NAME

SYNOPSIS

DESCRIPTION

int mib[2], maxproc; 
size_t len; 
 
mib[0] = CTL_KERN; 
mib[1] = KERN_MAXPROC; 
len = sizeof(maxproc); 
if (sysctl(mib, 2, &maxproc, &len, NULL, 0) == -1) 
	err(1, "sysctl");

CTL_DDB

 

 

DBCTL_CONSOLE (ddb.console)

When this variable is set, an architecture dependent magic key sequence on the console or a debugger button will permit entry into the kernel debugger. When running with a securelevel(7) greater than 0, this variable may not be raised.

 

 

DBCTL_LOG (ddb.log)

When set, ddb output is also logged in the kernel message buffer.

 

 

DBCTL_MAXLINE (ddb.max_line)

Determines the number of lines to page in ddb(4). This variable is also available as the ddb $lines variable.

 

 

DBCTL_MAXWIDTH (ddb.max_width)

Determines the maximum width of a line in ddb(4). This variable is also available as the ddb $maxwidth variable.

 

 

DBCTL_PANIC (ddb.panic)

When this variable is set, system panics may drop into the kernel debugger. When running with a securelevel(7) greater than 0, this variable may not be raised.

 

 

DBCTL_RADIX (ddb.radix)

Determines the default radix or base for non-prefixed numbers entered into ddb(4). This variable is also available as the ddb $radix variable.

 

 

DBCTL_TABSTOP (ddb.tab_stop_width)

Width of a tab stop in ddb(4). This variable is also available as the ddb $tabstops variable.

 

 

DBCTL_TRIGGER (ddb.trigger)

When DBCTL_CONSOLE is set, writing to DBCTL_TRIGGER causes the system to enter ddb(4). When running with a securelevel(7) greater than 0, the process writing to this variable must be running on the console in order to enter ddb(4).

CTL_DEBUG

int dospecialcheck = 1; 
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };

CTL_FS

 

 

FS_POSIX_SETUID (fx.posix.setuid)

When this variable is set, ownership changes on a file will cause the S_ISUID and S_ISGID bits to be cleared. When running with a securelevel(7) greater than 0, this variable may not be changed.

CTL_HW

 

 

HW_ALLOWPOWERDOWN (hw.allowpowerdown)

Some machines generate an interrupt when the power button is pressed and a driver can catch that interrupt. When this variable is set, such an event will cause the system to perform a regular shutdown and power off the machine. When running with a securelevel(7) greater than 0, this variable may not be changed.

 

 

HW_BYTEORDER (hw.byteorder)

The byteorder (4321 or 1234).

 

 

HW_CPUSPEED (hw.cpuspeed)

The current CPU frequency (in MHz).

 

 

HW_DISKCOUNT (hw.diskcount)

The number of disks currently attached to the system.

 

 

HW_DISKNAMES (hw.disknames)

A comma-separated list of disk names.

 

 

HW_DISKSTATS (hw.diskstats)

An array of struct diskstats structures containing disk statistics.

 

 

HW_MACHINE (hw.machine)

The machine class.

 

 

HW_MODEL (hw.model)

The machine model.

 

 

HW_NCPU (hw.ncpu)

The number of CPUs being used.

 

 

HW_NCPUFOUND (hw.ncpufound)

The number of CPUs found.

 

 

HW_PAGESIZE (hw.pagesize)

The software page size.

 

 

HW_PERFPOLICY (hw.perfpolicy)

The performance policy for power management. Can be one of “manual”, “auto”, or “high”.

 

 

HW_PHYSMEM

The total physical memory, in bytes. This variable is deprecated; use HW_PHYSMEM64 instead.

 

 

HW_PHYSMEM64 (hw.physmem)

The total physical memory, in bytes.

 

 

HW_PRODUCT (hw.product)

The product name of the machine.

 

 

HW_SENSORS (hw.sensors)

Third level comprises an array of struct sensordev structures containing information about devices that may attach hardware monitoring sensors.

Third, fourth and fifth levels together comprise an array of struct sensor structures containing snapshot readings of hardware monitoring sensors. In such usage, third level indicates the numerical representation of the sensor device name to which the sensor is attached (a device's xname and number are matched with the help of struct sensordev structure above), fourth level indicates sensor type and fifth level is an ordinal sensor number (unique to the specified sensor type on the specified sensor device).

The sensordev and sensor structures and sensor_type enumeration are defined in <sys/sensors.h>.

 

 

HW_SERIALNO (hw.serialno)

The serial number of the machine.

 

 

HW_SETPERF (hw.setperf)

Current CPU performance (percentage). It is only modifiable if HW_PERFPOLICY is set to “manual”.

 

 

HW_USERMEM

The amount of available non-kernel memory in bytes. This variable is deprecated; use HW_USERMEM64 instead.

 

 

HW_USERMEM64 (hw.usermem)

The amount of available non-kernel memory in bytes.

 

 

HW_UUID (hw.uuid)

The universal unique identification number assigned to the machine.

 

 

HW_VENDOR (hw.vendor)

The vendor name for this machine.

 

 

HW_VERSION (hw.version)

The version or revision of this machine.

CTL_KERN

 

 

KERN_ALLOWKMEM (kern.allowkmem)

Allow userland processes access to /dev/kmem. When running with a securelevel(7) greater than 0, this variable may not be changed.

 

 

KERN_ARGMAX (kern.argmax)

The maximum number of bytes allowed among the arguments to exec(3).

 

 

KERN_BOOTTIME (kern.boottime)

A struct timeval structure is returned. This structure contains the time that the system was booted.

 

 

KERN_CACHEPCT (kern.bufcachepercent)

The maximum percentage of physical memory the buffer cache may use; the default is 20%.

 

 

KERN_CCPU (kern.ccpu)

The scheduler exponential decay value.

 

 

KERN_CLOCKRATE (kern.clockrate)

A struct clockinfo structure is returned. This structure contains the clock, statistics clock and profiling clock frequencies, the number of micro-seconds per hz tick, and the clock skew rate.

 

 

KERN_CONSDEV (kern.consdev)

The console device.

 

 

KERN_CPTIME (kern.cp_time)

An array of longs of size CPUSTATES is returned, containing statistics about the number of ticks spent by the system in interrupt processing, user processes (nice(1) or normal), system processing, or idling.

 

 

KERN_CPTIME2 (kern.cp_time2)

Similar to KERN_CPTIME, but obtains information from only the single CPU specified by the third level name given.

 

 

KERN_DNSJACKPORT (kern.dnsjackport)

When non-zero, the localhost port to which all DNS sockets should be redirected.

 

 

KERN_DOMAINNAME (kern.domainname)

Get or set the YP domain name.

 

 

KERN_FILE (kern.file)

Return the entire file table, or a subset of it. An array of struct kinfo_file structures is returned, whose size depends on the current number of selected files in the system. The third and fourth level names are as follows:

Third level name	Fourth level is:
KERN_FILE_BYFILE	A file type
KERN_FILE_BYPID	A process ID
KERN_FILE_BYUID	A user ID

The fifth level name is the size of the struct kinfo_file and the sixth level name is the number of structures to return.

 

 

KERN_FORKSTAT (kern.forkstat)

A struct forkstat structure is returned. This structure contains information about the number of fork(2), vfork(2), and __tfork(3) system calls as well as kernel thread creations since system startup, and the number of pages of virtual memory involved in each.

 

 

KERN_FSCALE (kern.fscale)

The kernel fixed-point scale factor.

 

 

KERN_FSYNC (kern.fsync)

Return 1 if the File Synchronisation Option is available on this system, otherwise 0.

 

 

KERN_GLOBAL_PTRACE (kern.global_ptrace)

When set to 1, permit ptrace(2) to attach to any process with the appropriate privileges. When set to 0, processes may only attach to their own descendants.

 

 

KERN_HOSTID (kern.hostid)

Get or set the host ID.

