SYSCTL(3) BSD Programmer's Manual SYSCTL(3)NAMEsysctl - get or set system information
SYNOPSIS
#include <sys/param.h>
#include <sys/sysctl.h>
int
sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
size_t newlen);
DESCRIPTION
The sysctl() function retrieves system information and allows processes
with appropriate privileges to set system information. The information
available from sysctl() consists of integers, strings, and tables. Infor-
mation may be retrieved and set from the command interface using the
sysctl(8) utility.
Unless explicitly noted below, sysctl() returns a consistent snapshot of
the data requested. Consistency is obtained by locking the destination
buffer into memory so that the data may be copied out without blocking.
Calls to sysctl() are serialized to avoid deadlock.
The state is described using a "Management Information Base (MIB)" style
name, listed in name, which is a namelen length array of integers.
The information is copied into the buffer specified by oldp. The size of
the buffer is given by the location specified by oldlenp before the call,
and that location gives the amount of data copied after a successful
call. If the amount of data available is greater than the size of the
buffer supplied, the call supplies as much data as fits in the buffer
provided and returns with the error code ENOMEM. If the old value is not
desired, oldp and oldlenp should be set to NULL.
The size of the available data can be determined by calling sysctl() with
a NULL parameter for oldp. The size of the available data will be re-
turned in the location pointed to by oldlenp. For some operations, the
amount of space may change often. For these operations, the system at-
tempts to round up so that the returned size is large enough for a call
to return the data shortly thereafter.
To set a new value, newp is set to point to a buffer of length newlen
from which the requested value is to be taken. If a new value is not to
be set, newp should be set to NULL and newlen set to 0.
The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and
are as follows. The next and subsequent levels down are found in the in-
clude files listed here, and described in separate sections below.
Name Next level names Description
CTL_DDB ddb/db_var.h Kernel debugger
CTL_DEBUG sys/sysctl.h Debugging
CTL_FS sys/sysctl.h File system
CTL_HW sys/sysctl.h Generic CPU, I/O
CTL_KERN sys/sysctl.h High kernel limits
CTL_MACHDEP sys/sysctl.h Machine dependent
CTL_NET sys/socket.h Networking
CTL_USER sys/sysctl.h User-level
CTL_VFS ufs/ffs/ffs_extern.h Virtual file system
CTL_VM uvm/uvm_param.h Virtual memory
For example, the following retrieves the maximum number of processes al-
lowed in the system:
int mib[2], maxproc;
size_t len;
mib[0] = CTL_KERN;
mib[1] = KERN_MAXPROC;
len = sizeof(maxproc);
if (sysctl(mib, 2, &maxproc, &len, NULL, 0) == -1)
err(1, "sysctl");
To retrieve the standard search path for the system utilities:
int mib[2];
size_t len;
char *p;
mib[0] = CTL_USER;
mib[1] = USER_CS_PATH;
if (sysctl(mib, 2, NULL, &len, NULL, 0) == -1)
err(1, "sysctl");
if ((p = malloc(len)) == NULL)
err(1, NULL);
if (sysctl(mib, 2, p, &len, NULL, 0) == -1)
err(1, "sysctl");
CTL_DDB
Integer information and settable variables are available for the CTL_DDB
level, as described below. More information is also available in ddb(4).
Second level name Type Changeable
DBCTL_CONSOLE integer yes
DBCTL_LOG integer yes
DBCTL_MAXLINE integer yes
DBCTL_MAXWIDTH integer yes
DBCTL_PANIC integer yes
DBCTL_RADIX integer yes
DBCTL_TABSTOP integer yes
DBCTL_CRASH integer yes
DBCTL_CONSOLE
When this variable is set, an architecture dependent magic key
sequence on the console or a debugger button will permit entry
into the kernel debugger. As described in securelevel(7), a secu-
rity level greater than 1 blocks modification of this variable.
DBCTL_LOG
When set, ddb output is also logged in the kernel message buffer.
DBCTL_MAXLINE
Determines the number of lines to page in ddb(4). This variable
is also available as the ddb $lines variable.
DBCTL_MAXWIDTH
Determines the maximum width of a line in ddb(4). This variable
is also available as the ddb $maxwidth variable.
DBCTL_PANIC
When this variable is set, system panics may drop into the kernel
debugger. As described in securelevel(7), a security level
greater than 1 blocks modification of this variable.
DBCTL_RADIX
Determines the default radix or base for non-prefixed numbers en-
tered into ddb(4). This variable is also available as the ddb
$radix variable.
DBCTL_TABSTOP
Width of a tab stop in ddb(4). This variable is also available as
the ddb $tabstops variable.
