NAME
sysctl
—
get or set system
information
SYNOPSIS
#include
<sys/param.h>
#include <sys/sysctl.h>
int
sysctl
(const
int *name, u_int
namelen, void
*oldp, size_t
*oldlenp, void
*newp, size_t
newlen);
DESCRIPTION
The
sysctl
()
function retrieves system information and allows processes with appropriate
privileges to set system information. The information available from
sysctl
() consists of integers, strings, and tables.
Information may be retrieved and set using the
sysctl(8) utility; the variable names used by this utility are given
here in parentheses.
Unless explicitly noted below,
sysctl
()
returns a consistent snapshot of the data requested. Consistency is obtained
by locking the destination buffer into memory so that the data may be copied
out without blocking. Calls to sysctl
() are
serialized to avoid deadlock.
The state is described using a “Management Information Base (MIB)” style name, listed in name, which is a namelen length array of integers.
The information is copied into the buffer specified by
oldp. The size of the buffer is given by the location
specified by oldlenp before the call, and that
location gives the amount of data copied after a successful call. If the
amount of data available is greater than the size of the buffer supplied,
the call supplies as much data as fits in the buffer provided and returns
with the error code ENOMEM
. If the old value is not
desired, oldp and oldlenp should
be set to NULL
.
The size of the available data can be determined by
calling
sysctl
()
with a NULL
parameter for
oldp. The size of the available data will be returned
in the location pointed to by oldlenp. For some
operations, the amount of space may change often. For these operations, the
system attempts to round up so that the returned size is large enough for a
call to return the data shortly thereafter.
To set a new value, newp is set to point to
a buffer of length newlen from which the requested
value is to be taken. If a new value is not to be set,
newp should be set to NULL
and
newlen set to 0.
The top level names are defined with a
CTL_
prefix in
<sys/sysctl.h>
, and are as
follows. The next and subsequent levels down are found in the include files
listed here, and described in separate sections below.
Name | Next level names | Description |
CTL_DDB |
ddb/db_var.h | Kernel debugger |
CTL_DEBUG |
sys/sysctl.h | Debugging |
CTL_FS |
sys/sysctl.h | File system |
CTL_HW |
sys/sysctl.h | Generic CPU, I/O |
CTL_KERN |
sys/sysctl.h | High kernel limits |
CTL_MACHDEP |
sys/sysctl.h | Machine dependent |
CTL_NET |
sys/socket.h | Networking |
CTL_VFS |
ufs/ffs/ffs_extern.h | Virtual file system |
CTL_VM |
uvm/uvm_param.h | Virtual memory |
For example, the following retrieves the maximum number of processes allowed in the system:
int mib[2], maxproc; size_t len; mib[0] = CTL_KERN; mib[1] = KERN_MAXPROC; len = sizeof(maxproc); if (sysctl(mib, 2, &maxproc, &len, NULL, 0) == -1) err(1, "sysctl");
CTL_DDB
Integer information and settable variables are available for the
CTL_DDB level
, as described below. More information
is also available in
ddb(4).
Second level name | Type | Changeable |
DBCTL_CONSOLE |
integer | yes |
DBCTL_LOG |
integer | yes |
DBCTL_MAXLINE |
integer | yes |
DBCTL_MAXWIDTH |
integer | yes |
DBCTL_PANIC |
integer | yes |
DBCTL_RADIX |
integer | yes |
DBCTL_TABSTOP |
integer | yes |
DBCTL_TRIGGER |
integer | yes |
DBCTL_CONSOLE
(ddb.console)- When this variable is set, an architecture dependent magic key sequence on the console or a debugger button will permit entry into the kernel debugger. When running with a securelevel(7) greater than 0, this variable may not be raised.
DBCTL_LOG
(ddb.log)- When set, ddb output is also logged in the kernel message buffer.
DBCTL_MAXLINE
(ddb.max_line)- Determines the number of lines to page in
ddb(4). This variable is also available as the ddb
$lines
variable. DBCTL_MAXWIDTH
(ddb.max_width)- Determines the maximum width of a line in
ddb(4). This variable is also available as the ddb
$maxwidth
variable. DBCTL_PANIC
(ddb.panic)- When this variable is set, system panics may drop into the kernel debugger. When running with a securelevel(7) greater than 0, this variable may not be raised.
DBCTL_RADIX
(ddb.radix)- Determines the default radix or base for non-prefixed numbers entered into
ddb(4). This variable is also available as the ddb
$radix
variable. DBCTL_TABSTOP
(ddb.tab_stop_width)- Width of a tab stop in
ddb(4). This variable is also available as the ddb
$tabstops
variable. DBCTL_TRIGGER
(ddb.trigger)- When
DBCTL_CONSOLE
is set, writing toDBCTL_TRIGGER
causes the system to enter ddb(4). When running with a securelevel(7) greater than 0, the process writing to this variable must be running on the console in order to enter ddb(4).
CTL_DEBUG
The debugging variables vary from system to system. A debugging
variable may be added or deleted without need to recompile
sysctl
()
to know about it. Each time it runs, sysctl
() gets
the list of debugging variables from the kernel and displays their current
values. The system defines twenty struct ctldebug
variables named debug0 through
debug19. They are declared as separate variables so
that they can be individually initialized at the location of their
associated variable. The loader prevents multiple use of the same variable
by issuing errors if a variable is initialized in more than one place. For
example, to export the variable dospecialcheck as a
debugging variable, the following declaration would be used:
int dospecialcheck = 1; struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
CTL_FS
The string and integer information available for the
CTL_FS
level is detailed below. The changeable
column shows whether a process with appropriate privileges may change the
value.
Second level name | Type | Changeable |
FS_POSIX_SETUID |
integer | yes |
FS_POSIX_SETUID
(fx.posix.setuid)- When this variable is set, ownership changes on a file will cause the S_ISUID and S_ISGID bits to be cleared. When running with a securelevel(7) greater than 0, this variable may not be changed.
CTL_HW
The string and integer information available for the
CTL_HW
level is detailed below. The changeable
column shows whether a process with appropriate privileges may change the
value.
Second level name | Type | Changeable |
HW_ALLOWPOWERDOWN |
integer | yes |
HW_BYTEORDER |
integer | no |
HW_CPUSPEED |
integer | no |
HW_DISKCOUNT |
integer | no |
HW_DISKNAMES |
string | no |
HW_DISKSTATS |
struct | no |
HW_MACHINE |
string | no |
HW_MODEL |
string | no |
HW_NCPU |
integer | no |
HW_NCPUFOUND |
integer | no |
HW_PAGESIZE |
integer | no |
HW_PERFPOLICY |
string | yes |
HW_PHYSMEM |
integer | no |
HW_PHYSMEM64 |
int64_t | no |
HW_PRODUCT |
string | no |
HW_SENSORS |
node | not applicable |
HW_SETPERF |
integer | yes |
HW_USERMEM |
integer | no |
HW_USERMEM64 |
int64_t | no |
HW_UUID |
string | no |
HW_VENDOR |
string | no |
HW_VERSION |
string | no |
HW_ALLOWPOWERDOWN
(hw.allowpowerdown)- Some machines generate an interrupt when the power button is pressed and a driver can catch that interrupt. When this variable is set, such an event will cause the system to perform a regular shutdown and power off the machine. When running with a securelevel(7) greater than 0, this variable may not be changed.
HW_BYTEORDER
(hw.byteorder)- The byteorder (4321 or 1234).
HW_CPUSPEED
(hw.cpuspeed)- The current CPU frequency (in MHz).
HW_DISKCOUNT
(hw.diskcount)- The number of disks currently attached to the system.
HW_DISKNAMES
(hw.disknames)- A comma-separated list of disk names.
HW_DISKSTATS
(hw.diskstats)- An array of
struct diskstats
structures containing disk statistics. HW_MACHINE
(hw.machine)- The machine class.
HW_MODEL
(hw.model)- The machine model.
HW_NCPU
(hw.ncpu)- The number of CPUs being used.
HW_NCPUFOUND
(hw.ncpufound)- The number of CPUs found.
HW_PAGESIZE
(hw.pagesize)- The software page size.
HW_PERFPOLICY
(hw.perfpolicy)- The performance policy for power management. Can be one of “manual”, “auto”, or “high”.
HW_PHYSMEM
- The total physical memory, in bytes. This variable is deprecated; use
HW_PHYSMEM64
instead. HW_PHYSMEM64
(hw.physmem)- The total physical memory, in bytes.
HW_PRODUCT
(hw.product)- The product name of the machine.
HW_SENSORS
(hw.sensors)- Third level comprises an array of
struct sensordev
structures containing information about devices that may attach hardware monitoring sensors.Third, fourth and fifth levels together comprise an array of
struct sensor
structures containing snapshot readings of hardware monitoring sensors. In such usage, third level indicates the numerical representation of the sensor device name to which the sensor is attached (a device's xname and number are matched with the help ofstruct sensordev
structure above), fourth level indicates sensor type and fifth level is an ordinal sensor number (unique to the specified sensor type on the specified sensor device).The sensordev and sensor structures and sensor_type enumeration are defined in
<sys/sensors.h>
. HW_SERIALNO
(hw.serialno)- The serial number of the machine.