 

 

KERN_HOSTNAME (kern.hostname)

Get or set the hostname.

 

 

KERN_JOB_CONTROL (kern.job_control)

Return 1 if job control is available on this system, otherwise 0.

 

 

KERN_MALLOCSTATS (kern.malloc)

Return kernel memory bucket statistics. The third level names are detailed below. There are no changeable values in this branch.

Third level name	Type
KERN_MALLOC_BUCKET	node
KERN_MALLOC_BUCKETS	string
KERN_MALLOC_KMEMNAMES	string
KERN_MALLOC_KMEMSTATS	node

The variables are as follows:

 

 

KERN_MALLOC_BUCKET.<size> (kern.malloc.bucket)

A node containing the statistics for the memory bucket of the specified size (in decimal notation, the number of bytes per bucket element, e.g., 16, 32, 128). Each node returns a struct kmembuckets.

If a value is specified that does not correspond directly to a bucket size, the statistics for the closest larger bucket size will be returned instead.

Note that bucket sizes are typically powers of 2.

 

 

KERN_MALLOC_BUCKETS (kern.malloc.buckets)

Return a comma-separated list of the bucket sizes used by the kernel.

 

 

KERN_MALLOC_KMEMNAMES (kern.malloc.kmemnames)

Return a comma-separated list of the names of the kernel malloc(9) types.

 

 

KERN_MALLOC_KMEMSTATS (kern.malloc.kmemstat)

A node containing the statistics for the memory types of the specified name. Each node returns a struct kmemstats.

 

 

KERN_MAXCLUSTERS (kern.maxclusters)

The maximum number of mbuf(9) clusters that may be allocated.

 

 

KERN_MAXFILES (kern.maxfiles)

The maximum number of open files that may be open in the system.

 

 

KERN_MAXLOCKSPERUID (kerb.maxlocksperuid)

The maximum number of file locks per user; the default is 1024.

 

 

KERN_MAXPARTITIONS (kern.maxpartitions)

The maximum number of partitions allowed per disk.

 

 

KERN_MAXPROC (kern.maxproc)

The maximum number of simultaneous processes the system will allow.

 

 

KERN_MAXTHREAD (kern.maxthread)

The maximum number of simultaneous threads the system will allow.

 

 

KERN_MAXVNODES (kern.maxvnodes)

The maximum number of vnodes available on the system.

 

 

KERN_MBSTAT (kern.mbstat)

A struct mbstat structure is returned, containing statistics on mbuf(9) usage.

 

 

KERN_MSGBUF (kern.msgbuf)

Returns a buffer containing kernel log messages; see dmesg(8).

 

 

KERN_MSGBUFSIZE (kern.msgbufsize)

The size of the kernel message buffer.

 

 

KERN_NCHSTATS (kern.nchstats)

A struct nchstats structure is returned. This structure contains information about the filename to inode(5) mapping cache.

 

 

KERN_NFILES (kern.nfiles)

Number of open files.

 

 

KERN_NGROUPS (kern.ngroups)

The maximum number of supplemental groups.

 

 

KERN_NOSUIDCOREDUMP (kern.nosuidcoredump)

Whether a process may dump core after changing user or group ID:

value	condition	dump core to
0	euid == 0	current directory
1	never
2	always	/var/crash
3	depends	/var/crash/$programname/

 

 

KERN_NPROCS (kern.nprocs)

The number of entries in the kernel process table.

 

 

KERN_NSELCOLL (kern.nselcoll)

Number of select(2) collisions.

 

 

KERN_NTHREADS (kern.nthreads)

The number of entries in the kernel thread table.

 

 

KERN_NUMVNODES (kern.numvnodes)

Number of vnodes in use.

 

 

KERN_OSRELEASE (kern.osrelease)

The system release string.

 

 

KERN_OSREV (kern.osrevision)

The system revision number.

 

 

KERN_OSTYPE (kern.ostype)

The system type string.

 

 

KERN_OSVERSION (kern.osversion)

The kernel build version.

 

 

KERN_POSIX1 (kern.posix1version)

The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply.

 

 

KERN_PROC (kern.proc)

Return the entire process table, or a subset of it. An array of struct kinfo_proc structures is returned, whose size depends on the current number of selected processes in the system. The third and fourth level names are as follows:

Third level name	Fourth level is:
KERN_PROC_ALL	None
KERN_PROC_KTHREAD	A kernel thread
KERN_PROC_PID	A process ID
KERN_PROC_PGRP	A process group
KERN_PROC_RUID	A real user ID
KERN_PROC_SESSION	A session PID
KERN_PROC_TTY	A tty device
KERN_PROC_UID	A user ID

The fifth level name is the size of the struct kinfo_proc and the sixth level name is the number of structures to return.

 

 

KERN_PROC_ARGS (kern.procargs)

Returns the arguments or environment of a process. The third level name is the PID of the process. The fourth level name is one of:

KERN_PROC_ARGV

KERN_PROC_ENV

KERN_PROC_NARGV

KERN_PROC_NENV

KERN_PROC_NARGV and KERN_PROC_NENV return the number of elements as an int in the argv or env array. KERN_PROC_ARGV returns the argv array and KERN_PROC_ENV returns the environ array. The buffer pointed to by oldp is filled with an array of char pointers followed by the strings themselves. The last char pointer is a NULL pointer.

 

 

KERN_PROC_CWD (kern.proc_cwd)

Return the current working directory of a process. The third level name is the target process ID. A NUL-terminated string is returned.

 

 

KERN_PROC_NOBROADCASTKILL (kern.proc_nobroadcastkill)

When set, a process will no longer be signaled when sending broadcast signals. The third level name is the target process ID.

 

 

KERN_PROC_VMMAP (kern.proc_vmmap)

Return the entire process VM map entries. An array of struct kinfo_vmentry structures is returned, whose size depends on the current number of VM map entries of the selected process. Iteration is possible by setting the base address in the first element of struct kinfo_vmentry.

 

 

KERN_PROF (kern.profiling)

Return profiling information about the kernel. If the kernel is not compiled for profiling, attempts to retrieve any of the KERN_PROF values will fail with EOPNOTSUPP. The third level names for the string and integer profiling information are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
GPROF_COUNT	u_short[]	yes
GPROF_FROMS	u_short[]	yes
GPROF_GMONPARAM	struct gmonparam	no
GPROF_STATE	integer	yes
GPROF_TOS	struct tostruct	yes

The variables are as follows:

 

 

GPROF_COUNT

Array of statistical program counter counts.

 

 

GPROF_FROMS

Array indexed by program counter of call-from points.

 

 

GPROF_GMONPARAM

Structure giving the sizes of the above arrays.

 

 

GPROF_STATE

Returns GMON_PROF_ON or GMON_PROF_OFF to show that profiling is running or stopped.

 

 

GPROF_TOS

Array of struct tostruct describing destination of calls and their counts.

 

 

KERN_RAWPARTITION (kern.rawpartition)

The raw partition of a disk (a == 0).

 

 

KERN_SAVED_IDS (kern.saved_ids)

Returns 1 if saved set-group-ID and saved set-user-ID are available.

 

 

KERN_SECURELVL (kern.securelevel)

The system security level. This level may be raised by processes with appropriate privileges. It may only be lowered by process 1.

 

 

KERN_SEMINFO (kern.seminfo)

Return the elements of struct seminfo. If the kernel is not compiled with System V style semaphore support, attempts to retrieve any of the KERN_SEMINFO values will fail with EOPNOTSUPP. The third level names for the elements of struct seminfo are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
KERN_SEMINFO_SEMAEM	integer	no
KERN_SEMINFO_SEMMNI	integer	yes
KERN_SEMINFO_SEMMNS	integer	yes
KERN_SEMINFO_SEMMNU	integer	yes
KERN_SEMINFO_SEMMSL	integer	yes
KERN_SEMINFO_SEMOPM	integer	yes
KERN_SEMINFO_SEMUME	integer	no
KERN_SEMINFO_SEMUSZ	integer	no
KERN_SEMINFO_SEMVMX	integer	no

The variables are as follows:

 

 

KERN_SEMINFO_SEMAEM (kern.seminfo.semaem)

The adjust on exit maximum value.

