH) IPsec protocol. Enabled by default. See ipsec(4) for more information.
The initial size of bpf(4) buffers.
The maximum size a user may request a bpf(4) buffer to be.
If set to 0, incoming carp(4) packets will not be processed. If set to any other value, processing will occur. Enabled by default.
Controls the verbosity of carp(4) logging. May be a value between 0 and 7 corresponding with syslog(3) priorities. The default value is 2.
If set to 0, carp(4) will not attempt to become master if it is receiving advertisements from another active master. If set to any other value, carp will become master of the virtual host if it believes it can send advertisements more frequently than the current master. Disabled by default.
Returns the default divert receive buffer size.
Returns the default divert send buffer size.
If set to 1, enable the Encapsulating Security Payload (ESP) IPsec protocol. Enabled by default. See ipsec(4) for more information.
If set to 1, enable processing of UDP encapsulated ESP packets. Enabled by default.
Contains the value of the UDP port that triggers decapsulation for incoming UDP encapsulated ESP packets. The default port is 4500.
If set to 0, incoming Ethernet-in-IPv4 packets will not be processed. If set to any other value, processing will occur.
If set to 0, incoming GRE packets will not be processed. If set to any other value, processing will occur.
If set to 0, incoming WCCPv1-style GRE packets will not be processed. If set to any other value, and gre.allow allows GRE packet processing, WCCPv1-style GRE packets will be processed.
If set to 1, respond to ICMP echo requests destined for broadcast and multicast addresses. Note, enabling this could open a system to a type of denial of service attack called "smurfing", and is thus not advised.
This variable specifies the maximum number of outgoing ICMP error messages per second. ICMP error messages exceeding this value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation.
Returns 1 if ICMP network mask requests are to be answered.
If set to non-zero, the host will accept ICMP redirect packets. Note that routers will never accept ICMP redirect packets, and the variable is meaningful on IP hosts only.
This variable specifies the lifetime of routing entries generated by incoming ICMP redirects. The default timeout is 10 minutes.
Returns the ICMP statistics in a struct icmpstat.
If set to 1, reply to ICMP timestamp requests. If set to 0, ignore timestamp requests.
Returns 1 if directed broadcast behavior is enabled for the host.
Returns 1 when error message reporting is enabled for the host. If the kernel has been compiled with the ENCDEBUG option, then debugging information will also be reported when this variable is set.
If set to 1, then IP forwarding is enabled for the host, indicating the host is acting as a router. If set to 2, then IP forwarding is restricted to traffic that has been IPsec encapsulated or decapsulated by the host. The default value is 0.
Fifth level comprises an array of struct ifqueue structures containing information about IP packet input queue. The fifth level names for the elements of struct ifqueue are detailed below.
integer no
integer no
integer yes

The variables are as follows:

Returns number of packet dropped.
Returns the current queue length.
Get or set the maximum number of queue length.
The number of IPsec flows that can use a security association before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0.
This is the default authentication algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic VPN entries. Supported values are hmac-md5, hmac-sha1, and hmac-ripemd160. If set to any other value, it is left to the key management daemons to select an authentication algorithm for the security association. The default value is hmac-sha1.
The number of bytes that will be processed by a security association before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0.
The compression algorithm to use with an IP Compression Association (IPCA). Possible values are “deflate” and “lzs”. Note that lzs is only available with hifn(4). See ipsecctl(8) for more information.
This is the default encryption algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic VPN entries. Supported values are aes, des, 3des, blowfish and cast128. If set to any other value, it is left to the key management daemons to select an encryption algorithm for the security association. The default value is aes.
How long the kernel should allow key management to dynamically acquire security associations before re-sending a request. The default value is 30 seconds.
The number of seconds after a security association is first used before it expires. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 7200 seconds.
The lifetime of embryonic Security Associations (SAs that key management daemons have reserved but not fully established yet) in seconds. If set to less than or equal to zero, embryonic SAs will not expire. The default value is 60.
If set to any non-zero value, the kernel will ask the key management daemons to use Perfect Forward Secrecy when establishing IPsec Security Associations. Perfect Forward Secrecy makes IPsec Security Associations cryptographically distinct from each other, such that breaking the key for one such SA does not compromise any others. Requiring PFS for every security association significantly increases the computational load of isakmpd(8) exchanges. The default value is 1.
The number of IPsec flows that can use a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0.
The number of bytes that will be processed by a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0.
The number of seconds after a security association is first used before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 3600 seconds.
The number of seconds after a security association is established before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 80000 seconds.
The number of seconds after a security association is established before it will expire. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 86400 seconds.
Fragment flood protection. Sets the maximum number of unassembled IP fragments in the fragment queue.
If set to 1, then multicast forwarding is enabled for the host. The default is 0.
Returns 1 if Path MTU Discovery is enabled.
Returns the number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU.
This variable enables multipath routing for IPv4 addresses. If set to 0, only the first route selected will be used for a given destination regardless of how many routes exist in the routing table.
Minimum registered port number for TCP/UDP port allocation. Registered ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be less than ip.portlast.
Minimum dynamic/private port number for TCP/UDP port allocation. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be less than ip.porthilast.
Maximum dynamic/private port number for TCP/UDP port allocation. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be greater than ip.porthifirst.
Maximum registered port number for TCP/UDP port allocation. Registered ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be greater than ip.portfirst.
Returns 1 when ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems.
Returns 1 when forwarding of source-routed packets is enabled for the host. As detailed in securelevel(7), this variable may not be changed if the securelevel is > 0.
Returns the IP statistics in a struct ipstat.
The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to normal transport protocols, not to ICMP.
Enable the IPComp protocol. See ipsecctl(8) for more information.
If set to 0, incoming IP-in-IP packets will not be processed. If set to any other value, processing will occur; furthermore, if set to 2, no checks for spoofing of loopback addresses will be done. This is useful only for debugging purposes, and should never be used in production systems.
If set to 0, incoming MobileIP encapsulated packets (RFC 2004) will not be processed. If set to any other value, processing will occur.
Returns 1 if TCP segments with the TH_PUSH flag set are being acknowledged immediately, otherwise 0.
An array of in_port_t is returned specifying the bitmask of TCP ports between 512 and 1023 inclusive that should not be allocated dynamically by the kernel (i.e., they must be bound specifically by port number).
Returns 1 if Explicit Congestion Notifications for TCP are enabled.
A struct tcp_ident_mapping specifying a local and foreign endpoint of a TCP socket is filled in with the effective and real UIDs of the process that owns the socket. If no such socket exists, then the effective and real UID values are both set to -1.
If the socket option SO_KEEPALIVE has been set on a socket, then this value specifies how much time a connection needs to be idle before keepalives are sent. See also tcp.slowhz.
Time to keep alive the initial SYN packet of a TCP handshake.
Time after a keepalive probe is sent until, in the absence of any response, another probe is sent. See also tcp.slowhz.
Act as if the option SO_KEEPALIVE was set on all TCP sockets.
The maximum segment size that is used as default for non-local connections. The default value is 512.
The maximum number of out-of-order TCP segments the system will store for reassembly.
Returns 1 if RFC 1323 extensions to TCP are enabled.
Returns 1 if the TCP Initial Window is increased to 4 * MSS or 4380 bytes, as specified in RFC 3390. Returns 2 if the TCP Initial Window is increased to 10 * MSS or 14600 bytes, as specified in draft-ietf-tcpm-initcwnd.
This variable specifies the maximum number of outgoing TCP RST packets per second. TCP RST packets exceeding this value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation.
Returns 1 if RFC 2018 Selective Acknowledgements are enabled.
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks of a clock that ticks tcp.slowhz times per second. (That is, their values must be divided by the tcp.slowhz value to get times in seconds.)
Returns the TCP statistics in a struct tcpstat.
The maximum number of entries allowed per hash bucket in the TCP SYN cache.
The maximum number of entries allowed in the TCP SYN cache.
Analogous to tcp.baddynamic but for UDP sockets.
Returns 1 when UDP checksums are being computed and checked. Disabling UDP checksums is strongly discouraged.
Returns the default UDP receive buffer size.
Returns the default UDP send buffer size.
Returns the UDP statistics in a struct udpstat.
Get or set various global information about IPv6 (Internet Protocol version 6). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:
icmp6 errppslimit integer yes
icmp6 mtudisc_hiwat integer yes
icmp6 mtudisc_lowat integer yes
icmp6 nd6_debug integer yes
icmp6 nd6_delay integer yes
icmp6 nd6_maxnudhint integer yes
icmp6 nd6_mmaxtries integer yes
icmp6 nd6_prune integer yes
icmp6 nd6_umaxtries integer yes
icmp6 nd6_useloopback integer yes
icmp6 nodeinfo integer yes
icmp6 rediraccept integer yes
icmp6 redirtimeout integer yes
ip6 accept_rtadv integer yes
ip6 auto_flowlabel integer yes
ip6 dad_count integer yes
ip6 defmcasthlim integer yes
ip6 forwarding integer yes
ip6 hdrnestlimit integer yes
ip6 hlim integer yes
ip6 kame_version string no
ip6 log_interval integer yes
ip6 maxfragpackets integer yes
ip6 maxfrags integer yes
ip6 mforwarding integer yes
ip6 multicast_mtudisc integer yes
ip6 multipath integer yes
ip6 redirect integer yes
ip6 rr_prune integer yes
ip6 use_deprecated integer yes
ip6 v6only integer no