DBCTL_CRASH
Set this to a value larger than 1 to crash the kernel with a pan-
ic. This is only allowed if the value was 1 before, and the sys-
tem is continuable. This value can only be raised from 0 to 1 in
securelevel 0 or insecure mode.
CTL_DEBUG
The debugging variables vary from system to system. A debugging variable
may be added or deleted without need to recompile sysctl() to know about
it. Each time it runs, sysctl() gets the list of debugging variables from
the kernel and displays their current values. The system defines twenty
struct ctldebug variables named debug0 through debug19. They are declared
as separate variables so that they can be individually initialized at the
location of their associated variable. The loader prevents multiple use
of the same variable by issuing errors if a variable is initialized in
more than one place. For example, to export the variable dospecialcheck
as a debugging variable, the following declaration would be used:
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
CTL_FS
The string and integer information available for the CTL_FS level is de-
tailed below. The changeable column shows whether a process with ap-
propriate privileges may change the value.
Second level name Type Changeable
FS_POSIX_SETUID integer yes
FS_POSIX_SETUID
When this variable is set, ownership changes on a file will cause
the S_ISUID and S_ISGID bits to be cleared. As detailed in
securelevel(7), this variable may not be changed if the
securelevel is > 0.
CTL_HW
The string and integer information available for the CTL_HW level is de-
tailed below. The changeable column shows whether a process with ap-
propriate privileges may change the value.
Second level name Type Changeable
HW_BYTEORDER integer no
HW_CPUSPEED integer no
HW_DISKCOUNT integer no
HW_DISKNAMES string no
HW_DISKSTATS struct no
HW_MACHINE string no
HW_MODEL string no
HW_NCPU integer no
HW_PAGESIZE integer no
HW_PHYSMEM integer no
HW_SENSORS struct no
HW_SETPERF integer yes
HW_USERMEM integer no
HW_BYTEORDER
The byteorder (4321 or 1234).
HW_CPUSPEED
The current CPU frequency (in MHz).
HW_DISKCOUNT
The number of disks currently attached to the system.
HW_DISKNAMES
A comma-separated list of disk names.
HW_DISKSTATS
An array of struct diskstats structures containing disk statis-
tics.
HW_MACHINE
The machine class.
HW_MODEL
The machine model.
HW_NCPU
The number of CPUs.
HW_PAGESIZE
The software page size.
HW_PHYSMEM
The total physical memory, in bytes.
HW_SENSORS
An array of struct sensor structures containing information from
the hardware monitoring sensors.
HW_SETPERF
Current CPU performance (percentage).
HW_USERMEM
The amount of available non-kernel memory in bytes.
CTL_KERN
The string and integer information available for the CTL_KERN level is
detailed below. The changeable column shows whether a process with ap-
propriate privileges may change the value. The types of data currently
available are process information, system vnodes, the open file entries,
routing table entries, virtual memory statistics, load average history,
and clock rate information.
Second level name Type Changeable
KERN_ALLOWPSA integer yes
KERN_ALLOWPSE integer yes
KERN_ARGMAX integer no
KERN_ARND integer yes
KERN_BOOTTIME struct timeval no
KERN_CCPU integer no
KERN_CLOCKRATE struct clockinfo no
KERN_CPTIME long[CPUSTATES] no
KERN_CPTIME2 u_int64_t[CPUSTATES] no
KERN_CRYPTODEVALLOWSOFT integer yes
KERN_DOMAINNAME string yes
KERN_EMUL node not applicable
KERN_EMULUNAME string yes
KERN_FILE struct file no
KERN_FORKSTAT struct forkstat no
KERN_FSCALE integer no
KERN_FSYNC integer no
KERN_HOSTID integer yes
KERN_HOSTNAME string yes
KERN_INTRCNT node not applicable
KERN_JOB_CONTROL integer no
KERN_MALLOCSTATS node no
KERN_MAXCLUSTERS integer yes
KERN_MAXFILES integer yes
KERN_MAXPARTITIONS integer no
KERN_MAXPROC integer yes
KERN_MAXVNODES integer yes
KERN_MBSTAT struct mbstat no
KERN_MSGBUF char[] no
KERN_MSGBUFSIZE integer no
KERN_NCHSTATS struct nchstats no
KERN_NFILES integer no
KERN_NGROUPS integer no
KERN_NOSUIDCOREDUMP integer yes
KERN_NPROCS integer no
KERN_NSELCOLL integer no
KERN_NUMVNODES integer no
KERN_OSRELEASE string no
KERN_OSREV integer no
KERN_OSTYPE string no
KERN_OSVERSION string no
KERN_POSIX1 integer no
KERN_PROC struct kinfo_proc no
KERN_PROC2 struct kinfo_proc2 no
KERN_PROC_ARGS node not applicable
KERN_RAWPARTITION integer no
KERN_RND struct rndstats no
KERN_SAVED_IDS integer no
KERN_SECURELVL integer raise only
KERN_SEMINFO node not applicable
KERN_SHMINFO node not applicable
KERN_SOMAXCONN integer yes
KERN_SOMINCONN integer yes
KERN_SPLASSERT int yes
KERN_STACKGAPRANDOM integer yes
KERN_SYSVIPC_INFO node not applicable
KERN_SYSVMSG integer no
KERN_SYSVSEM integer no
KERN_SYSVSHM integer no
KERN_TTY node not applicable
KERN_TTYCOUNT integer no
KERN_USERASYMCRYPTO integer yes
KERN_USERCRYPTO integer yes
KERN_USERMOUNT integer yes
KERN_VERSION string no
KERN_VNODE struct vnode no
KERN_WATCHDOG node not applicable
KERN_ALLOWPSA
If 0, users are not allowed to view processes of other users, for
example with the -a option to ps(1).