 

 

KERN_SEMINFO_SEMMNI (kern.seminfo.semni)

The maximum number of semaphore identifiers allowed.

 

 

KERN_SEMINFO_SEMMNS (kern.seminfo.semmns)

The maximum number of semaphores allowed in the system.

 

 

KERN_SEMINFO_SEMMNU (kern.seminfo.semnu)

The maximum number of semaphore undo structures allowed in the system.

 

 

KERN_SEMINFO_SEMMSL (kern.seminfo.semmsl)

The maximum number of semaphores allowed per ID.

 

 

KERN_SEMINFO_SEMOPM (kern.seminfo.semopm)

The maximum number of operations per semop(2) call.

 

 

KERN_SEMINFO_SEMUME (kern.seminfo.semume)

The maximum number of undo entries per process.

 

 

KERN_SEMINFO_SEMUSZ (kern.seminfo.semusz)

The size (in bytes) of the undo structure.

 

 

KERN_SEMINFO_SEMVMX (kern.seminfo.semvmx)

The semaphore maximum value.

 

 

KERN_SHMINFO (kern.shminfo)

Return the elements of struct shminfo. If the kernel is not compiled with System V style shared memory support, attempts to retrieve any of the KERN_SHMINFO values will fail with EOPNOTSUPP. The third level names for the elements of struct shminfo are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
KERN_SHMINFO_SHMALL	integer	yes
KERN_SHMINFO_SHMMAX	integer	yes
KERN_SHMINFO_SHMMIN	integer	yes
KERN_SHMINFO_SHMMNI	integer	yes
KERN_SHMINFO_SHMSEG	integer	yes

The variables are as follows:

 

 

KERN_SHMINFO_SHMALL (kern.shminfo.shmall)

The maximum amount of total shared memory allowed in the system (in pages).

 

 

KERN_SHMINFO_SHMMAX (kern.shminfo.shmmax)

The maximum shared memory segment size (in bytes).

 

 

KERN_SHMINFO_SHMMIN (kern.shminfo.shmmin)

The minimum shared memory segment size (in bytes).

 

 

KERN_SHMINFO_SHMMNI (kern.shminfo.shmmni)

The maximum number of shared memory identifiers in the system.

 

 

KERN_SHMINFO_SHMSEG (kern.shminfo.shmseg)

The maximum number of shared memory segments per process.

 

 

KERN_SOMAXCONN (kern.somaxconn)

Upper bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The default value is 128.

 

 

KERN_SOMINCONN (kern.sominconn)

Lower bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The default value is 80.

 

 

KERN_SPLASSERT (kern.splassert)

Modify the system interrupt priority level. Valid values are:

0

Disable error checking.

1

Print a message if an error is detected.

2

Print a message if an error is detected, and a stack trace if possible.

3

The same as 2, but also drop into the kernel debugger.

Any other value causes a system panic on errors. See splassert(9) for more information.

 

 

KERN_STACKGAPRANDOM (kern.stackgap_random)

Sets the range of the random value added to the stack pointer on each program execution. The random value is added to make buffer overflow exploitation slightly harder. The bigger the number, the harder it is to brute force this added protection, but it also means bigger waste of memory.

 

 

KERN_SYSVIPC_INFO (kern.sysvipc_info)

Return System V style IPC configuration and run-time information. The third level name selects the System V style IPC facility.

Third level name	Type
KERN_SYSVIPC_MSG_INFO	struct msg_sysctl_info
KERN_SYSVIPC_SEM_INFO	struct sem_sysctl_info
KERN_SYSVIPC_SHM_INFO	struct shm_sysctl_info

 

 

KERN_SYSVIPC_MSG_INFO

Return information on the System V style message facility. The msg_sysctl_info structure is defined in <sys/msg.h>.

 

 

KERN_SYSVIPC_SEM_INFO

Return information on the System V style semaphore facility. The sem_sysctl_info structure is defined in <sys/sem.h>.

 

 

KERN_SYSVIPC_SHM_INFO

Return information on the System V style shared memory facility. The shm_sysctl_info structure is defined in <sys/shm.h>.

 

 

KERN_SYSVMSG (kern.sysvmsg)

Returns 1 if System V style message queue functionality is available on this system, otherwise 0.

 

 

KERN_SYSVSEM (kern.sysvem)

Returns 1 if System V style semaphore functionality is available on this system, otherwise 0.

 

 

KERN_SYSVSHM (kern.sysvshm)

Returns 1 if System V style shared memory functionality is available on this system, otherwise 0.

 

 

KERN_TIMECOUNTER (kern.timecounter)

Return statistics information about the kernel time counter. The third level names information is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
KERN_TIMECOUNTER_CHOICE	string	no
KERN_TIMECOUNTER_HARDWARE	string	yes
KERN_TIMECOUNTER_TICK	integer	no
KERN_TIMECOUNTER_TIMESTEPWARNINGS	integer	yes

The variables are as follows:

 

 

KERN_TIMECOUNTER_CHOICE (kern.timecounter.choice)

Get the list of kernel time counter sources and their claimed quality (higher is better).

 

 

KERN_TIMECOUNTER_HARDWARE (kern.timecounter.hardware)

Get or set the kernel time counter source by name.

 

 

KERN_TIMECOUNTER_TICK (kern.timecounter.tick)

Get the number of times we have reset the kernel time counter information.

 

 

KERN_TIMECOUNTER_TIMESTEPWARNINGS (kern.timecounter.timestepwarnings)

Get or set a flag to log a message when the kernel time is stepped.

 

 

KERN_TTY (kern.tty)

Return statistics information about tty input/output. The third level names information is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
KERN_TTY_INFO	struct itty	no
KERN_TTY_TKCANCC	int64_t	no
KERN_TTY_TKNIN	int64_t	no
KERN_TTY_TKNOUT	int64_t	no
KERN_TTY_TKRAWCC	int64_t	no

The variables are as follows:

 

 

KERN_TTY_INFO (kern.tty.ttyinfo)

Returns an array of struct itty structures containing tty statistics.

 

 

KERN_TTY_TKCANCC (kern.tty.tk_cancc)

Returns the number of input characters in canonical mode.

 

 

KERN_TTY_TKNIN (kern.tty.tk_nin)

Returns the number of input characters from a tty(4).

 

 

KERN_TTY_TKNOUT (kern.tty.tk_nout)

Returns the number of output characters on a tty(4).

 

 

KERN_TTY_TKRAWCC (kern.tty.tk_rawcc)

Returns the number of input characters in raw mode.

 

 

KERN_TTYCOUNT (kern.ttycount)

Number of available tty(4) devices.

 

 

KERN_VERSION (kern.version)

The system version string.

 

 

KERN_WATCHDOG (kern.watchdog)

Return information on hardware watchdog timers. If the kernel does not support a hardware watchdog timer, attempts to retrieve or set any of the KERN_WATCHDOG values will fail with EOPNOTSUPP.

Third level name	Type	Changeable
KERN_WATCHDOG_AUTO	integer	yes
KERN_WATCHDOG_PERIOD	integer	yes

The variables are as follows:

 

 

KERN_WATCHDOG_AUTO (kern.watchdog.auto)

If set to 1, the kernel refreshes the watchdog timer periodically. If set to 0, a userland process must ensure that the watchdog timer gets refreshed by setting the KERN_WATCHDOG_PERIOD variable.

 

 

KERN_WATCHDOG_PERIOD (kern.watchdog.period)

The period of the watchdog timer in seconds. Set to 0 to disable the watchdog timer.