The variables are as follows:

This variable specifies the maximum number of outgoing ICMPv6 error messages per second. ICMPv6 error messages exceeding this value are subject to rate limitation and will not go out from the node. A negative value will disable the rate limitation.

 
These variables define the maximum number of routing table entries created due to path MTU discovery (preventing denial-of-service attacks with ICMPv6 too big messages). After IPv6 path MTU discovery happens, path MTU information is kept in the routing table. If the number of routing table entries exceeds this value, the kernel will not attempt to keep the path MTU information. icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected PCBs. A negative value disables the upper limit.

If set to non-zero, IPv6 neighbor discovery will generate debugging messages. The debug output is useful for diagnosing IPv6 interoperability issues. The flag must be set to 0 for normal operation.

This variable specifies the DELAY_FIRST_PROBE_TIME timing constant in IPv6 neighbor discovery specification (RFC 4861), in seconds.

IPv6 neighbor discovery permits upper layer protocols to supply reachability hints, to avoid unnecessary neighbor discovery exchanges. This variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor discovery will take a maximum of 3 consecutive hints. After receiving 3 hints, the neighbor discovery layer will instead perform the normal neighbor discovery process.

This variable specifies the MAX_MULTICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 4861).

This variable specifies the interval between IPv6 neighbor cache babysitting in seconds.

This variable specifies the MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 4861).

If set to non-zero, IPv6 will use the loopback interface for local traffic.

This variable enables responses to ICMPv6 node information queries. If set to 0, responses will not be generated for ICMPv6 node information queries. Since node information queries can have a security impact, it is possible to fine tune which responses should be answered. Two separate bits can be set:
1
Respond to ICMPv6 FQDN queries, e.g. ping6 -w.
2
Respond to ICMPv6 node addresses queries, e.g. ping6 -a.

If set to non-zero, the host will accept ICMPv6 redirect packets. Note that IPv6 routers will never accept ICMPv6 redirect packets, so the variable is only meaningful on IPv6 hosts, not on routers.

The variable specifies the lifetime of routing entries generated by incoming ICMPv6 redirects.

If set to non-zero, the node will accept ICMPv6 router advertisement packets and autoconfigures address prefixes and default routers. The node must be a host (not a router) for the option to be meaningful (see ip6.forwarding).

On connected transport protocol packets, fill the IPv6 flowlabel field to help intermediate routers identify packet flows.

This variable configures the number of IPv6 DAD (duplicated address detection) probe packets. These packets are generated when IPv6 interfaces are first brought up.

The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overriding this value are documented in ip6(4).