HW_SETPERF
(hw.setperf)- Current CPU performance (percentage). It is only modifiable if
HW_PERFPOLICY
is set to “manual”. HW_USERMEM
- The amount of available non-kernel memory in bytes. This variable is
deprecated; use
HW_USERMEM64
instead. HW_USERMEM64
(hw.usermem)- The amount of available non-kernel memory in bytes.
HW_UUID
(hw.uuid)- The universal unique identification number assigned to the machine.
HW_VENDOR
(hw.vendor)- The vendor name for this machine.
HW_VERSION
(hw.version)- The version or revision of this machine.
CTL_KERN
The string and integer information available for the
CTL_KERN
level is detailed below. The changeable
column shows whether a process with appropriate privileges may change the
value. The types of data currently available are process information, system
vnodes, the open file entries, routing table entries, virtual memory
statistics, load average history, and clock rate information.
Second level name | Type | Changeable |
KERN_ALLOWKMEM |
integer | yes |
KERN_ARGMAX |
integer | no |
KERN_BOOTTIME |
struct timeval | no |
KERN_CACHEPCT |
integer | yes |
KERN_CCPU |
integer | no |
KERN_CLOCKRATE |
struct clockinfo | no |
KERN_CONSDEV |
dev_t | no |
KERN_CPTIME |
long[CPUSTATES] | no |
KERN_CPTIME2 |
u_int64_t[CPUSTATES] | no |
KERN_DNSJACKPORT |
integer | yes |
KERN_DOMAINNAME |
string | yes |
KERN_FILE |
struct kinfo_file | no |
KERN_FORKSTAT |
struct forkstat | no |
KERN_FSCALE |
integer | no |
KERN_FSYNC |
integer | no |
KERN_GLOBAL_PTRACE |
integer | yes |
KERN_HOSTID |
integer | yes |
KERN_HOSTNAME |
string | yes |
KERN_INTRCNT |
node | not applicable |
KERN_JOB_CONTROL |
integer | no |
KERN_MALLOCSTATS |
node | no |
KERN_MAXCLUSTERS |
integer | yes |
KERN_MAXFILES |
integer | yes |
KERN_MAXLOCKSPERUID |
integer | yes |
KERN_MAXPARTITIONS |
integer | no |
KERN_MAXPROC |
integer | yes |
KERN_MAXTHREAD |
integer | yes |
KERN_MAXVNODES |
integer | yes |
KERN_MBSTAT |
struct mbstat | no |
KERN_MSGBUF |
char[] | no |
KERN_MSGBUFSIZE |
integer | no |
KERN_NCHSTATS |
struct nchstats | no |
KERN_NFILES |
integer | no |
KERN_NGROUPS |
integer | no |
KERN_NOSUIDCOREDUMP |
integer | yes |
KERN_NPROCS |
integer | no |
KERN_NSELCOLL |
integer | no |
KERN_NTHREADS |
integer | no |
KERN_NUMVNODES |
integer | no |
KERN_OSRELEASE |
string | no |
KERN_OSREV |
integer | no |
KERN_OSTYPE |
string | no |
KERN_OSVERSION |
string | no |
KERN_POSIX1 |
integer | no |
KERN_PROC |
struct kinfo_proc | no |
KERN_PROC_ARGS |
node | not applicable |
KERN_PROC_CWD |
string | not applicable |
KERN_PROC_NOBROADCASTKILL |
node | not applicable |
KERN_PROC_VMMAP |
struct kinfo_vmentry | no |
KERN_PROF |
node | not applicable |
KERN_RAWPARTITION |
integer | no |
KERN_SAVED_IDS |
integer | no |
KERN_SECURELVL |
integer | raise only |
KERN_SEMINFO |
node | not applicable |
KERN_SHMINFO |
node | not applicable |
KERN_SOMAXCONN |
integer | yes |
KERN_SOMINCONN |
integer | yes |
KERN_SPLASSERT |
int | yes |
KERN_STACKGAPRANDOM |
integer | yes |
KERN_SYSVIPC_INFO |
node | not applicable |
KERN_SYSVMSG |
integer | no |
KERN_SYSVSEM |
integer | no |
KERN_SYSVSHM |
integer | no |
KERN_TIMECOUNTER |
node | not applicable |
KERN_TTY |
node | not applicable |
KERN_TTYCOUNT |
integer | no |
KERN_VERSION |
string | no |
KERN_WATCHDOG |
node | not applicable |
KERN_WXABORT |
integer | yes |
KERN_ALLOWKMEM
(kern.allowkmem)- Allow userland processes access to /dev/kmem. When running with a securelevel(7) greater than 0, this variable may not be changed.
KERN_ARGMAX
(kern.argmax)- The maximum number of bytes allowed among the arguments to exec(3).
KERN_BOOTTIME
(kern.boottime)- A
struct timeval
structure is returned. This structure contains the time that the system was booted. KERN_CACHEPCT
(kern.bufcachepercent)- The maximum percentage of physical memory the buffer cache may use; the default is 20%.
KERN_CCPU
(kern.ccpu)- The scheduler exponential decay value.
KERN_CLOCKRATE
(kern.clockrate)- A
struct clockinfo
structure is returned. This structure contains the clock, statistics clock and profiling clock frequencies, the number of micro-seconds per hz tick, and the clock skew rate. KERN_CONSDEV
(kern.consdev)- The console device.
KERN_CPTIME
(kern.cp_time)- An array of longs of size
CPUSTATES
is returned, containing statistics about the number of ticks spent by the system in interrupt processing, user processes (nice(1) or normal), system processing, or idling. KERN_CPTIME2
(kern.cp_time2)- Similar to
KERN_CPTIME
, but obtains information from only the single CPU specified by the third level name given. KERN_DNSJACKPORT
(kern.dnsjackport)- When non-zero, the localhost port to which all DNS sockets should be redirected.
KERN_DOMAINNAME
(kern.domainname)- Get or set the YP domain name.
KERN_FILE
(kern.file)- Return the entire file table, or a subset of it. An array of
struct kinfo_file
structures is returned, whose size depends on the current number of selected files in the system. The third and fourth level names are as follows:Third level name Fourth level is: KERN_FILE_BYFILE
A file type KERN_FILE_BYPID
A process ID KERN_FILE_BYUID
A user ID The fifth level name is the size of the
struct kinfo_file
and the sixth level name is the number of structures to return. KERN_FORKSTAT
(kern.forkstat)- A
struct forkstat
structure is returned. This structure contains information about the number of fork(2), vfork(2), and __tfork(3) system calls as well as kernel thread creations since system startup, and the number of pages of virtual memory involved in each. KERN_FSCALE
(kern.fscale)- The kernel fixed-point scale factor.
KERN_FSYNC
(kern.fsync)- Return 1 if the File Synchronisation Option is available on this system, otherwise 0.
KERN_GLOBAL_PTRACE
(kern.global_ptrace)- When set to 1, permit ptrace(2) to attach to any process with the appropriate privileges. When set to 0, processes may only attach to their own descendants.
KERN_HOSTID
(kern.hostid)- Get or set the host ID.
KERN_HOSTNAME
(kern.hostname)- Get or set the hostname.
KERN_JOB_CONTROL
(kern.job_control)- Return 1 if job control is available on this system, otherwise 0.
KERN_MALLOCSTATS
(kern.malloc)- Return kernel memory bucket statistics. The third level names are detailed
below. There are no changeable values in this branch.
Third level name Type KERN_MALLOC_BUCKET
node KERN_MALLOC_BUCKETS
string KERN_MALLOC_KMEMNAMES
string KERN_MALLOC_KMEMSTATS
node The variables are as follows:
KERN_MALLOC_BUCKET.<size>
(kern.malloc.bucket)- A node containing the statistics for the memory bucket of the
specified size (in decimal notation, the number of bytes per bucket
element, e.g., 16, 32, 128). Each node returns a
struct kmembuckets
.If a value is specified that does not correspond directly to a bucket size, the statistics for the closest larger bucket size will be returned instead.
Note that bucket sizes are typically powers of 2.
KERN_MALLOC_BUCKETS
(kern.malloc.buckets)- Return a comma-separated list of the bucket sizes used by the kernel.
KERN_MALLOC_KMEMNAMES
(kern.malloc.kmemnames)- Return a comma-separated list of the names of the kernel malloc(9) types.
KERN_MALLOC_KMEMSTATS
(kern.malloc.kmemstat)- A node containing the statistics for the memory types of the specified
name. Each node returns a
struct kmemstats
.