 

 

KERN_WXABORT (kern.wxabort)

Generate an abort, rather than returning an error, on W^X violation.

CTL_MACHDEP

CTL_NET

 

 

PF_ROUTE

Return the entire routing table or a subset of it. The data is returned as a sequence of routing messages (see route(4) for the header file, format, and meaning). The length of each message is contained in the message header.

The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows:

Fifth level name	Sixth level is:
NET_RT_DUMP	priority
NET_RT_FLAGS	rtflags
NET_RT_IFLIST	None
NET_RT_IFNAMES	None
NET_RT_STATS	None

 

 

NET_RT_DUMP

If set to 0, show all routes. If set to any number, show all routes with that number priority. If set to a negative number, show routes that do not have the positive priority value.

An optional seventh level name can be provided to select the routing table on which to run the operation. If not provided, the table with ID 0 is used.

 

 

PF_INET

Get or set various global information about IPv4 (Internet Protocol version 4). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:

Protocol name	Variable name	Type	Changeable
ah	enable	integer	yes
bpf	bufsize	integer	yes
bpf	maxbufsize	integer	yes
carp	allow	integer	yes
carp	log	integer	yes
carp	preempt	integer	yes
divert	recvspace	integer	yes
divert	sendspace	integer	yes
esp	enable	integer	yes
esp	udpencap	integer	yes
esp	udpencap_port	integer	yes
etherip	allow	integer	yes
gre	allow	integer	yes
gre	wccp	integer	yes
icmp	bmcastecho	integer	yes
icmp	errppslimit	integer	yes
icmp	maskrepl	integer	yes
icmp	rediraccept	integer	yes
icmp	redirtimeout	integer	yes
icmp	stats	structure	no
icmp	tstamprepl	integer	yes
ip	arpdown	integer	yes
ip	arptimeout	integer	yes
ip	directed-broadcast	integer	yes
ip	encdebug	integer	yes
ip	forwarding	integer	yes
ip	ifq	node	N/A
ip	ipsec-allocs	integer	yes
ip	ipsec-auth-alg	string	yes
ip	ipsec-bytes	integer	yes
ip	ipsec-comp-alg	string	yes
ip	ipsec-enc-alg	string	yes
ip	ipsec-expire-acquire	integer	yes
ip	ipsec-firstuse	integer	yes
ip	ipsec-invalid-life	integer	yes
ip	ipsec-pfs	integer	yes
ip	ipsec-soft-allocs	integer	yes
ip	ipsec-soft-bytes	integer	yes
ip	ipsec-soft-firstuse	integer	yes
ip	ipsec-soft-timeout	integer	yes
ip	ipsec-timeout	integer	yes
ip	maxqueue	integer	yes
ip	mforwarding	integer	yes
ip	mtudisc	integer	yes
ip	mtudisctimeout	integer	yes
ip	multipath	integer	yes
ip	portfirst	integer	yes
ip	porthifirst	integer	yes
ip	porthilast	integer	yes
ip	portlast	integer	yes
ip	redirect	integer	yes
ip	sourceroute	integer	yes
ip	stats	structure	no
ip	ttl	integer	yes
ipcomp	enable	integer	yes
ipip	allow	integer	yes
mobileip	allow	integer	yes
tcp	ackonpush	integer	yes
tcp	always_keepalive	integer	yes
tcp	baddynamic	array	yes
tcp	ecn	integer	yes
tcp	ident	structure	no
tcp	keepidle	integer	yes
tcp	keepinittime	integer	yes
tcp	keepintvl	integer	yes
tcp	mssdflt	integer	yes
tcp	reasslimit	integer	yes
tcp	rfc1323	integer	yes
tcp	rfc3390	integer	yes
tcp	rootonly	array	yes
tcp	rstppslimit	integer	yes
tcp	sack	integer	yes
tcp	slowhz	integer	no
tcp	stats	structure	no
tcp	synbucketlimit	integer	yes
tcp	syncachelimit	integer	yes
tcp	synhashsize	integer	yes
tcp	synuselimit	integer	yes
udp	baddynamic	array	yes
udp	checksum	integer	yes
udp	recvspace	integer	yes
udp	rootonly	array	yes
udp	sendspace	integer	yes
udp	stats	structure	no

The variables are as follows:

 

 

ah.enable (net.inet.ah.enable)

If set to 1, enable the Authentication Header (AH) IPsec protocol. Enabled by default. See ipsec(4) for more information.

 

 

bpf.bufsize (net.bpf.bufsize)

The initial size of bpf(4) buffers.

 

 

bpf.maxbufsize (net.bpf.maxbufsize)

The maximum size a user may request a bpf(4) buffer to be.

 

 

carp.allow (net.inet.carp.allow)

If set to 0, incoming carp(4) packets will not be processed. If set to any other value, processing will occur. Enabled by default.

 

 

carp.log (net.inet.carp.log)

Controls the verbosity of carp(4) logging. May be a value between 0 and 7 corresponding with syslog(3) priorities. The default value is 2.

 

 

carp.preempt (net.inet.carp.preempt)

If set to 0, carp(4) will not attempt to become master if it is receiving advertisements from another active master. If set to any other value, carp will become master of the virtual host if it believes it can send advertisements more frequently than the current master. Disabled by default.

 

 

divert.recvspace (net.inet.divert.recvspace)

Returns the default divert receive buffer size.

 

 

divert.sendspace (net.inet.divert.sendspace)

Returns the default divert send buffer size.

 

 

esp.enable (net.inet.esp.enable)

If set to 1, enable the Encapsulating Security Payload (ESP) IPsec protocol. Enabled by default. See ipsec(4) for more information.

 

 

esp.udpencap (net.inet.esp.udpencap)

If set to 1, enable processing of UDP encapsulated ESP packets. Enabled by default.

 

 

esp.udpencap_port (net.inet.udpencap_port)

Contains the value of the UDP port that triggers decapsulation for incoming UDP encapsulated ESP packets. The default port is 4500.

 

 

etherip.allow (net.inet.etherip.allow)

If set to 0, incoming Ethernet-in-IPv4 packets will not be processed. If set to any other value, processing will occur.

 

 

gre.allow (net.inet.gre.allow)

If set to 0, incoming GRE packets will not be processed. If set to any other value, processing will occur.

 

 

gre.wccp (net.inet.gre.wccp)

If set to 0, incoming WCCPv1-style GRE packets will not be processed. If set to any other value, and gre.allow allows GRE packet processing, WCCPv1-style GRE packets will be processed.

 

 

icmp.bmcastecho (net.inet.icmp.bmcastecho)

If set to 1, respond to ICMP echo requests destined for broadcast and multicast addresses. Note, enabling this could open a system to a type of denial of service attack called “smurfing”, and is thus not advised.

 

 

icmp.errppslimit (net.inet.icmp.errppslimit)

This variable specifies the maximum number of outgoing ICMP error messages per second. ICMP error messages exceeding this value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation.

 

 

icmp.maskrepl (kern.inet.icmp.maskrepl)

Returns 1 if ICMP network mask requests are to be answered.

 

 

icmp.rediraccept (kern.inet.icmp.rediraccept)

If set to non-zero, the host will accept ICMP redirect packets. Note that routers will never accept ICMP redirect packets, and the variable is meaningful on IP hosts only.

 

 

icmp.redirtimeout (net.inet.icmp.redrttimeout)

This variable specifies the lifetime of routing entries generated by incoming ICMP redirects. The default timeout is 10 minutes.

 

 

icmp.stats (kern.inet.icmp.stats)

Returns the ICMP statistics in a struct icmpstat.

 

 

icmp.tstamprepl (net.inet.icmp.tstamprepl)

If set to 1, reply to ICMP timestamp requests. If set to 0, ignore timestamp requests.

 

 

ip.arpdown (net.inet.ip.arpdown)

Lifetime of unresolved ARP entries, in seconds.