KERN_ALLOWPSE
If 0, users are not allowed to view the environment of processes
of other users, for example with the -e option to ps(1).
KERN_ARGMAX
The maximum number of bytes allowed among the arguments to
exec(3).
KERN_ARND
Returns a random integer from the kernel arc4random(9) function.
This can be useful if /dev/arandom is not available (see
random(4)). This sysctl is writable since MirOS #8.
KERN_BOOTTIME
A struct timeval structure is returned. This structure contains
the time that the system was booted.
KERN_CCPU
The scheduler exponential decay value.
KERN_CLOCKRATE
A struct clockinfo structure is returned. This structure contains
the clock, statistics clock and profiling clock frequencies, the
number of micro-seconds per hz tick, and the clock skew rate.
KERN_CPTIME
An array of longs of size CPUSTATES is returned, containing
statistics about the number of ticks spent by the system among
all processors in interrupt processing, user processes
(nice(1) or normal), system processing, or idling.
KERN_CPTIME2
Similar to KERN_CPTIME, but obtains information from only the
single CPU specified by the third level name given.
KERN_CRYPTODEVALLOWSOFT
Permits userland to use /dev/crypto even if there is no hardware
crypto accelerator in the system.
KERN_DOMAINNAME
Get or set the domain name.
KERN_EMUL
Enable binary emulation.
Third level name Type Changeable
KERN_EMUL_ENABLED integer yes
KERN_EMUL_NAME string no
KERN_EMUL_NEMULS integer no
Third level names in KERN_EMUL other than KERN_EMUL_NEMULS refer
to a specific emulation available in the kernel. Valid values
range from 1 to the return value of KERN_EMUL_NEMULS. The fourth
level names available are KERN_EMUL_NAME, which returns a string
with the emulation name, and KERN_EMUL_ENABLED, which is an adju-
stable integer.
Note that using this interface exposes duplicate entries which
are consolidated by the userland frontend.
KERN_EMULUNAME
Sets the ostype value the uname(3) call returns for applications
executed in the linuxulator.
KERN_FILE
Return the entire file table. The returned data consists of a
single struct filehead followed by an array of struct file, whose
size depends on the current number of such objects in the system.
KERN_FORKSTAT
A struct forkstat structure is returned. This structure contains
information about the number of fork(2), vfork(2), and rfork(2)
system calls as well as kernel thread creations since system
startup, and the number of pages of virtual memory involved in
each.
KERN_FSCALE
The kernel fixed-point scale factor.
KERN_FSYNC
Return 1 if the File Synchronisation Option is available on this
system, otherwise 0.
KERN_HOSTID
Get or set the host ID.
KERN_HOSTNAME
Get or set the hostname.
KERN_JOB_CONTROL
Return 1 if job control is available on this system, otherwise 0.
KERN_MALLOCSTATS
Return kernel memory bucket statistics. The third level names are
detailed below. There are no changeable values in this branch.
Third level name Type
KERN_MALLOC_BUCKET node
KERN_MALLOC_BUCKETS string
KERN_MALLOC_KMEMNAMES string
KERN_MALLOC_KMEMSTATS node
The variables are as follows:
KERN_MALLOC_BUCKET.<size>
A node containing the statistics for the memory bucket of
the specified size (in decimal notation, the number of
bytes per bucket element, e.g., 16, 32, 128). Each node
returns a struct kmembuckets.
If a value is specified that does not correspond directly
to a bucket size, the statistics for the closest larger
bucket size will be returned instead.
Note that bucket sizes are typically powers of 2.