KERN_MAXCLUSTERS
(kern.maxclusters)- The maximum number of mbuf(9) clusters that may be allocated.
KERN_MAXFILES
(kern.maxfiles)- The maximum number of open files that may be open in the system.
KERN_MAXLOCKSPERUID
(kerb.maxlocksperuid)- The maximum number of file locks per user; the default is 1024.
KERN_MAXPARTITIONS
(kern.maxpartitions)- The maximum number of partitions allowed per disk.
KERN_MAXPROC
(kern.maxproc)- The maximum number of simultaneous processes the system will allow.
KERN_MAXTHREAD
(kern.maxthread)- The maximum number of simultaneous threads the system will allow.
KERN_MAXVNODES
(kern.maxvnodes)- The maximum number of vnodes available on the system.
KERN_MBSTAT
(kern.mbstat)- A
struct mbstat
structure is returned, containing statistics on mbuf(9) usage. KERN_MSGBUF
(kern.msgbuf)- Returns a buffer containing kernel log messages; see dmesg(8).
KERN_MSGBUFSIZE
(kern.msgbufsize)- The size of the kernel message buffer.
KERN_NCHSTATS
(kern.nchstats)- A
struct nchstats
structure is returned. This structure contains information about the filename to inode(5) mapping cache. KERN_NFILES
(kern.nfiles)- Number of open files.
KERN_NGROUPS
(kern.ngroups)- The maximum number of supplemental groups.
KERN_NOSUIDCOREDUMP
(kern.nosuidcoredump)- Whether a process may dump core after changing user or group ID:
value condition dump core to 0 euid == 0 current directory 1 never 2 always /var/crash 3 depends /var/crash/$programname/ KERN_NPROCS
(kern.nprocs)- The number of entries in the kernel process table.
KERN_NSELCOLL
(kern.nselcoll)- Number of select(2) collisions.
KERN_NTHREADS
(kern.nthreads)- The number of entries in the kernel thread table.
KERN_NUMVNODES
(kern.numvnodes)- Number of vnodes in use.
KERN_OSRELEASE
(kern.osrelease)- The system release string.
KERN_OSREV
(kern.osrevision)- The system revision number.
KERN_OSTYPE
(kern.ostype)- The system type string.
KERN_OSVERSION
(kern.osversion)- The kernel build version.
KERN_POSIX1
(kern.posix1version)- The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply.
KERN_PROC
(kern.proc)- Return the entire process table, or a subset of it. An array of
struct kinfo_proc
structures is returned, whose size depends on the current number of selected processes in the system. The third and fourth level names are as follows:Third level name Fourth level is: KERN_PROC_ALL
None KERN_PROC_KTHREAD
A kernel thread KERN_PROC_PID
A process ID KERN_PROC_PGRP
A process group KERN_PROC_RUID
A real user ID KERN_PROC_SESSION
A session PID KERN_PROC_TTY
A tty device KERN_PROC_UID
A user ID The fifth level name is the size of the
struct kinfo_proc
and the sixth level name is the number of structures to return. KERN_PROC_ARGS
(kern.procargs)- Returns the arguments or environment of a process. The third level name is
the PID of the process. The fourth level name is one of:
KERN_PROC_ARGV
KERN_PROC_ENV
KERN_PROC_NARGV
KERN_PROC_NENV
KERN_PROC_NARGV
andKERN_PROC_NENV
return the number of elements as an int in the argv or env array.KERN_PROC_ARGV
returns the argv array andKERN_PROC_ENV
returns the environ array. The buffer pointed to by oldp is filled with an array of char pointers followed by the strings themselves. The last char pointer is aNULL
pointer. KERN_PROC_CWD
(kern.proc_cwd)- Return the current working directory of a process. The third level name is the target process ID. A NUL-terminated string is returned.
KERN_PROC_NOBROADCASTKILL
(kern.proc_nobroadcastkill)- When set, a process will no longer be signaled when sending broadcast signals. The third level name is the target process ID.
KERN_PROC_VMMAP
(kern.proc_vmmap)- Return the entire process VM map entries. An array of
struct kinfo_vmentry
structures is returned, whose size depends on the current number of VM map entries of the selected process. Iteration is possible by setting the base address in the first element ofstruct kinfo_vmentry
. KERN_PROF
(kern.profiling)- Return profiling information about the kernel. If the kernel is not
compiled for profiling, attempts to retrieve any of the
KERN_PROF
values will fail withEOPNOTSUPP
. The third level names for the string and integer profiling information are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.Third level name Type Changeable GPROF_COUNT
u_short[] yes GPROF_FROMS
u_short[] yes GPROF_GMONPARAM
struct gmonparam no GPROF_STATE
integer yes GPROF_TOS
struct tostruct yes The variables are as follows:
GPROF_COUNT
- Array of statistical program counter counts.
GPROF_FROMS
- Array indexed by program counter of call-from points.
GPROF_GMONPARAM
- Structure giving the sizes of the above arrays.
GPROF_STATE
- Returns
GMON_PROF_ON
orGMON_PROF_OFF
to show that profiling is running or stopped. GPROF_TOS
- Array of
struct tostruct
describing destination of calls and their counts.
KERN_RAWPARTITION
(kern.rawpartition)- The raw partition of a disk (a == 0).
KERN_SAVED_IDS
(kern.saved_ids)- Returns 1 if saved set-group-ID and saved set-user-ID are available.
KERN_SECURELVL
(kern.securelevel)- The system security level. This level may be raised by processes with appropriate privileges. It may only be lowered by process 1.
KERN_SEMINFO
(kern.seminfo)- Return the elements of
struct seminfo
. If the kernel is not compiled with System V style semaphore support, attempts to retrieve any of theKERN_SEMINFO
values will fail withEOPNOTSUPP
. The third level names for the elements ofstruct seminfo
are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.Third level name Type Changeable KERN_SEMINFO_SEMAEM
integer no KERN_SEMINFO_SEMMNI
integer yes KERN_SEMINFO_SEMMNS
integer yes KERN_SEMINFO_SEMMNU
integer yes KERN_SEMINFO_SEMMSL
integer yes KERN_SEMINFO_SEMOPM
integer yes KERN_SEMINFO_SEMUME
integer no KERN_SEMINFO_SEMUSZ
integer no KERN_SEMINFO_SEMVMX
integer no The variables are as follows:
KERN_SEMINFO_SEMAEM
(kern.seminfo.semaem)- The adjust on exit maximum value.
KERN_SEMINFO_SEMMNI
(kern.seminfo.semni)- The maximum number of semaphore identifiers allowed.
KERN_SEMINFO_SEMMNS
(kern.seminfo.semmns)- The maximum number of semaphores allowed in the system.
KERN_SEMINFO_SEMMNU
(kern.seminfo.semnu)- The maximum number of semaphore undo structures allowed in the system.
KERN_SEMINFO_SEMMSL
(kern.seminfo.semmsl)- The maximum number of semaphores allowed per ID.
KERN_SEMINFO_SEMOPM
(kern.seminfo.semopm)- The maximum number of operations per semop(2) call.
KERN_SEMINFO_SEMUME
(kern.seminfo.semume)- The maximum number of undo entries per process.
KERN_SEMINFO_SEMUSZ
(kern.seminfo.semusz)- The size (in bytes) of the undo structure.
KERN_SEMINFO_SEMVMX
(kern.seminfo.semvmx)- The semaphore maximum value.
KERN_SHMINFO
(kern.shminfo)- Return the elements of
struct shminfo
. If the kernel is not compiled with System V style shared memory support, attempts to retrieve any of theKERN_SHMINFO
values will fail withEOPNOTSUPP
. The third level names for the elements ofstruct shminfo
are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.Third level name Type Changeable KERN_SHMINFO_SHMALL
integer yes KERN_SHMINFO_SHMMAX
integer yes KERN_SHMINFO_SHMMIN
integer yes KERN_SHMINFO_SHMMNI
integer yes KERN_SHMINFO_SHMSEG
integer yes The variables are as follows:
KERN_SHMINFO_SHMALL
(kern.shminfo.shmall)- The maximum amount of total shared memory allowed in the system (in pages).
KERN_SHMINFO_SHMMAX
(kern.shminfo.shmmax)- The maximum shared memory segment size (in bytes).
KERN_SHMINFO_SHMMIN
(kern.shminfo.shmmin)- The minimum shared memory segment size (in bytes).
KERN_SHMINFO_SHMMNI
(kern.shminfo.shmmni)- The maximum number of shared memory identifiers in the system.
KERN_SHMINFO_SHMSEG
(kern.shminfo.shmseg)- The maximum number of shared memory segments per process.
KERN_SOMAXCONN
(kern.somaxconn)- Upper bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The default value is 128.
KERN_SOMINCONN
(kern.sominconn)- Lower bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The default value is 80.
KERN_SPLASSERT
(kern.splassert)- Modify the system interrupt priority level. Valid values are:
- 0
- Disable error checking.