 

 

ip.arptimeout (net.inet.ip.arptimeout)

Lifetime of resolved ARP entries, in seconds.

 

 

ip.directed-broadcast (net.inet.ip.directed-broadcast)

Returns 1 if directed broadcast behavior is enabled for the host.

 

 

ip.encdebug (net.inet.ip.encdebug)

Returns 1 when error message reporting is enabled for the host. If the kernel has been compiled with the ENCDEBUG option, then debugging information will also be reported when this variable is set.

 

 

ip.forwarding (net.inet.ip.forwarding)

If set to 1, then IP forwarding is enabled for the host, indicating the host is acting as a router. If set to 2, then IP forwarding is restricted to traffic that has been IPsec encapsulated or decapsulated by the host. The default value is 0.

 

 

ip.ifq

Fifth level comprises an array of struct ifqueue structures containing information about IP packet input queue. The fifth level names for the elements of struct ifqueue are detailed below.

Fifth level name	Type	Changeable
IFQCTL_DROPS	integer	no
IFQCTL_LEN	integer	no
IFQCTL_MAXLEN	integer	yes

The variables are as follows:

IFQCTL_DROPS (net.inet.ip.ifq.drops)

Returns number of packet dropped.

IFQCTL_LEN (net.inet.ip.ifq.len)

Returns the current queue length.

IFQCTL_MAXLEN (bet.inet.ip.ifq.maxlen)

Get or set the maximum number of queue length.

 

 

ip.ipsec-allocs (net.inet.ip.ipsec-allocs)

The number of IPsec flows that can use a security association before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0.

 

 

ip.ipsec-auth-alg (net.inet.ip.ipsec-auth-alg)

This is the default authentication algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic VPN entries. Supported values are hmac-md5, hmac-sha1, and hmac-ripemd160. If set to any other value, it is left to the key management daemons to select an authentication algorithm for the security association. The default value is hmac-sha1.

 

 

ip.ipsec-bytes (net.inet.ip.ipsec-bytes)

The number of bytes that will be processed by a security association before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0.

 

 

ip.ipsec-comp-alg (net.inet.ip.ipsec-comp-alg)

The compression algorithm to use with an IP Compression Association (IPCA). Possible values are “deflate” and “lzs”. Note that lzs is only available with hifn(4). See ipsecctl(8) for more information.

 

 

ip.ipsec-enc-alg (net.inet.ip.ipsec-enc-alg)

This is the default encryption algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic VPN entries. Supported values are aes, des, 3des, blowfish and cast128. If set to any other value, it is left to the key management daemons to select an encryption algorithm for the security association. The default value is aes.

 

 

ip.ipsec-expire-acquire (net.inet.ip.ipsec-expire-acquire)

How long the kernel should allow key management to dynamically acquire security associations before re-sending a request. The default value is 30 seconds.

 

 

ip.ipsec-firstuse (net.inet.ip.ipsec-firstuse)

The number of seconds after a security association is first used before it expires. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 7200 seconds.

 

 

ip.ipsec-invalid-life (net.inet.ip.ipsec-invalid-life)

The lifetime of embryonic Security Associations (SAs that key management daemons have reserved but not fully established yet) in seconds. If set to less than or equal to zero, embryonic SAs will not expire. The default value is 60.

 

 

ip.ipsec-pfs (net.inet.ip.ipsec-pfs)

If set to any non-zero value, the kernel will ask the key management daemons to use Perfect Forward Secrecy when establishing IPsec Security Associations. Perfect Forward Secrecy makes IPsec Security Associations cryptographically distinct from each other, such that breaking the key for one such SA does not compromise any others. Requiring PFS for every security association significantly increases the computational load of isakmpd(8) exchanges. The default value is 1.

 

 

ip.ipsec-soft-allocs (net.inet.ip.ipsec-soft-allocs)

The number of IPsec flows that can use a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0.

 

 

ip.ipsec-soft-bytes (net.inet.ip.ipsec-soft-bytes)

The number of bytes that will be processed by a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0.

 

 

ip.ipsec-soft-firstuse (net.inet.ip.ipsec-soft-firstuse)

The number of seconds after a security association is first used before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 3600 seconds.

 

 

ip.ipsec-soft-timeout (net.inet.ip.ipsec-soft-timeout)

The number of seconds after a security association is established before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 80000 seconds.

 

 

ip.ipsec-timeout (net.inet.ip.ipsec-timeout)

The number of seconds after a security association is established before it will expire. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 86400 seconds.

 

 

ip.maxqueue (net.inet.ip.maxqueue)

Fragment flood protection. Sets the maximum number of unassembled IP fragments in the fragment queue.

 

 

ip.mforwarding (net.inet.ip.mforwarding)

If set to 1, then multicast forwarding is enabled for the host. The default is 0.

 

 

ip.mtudisc (net.inet.ip.mtudisc)

Returns 1 if Path MTU Discovery is enabled.

 

 

ip.mtudisctimeout (net.inet.ip.mtudisctimeout)

Number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU.

 

 

ip.multipath (net.inet.ip.multipath)

This variable enables multipath routing for IPv4 addresses. If set to 0, only the first route selected will be used for a given destination regardless of how many routes exist in the routing table.

 

 

ip.portfirst (net.inet.ip.portfirst)

Minimum registered port number for TCP/UDP port allocation. Registered ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be less than ip.portlast.

 

 

ip.porthifirst (net.inet.ip.porthifirst)

Minimum dynamic/private port number for TCP/UDP port allocation. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be less than ip.porthilast.

 

 

ip.porthilast (net.inet.ip.porthilast)

Maximum dynamic/private port number for TCP/UDP port allocation. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be greater than ip.porthifirst.

 

 

ip.portlast (net.inet.ip.portlast)

Maximum registered port number for TCP/UDP port allocation. Registered ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be greater than ip.portfirst.

 

 

ip.redirect (net.inet.ip.redirect)

Returns 1 when ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems.

 

 

ip.sourceroute (net.inet.ip.sourceroute)

Returns 1 when forwarding of source-routed packets is enabled for the host. When running with a securelevel(7) greater than 0, this variable may not be changed.

 

 

ip.stats (net.inet.ip.stats)

Returns the IP statistics in a struct ipstat.

 

 

ip.ttl (net.inet.ip.ttl)

The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to normal transport protocols, not to ICMP.

 

 

ipcomp.enable (net.inet.ipcomp.enable)

Enable the IPComp protocol. See ipsecctl(8) for more information.

 

 

ipip.allow (net.inet.ipip.allow)

If set to 0, incoming IP-in-IP packets will not be processed. If set to any other value, processing will occur; furthermore, if set to 2, no checks for spoofing of loopback addresses will be done. This is useful only for debugging purposes, and should never be used in production systems.

 

 

mobileip.allow (net.inet.mobileip.allow)

If set to 0, incoming Mobile IP encapsulated packets (RFC 2004) will not be processed. If set to any other value, processing will occur.

 

 

tcp.ackonpush (net.inet.tcp.ackonpush)

Returns 1 if TCP segments with the TH_PUSH flag set are being acknowledged immediately, otherwise 0.

 

 

tcp.baddynamic (net.inet.tcp.baddynamic)

An array of in_port_t is returned specifying the bitmask of TCP ports between 512 and 1023 inclusive that should not be allocated dynamically by the kernel (i.e., they must be bound specifically by port number).

 

 

tcp.ecn (net.inet.tcp.ecn)

Returns 1 if Explicit Congestion Notifications for TCP are enabled.

 

 

tcp.ident (net.inet.tcp.ident)

A struct tcp_ident_mapping specifying a local and foreign endpoint of a TCP socket is filled in with the effective and real UIDs of the process that owns the socket. If no such socket exists, then the effective and real UID values are both set to -1.