Returns 1 when IPv6 forwarding is enabled for the node, meaning that the node is acting as a router. Returns 0 when IPv6 forwarding is disabled for the node, meaning that the node is acting as a host. Note that IPv6 defines node behavior for the “router” and “host” cases quite differently, and changing this variable during operation may cause serious trouble. Hence, this variable should only be set at bootstrap time.

The number of IPv6 extension headers permitted on incoming IPv6 packets. If set to 0, the node will accept as many extension headers as possible.

The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overriding this value are documented in ip6(4).

This string identifies the version of the KAME IPv6 stack implemented in the kernel.

This variable permits adjusting the amount of logs generated by the IPv6 packet forwarding engine. The value indicates the number of seconds of interval which must elapse between log output.

The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is provided basically for avoiding possible DoS attacks.

The maximum number of fragments the node will accept. 0 means that the node will not accept any fragments. -1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks.

If set to 1, then multicast forwarding is enabled for the host. The default is 0.

This variable controls generation of ICMPv6 Too Big messages when the machine is performing as an IPv6 multicast router. If set to 1, an ICMPv6 Too Big message will be generated for multicast packets which were too big to be forwarded. If set to 0, the ICMPv6 Too Big message will be suppressed.

This variable enables multipath routing for IPv6 addresses. If set to 0, only the first route selected will be used for a given destination regardless of how many routes exist in the routing table.

Returns 1 when ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems.

This variable specifies the interval between IPv6 router renumbering prefix babysitting in seconds.

This variable controls the use of deprecated addresses, specified in RFC 4862 5.5.4.

The variable specifies the initial value for the IPV6_V6ONLY socket option for an AF_INET6 socket. It is always 1 for OpenBSD.

We reuse net.inet.tcp and net.inet.udp for TCP/UDP over IPv6.

Return ipsec(4) database dumps. The second level name is PF_KEY_V2. The third level name selects the database as follows:

Security Association database (SADB).
IPsec flow database (SPD).
Get or set global information about MPLS (Multiprotocol Label Switching).
integer yes
node not applicable
integer yes
integer yes
integer yes
Set or get the default TTL value which is used for MPLS (Shim) Header. The default is 255.
Fourth level comprises an array of struct ifqueue structures containing information about MPLS packet input queue. The forth level names for the elements of struct ifqueue are same as described in ip.ifq in the PF_INET section.
If set to 1 the TTL field is synchronized between the IP header and the MPLS label stack. If set to 0 the IP header TTL is not modified while passing through MPLS and the MPLS label stack is initialized with the MPLSCTL_DEFTTL. The default is 1.
If set to 1 the TTL field is synchronized between the IPv6 header and the MPLS label stack. If set to 0 the IPv6 header TTL is not modified while passing through MPLS and the MPLS label stack is initialized with the MPLSCTL_DEFTTL. The default is 0.
Set or get the maxinum number of label stack operations (push, swap, pop) that can be made on a packet. The default is 16.
Get or set global information about PIPEX.

The currently defined variable names are:

integer yes
node not applicable
node not applicable
If set to 1, enable PIPEX processing. The default is 0.
Fourth level comprises an array of struct ifqueue structures containing information about the PIPEX packet input queue. The forth level names for the elements of struct ifqueue are the same as described in ip.ifq in the PF_INET section.
Fourth level comprises an array of struct ifqueue structures containing information about PIPEX packet output queue. The forth level names for the elements of struct ifqueue are same as described in ip.ifq in the PF_INET section.

The string and integer information available for the CTL_VFS level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

VFS generic info no
filesystem info no
This second level identifier requests generic information about the VFS layer. Within it, the following third level identifiers exist:
struct vfsconf no
int no
filesystem #
After finding the filesystem dependent vfc_typenum using VFS_GENERIC with VFS_CONF, it is possible to access filesystem dependent information.

Some filesystems may contain settings.