- 1
- Print a message if an error is detected.
- 2
- Print a message if an error is detected, and a stack trace if possible.
- 3
- The same as 2, but also drop into the kernel debugger.
Any other value causes a system panic on errors. See splassert(9) for more information.
KERN_STACKGAPRANDOM
(kern.stackgap_random)- Sets the range of the random value added to the stack pointer on each program execution. The random value is added to make buffer overflow exploitation slightly harder. The bigger the number, the harder it is to brute force this added protection, but it also means bigger waste of memory.
KERN_SYSVIPC_INFO
(kern.sysvipc_info)- Return System V style IPC configuration and run-time information. The
third level name selects the System V style IPC facility.
Third level name Type KERN_SYSVIPC_MSG_INFO
struct msg_sysctl_info KERN_SYSVIPC_SEM_INFO
struct sem_sysctl_info KERN_SYSVIPC_SHM_INFO
struct shm_sysctl_info KERN_SYSVIPC_MSG_INFO
- Return information on the System V style message facility. The
msg_sysctl_info
structure is defined in
<sys/msg.h>
. KERN_SYSVIPC_SEM_INFO
- Return information on the System V style semaphore facility. The
sem_sysctl_info
structure is defined in
<sys/sem.h>
. KERN_SYSVIPC_SHM_INFO
- Return information on the System V style shared memory facility. The
shm_sysctl_info
structure is defined in
<sys/shm.h>
.
KERN_SYSVMSG
(kern.sysvmsg)- Returns 1 if System V style message queue functionality is available on this system, otherwise 0.
KERN_SYSVSEM
(kern.sysvem)- Returns 1 if System V style semaphore functionality is available on this system, otherwise 0.
KERN_SYSVSHM
(kern.sysvshm)- Returns 1 if System V style shared memory functionality is available on this system, otherwise 0.
KERN_TIMECOUNTER
(kern.timecounter)- Return statistics information about the kernel time counter. The third
level names information is detailed below. The changeable column shows
whether a process with appropriate privileges may change the value.
Third level name Type Changeable KERN_TIMECOUNTER_CHOICE
string no KERN_TIMECOUNTER_HARDWARE
string yes KERN_TIMECOUNTER_TICK
integer no KERN_TIMECOUNTER_TIMESTEPWARNINGS
integer yes The variables are as follows:
KERN_TIMECOUNTER_CHOICE
(kern.timecounter.choice)- Get the list of kernel time counter sources and their claimed quality (higher is better).
KERN_TIMECOUNTER_HARDWARE
(kern.timecounter.hardware)- Get or set the kernel time counter source by name.
KERN_TIMECOUNTER_TICK
(kern.timecounter.tick)- Get the number of times we have reset the kernel time counter information.
KERN_TIMECOUNTER_TIMESTEPWARNINGS
(kern.timecounter.timestepwarnings)- Get or set a flag to log a message when the kernel time is stepped.
KERN_TTY
(kern.tty)- Return statistics information about tty input/output. The third level
names information is detailed below. The changeable column shows whether a
process with appropriate privileges may change the value.
Third level name Type Changeable KERN_TTY_INFO
struct itty no KERN_TTY_TKCANCC
int64_t no KERN_TTY_TKNIN
int64_t no KERN_TTY_TKNOUT
int64_t no KERN_TTY_TKRAWCC
int64_t no The variables are as follows:
KERN_TTY_INFO
(kern.tty.ttyinfo)- Returns an array of
struct itty
structures containing tty statistics. KERN_TTY_TKCANCC
(kern.tty.tk_cancc)- Returns the number of input characters in canonical mode.
KERN_TTY_TKNIN
(kern.tty.tk_nin)- Returns the number of input characters from a tty(4).
KERN_TTY_TKNOUT
(kern.tty.tk_nout)- Returns the number of output characters on a tty(4).
KERN_TTY_TKRAWCC
(kern.tty.tk_rawcc)- Returns the number of input characters in raw mode.
KERN_TTYCOUNT
(kern.ttycount)- Number of available tty(4) devices.
KERN_VERSION
(kern.version)- The system version string.
KERN_WATCHDOG
(kern.watchdog)- Return information on hardware watchdog timers. If the kernel does not
support a hardware watchdog timer, attempts to retrieve or set any of the
KERN_WATCHDOG
values will fail withEOPNOTSUPP
.Third level name Type Changeable KERN_WATCHDOG_AUTO
integer yes KERN_WATCHDOG_PERIOD
integer yes The variables are as follows:
KERN_WATCHDOG_AUTO
(kern.watchdog.auto)- If set to 1, the kernel refreshes the watchdog timer periodically. If
set to 0, a userland process must ensure that the watchdog timer gets
refreshed by setting the
KERN_WATCHDOG_PERIOD
variable. KERN_WATCHDOG_PERIOD
(kern.watchdog.period)- The period of the watchdog timer in seconds. Set to 0 to disable the watchdog timer.
KERN_WXABORT
(kern.wxabort)- Generate an abort, rather than returning an error, on W^X violation.
CTL_MACHDEP
The set of variables defined is architecture dependent. Most architectures define at least the following variables.
Second level name | Type | Changeable |
CPU_CONSDEV |
dev_t | no |
Consult the example file
/etc/example/sysctl.conf for a non-exhaustive list
of machdep
variables.
CTL_NET
The string and integer information available for the
CTL_NET
level is detailed below. The changeable
column shows whether a process with appropriate privileges may change the
value.
Second level name | Type | Changeable |
PF_ROUTE |
routing messages | no |
PF_INET |
IPv4 values | yes |
PF_INET6 |
IPv6 values | yes |
PF_KEY |
key management | no |
PF_MPLS |
MPLS values | yes |
PF_PIPEX |
PIPEX values | yes |
PF_ROUTE
- Return the entire routing table or a subset of it. The data is returned as
a sequence of routing messages (see
route(4) for the header file, format, and meaning). The length of
each message is contained in the message header.
The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows:
Fifth level name Sixth level is: NET_RT_DUMP
priority NET_RT_FLAGS
rtflags NET_RT_IFLIST
None NET_RT_IFNAMES
None NET_RT_STATS
None NET_RT_DUMP
- If set to 0, show all routes. If set to any number, show all routes with that number priority. If set to a negative number, show routes that do not have the positive priority value.
An optional seventh level name can be provided to select the routing table on which to run the operation. If not provided, the table with ID 0 is used.
PF_INET
- Get or set various global information about IPv4 (Internet Protocol
version 4). The third level name is the protocol. The fourth level name is
the variable name. The currently defined protocols and names are:
Protocol name Variable name Type Changeable ah enable integer yes bpf bufsize integer yes bpf maxbufsize integer yes carp allow integer yes carp log integer yes carp preempt integer yes divert recvspace integer yes divert sendspace integer yes esp enable integer yes esp udpencap integer yes esp udpencap_port integer yes etherip allow integer yes gre allow integer yes gre wccp integer yes icmp bmcastecho integer yes icmp errppslimit integer yes icmp maskrepl integer yes icmp rediraccept integer yes icmp redirtimeout integer yes icmp stats structure no icmp tstamprepl integer yes ip arpdown integer yes ip arptimeout integer yes ip directed-broadcast integer yes ip encdebug integer yes ip forwarding integer yes ip ifq node N/A ip ipsec-allocs integer yes ip ipsec-auth-alg string yes ip ipsec-bytes integer yes ip ipsec-comp-alg string yes ip ipsec-enc-alg string yes ip ipsec-expire-acquire integer yes ip ipsec-firstuse integer yes ip ipsec-invalid-life integer yes ip ipsec-pfs integer yes ip ipsec-soft-allocs integer yes ip ipsec-soft-bytes integer yes ip ipsec-soft-firstuse integer yes ip ipsec-soft-timeout integer yes ip ipsec-timeout integer yes ip maxqueue integer yes ip mforwarding integer yes ip mtudisc integer yes ip mtudisctimeout integer yes ip multipath integer yes ip portfirst integer yes ip porthifirst integer yes ip porthilast integer yes ip portlast integer yes ip redirect integer yes ip sourceroute integer yes ip stats structure no ip ttl integer yes ipcomp enable integer yes ipip allow integer yes mobileip allow integer yes tcp ackonpush integer yes tcp always_keepalive integer yes tcp baddynamic array yes tcp ecn integer yes tcp ident structure no tcp keepidle integer yes tcp keepinittime integer yes tcp keepintvl integer yes tcp mssdflt integer yes tcp reasslimit integer yes tcp rfc1323 integer yes tcp rfc3390 integer yes tcp rootonly array yes tcp rstppslimit integer yes tcp sack integer yes tcp slowhz integer no tcp stats structure no tcp synbucketlimit integer yes tcp syncachelimit integer yes tcp synhashsize integer yes tcp synuselimit integer yes udp baddynamic array yes udp checksum integer yes udp recvspace integer yes udp rootonly array yes udp sendspace integer yes udp stats structure no The variables are as follows:
ah.enable
(net.inet.ah.enable)- If set to 1, enable the Authentication Header (AH) IPsec protocol. Enabled by default. See ipsec(4) for more information.