 

 

tcp.keepidle (net.inet.tcp.keepidle)

If the socket option SO_KEEPALIVE has been set on a socket, then this value specifies how much time a connection needs to be idle before keepalives are sent. See also tcp.slowhz.

 

 

tcp.keepinittime (net.inet.tcp.keepinittime)

Time to keep alive the initial SYN packet of a TCP handshake.

 

 

tcp.keepintvl (net.inet.tcp.keepintvl)

Time after a keepalive probe is sent until, in the absence of any response, another probe is sent. See also tcp.slowhz.

 

 

tcp.always_keepalive (net.inet.tcp.always_keepalive)

Act as if the option SO_KEEPALIVE was set on all TCP sockets.

 

 

tcp.mssdflt (net.inet.tcp.mssdflt)

The maximum segment size that is used as default for non-local connections. The default value is 512.

 

 

tcp.reasslimit (net.inet.tcp.reasslimit)

The maximum number of out-of-order TCP segments the system will store for reassembly.

 

 

tcp.rfc1323 (net.inet.tcp.rfc1323)

Returns 1 if RFC 1323 extensions to TCP are enabled.

 

 

tcp.rfc3390 (net.inet.tcp.rfc3390)

Returns 1 if the TCP Initial Window is increased to 4 * MSS or 4380 bytes, as specified in RFC 3390. Returns 2 if the TCP Initial Window is increased to 10 * MSS or 14600 bytes, as specified in draft-ietf-tcpm-initcwnd.

 

 

tcp.rootonly (net.inet.tcp.rootonly)

An array of in_port_t is returned specifying the bitmask of TCP ports that can only be bound by processes with root euid. When running with a securelevel(7) greater than 0, this variable may not be changed.

 

 

tcp.rstppslimit (net.inet.tcp.rstppslimit)

This variable specifies the maximum number of outgoing TCP RST packets per second. TCP RST packets exceeding this value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation.

 

 

tcp.sack (net.inet.tcp.sack)

Returns 1 if RFC 2018 Selective Acknowledgements are enabled.

 

 

tcp.slowhz (net.inet.tcp.slowhz)

The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks of a clock that ticks tcp.slowhz times per second. (That is, their values must be divided by the tcp.slowhz value to get times in seconds.)

 

 

tcp.stats (net.inet.tcp.stats)

Returns the TCP statistics in a struct tcpstat.

 

 

tcp.synbucketlimit (net.inet.tcp.synbucketlimit)

The maximum number of entries allowed per hash bucket in the TCP SYN cache.

 

 

tcp.syncachelimit (net.inet.tcp.syncachelimit)

The maximum number of entries allowed in the TCP SYN cache.

 

 

tcp.synhashsize (net.inet.tcp.synhashsize)

The number of buckets in the TCP SYN cache hash array. After the value is set, the actual size changes when the alternative SYN cache becomes empty and both SYN caches are swapped.

 

 

tcp.synuselimit (net.inet.tcp.synuselimit)

The minimum number of times the hash function for the TCP SYN cache is used before it is reseeded.

 

 

udp.baddynamic (net.inet.udp.baddynamic)

Analogous to tcp.baddynamic but for UDP sockets.

 

 

udp.checksum (net.inet.udp.checksum)

Returns 1 when UDP checksums are being computed and checked. Disabling UDP checksums is strongly discouraged.

 

 

udp.recvspace (net.inet.udp.recvspace)

Returns the default UDP receive buffer size.

 

 

udp.rootonly (net.inet.udp.rootonly)

Analogous to tcp.rootonly but for UDP sockets.

 

 

udp.sendspace (net.inet.udp.sendspace)

Returns the default UDP send buffer size.

 

 

udp.stats (net.inet.udp.stats)

Returns the UDP statistics in a struct udpstat.

 

 

PF_INET6

Get or set various global information about IPv6 (Internet Protocol version 6). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:

Protocol name	Variable name	Type	Changeable
icmp6	errppslimit	integer	yes
icmp6	mtudisc_hiwat	integer	yes
icmp6	mtudisc_lowat	integer	yes
icmp6	nd6_debug	integer	yes
icmp6	nd6_delay	integer	yes
icmp6	nd6_maxnudhint	integer	yes
icmp6	nd6_mmaxtries	integer	yes
icmp6	nd6_prune	integer	yes
icmp6	nd6_umaxtries	integer	yes
icmp6	redirtimeout	integer	yes
ip6	auto_flowlabel	integer	yes
ip6	dad_count	integer	yes
ip6	dad_pending	integer	yes
ip6	defmcasthlim	integer	yes
ip6	forwarding	integer	yes
ip6	hdrnestlimit	integer	yes
ip6	hlim	integer	yes
ip6	ifq	node	N/A
ip6	log_interval	integer	yes
ip6	maxdynroutes	integer	yes
ip6	maxfragpackets	integer	yes
ip6	maxfrags	integer	yes
ip6	maxifprefixes	integer	yes
ip6	maxifdefrouters	integer	yes
ip6	mforwarding	integer	yes
ip6	mtudisctimeout	integer	yes
ip6	multicast_mtudisc	integer	yes
ip6	multipath	integer	yes
ip6	neighborgcthresh	integer	yes
ip6	redirect	integer	yes
ip6	use_deprecated	integer	yes

The variables are as follows:

icmp6.errppslimit (net.inet6.icmp6.errppslimit)

This variable specifies the maximum number of outgoing ICMPv6 error messages per second. ICMPv6 error messages exceeding this value are subject to rate limitation and will not go out from the node. A negative value will disable the rate limitation.

icmp6.mtudisc_hiwat (net.inet6.icmp6.mtudisc_hiwat)

 

icmp6.mtudisc_lowat (net.inet6.icmp6.mtudisc_lowat)

These variables define the maximum number of routing table entries created due to path MTU discovery (preventing denial-of-service attacks with ICMPv6 too big messages). After IPv6 path MTU discovery happens, path MTU information is kept in the routing table. If the number of routing table entries exceeds this value, the kernel will not attempt to keep the path MTU information. icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected PCBs. A negative value disables the upper limit.

icmp6.nd6_debug (net.inet6.icmp6.nd6_debug)

If set to non-zero, IPv6 neighbor discovery will generate debugging messages. The debug output is useful for diagnosing IPv6 interoperability issues. The flag must be set to 0 for normal operation.

icmp6.nd6_delay (net.inet6.icmp6.nd6_delay)

This variable specifies the DELAY_FIRST_PROBE_TIME timing constant in IPv6 neighbor discovery specification (RFC 4861), in seconds.

icmp6.nd6_maxnudhint (net.inet6.icmp6.nd6_maxnudhint)

IPv6 neighbor discovery permits upper layer protocols to supply reachability hints, to avoid unnecessary neighbor discovery exchanges. This variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor discovery will take a maximum of 3 consecutive hints. After receiving 3 hints, the neighbor discovery layer will instead perform the normal neighbor discovery process.

icmp6.nd6_mmaxtries (net.inet6.icmp6.nd6_mmaxtries)

This variable specifies the MAX_MULTICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 4861).

icmp6.nd6_prune (net.inet6.icmp6.nd6_prune)

This variable specifies the interval between IPv6 neighbor cache babysitting in seconds.

icmp6.nd6_umaxtries (net.inet6.icmp6.nd6_umaxtries)

This variable specifies the MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 4861).

icmp6.redirtimeout (net.inet6.icmp6.redirtimeout)

The variable specifies the lifetime of routing entries generated by incoming ICMPv6 redirects.

ip6.auto_flowlabel (net.inet6.ip6.auto_flowlabel)

On connected transport protocol packets, fill the IPv6 flowlabel field to help intermediate routers identify packet flows.

ip6.dad_count (net.inet6.ip6.dad_count)

This variable configures the number of IPv6 DAD (duplicated address detection) probe packets. These packets are generated when IPv6 interfaces are first brought up.

ip6.dad_pending (net.inet6.ip6.dad_pending)