FFS
integer yes
integer yes
integer yes
integer yes
integer yes
integer no
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
integer yes
Enable combining multiple reads into one request to improve performance.
Enable combining multiple writes into one request.
The minimum size of a directory, in bytes, before it is considered for hashing.
The maximum amount of memory, in bytes, to be used for storing directory hashes.
The amount of memory currently used by all directory hashes.
When enabled, the kernel will attempt to relocate growing files so that they are contiguous on disk, reducing fragmentation.
NFS
struct nfsstats yes
int yes
The number of I/O kernel threads for NFS clients. The default is 4; the maximum is 20.
FUSE
int no
int no
int no
int no
The number of inbound fusebufs.
The number of FUSE devices opened.
The number of pages used for fusebuf memory.
The number of fusebufs waiting for a response.

The string and integer information available for the CTL_VM level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

integer yes
struct loadavg no
integer no
struct vmtotal no
integer no
struct psstrings no
swap encrypt values yes
integer no
struct uvmexp no
integer yes
integer yes
Percentage of physical memory available for pages which contain anonymous mapping.
Return the load average history. The returned data consists of a struct loadavg.
The time for a process to be blocked before being swappable, in seconds.
Return the system wide virtual memory statistics. The returned data consists of a struct vmtotal.
Number of pages in kmem_map.
Returns the address of the process struct ps_strings. The ps(1) program uses it to locate the argument and environment strings.
Contains statistics about swap encryption. The string and integer information available for the third level is detailed below.
integer no
integer no
integer yes
The number of encryption keys that have been randomly created. The swap partition is divided into sections of normally 512KB. Each section has its own encryption key.
The number of encryption keys that have been deleted, thus effectively erasing the data that has been encrypted with them. Encryption keys are deleted when their reference counter reaches zero.
Set to 1 to enable swap encryption for all processes. A 0 disables swap encryption. Pages still on swap receive a grandfather clause. Turning this option on does not affect legacy swap data already on the disk, but all newly written data will be encrypted. When swap encryption is turned on, automatic crash(8) dumps are disabled.
The number of bytes allocated for each kernel stack.
Contains statistics about the UVM memory management system.
Percentage of physical memory available for pages which contain cached file data.
Percentage of physical memory available for pages which contain cached executable data.

If the call to sysctl() is unsuccessful, -1 is returned and errno is set appropriately.

sys/sysctl.h
definitions for top level identifiers, second level kernel and hardware identifiers, and user level identifiers
sys/socket.h
definitions for second level network identifiers
sys/gmon.h
definitions for third level profiling identifiers
ufs/ffs/ffs_extern.h
definitions for third level virtual file system identifiers (ffs)
nfs/nfs.h
definitions for third level virtual file system identifiers (nfs)
uvm/uvm_param.h
definitions for second level virtual memory identifiers
uvm/uvm_swap_encrypt.h
definitions for third level virtual memory identifiers
net/if.h
definitions for packet input/output queue identifiers
net/pipex.h
definitions for third level PIPEX identifiers
netinet/in.h
definitions for third level IPv4/v6 identifiers and fourth level IP and IPv6 identifiers
netinet/icmp_var.h
definitions for fourth level ICMP identifiers
netinet/icmp6.h
definitions for fourth level ICMPv6 identifiers
netinet/tcp_var.h
definitions for fourth level TCP identifiers
netinet/udp_var.h
definitions for fourth level UDP identifiers
machine/cpu.h
definitions for second level CPU identifiers

The following errors may be reported:

[]
The buffer name, oldp, newp, or length pointer oldlenp contains an invalid address.
[]
The name array is less than two or greater than CTL_MAXNAME.
[]
A non-null newp pointer is given and its specified length in newlen is too large or too small.
[]
The length pointed to by oldlenp is too short to hold the requested value.
[]
The mib specified does not exist, or exceeds the range that is possible.
[]
If the mib is a sparsely populated array, this error may be returned instead.
[]
The name array specifies an intermediate rather than terminal name.
[]
The name array specifies a value that is unknown.
[]
An attempt is made to set a read-only value.
[]
A process without appropriate privileges attempts to set a value.
[]
An attempt to change a value protected by the current kernel security level is made.
[]
No process could be found which corresponds to the given process ID.

pathconf(2), sysconf(3), ddb(4), sysctl.conf(5), securelevel(7), sysctl(8)

The sysctl() function first appeared in 4.4BSD.

June 9, 2013 OpenBSD-5.4