KERN_MALLOC_BUCKETS
Return a comma-separated list of the bucket sizes used by
the kernel.
KERN_MALLOC_KMEMNAMES
Return a comma-separated list of the names of the kernel
malloc(9) types.
KERN_MALLOC_KMEMSTATS
A node containing the statistics for the memory types of
the specified name. Each node returns a struct kmemstats.
KERN_MAXCLUSTERS
The maximum number of mbuf(9) clusters that may be allocated.
KERN_MAXFILES
The maximum number of open files that may be open in the system.
KERN_MAXPARTITIONS
The maximum number of partitions allowed per disk.
KERN_MAXPROC
The maximum number of simultaneous processes the system will al-
low.
KERN_MAXVNODES
The maximum number of vnodes available on the system.
KERN_MBSTAT
A struct mbstat structure is returned, containing statistics on
mbuf(9) usage.
KERN_MSGBUF
Returns a buffer containing kernel log messages.
KERN_MSGBUFSIZE
The size of the kernel message buffer.
KERN_NCHSTATS
A struct nchstats structure is returned. This structure contains
information about the filename to inode(5) mapping cache.
KERN_NFILES
Number of open files.
KERN_NGROUPS
The maximum number of supplemental groups.
KERN_NOSUIDCOREDUMP
Programs with their set-user-ID bit set will not dump core when
this is set.
KERN_NPROCS
The number of entries in the kernel process table.
KERN_NSELCOLL
Number of select(2) collisions.
KERN_NUMVNODES
Number of vnodes in use.
KERN_OSRELEASE
The system release string.
KERN_OSREV
The system revision number.
KERN_OSTYPE
The system type string.
KERN_OSVERSION
The kernel build version.
KERN_POSIX1
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system
attempts to comply.
KERN_PROC
Return the entire process table, or a subset of it. An array of
struct kinfo_proc structures is returned, whose size depends on
the current number of such objects in the system. The third and
fourth level names are as follows:
Third level name Fourth level is:
KERN_PROC_ALL None
KERN_PROC_KTHREAD A kernel thread
KERN_PROC_PID A process ID
KERN_PROC_PGRP A process group
KERN_PROC_RUID A real user ID
KERN_PROC_SESSION A session PID
KERN_PROC_TTY A tty device
KERN_PROC_UID A user ID
KERN_PROC2
Like KERN_PROC but an array of struct kinfo_proc2 structures is
returned. The fifth level name is the size of the struct
kinfo_proc2 and the sixth level name is the number of structures
to return.
KERN_PROC_ARGS
Returns the arguments or environment of a process. The third lev-
el name is the PID of the process. The fourth level name is one
of:
KERN_PROC_ARGV
KERN_PROC_ENV
KERN_PROC_NARGV
KERN_PROC_NENV
KERN_PROC_NARGV and KERN_PROC_NENV return the number of elements
as an int in the argv or env array. KERN_PROC_ARGV returns the
argv array and KERN_PROC_ENV returns the environ array.
KERN_RAWPARTITION
The raw partition of a disk (a == 0).
KERN_RND
Returns statistics about the /dev/random device in a struct
rndstats structure.
KERN_SAVED_IDS
Returns 1 if saved set-group-ID and saved set-user-ID are avail-
able.
KERN_SECURELVL
The system security level. This level may be raised by processes
with appropriate privileges. It may only be lowered by process 1.
KERN_SEMINFO
Return the elements of struct seminfo. If the kernel is not com-
piled with System V style semaphore support, attempts to retrieve
any of the KERN_SEMINFO values will fail with EOPNOTSUPP. The
third level names for the elements of struct seminfo are detailed
below. The changeable column shows whether a process with ap-
propriate privileges may change the value.
Third level name Type Changeable
KERN_SEMINFO_SEMAEM integer no
KERN_SEMINFO_SEMMNI integer yes
KERN_SEMINFO_SEMMNS integer yes
KERN_SEMINFO_SEMMNU integer yes
KERN_SEMINFO_SEMMSL integer yes
KERN_SEMINFO_SEMOPM integer yes
KERN_SEMINFO_SEMUME integer no
KERN_SEMINFO_SEMUSZ integer no
KERN_SEMINFO_SEMVMX integer no
The variables are as follows:
KERN_SEMINFO_SEMAEM
The adjust on exit maximum value.
KERN_SEMINFO_SEMMNI
The maximum number of semaphore identifiers allowed.
KERN_SEMINFO_SEMMNS
The maximum number of semaphores allowed in the system.
KERN_SEMINFO_SEMMNU
The maximum number of semaphore undo structures allowed
in the system.
KERN_SEMINFO_SEMMSL
The maximum number of semaphores allowed per ID.