bpf.bufsize
(net.bpf.bufsize)- The initial size of bpf(4) buffers.
bpf.maxbufsize
(net.bpf.maxbufsize)- The maximum size a user may request a bpf(4) buffer to be.
carp.allow
(net.inet.carp.allow)- If set to 0, incoming carp(4) packets will not be processed. If set to any other value, processing will occur. Enabled by default.
carp.log
(net.inet.carp.log)- Controls the verbosity of carp(4) logging. May be a value between 0 and 7 corresponding with syslog(3) priorities. The default value is 2.
carp.preempt
(net.inet.carp.preempt)- If set to 0, carp(4) will not attempt to become master if it is receiving advertisements from another active master. If set to any other value, carp will become master of the virtual host if it believes it can send advertisements more frequently than the current master. Disabled by default.
divert.recvspace
(net.inet.divert.recvspace)- Returns the default divert receive buffer size.
divert.sendspace
(net.inet.divert.sendspace)- Returns the default divert send buffer size.
esp.enable
(net.inet.esp.enable)- If set to 1, enable the Encapsulating Security Payload (ESP) IPsec protocol. Enabled by default. See ipsec(4) for more information.
esp.udpencap
(net.inet.esp.udpencap)- If set to 1, enable processing of UDP encapsulated ESP packets. Enabled by default.
esp.udpencap_port
(net.inet.udpencap_port)- Contains the value of the UDP port that triggers decapsulation for incoming UDP encapsulated ESP packets. The default port is 4500.
etherip.allow
(net.inet.etherip.allow)- If set to 0, incoming Ethernet-in-IPv4 packets will not be processed. If set to any other value, processing will occur.
gre.allow
(net.inet.gre.allow)- If set to 0, incoming GRE packets will not be processed. If set to any other value, processing will occur.
gre.wccp
(net.inet.gre.wccp)- If set to 0, incoming WCCPv1-style GRE packets will not be processed. If set to any other value, and gre.allow allows GRE packet processing, WCCPv1-style GRE packets will be processed.
icmp.bmcastecho
(net.inet.icmp.bmcastecho)- If set to 1, respond to ICMP echo requests destined for broadcast and multicast addresses. Note, enabling this could open a system to a type of denial of service attack called "smurfing", and is thus not advised.
icmp.errppslimit
(net.inet.icmp.errppslimit)- This variable specifies the maximum number of outgoing ICMP error messages per second. ICMP error messages exceeding this value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation.
icmp.maskrepl
(kern.inet.icmp.maskrepl)- Returns 1 if ICMP network mask requests are to be answered.
icmp.rediraccept
(kern.inet.icmp.rediraccept)- If set to non-zero, the host will accept ICMP redirect packets. Note that routers will never accept ICMP redirect packets, and the variable is meaningful on IP hosts only.
icmp.redirtimeout
(net.inet.icmp.redrttimeout)- This variable specifies the lifetime of routing entries generated by incoming ICMP redirects. The default timeout is 10 minutes.
icmp.stats
(kern.inet.icmp.stats)- Returns the ICMP statistics in a struct icmpstat.
icmp.tstamprepl
(net.inet.icmp.tstamprepl)- If set to 1, reply to ICMP timestamp requests. If set to 0, ignore timestamp requests.
ip.arpdown
(net.inet.ip.arpdown)- Lifetime of unresolved ARP entries, in seconds.
ip.arptimeout
(net.inet.ip.arptimeout)- Lifetime of resolved ARP entries, in seconds.
ip.directed-broadcast
(net.inet.ip.directed-broadcast)- Returns 1 if directed broadcast behavior is enabled for the host.
ip.encdebug
(net.inet.ip.encdebug)- Returns 1 when error message reporting is enabled for the host. If the
kernel has been compiled with the
ENCDEBUG
option, then debugging information will also be reported when this variable is set. ip.forwarding
(net.inet.ip.forwarding)- If set to 1, then IP forwarding is enabled for the host, indicating the host is acting as a router. If set to 2, then IP forwarding is restricted to traffic that has been IPsec encapsulated or decapsulated by the host. The default value is 0.
ip.ifq
- Fifth level comprises an array of
struct ifqueue
structures containing information about IP packet input queue. The fifth level names for the elements ofstruct ifqueue
are detailed below.Fifth level name Type Changeable IFQCTL_DROPS
integer no IFQCTL_LEN
integer no IFQCTL_MAXLEN
integer yes The variables are as follows:
IFQCTL_DROPS
(net.inet.ip.ifq.drops)- Returns number of packet dropped.
IFQCTL_LEN
(net.inet.ip.ifq.len)- Returns the current queue length.
IFQCTL_MAXLEN
(bet.inet.ip.ifq.maxlen)- Get or set the maximum number of queue length.
ip.ipsec-allocs
(net.inet.ip.ipsec-allocs)- The number of IPsec flows that can use a security association before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0.
ip.ipsec-auth-alg
(net.inet.ip.ipsec-auth-alg)- This is the default authentication algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic VPN entries. Supported values are hmac-md5, hmac-sha1, and hmac-ripemd160. If set to any other value, it is left to the key management daemons to select an authentication algorithm for the security association. The default value is hmac-sha1.
ip.ipsec-bytes
(net.inet.ip.ipsec-bytes)- The number of bytes that will be processed by a security association before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0.
ip.ipsec-comp-alg
(net.inet.ip.ipsec-comp-alg)- The compression algorithm to use with an IP Compression Association (IPCA). Possible values are “deflate” and “lzs”. Note that lzs is only available with hifn(4). See ipsecctl(8) for more information.
ip.ipsec-enc-alg
(net.inet.ip.ipsec-enc-alg)- This is the default encryption algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic VPN entries. Supported values are aes, des, 3des, blowfish and cast128. If set to any other value, it is left to the key management daemons to select an encryption algorithm for the security association. The default value is aes.
ip.ipsec-expire-acquire
(net.inet.ip.ipsec-expire-acquire)- How long the kernel should allow key management to dynamically acquire security associations before re-sending a request. The default value is 30 seconds.
ip.ipsec-firstuse
(net.inet.ip.ipsec-firstuse)- The number of seconds after a security association is first used before it expires. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 7200 seconds.
ip.ipsec-invalid-life
(net.inet.ip.ipsec-invalid-life)- The lifetime of embryonic Security Associations (SAs that key management daemons have reserved but not fully established yet) in seconds. If set to less than or equal to zero, embryonic SAs will not expire. The default value is 60.
ip.ipsec-pfs
(net.inet.ip.ipsec-pfs)- If set to any non-zero value, the kernel will ask the key management daemons to use Perfect Forward Secrecy when establishing IPsec Security Associations. Perfect Forward Secrecy makes IPsec Security Associations cryptographically distinct from each other, such that breaking the key for one such SA does not compromise any others. Requiring PFS for every security association significantly increases the computational load of isakmpd(8) exchanges. The default value is 1.
ip.ipsec-soft-allocs
(net.inet.ip.ipsec-soft-allocs)- The number of IPsec flows that can use a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0.
ip.ipsec-soft-bytes
(net.inet.ip.ipsec-soft-bytes)- The number of bytes that will be processed by a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0.
ip.ipsec-soft-firstuse
(net.inet.ip.ipsec-soft-firstuse)- The number of seconds after a security association is first used before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 3600 seconds.
ip.ipsec-soft-timeout
(net.inet.ip.ipsec-soft-timeout)- The number of seconds after a security association is established before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 80000 seconds.
ip.ipsec-timeout
(net.inet.ip.ipsec-timeout)- The number of seconds after a security association is established before it will expire. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 86400 seconds.
ip.maxqueue
(net.inet.ip.maxqueue)- Fragment flood protection. Sets the maximum number of unassembled IP fragments in the fragment queue.
ip.mforwarding
(net.inet.ip.mforwarding)- If set to 1, then multicast forwarding is enabled for the host. The default is 0.
ip.mtudisc
(net.inet.ip.mtudisc)- Returns 1 if Path MTU Discovery is enabled.
ip.mtudisctimeout
(net.inet.ip.mtudisctimeout)- Number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU.
ip.multipath
(net.inet.ip.multipath)- This variable enables multipath routing for IPv4 addresses. If set to 0, only the first route selected will be used for a given destination regardless of how many routes exist in the routing table.
ip.portfirst
(net.inet.ip.portfirst)- Minimum registered port number for TCP/UDP port allocation. Registered ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be less than ip.portlast.
ip.porthifirst
(net.inet.ip.porthifirst)- Minimum dynamic/private port number for TCP/UDP port allocation. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be less than ip.porthilast.