This variable displays the number of pending IPv6 DAD (duplicated address detection) before completion. It is used to make sure that DAD is completed before netstart(8) is executed.

ip6.defmcasthlim (net.inet6.ip6.defmcasthlim)

The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overriding this value are documented in ip6(4).

ip6.forwarding (net.inet6.ip6.forwarding)

Returns 1 when IPv6 forwarding is enabled for the node, meaning that the node is acting as a router. Returns 0 when IPv6 forwarding is disabled for the node, meaning that the node is acting as a host. Note that IPv6 defines node behavior for the “router” and “host” cases quite differently, and changing this variable during operation may cause serious trouble. Hence, this variable should only be set at bootstrap time.

ip6.hdrnestlimit (net.inet6.ip6.hdrnestlimit)

The number of IPv6 extension headers permitted on incoming IPv6 packets. If set to 0, the node will accept as many extension headers as possible.

ip6.hlim (net.inet6.ip6.hlim)

The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overriding this value are documented in ip6(4).

ip6.ifq (net.inet6.ip6.ifq)

Fifth level comprises an array of struct ifqueue structures containing information about IPv6 packet input queue. The fifth level names for the elements of struct ifqueue are detailed above in ip.ifq.

ip6.log_interval (net.inet6.ip6.log_interval)

This variable permits adjusting the amount of logs generated by the IPv6 packet forwarding engine. The value indicates the number of seconds of interval which must elapse between log output.

ip6.maxdynroutes (net.inet6.ip6.maxdynroutes)

Maximum number of routes created by redirect. Set to negative to disable. The default value is 4096.

ip6.maxfragpackets (net.inet6.ip6.maxfragpackets)

The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is provided basically for avoiding possible DoS attacks.

ip6.maxfrags (net.inet6.ip6.maxfrags)

The maximum number of fragments the node will accept. 0 means that the node will not accept any fragments. -1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks.

ip6.maxifprefixes (net.inet6.ip6.maxifprefixes)

Maximum number of prefixes created by route advertisements per interface. Set to negative to disable. The default value is 16.

ip6.maxifdefrouters (net.inet6.ip6.maxifdefrouters)

Maximum number of default routers created by route advertisements per interface. Set to negative to disable. The default value is 16.

ip6.mforwarding (net.inet6.ip6.mforwarding)

If set to 1, then multicast forwarding is enabled for the host. The default is 0.

ip6.multicast_mtudisc (net.inet6.ip6.multicast_mtudisc)

This variable controls generation of ICMPv6 Too Big messages when the machine is performing as an IPv6 multicast router. If set to 1, an ICMPv6 Too Big message will be generated for multicast packets which were too big to be forwarded. If set to 0, the ICMPv6 Too Big message will be suppressed.

ip6.multipath (net.inet6.ip6.multipath)

This variable enables multipath routing for IPv6 addresses. If set to 0, only the first route selected will be used for a given destination regardless of how many routes exist in the routing table.

ip6.mtudisctimeout (net.inet6.ip6.mtudisctimeout)

Number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU.

ip6.neighborgcthresh (net.inet6.ip6.neighborgcthresh)

Maximum number of entries in neighbor cache. Set to negative to disable. The default value is 2048.

ip6.redirect (net.inet6.ip6.redirect)

Returns 1 when ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems.

ip6.use_deprecated (net.inet6.ip6.use_deprecated)

This variable controls the use of deprecated addresses, specified in RFC 4862 5.5.4.

We reuse net.inet.tcp and net.inet.udp for TCP/UDP over IPv6.

 

 

PF_KEY

Return ipsec(4) database dumps. The second level name is PF_KEY_V2. The third level name selects the database as follows:

NET_KEY_SADB_DUMP

Security Association database (SADB).

NET_KEY_SPD_DUMP

IPsec flow database (SPD).

 

 

PF_MPLS

Get or set global information about MPLS (Multiprotocol Label Switching).

Third level name	Type	Changeable
MPLSCTL_DEFTTL	integer	yes
MPLSCTL_IFQUEUE	node	not applicable
MPLSCTL_MAPTTL_IP	integer	yes
MPLSCTL_MAPTTL_IP6	integer	yes
MPLSCTL_MAXINKLOOP	integer	yes

 

 

MPLSCTL_DEFTTL (net.mpls.ttl)

Set or get the default TTL value which is used for MPLS (Shim) Header. The default is 255.

 

 

MPLSCTL_IFQUEUE (net.mpls.ifq)

Fourth level comprises an array of struct ifqueue structures containing information about MPLS packet input queue. The forth level names for the elements of struct ifqueue are same as described in ip.ifq in the PF_INET section.

 

 

MPLSCTL_MAPTTL_IP (net.mpls.mapttl_ip)

If set to 1 the TTL field is synchronized between the IP header and the MPLS label stack. If set to 0 the IP header TTL is not modified while passing through MPLS and the MPLS label stack is initialized with the MPLSCTL_DEFTTL. The default is 1.

 

 

MPLSCTL_MAPTTL_IP6 (net.mpls.mapttl_ip6)

If set to 1 the TTL field is synchronized between the IPv6 header and the MPLS label stack. If set to 0 the IPv6 header TTL is not modified while passing through MPLS and the MPLS label stack is initialized with the MPLSCTL_DEFTTL. The default is 0.

 

 

MPLSCTL_MAXINKLOOP (net.mpls.maxloop_inkernel)

Set or get the maxinum number of label stack operations (push, swap, pop) that can be made on a packet. The default is 16.

 

 

PF_PIPEX (net.pipex)

Get or set global information about PIPEX.

The currently defined variable names are:

Third level name	Type	Changeable
PIPEXCTL_ENABLE	integer	yes
PIPEXCTL_INQ	node	not applicable
PIPEXCTL_OUTQ	node	not applicable

 

 

PIPEXCTL_ENABLE

If set to 1, enable PIPEX processing. The default is 0.

 

 

PIPEXCTL_INQ (net.pipex.inq)

Fourth level comprises an array of struct ifqueue structures containing information about the PIPEX packet input queue. The forth level names for the elements of struct ifqueue are the same as described in ip.ifq in the PF_INET section.

 

 

PIPEXCTL_OUTQ (net.pipex.outq)

Fourth level comprises an array of struct ifqueue structures containing information about PIPEX packet output queue. The forth level names for the elements of struct ifqueue are same as described in ip.ifq in the PF_INET section.

CTL_VFS

 

 

VFS_GENERIC

This second level identifier requests generic information about the VFS layer. Within it, the following third level identifiers exist:

Third level name	Type	Changeable
VFS_CONF	struct vfsconf	no
VFS_MAXTYPENUM	int	no

 

 

filesystem #

After finding the filesystem dependent vfc_typenum using VFS_GENERIC with VFS_CONF, it is possible to access filesystem dependent information.

Some filesystems may contain settings.

 

 

FFS

Third level name	Type	Changeable
FFS_DIRHASH_DIRSIZE	integer	yes
FFS_DIRHASH_MAXMEM	integer	yes
FFS_DIRHASH_MEM	integer	no
FFS_MAX_SOFTDEPS	integer	yes
FFS_SD_BLK_LIMIT_HIT	integer	yes
FFS_SD_BLK_LIMIT_PUSH	integer	yes
FFS_SD_DIR_ENTRY	integer	yes
FFS_SD_DIRECT_BLK_PTRS	integer	yes
FFS_SD_INDIR_BLK_PTRS	integer	yes
FFS_SD_INO_LIMIT_HIT	integer	yes
FFS_SD_INO_LIMIT_PUSH	integer	yes
FFS_SD_INODE_BITMAP	integer	yes
FFS_SD_SYNC_LIMIT_HIT	integer	yes
FFS_SD_TICKDELAY	integer	yes
FFS_SD_WORKLIST_PUSH	integer	yes

 

 

FFS_DIRHASH_DIRSIZE (vfs.ffs.dirhash_dirsize)

The minimum size of a directory, in bytes, before it is considered for hashing.