KERN_SEMINFO_SEMOPM
The maximum number of operations per semop(2) call.
KERN_SEMINFO_SEMUME
The maximum number of undo entries per process.
KERN_SEMINFO_SEMUSZ
The size (in bytes) of the undo structure.
KERN_SEMINFO_SEMVMX
The semaphore maximum value.
KERN_SHMINFO
Return the elements of struct shminfo. If the kernel is not com-
piled with System V style shared memory support, attempts to re-
trieve any of the KERN_SHMINFO values will fail with EOPNOTSUPP.
The third level names for the elements of struct shminfo are de-
tailed below. The changeable column shows whether a process with
appropriate privileges may change the value.
Third level name Type Changeable
KERN_SHMINFO_SHMALL integer yes
KERN_SHMINFO_SHMMAX integer yes
KERN_SHMINFO_SHMMIN integer yes
KERN_SHMINFO_SHMMNI integer yes
KERN_SHMINFO_SHMSEG integer yes
The variables are as follows:
KERN_SHMINFO_SHMALL
The maximum amount of total shared memory allowed in the
system (in pages).
KERN_SHMINFO_SHMMAX
The maximum shared memory segment size (in bytes).
KERN_SHMINFO_SHMMIN
The minimum shared memory segment size (in bytes).
KERN_SHMINFO_SHMMNI
The maximum number of shared memory identifiers in the
system.
KERN_SHMINFO_SHMSEG
The maximum number of shared memory segments per process.
KERN_SOMAXCONN
Upper bound on the number of half-open connections a process can
allow to be associated with a socket, using listen(2). The de-
fault value is 128.
KERN_SOMINCONN
Lower bound on the number of half-open connections a process can
allow to be associated with a socket, using listen(2). The de-
fault value is 80.
KERN_SPLASSERT
Modify the system interrupt priority level. Valid values are:
0 Disable error checking.
1 Print a message if an error is detected.
2 Print a message if an error is detected, and a stack
trace if possible.
3 The same as 2, but also drop into the kernel debugger.
Any other value causes a system panic on errors. See splassert(9)
for more information.
KERN_STACKGAPRANDOM
Sets the range of the random value added to the stack pointer on
each program execution. The random value is added to make buffer
overflow exploitation slightly harder. The bigger the number, the
harder it is to brute force this added protection, but it also
means bigger waste of memory.
KERN_SYSVIPC_INFO
Return System V style IPC configuration and run-time information.
The third level name selects the System V style IPC facility.
Third level name Type
KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info
KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info
KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info
KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facili-
ty. The msg_sysctl_info structure is defined in
<sys/msg.h>.
KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facil-
ity. The sem_sysctl_info structure is defined in
<sys/sem.h>.
KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory
facility. The shm_sysctl_info structure is defined in
<sys/shm.h>.
KERN_SYSVMSG
Returns 1 if System V style message queue functionality is avail-
able on this system, otherwise 0.
KERN_SYSVSEM
Returns 1 if System V style semaphore functionality is available
on this system, otherwise 0.
KERN_SYSVSHM
Returns 1 if System V style shared memory functionality is avail-
able on this system, otherwise 0.
KERN_TTY
Return statistics information about tty input/output. The third
level names information is detailed below. The changeable column
shows whether a process with appropriate privileges may change
the value.
Third level name Type Changeable
KERN_TTY_INFO struct itty no
KERN_TTY_NPTYS integer no
KERN_TTY_MAXPTYS integer yes
KERN_TTY_TKCANCC int64_t no
KERN_TTY_TKNIN int64_t no
KERN_TTY_TKNOUT int64_t no
KERN_TTY_TKRAWCC int64_t no
The variables are as follows:
KERN_TTY_INFO
Returns an array of struct itty structures containing tty
statistics.
KERN_TTY_MAXPTYS
The maximum number of pty(4) devices supported by the
kernel. This is the upper bound on KERN_TTY_NPTYS.
KERN_TTY_NPTYS
The current number of pty(4) devices allocated by the
kernel.
KERN_TTY_TKCANCC
Returns the number of input characters in canonical mode.
KERN_TTY_TKNIN
Returns the number of input characters from a tty(4).
KERN_TTY_TKNOUT
Returns the number of output characters on a tty(4).
KERN_TTY_TKRAWCC
Returns the number of input characters in raw mode.
KERN_TTYCOUNT
Number of available tty(4) devices.
KERN_USERASYMCRYPTO
Permits userland to use /dev/crypto for cryptographic support for
asymmetric (public) key operations via hardware cryptographic
devices. KERN_USERCRYPTO (see below) must also be set.