ip.porthilast
(net.inet.ip.porthilast)- Maximum dynamic/private port number for TCP/UDP port allocation. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be greater than ip.porthifirst.
ip.portlast
(net.inet.ip.portlast)- Maximum registered port number for TCP/UDP port allocation. Registered ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be greater than ip.portfirst.
ip.redirect
(net.inet.ip.redirect)- Returns 1 when ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems.
ip.sourceroute
(net.inet.ip.sourceroute)- Returns 1 when forwarding of source-routed packets is enabled for the host. When running with a securelevel(7) greater than 0, this variable may not be changed.
ip.stats
(net.inet.ip.stats)- Returns the IP statistics in a struct ipstat.
ip.ttl
(net.inet.ip.ttl)- The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to normal transport protocols, not to ICMP.
ipcomp.enable
(net.inet.ipcomp.enable)- Enable the IPComp protocol. See ipsecctl(8) for more information.
ipip.allow
(net.inet.ipip.allow)- If set to 0, incoming IP-in-IP packets will not be processed. If set to any other value, processing will occur; furthermore, if set to 2, no checks for spoofing of loopback addresses will be done. This is useful only for debugging purposes, and should never be used in production systems.
mobileip.allow
(net.inet.mobileip.allow)- If set to 0, incoming Mobile IP encapsulated packets (RFC 2004) will not be processed. If set to any other value, processing will occur.
tcp.ackonpush
(net.inet.tcp.ackonpush)- Returns 1 if TCP segments with the
TH_PUSH
flag set are being acknowledged immediately, otherwise 0. tcp.baddynamic
(net.inet.tcp.baddynamic)- An array of
in_port_t
is returned specifying the bitmask of TCP ports between 512 and 1023 inclusive that should not be allocated dynamically by the kernel (i.e., they must be bound specifically by port number). tcp.ecn
(net.inet.tcp.ecn)- Returns 1 if Explicit Congestion Notifications for TCP are enabled.
tcp.ident
(net.inet.tcp.ident)- A
struct tcp_ident_mapping
specifying a local and foreign endpoint of a TCP socket is filled in with the effective and real UIDs of the process that owns the socket. If no such socket exists, then the effective and real UID values are both set to -1. tcp.keepidle
(net.inet.tcp.keepidle)- If the socket option
SO_KEEPALIVE
has been set on a socket, then this value specifies how much time a connection needs to be idle before keepalives are sent. See also tcp.slowhz. tcp.keepinittime
(net.inet.tcp.keepinittime)- Time to keep alive the initial SYN packet of a TCP handshake.
tcp.keepintvl
(net.inet.tcp.keepintvl)- Time after a keepalive probe is sent until, in the absence of any response, another probe is sent. See also tcp.slowhz.
tcp.always_keepalive
(net.inet.tcp.always_keepalive)- Act as if the option
SO_KEEPALIVE
was set on all TCP sockets. tcp.mssdflt
(net.inet.tcp.mssdflt)- The maximum segment size that is used as default for non-local connections. The default value is 512.
tcp.reasslimit
(net.inet.tcp.reasslimit)- The maximum number of out-of-order TCP segments the system will store for reassembly.
tcp.rfc1323
(net.inet.tcp.rfc1323)- Returns 1 if RFC 1323 extensions to TCP are enabled.
tcp.rfc3390
(net.inet.tcp.rfc3390)- Returns 1 if the TCP Initial Window is increased to 4 * MSS or 4380 bytes, as specified in RFC 3390. Returns 2 if the TCP Initial Window is increased to 10 * MSS or 14600 bytes, as specified in draft-ietf-tcpm-initcwnd.
tcp.rootonly
(net.inet.tcp.rootonly)- An array of
in_port_t
is returned specifying the bitmask of TCP ports that can only be bound by processes with root euid. When running with a securelevel(7) greater than 0, this variable may not be changed. tcp.rstppslimit
(net.inet.tcp.rstppslimit)- This variable specifies the maximum number of outgoing TCP RST packets per second. TCP RST packets exceeding this value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation.
tcp.sack
(net.inet.tcp.sack)- Returns 1 if RFC 2018 Selective Acknowledgements are enabled.
tcp.slowhz
(net.inet.tcp.slowhz)- The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks of a clock that ticks tcp.slowhz times per second. (That is, their values must be divided by the tcp.slowhz value to get times in seconds.)
tcp.stats
(net.inet.tcp.stats)- Returns the TCP statistics in a struct tcpstat.
tcp.synbucketlimit
(net.inet.tcp.synbucketlimit)- The maximum number of entries allowed per hash bucket in the TCP SYN cache.
tcp.syncachelimit
(net.inet.tcp.syncachelimit)- The maximum number of entries allowed in the TCP SYN cache.
tcp.synhashsize
(net.inet.tcp.synhashsize)- The number of buckets in the TCP SYN cache hash array. After the value is set, the actual size changes when the alternative SYN cache becomes empty and both SYN caches are swapped.
tcp.synuselimit
(net.inet.tcp.synuselimit)- The minimum number of times the hash function for the TCP SYN cache is used before it is reseeded.
udp.baddynamic
(net.inet.udp.baddynamic)- Analogous to
tcp.baddynamic
but for UDP sockets. udp.checksum
(net.inet.udp.checksum)- Returns 1 when UDP checksums are being computed and checked. Disabling UDP checksums is strongly discouraged.
udp.recvspace
(net.inet.udp.recvspace)- Returns the default UDP receive buffer size.
udp.rootonly
(net.inet.udp.rootonly)- Analogous to
tcp.rootonly
but for UDP sockets. udp.sendspace
(net.inet.udp.sendspace)- Returns the default UDP send buffer size.
udp.stats
(net.inet.udp.stats)- Returns the UDP statistics in a struct udpstat.
PF_INET6
- Get or set various global information about IPv6 (Internet Protocol
version 6). The third level name is the protocol. The fourth level name is
the variable name. The currently defined protocols and names are:
Protocol name Variable name Type Changeable icmp6 errppslimit integer yes icmp6 mtudisc_hiwat integer yes icmp6 mtudisc_lowat integer yes icmp6 nd6_debug integer yes icmp6 nd6_delay integer yes icmp6 nd6_maxnudhint integer yes icmp6 nd6_mmaxtries integer yes icmp6 nd6_prune integer yes icmp6 nd6_umaxtries integer yes icmp6 redirtimeout integer yes ip6 auto_flowlabel integer yes ip6 dad_count integer yes ip6 dad_pending integer yes ip6 defmcasthlim integer yes ip6 forwarding integer yes ip6 hdrnestlimit integer yes ip6 hlim integer yes ip6 ifq node N/A ip6 log_interval integer yes ip6 maxdynroutes integer yes ip6 maxfragpackets integer yes ip6 maxfrags integer yes ip6 maxifprefixes integer yes ip6 maxifdefrouters integer yes ip6 mforwarding integer yes ip6 mtudisctimeout integer yes ip6 multicast_mtudisc integer yes ip6 multipath integer yes ip6 neighborgcthresh integer yes ip6 redirect integer yes ip6 use_deprecated integer yes The variables are as follows:
icmp6.errppslimit
(net.inet6.icmp6.errppslimit)- This variable specifies the maximum number of outgoing ICMPv6 error messages per second. ICMPv6 error messages exceeding this value are subject to rate limitation and will not go out from the node. A negative value will disable the rate limitation.
icmp6.mtudisc_hiwat
(net.inet6.icmp6.mtudisc_hiwat)icmp6.mtudisc_lowat
(net.inet6.icmp6.mtudisc_lowat)- These variables define the maximum number of routing table entries
created due to path MTU discovery (preventing denial-of-service
attacks with ICMPv6 too big messages). After IPv6 path MTU discovery
happens, path MTU information is kept in the routing table. If the
number of routing table entries exceeds this value, the kernel will
not attempt to keep the path MTU information.
icmp6.mtudisc_hiwat
is used when we have verified ICMPv6 too big messages.icmp6.mtudisc_lowat
is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected PCBs. A negative value disables the upper limit. icmp6.nd6_debug
(net.inet6.icmp6.nd6_debug)- If set to non-zero, IPv6 neighbor discovery will generate debugging messages. The debug output is useful for diagnosing IPv6 interoperability issues. The flag must be set to 0 for normal operation.
icmp6.nd6_delay
(net.inet6.icmp6.nd6_delay)- This variable specifies the
DELAY_FIRST_PROBE_TIME
timing constant in IPv6 neighbor discovery specification (RFC 4861), in seconds. icmp6.nd6_maxnudhint
(net.inet6.icmp6.nd6_maxnudhint)- IPv6 neighbor discovery permits upper layer protocols to supply reachability hints, to avoid unnecessary neighbor discovery exchanges. This variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor discovery will take a maximum of 3 consecutive hints. After receiving 3 hints, the neighbor discovery layer will instead perform the normal neighbor discovery process.