 

 

FFS_DIRHASH_MAXMEM (vfs.ffs.dirhash_maxmem)

The maximum amount of memory, in bytes, to be used for storing directory hashes.

 

 

FFS_DIRHASH_MEM (vfs.ffs.dirhash_mem)

The amount of memory currently used by all directory hashes.

 

 

FFS_MAX_SOFTDEPS (vfs.ffs.max_softdeps)

Maximum strcuctures before slowdowns.

 

 

FFS_SD_BLK_LIMIT_HIT (vfs.ffs.sd_blk_limit_hit)

Number of times block slowdown imposed.

 

 

FFS_SD_BLK_LIMIT_PUSH (vfs.ffs.sd_blk_limit_push)

Number of times block limit neared.

 

 

FFS_SD_DIR_ENTRY (vfs.ffs.sd_dir_entry)

Bufs redirtied as dir entry cannot write.

 

 

FFS_SD_DIRECT_BLK_PTRS (vfs.ffs.sd_direct_blk_ptrs)

Bufs redirtied as direct ptrs not written.

 

 

FFS_SD_INDIR_BLK_PTRS (vfs.ffs.sd_indir_blk_ptrs)

Bufs redirtied as indirect ptrs not written.

 

 

FFS_SD_INO_LIMIT_HIT (vfs.ffs.sd_ino_limit_hit)

Number of times inode limit imposed.

 

 

FFS_SD_INO_LIMIT_PUSH (vfs.ffs.sd_ino_limit_push)

Number of times inode limit neared.

 

 

FFS_SD_INODE_BITMAP (vfs.ffs.sd_inode_bitmap)

Bufs redirtied as inode bitmap not written.

 

 

FFS_SD_SYNC_LIMIT_HIT (vfs.ffs.sd_sync_limit_hit)

Number of synchronous slowdowns imposed.

 

 

FFS_SD_TICKDELAY (vfs.ffs.sd_tickdelay)

Ticks to pause during slowdown.

 

 

FFS_SD_WORKLIST_PUSH (vfs.ffs.sd_worklist_push)

Number of worklist cleanups.

 

 

NFS

Third level name	Type	Changeable
NFS_NFSSTATS	struct nfsstats	yes
NFS_NIOTHREADS	int	yes

 

 

NFS_NIOTHREADS (vfs.nfs.iothreads)

The number of I/O kernel threads for NFS clients. The default is 4; the maximum is 20.

 

 

FUSE

Third level name	Type	Changeable
FUSEFS_INFBUFS	int	no
FUSEFS_OPENDEVS	int	no
FUSEFS_POOL_NBPAGES	int	no
FUSEFS_WAITFBUFS	int	no

 

 

FUSEFS_INFBUFS (vfs.fuse.fusefs_fbufs_in)

The number of inbound fusebufs.

 

 

FUSEFS_OPENDEVS (vfs.fuse.fusefs_open_devices)

The number of FUSE devices opened.

 

 

FUSEFS_POOL_NBPAGES (vfs.fuse.fusefs_pool_pages)

The number of pages used for fusebuf memory.

 

 

FUSEFS_WAITFBUFS (vfs.fuse.fusefs_fbufs_wait)

The number of fusebufs waiting for a response.

CTL_VM

 

 

VM_ANONMIN (vm.anonmin)

Percentage of physical memory available for pages which contain anonymous mapping.

 

 

VM_LOADAVG (vm.loadavg)

Return the load average history. The returned data consists of a struct loadavg.

 

 

VM_MAXSLP (vm.maxslp)

The time for a process to be blocked before being swappable, in seconds.

 

 

VM_METER (vm.vmmeter)

Return the system wide virtual memory statistics. The returned data consists of a struct vmtotal.

 

 

VM_NKMEMPAGES (vm.nkmempages)

Number of pages in kmem_map.

 

 

VM_PSSTRINGS (vm.psstrings)

Returns the address of the process struct ps_strings. The ps(1) program uses it to locate the argument and environment strings.

 

 

VM_SWAPENCRYPT

Contains statistics about swap encryption. The string and integer information available for the third level is detailed below.

Third level name	Type	Changeable
SWPENC_CREATED	integer	no
SWPENC_DELETED	integer	no
SWPENC_ENABLE	integer	yes

 

 

SWPENC_CREATED (vm.swapencrypt.keyscreated)

The number of encryption keys that have been randomly created. The swap partition is divided into sections of normally 512KB. Each section has its own encryption key.

 

 

SWPENC_DELETED (vm.swapencrypt.keysdeleted)

The number of encryption keys that have been deleted, thus effectively erasing the data that has been encrypted with them. Encryption keys are deleted when their reference counter reaches zero.

 

 

SWPENC_ENABLE (vm.swapencrypt.enable)

Set to 1 to enable swap encryption for all processes. A 0 disables swap encryption. Pages still on swap receive a grandfather clause. Turning this option on does not affect legacy swap data already on the disk, but all newly written data will be encrypted. When swap encryption is turned on, automatic crash(8) dumps are disabled.

 

 

VM_USPACE (vm.uspace)

The number of bytes allocated for each kernel stack.

 

 

VM_UVMEXP (vm.uvmexp)

Contains statistics about the UVM memory management system.

 

 

VM_VNODEMIN (vm.vnodemin)

Percentage of physical memory available for pages which contain cached file data.

 

 

VM_VTEXTMIN (vm.vtextmin)

Percentage of physical memory available for pages which contain cached executable data.

RETURN VALUES

FILES

<sys/sysctl.h>

definitions for top level identifiers, second level kernel and hardware identifiers, and user level identifiers

<sys/socket.h>

definitions for second level network identifiers

<sys/gmon.h>

definitions for third level profiling identifiers

<ufs/ffs/ffs_extern.h>

definitions for third level virtual file system identifiers (ffs)

<nfs/nfs.h>

definitions for third level virtual file system identifiers (nfs)

<uvm/uvm_param.h>

definitions for second level virtual memory identifiers

<uvm/uvm_swap_encrypt.h>

definitions for third level virtual memory identifiers

<net/if.h>

definitions for packet input/output queue identifiers

<net/pipex.h>

definitions for third level PIPEX identifiers

<netinet/in.h>

definitions for third level IPv4/v6 identifiers and fourth level IP and IPv6 identifiers

<netinet/icmp_var.h>

definitions for fourth level ICMP identifiers

<netinet/icmp6.h>

definitions for fourth level ICMPv6 identifiers

<netinet/tcp_var.h>

definitions for fourth level TCP identifiers

<netinet/udp_var.h>

definitions for fourth level UDP identifiers

<machine/cpu.h>

definitions for second level CPU identifiers

ERRORS

 

 

[EFAULT]

The buffer name, oldp, newp, or length pointer oldlenp contains an invalid address.

 

 

[EINVAL]

The name array is less than two or greater than CTL_MAXNAME.

 

 

[EINVAL]

A non-null newp pointer is given and its specified length in newlen is too large or too small.

 

 

[ENOMEM]

The length pointed to by oldlenp is too short to hold the requested value.

 

 

[ENOENT]

The mib specified does not exist, or exceeds the range that is possible.

 

 

[ENXIO]

If the mib is a sparsely populated array, this error may be returned instead.

 

 

[ENOTDIR]

The name array specifies an intermediate rather than terminal name.

 

 

[EOPNOTSUPP]

The name array specifies a value that is unknown.

 

 

[EPERM]

An attempt is made to set a read-only value.

 

 

[EPERM]

A process without appropriate privileges attempts to set a value.

 

 

[EPERM]

An attempt to change a value protected by the current kernel security level is made.

 

 

[ESRCH]

No process could be found which corresponds to the given process ID.

SEE ALSO

HISTORY