KERN_USERCRYPTO
Permits userland to use /dev/crypto and /dev/tpm for cryptograph-
ic support via hardware cryptographic devices.
KERN_USERMOUNT
Return non-zero if regular users can issue mount(2) requests. The
default value is 0.
KERN_VERSION
The system version string.
KERN_VNODE
Return the entire vnode table. Note, the vnode table is not
necessarily a consistent snapshot of the system. The returned
data consists of an array whose size depends on the current
number of such objects in the system. Each element of the array
contains the kernel address of a vnode (struct vnode *) followed
by the vnode itself (struct vnode).
KERN_WATCHDOG
Return information on hardware watchdog timers. If the kernel
does not support a hardware watchdog timer, attempts to retrieve
or set any of the KERN_WATCHDOG values will fail with EOPNOTSUPP.
Third level name Type Changeable
KERN_WATCHDOG_AUTO integer yes
KERN_WATCHDOG_PERIOD integer yes
The variables are as follows:
KERN_WATCHDOG_AUTO
If set to 1, the kernel refreshes the watchdog timer
periodically. If set to 0, a userland process must ensure
that the watchdog timer gets refreshed by setting the
KERN_WATCHDOG_PERIOD variable.
KERN_WATCHDOG_PERIOD
The period of the watchdog timer in seconds. Set to 0 to
disable the watchdog timer.
CTL_MACHDEP
The set of variables defined is architecture dependent. Most architec-
tures define at least the following variables.
Second level name Type Changeable
CPU_CONSDEV dev_t no
CTL_NET
The string and integer information available for the CTL_NET level is de-
tailed below. The changeable column shows whether a process with ap-
propriate privileges may change the value.
Second level name Type Changeable
PF_ROUTE routing messages no
PF_INET IPv4 values yes
PF_INET6 IPv6 values yes
PF_KEY key management yes
PF_ROUTE
Return the entire routing table or a subset of it. The data is
returned as a sequence of routing messages (see route(4) for the
header file, format, and meaning). The length of each message is
contained in the message header.
The third level name is a protocol number, which is currently al-
ways 0. The fourth level name is an address family, which may be
set to 0 to select all address families. The fifth and sixth lev-
el names are as follows:
Fifth level name Sixth level is:
NET_RT_DUMP None
NET_RT_FLAGS rtflags
NET_RT_IFLIST None
PF_INET
Get or set various global information about IPv4 (Internet
Protocol version 4). The third level name is the protocol. The
fourth level name is the variable name. The currently defined
protocols and names are:
Protocol name Variable name Type Changeable
ah enable integer yes
bpf bufsize integer yes
bpf maxbufsize integer yes
carp allow integer yes
carp arpbalance integer yes
carp log integer yes
carp preempt integer yes
esp enable integer yes
esp udpencap integer yes
esp udpencap_port integer yes
etherip allow integer yes
gre allow integer yes
gre wccp integer yes
icmp bmcastecho integer yes
icmp errppslimit integer yes
icmp maskrepl integer yes
icmp rediraccept integer yes
icmp redirtimeout integer yes
icmp tstamprepl integer yes
ip directed-broadcast integer yes
ip encdebug integer yes
ip forwarding integer yes
ip ipsec-allocs integer yes
ip ipsec-auth-alg string yes
ip ipsec-bytes integer yes
ip ipsec-comp-alg string yes
ip ipsec-enc-alg string yes
ip ipsec-expire-acquire integer yes
ip ipsec-firstuse integer yes
ip ipsec-invalid-life integer yes
ip ipsec-pfs integer yes
ip ipsec-soft-allocs integer yes
ip ipsec-soft-bytes integer yes
ip ipsec-soft-firstuse integer yes
ip ipsec-soft-timeout integer yes
ip ipsec-timeout integer yes
ip maxqueue integer yes
ip mtudisc integer yes
ip mtudisctimeout integer yes
ip portfirst integer yes
ip porthifirst integer yes
ip porthilast integer yes
ip portlast integer yes
ip redirect integer yes
ip sourceroute integer yes
ip ttl integer yes
ipcomp enable integer yes
ipip allow integer yes
mobileip allow integer yes
tcp ackonpush integer yes
tcp baddynamic array yes
tcp ecn integer yes
tcp ident structure no
tcp keepidle integer yes
tcp keepinittime integer yes
tcp keepintvl integer yes
tcp mssdflt integer yes
tcp reasslimit integer yes
tcp recvspace integer yes
tcp rfc1323 integer yes
tcp rfc3390 integer yes
tcp rstppslimit integer yes
tcp sack integer yes
tcp sendspace integer yes
tcp slowhz integer no
tcp synbucketlimit integer yes
tcp syncachelimit integer yes
udp baddynamic array yes
udp checksum integer yes
udp recvspace integer yes
udp sendspace integer yes
The variables are as follows:
ah.enable
If set to 1, enable the Authentication Header (AH) IPsec
protocol. Enabled by default. See ipsec(4) for more in-
formation.
bpf.bufsize
The initial size of bpf(4) buffers.
bpf.maxbufsize
The maximum size a user may request a bpf(4) buffer to
be.
carp.allow
If set to 0, incoming carp(4) packets will not be pro-
cessed. If set to any other value, processing will occur.