icmp6.nd6_mmaxtries
(net.inet6.icmp6.nd6_mmaxtries)- This variable specifies the
MAX_MULTICAST_SOLICIT
constant in IPv6 neighbor discovery specification (RFC 4861). icmp6.nd6_prune
(net.inet6.icmp6.nd6_prune)- This variable specifies the interval between IPv6 neighbor cache babysitting in seconds.
icmp6.nd6_umaxtries
(net.inet6.icmp6.nd6_umaxtries)- This variable specifies the
MAX_UNICAST_SOLICIT
constant in IPv6 neighbor discovery specification (RFC 4861). icmp6.redirtimeout
(net.inet6.icmp6.redirtimeout)- The variable specifies the lifetime of routing entries generated by incoming ICMPv6 redirects.
ip6.auto_flowlabel
(net.inet6.ip6.auto_flowlabel)- On connected transport protocol packets, fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
ip6.dad_count
(net.inet6.ip6.dad_count)- This variable configures the number of IPv6 DAD (duplicated address detection) probe packets. These packets are generated when IPv6 interfaces are first brought up.
ip6.dad_pending
(net.inet6.ip6.dad_pending)- This variable displays the number of pending IPv6 DAD (duplicated address detection) before completion. It is used to make sure that DAD is completed before netstart(8) is executed.
ip6.defmcasthlim
(net.inet6.ip6.defmcasthlim)- The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overriding this value are documented in ip6(4).
ip6.forwarding
(net.inet6.ip6.forwarding)- Returns 1 when IPv6 forwarding is enabled for the node, meaning that the node is acting as a router. Returns 0 when IPv6 forwarding is disabled for the node, meaning that the node is acting as a host. Note that IPv6 defines node behavior for the “router” and “host” cases quite differently, and changing this variable during operation may cause serious trouble. Hence, this variable should only be set at bootstrap time.
ip6.hdrnestlimit
(net.inet6.ip6.hdrnestlimit)- The number of IPv6 extension headers permitted on incoming IPv6 packets. If set to 0, the node will accept as many extension headers as possible.
ip6.hlim
(net.inet6.ip6.hlim)- The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overriding this value are documented in ip6(4).
ip6.ifq
(net.inet6.ip6.ifq)- Fifth level comprises an array of
struct ifqueue
structures containing information about IPv6 packet input queue. The fifth level names for the elements ofstruct ifqueue
are detailed above inip.ifq
. ip6.log_interval
(net.inet6.ip6.log_interval)- This variable permits adjusting the amount of logs generated by the IPv6 packet forwarding engine. The value indicates the number of seconds of interval which must elapse between log output.
ip6.maxdynroutes
(net.inet6.ip6.maxdynroutes)- Maximum number of routes created by redirect. Set to negative to disable. The default value is 4096.
ip6.maxfragpackets
(net.inet6.ip6.maxfragpackets)- The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is provided basically for avoiding possible DoS attacks.
ip6.maxfrags
(net.inet6.ip6.maxfrags)- The maximum number of fragments the node will accept. 0 means that the node will not accept any fragments. -1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks.
ip6.maxifprefixes
(net.inet6.ip6.maxifprefixes)- Maximum number of prefixes created by route advertisements per interface. Set to negative to disable. The default value is 16.
ip6.maxifdefrouters
(net.inet6.ip6.maxifdefrouters)- Maximum number of default routers created by route advertisements per interface. Set to negative to disable. The default value is 16.
ip6.mforwarding
(net.inet6.ip6.mforwarding)- If set to 1, then multicast forwarding is enabled for the host. The default is 0.
ip6.multicast_mtudisc
(net.inet6.ip6.multicast_mtudisc)- This variable controls generation of ICMPv6 Too Big messages when the machine is performing as an IPv6 multicast router. If set to 1, an ICMPv6 Too Big message will be generated for multicast packets which were too big to be forwarded. If set to 0, the ICMPv6 Too Big message will be suppressed.
ip6.multipath
(net.inet6.ip6.multipath)- This variable enables multipath routing for IPv6 addresses. If set to 0, only the first route selected will be used for a given destination regardless of how many routes exist in the routing table.
ip6.mtudisctimeout
(net.inet6.ip6.mtudisctimeout)- Number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU.
ip6.neighborgcthresh
(net.inet6.ip6.neighborgcthresh)- Maximum number of entries in neighbor cache. Set to negative to disable. The default value is 2048.
ip6.redirect
(net.inet6.ip6.redirect)- Returns 1 when ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems.
ip6.use_deprecated
(net.inet6.ip6.use_deprecated)- This variable controls the use of deprecated addresses, specified in RFC 4862 5.5.4.
We reuse
net.inet.tcp
andnet.inet.udp
for TCP/UDP over IPv6. PF_KEY
- Return ipsec(4) database dumps. The second level name is
PF_KEY_V2
. The third level name selects the database as follows:NET_KEY_SADB_DUMP
- Security Association database (SADB).
NET_KEY_SPD_DUMP
- IPsec flow database (SPD).
PF_MPLS
- Get or set global information about MPLS (Multiprotocol Label Switching).
Third level name Type Changeable MPLSCTL_DEFTTL
integer yes MPLSCTL_IFQUEUE
node not applicable MPLSCTL_MAPTTL_IP
integer yes MPLSCTL_MAPTTL_IP6
integer yes MPLSCTL_MAXINKLOOP
integer yes MPLSCTL_DEFTTL
(net.mpls.ttl)- Set or get the default TTL value which is used for MPLS (Shim) Header. The default is 255.
MPLSCTL_IFQUEUE
(net.mpls.ifq)- Fourth level comprises an array of
struct ifqueue
structures containing information about MPLS packet input queue. The forth level names for the elements ofstruct ifqueue are same as described in
ip.ifq
in thePF_INET
section. MPLSCTL_MAPTTL_IP
(net.mpls.mapttl_ip)- If set to 1 the TTL field is synchronized between the IP header and
the MPLS label stack. If set to 0 the IP header TTL is not modified
while passing through MPLS and the MPLS label stack is initialized
with the
MPLSCTL_DEFTTL
. The default is 1. MPLSCTL_MAPTTL_IP6
(net.mpls.mapttl_ip6)- If set to 1 the TTL field is synchronized between the IPv6 header and
the MPLS label stack. If set to 0 the IPv6 header TTL is not modified
while passing through MPLS and the MPLS label stack is initialized
with the
MPLSCTL_DEFTTL
. The default is 0. MPLSCTL_MAXINKLOOP
(net.mpls.maxloop_inkernel)- Set or get the maxinum number of label stack operations (push, swap, pop) that can be made on a packet. The default is 16.
PF_PIPEX
(net.pipex)- Get or set global information about PIPEX.
The currently defined variable names are:
Third level name Type Changeable PIPEXCTL_ENABLE
integer yes PIPEXCTL_INQ
node not applicable PIPEXCTL_OUTQ
node not applicable PIPEXCTL_ENABLE
- If set to 1, enable PIPEX processing. The default is 0.
PIPEXCTL_INQ
(net.pipex.inq)- Fourth level comprises an array of
struct ifqueue
structures containing information about the PIPEX packet input queue. The forth level names for the elements ofstruct ifqueue
are the same as described inip.ifq
in thePF_INET
section. PIPEXCTL_OUTQ
(net.pipex.outq)- Fourth level comprises an array of
struct ifqueue
structures containing information about PIPEX packet output queue. The forth level names for the elements ofstruct ifqueue are same as described in
ip.ifq
in thePF_INET
section.
CTL_VFS
The string and integer information available for the
CTL_VFS
level is detailed below. The changeable
column shows whether a process with appropriate privileges may change the
value.
Second level name | Type | Changeable |
VFS_GENERIC |
VFS generic info | no |
filesystem
# |
filesystem info | no |
VFS_GENERIC
- This second level identifier requests generic information about the VFS
layer. Within it, the following third level identifiers exist:
Third level name Type Changeable VFS_CONF
struct vfsconf no VFS_MAXTYPENUM
int no - filesystem #
- After finding the filesystem dependent vfc_typenum
using
VFS_GENERIC
withVFS_CONF
, it is possible to access filesystem dependent information.Some filesystems may contain settings.
- FFS
-
Third level name Type Changeable FFS_DIRHASH_DIRSIZE
integer yes FFS_DIRHASH_MAXMEM
integer yes FFS_DIRHASH_MEM
integer no FFS_MAX_SOFTDEPS
integer yes FFS_SD_BLK_LIMIT_HIT
integer yes FFS_SD_BLK_LIMIT_PUSH
integer yes FFS_SD_DIR_ENTRY
integer yes FFS_SD_DIRECT_BLK_PTRS
integer yes FFS_SD_INDIR_BLK_PTRS
integer yes FFS_SD_INO_LIMIT_HIT
integer yes FFS_SD_INO_LIMIT_PUSH
integer yes FFS_SD_INODE_BITMAP
integer yes FFS_SD_SYNC_LIMIT_HIT
integer yes FFS_SD_TICKDELAY
integer yes FFS_SD_WORKLIST_PUSH
integer yes FFS_DIRHASH_DIRSIZE
(vfs.ffs.dirhash_dirsize)- The minimum size of a directory, in bytes, before it is considered for hashing.