Enabled by default.
carp.arpbalance
If set to any value other than 0, the ARP balancing func-
tionality of carp(4) is enabled. When ARP requests are
received for an IP address which is part of any virtual
host, carp will hash the source IP in the ARP request to
select one of the virtual hosts from the set of all the
virtual hosts which have that IP address. The master of
that host will respond with the correct virtual MAC ad-
dress. Disabled by default.
carp.log
If set to any value other than 0, carp(4) will log er-
rors. Disabled by default.
carp.preempt
If set to 0, carp(4) will not attempt to become master if
it is receiving advertisements from another active mas-
ter. If set to any other value, carp will become master
of the virtual host if it believes it can send advertise-
ments more frequently than the current master. Disabled
by default.
esp.enable
If set to 1, enable the Encapsulating Security Payload
(ESP) IPsec protocol. Enabled by default. See ipsec(4)
for more information.
esp.udpencap
If set to 1, enable processing of UDP encapsulated ESP
packets. Disabled by default.
esp.udpencap_port
Contains the value of the UDP port that triggers decapsu-
lation for incoming UDP encapsulated ESP packets. The de-
fault port is 4500.
etherip.allow
If set to 0, incoming Ethernet-in-IPv4 packets will not
be processed. If set to any other value, processing will
occur.
gre.allow
If set to 0, incoming GRE packets will not be processed.
If set to any other value, processing will occur.
gre.wccp
If set to 0, incoming WCCPv1-style GRE packets will not
be processed. If set to any other value, and gre.allow
allows GRE packet processing, WCCPv1-style GRE packets
will be processed.
icmp.bmcastecho
If set to 1, respond to ICMP echo requests destined for
broadcast and multicast addresses. Note, enabling this
could open a system to a type of denial of service attack
called "smurfing", and is thus not advised.
icmp.errppslimit
This variable specifies the maximum number of outgoing
ICMP error messages per second. ICMP error messages
exceeding this value are subject to rate limitation and
will not go out from the node. A negative value disables
rate limitation.
icmp.maskrepl
Returns 1 if ICMP network mask requests are to be
answered.
icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect
packets. Note that routers will never accept ICMP
redirect packets, and the variable is meaningful on IP
hosts only.
icmp.redirtimeout
This variable specifies the lifetime of routing entries
generated by incoming ICMP redirects. The default timeout
is 10 minutes.
icmp.tstamprepl
If set to 1, reply to ICMP timestamp requests. If set to
0, ignore timestamp requests.
ip.directed-broadcast
Returns 1 if directed broadcast behavior is enabled for
the host.
ip.encdebug
Returns 1 when error message reporting is enabled for the
host. If the kernel has been compiled with the ENCDEBUG
option, then debugging information will also be reported
when this variable is set.
ip.forwarding
If set to 1, then IP forwarding is enabled for the host,
indicating the host is acting as a router. If set to 2,
then IP forwarding is restricted to traffic that has been
IPsec encapsulated or decapsulated by the host. The de-
fault value is 0.
ip.ipsec-allocs
The number of IPsec flows that can use a security associ-
ation before it expires. If set to less than or equal to
zero, the security association will not expire because of
this counter. The default value is 0.
ip.ipsec-auth-alg
This is the default authentication algorithm the kernel
will instruct key management daemons to negotiate when
establishing security associations on behalf of the ker-
nel. Such security associations can occur as a result of
a process having requested some security level through
setsockopt(2), or as a result of dynamic vpn(8) entries.
Supported values are hmac-md5, hmac-sha1, and hmac-
ripemd160. If set to any other value, it is left to the
key management daemons to select an authentication algo-
rithm for the security association. The default value is
hmac-sha1.
ip.ipsec-bytes
The number of bytes that will be processed by a security
association before it expires. If set to less than or
equal to zero, the security association will not expire
because of this counter. The default value is 0.
ip.ipsec-comp-alg
The compression algorithm to use with an IP Compression
Association (IPCA). Possible values are "deflate" and
"lzs". Note that lzs is only available with hifn(4). See
ipsecadm(8) for more information.
ip.ipsec-enc-alg
This is the default encryption algorithm the kernel will
instruct key management daemons to negotiate when estab-
lishing security associations on behalf of the kernel.