FFS_DIRHASH_MAXMEM
(vfs.ffs.dirhash_maxmem)- The maximum amount of memory, in bytes, to be used for storing directory hashes.
FFS_DIRHASH_MEM
(vfs.ffs.dirhash_mem)- The amount of memory currently used by all directory hashes.
FFS_MAX_SOFTDEPS
(vfs.ffs.max_softdeps)- Maximum strcuctures before slowdowns.
FFS_SD_BLK_LIMIT_HIT
(vfs.ffs.sd_blk_limit_hit)- Number of times block slowdown imposed.
FFS_SD_BLK_LIMIT_PUSH
(vfs.ffs.sd_blk_limit_push)- Number of times block limit neared.
FFS_SD_DIR_ENTRY
(vfs.ffs.sd_dir_entry)- Bufs redirtied as dir entry cannot write.
FFS_SD_DIRECT_BLK_PTRS
(vfs.ffs.sd_direct_blk_ptrs)- Bufs redirtied as direct ptrs not written.
FFS_SD_INDIR_BLK_PTRS
(vfs.ffs.sd_indir_blk_ptrs)- Bufs redirtied as indirect ptrs not written.
FFS_SD_INO_LIMIT_HIT
(vfs.ffs.sd_ino_limit_hit)- Number of times inode limit imposed.
FFS_SD_INO_LIMIT_PUSH
(vfs.ffs.sd_ino_limit_push)- Number of times inode limit neared.
FFS_SD_INODE_BITMAP
(vfs.ffs.sd_inode_bitmap)- Bufs redirtied as inode bitmap not written.
FFS_SD_SYNC_LIMIT_HIT
(vfs.ffs.sd_sync_limit_hit)- Number of synchronous slowdowns imposed.
FFS_SD_TICKDELAY
(vfs.ffs.sd_tickdelay)- Ticks to pause during slowdown.
FFS_SD_WORKLIST_PUSH
(vfs.ffs.sd_worklist_push)- Number of worklist cleanups.
- NFS
-
Third level name Type Changeable NFS_NFSSTATS
struct nfsstats yes NFS_NIOTHREADS
int yes NFS_NIOTHREADS
(vfs.nfs.iothreads)- The number of I/O kernel threads for NFS clients. The default is 4; the maximum is 20.
- FUSE
-
Third level name Type Changeable FUSEFS_INFBUFS
int no FUSEFS_OPENDEVS
int no FUSEFS_POOL_NBPAGES
int no FUSEFS_WAITFBUFS
int no FUSEFS_INFBUFS
(vfs.fuse.fusefs_fbufs_in)- The number of inbound fusebufs.
FUSEFS_OPENDEVS
(vfs.fuse.fusefs_open_devices)- The number of FUSE devices opened.
FUSEFS_POOL_NBPAGES
(vfs.fuse.fusefs_pool_pages)- The number of pages used for fusebuf memory.
FUSEFS_WAITFBUFS
(vfs.fuse.fusefs_fbufs_wait)- The number of fusebufs waiting for a response.
CTL_VM
The string and integer information available for the
CTL_VM
level is detailed below. The changeable
column shows whether a process with appropriate privileges may change the
value.
Second level name | Type | Changeable |
VM_ANONMIN |
integer | yes |
VM_LOADAVG |
struct loadavg | no |
VM_MAXSLP |
integer | no |
VM_METER |
struct vmtotal | no |
VM_NKMEMPAGES |
integer | no |
VM_PSSTRINGS |
struct psstrings | no |
VM_SWAPENCRYPT |
swap encrypt values | yes |
VM_USPACE |
integer | no |
VM_UVMEXP |
struct uvmexp | no |
VM_VNODEMIN |
integer | yes |
VM_VTEXTMIN |
integer | yes |
VM_ANONMIN
(vm.anonmin)- Percentage of physical memory available for pages which contain anonymous mapping.
VM_LOADAVG
(vm.loadavg)- Return the load average history. The returned data consists of a
struct loadavg
. VM_MAXSLP
(vm.maxslp)- The time for a process to be blocked before being swappable, in seconds.
VM_METER
(vm.vmmeter)- Return the system wide virtual memory statistics. The returned data
consists of a
struct vmtotal
. VM_NKMEMPAGES
(vm.nkmempages)- Number of pages in kmem_map.
VM_PSSTRINGS
(vm.psstrings)- Returns the address of the process
struct ps_strings
. The ps(1) program uses it to locate the argument and environment strings. VM_SWAPENCRYPT
- Contains statistics about swap encryption. The string and integer
information available for the third level is detailed below.
Third level name Type Changeable SWPENC_CREATED
integer no SWPENC_DELETED
integer no SWPENC_ENABLE
integer yes SWPENC_CREATED
(vm.swapencrypt.keyscreated)- The number of encryption keys that have been randomly created. The swap partition is divided into sections of normally 512KB. Each section has its own encryption key.
SWPENC_DELETED
(vm.swapencrypt.keysdeleted)- The number of encryption keys that have been deleted, thus effectively erasing the data that has been encrypted with them. Encryption keys are deleted when their reference counter reaches zero.
SWPENC_ENABLE
(vm.swapencrypt.enable)- Set to 1 to enable swap encryption for all processes. A 0 disables swap encryption. Pages still on swap receive a grandfather clause. Turning this option on does not affect legacy swap data already on the disk, but all newly written data will be encrypted. When swap encryption is turned on, automatic crash(8) dumps are disabled.
VM_USPACE
(vm.uspace)- The number of bytes allocated for each kernel stack.
VM_UVMEXP
(vm.uvmexp)- Contains statistics about the UVM memory management system.
VM_VNODEMIN
(vm.vnodemin)- Percentage of physical memory available for pages which contain cached file data.
VM_VTEXTMIN
(vm.vtextmin)- Percentage of physical memory available for pages which contain cached executable data.
RETURN VALUES
If the call to sysctl
() is unsuccessful,
-1 is returned and errno is set appropriately.
FILES
<sys/sysctl.h>
- definitions for top level identifiers, second level kernel and hardware identifiers, and user level identifiers
<sys/socket.h>
- definitions for second level network identifiers
<sys/gmon.h>
- definitions for third level profiling identifiers
<ufs/ffs/ffs_extern.h>
- definitions for third level virtual file system identifiers (ffs)
<nfs/nfs.h>
- definitions for third level virtual file system identifiers (nfs)
<uvm/uvm_param.h>
- definitions for second level virtual memory identifiers
<uvm/uvm_swap_encrypt.h>
- definitions for third level virtual memory identifiers
<net/if.h>
- definitions for packet input/output queue identifiers
<net/pipex.h>
- definitions for third level PIPEX identifiers
<netinet/in.h>
- definitions for third level IPv4/v6 identifiers and fourth level IP and IPv6 identifiers
<netinet/icmp_var.h>
- definitions for fourth level ICMP identifiers
<netinet/icmp6.h>
- definitions for fourth level ICMPv6 identifiers
<netinet/tcp_var.h>
- definitions for fourth level TCP identifiers
<netinet/udp_var.h>
- definitions for fourth level UDP identifiers
<machine/cpu.h>
- definitions for second level CPU identifiers
ERRORS
The following errors may be reported:
- [
EFAULT
] - The buffer name, oldp, newp, or length pointer oldlenp contains an invalid address.
- [
EINVAL
] - The name array is less than two or greater than
CTL_MAXNAME
. - [
EINVAL
] - A non-null newp pointer is given and its specified length in newlen is too large or too small.
- [
ENOMEM
] - The length pointed to by oldlenp is too short to hold the requested value.
- [
ENOENT
] - The mib specified does not exist, or exceeds the range that is possible.
- [
ENXIO
] - If the mib is a sparsely populated array, this error may be returned instead.
- [
ENOTDIR
] - The name array specifies an intermediate rather than terminal name.
- [
EOPNOTSUPP
] - The name array specifies a value that is unknown.
- [
EPERM
] - An attempt is made to set a read-only value.
- [
EPERM
] - A process without appropriate privileges attempts to set a value.
- [
EPERM
] - An attempt to change a value protected by the current kernel security level is made.
- [
ESRCH
] - No process could be found which corresponds to the given process ID.
SEE ALSO
pathconf(2), sysconf(3), ddb(4), sysctl.conf(5), securelevel(7), sysctl(8)
HISTORY
The sysctl
() function first appeared in
4.4BSD.