Such security associations can occur as a result of a
process having requested some security level through
setsockopt(2), or as a result of dynamic vpn(8) entries.
Supported values are aes, des, 3des, blowfish, cast128,
and skipjack. If set to any other value, it is left to
the key management daemons to select an encryption algo-
rithm for the security association. The default value is
aes.
ip.ipsec-expire-acquire
How long the kernel should allow key management to dynam-
ically acquire security associations before re-sending a
request. The default value is 30 seconds.
ip.ipsec-firstuse
The number of seconds after a security association is
first used before it expires. If set to less than or
equal to zero, the security association will not expire
because of this timer. The default value is 7200 seconds.
ip.ipsec-invalid-life
The lifetime of embryonic Security Associations (SAs that
key management daemons have reserved but not fully esta-
blished yet) in seconds. If set to less than or equal to
zero, embryonic SAs will not expire. The default value is
60.
ip.ipsec-pfs
If set to any non-zero value, the kernel will ask the key
management daemons to use Perfect Forward Secrecy when
establishing IPsec Security Associations. Perfect Forward
Secrecy makes IPsec Security Associations cryptographi-
cally distinct from each other, such that breaking the
key for one such SA does not compromise any others. Re-
quiring PFS for every security association significantly
increases the computational load of isakmpd(8) exchanges.
The default value is 1.
ip.ipsec-soft-allocs
The number of IPsec flows that can use a security associ-
ation before a message is sent by the kernel to key
management for renegotiation of the security association.
If set to less than or equal to zero, no message is sent
to key management. The default value is 0.
ip.ipsec-soft-bytes
The number of bytes that will be processed by a security
association before a message is sent by the kernel to key
management for renegotiation of the security association.
If set to less than or equal to zero, no message is sent
to key management. The default value is 0.
ip.ipsec-soft-firstuse
The number of seconds after a security association is
first used before a message is sent by the kernel to key
management for renegotiation of the security association.
If set to less than or equal to zero, no message is sent
to key management. The default value is 3600 seconds.
ip.ipsec-soft-timeout
The number of seconds after a security association is es-
tablished before a message is sent by the kernel to key
management for renegotiation of the security association.
If set to less than or equal to zero, no message is sent
to key management. The default value is 80000 seconds.
ip.ipsec-timeout
The number of seconds after a security association is es-
tablished before it will expire. If set to less than or
equal to zero, the security association will not expire
because of this timer. The default value is 86400
seconds.
ip.maxqueue
Fragment flood protection. Sets the maximum number of
unassembled IP fragments in the fragment queue.
ip.mtudisc
Returns 1 if Path MTU Discovery is enabled.
ip.mtudisctimeout
Returns the number of seconds in which a route added by
the Path MTU Discovery engine will time out. When the
route times out, the Path MTU Discovery engine will at-
tempt to probe a larger path MTU.
ip.portfirst
Minimum registered port number for TCP/UDP port alloca-
tion. Registered ports can be used by ordinary user
processes or programs executed by ordinary users. Cannot
be less than 1024 or greater than 49151. Must be less
than ip.portlast.
ip.porthifirst
Minimum dynamic/private port number for TCP/UDP port al-
location. Dynamic/private ports can be used by ordinary
user processes or programs executed by ordinary users.
Cannot be less than 49152 or greater than 65535. Must be
less than ip.porthilast.
ip.porthilast
Maximum dynamic/private port number for TCP/UDP port al-
location. Dynamic/private ports can be used by ordinary
user processes or programs executed by ordinary users.
Cannot be less than 49152 or greater than 65535. Must be
greater than ip.porthifirst.
ip.portlast
Maximum registered port number for TCP/UDP port alloca-
tion. Registered ports can be used by ordinary user
processes or programs executed by ordinary users. Cannot
be less than 1024 or greater than 49151. Must be greater
than ip.portfirst.
ip.redirect
Returns 1 when ICMP redirects may be sent by the host.
This option is ignored unless the host is routing IP
packets, and should normally be enabled on all systems.
ip.sourceroute
Returns 1 when forwarding of source-routed packets is en-
abled for the host. As detailed in securelevel(7), this
variable may not be changed if the securelevel is > 0.
ip.ttl The maximum time-to-live (hop count) value for an IP
packet sourced by the system. This value applies to nor-
mal transport protocols, not to ICMP.
ipcomp.enable
Enable the IPComp protocol. See ipsecadm(8) for more in-
formation.
ipip.allow
If set to 0, incoming IP-in-IP packets will not be pro-
cessed. If set to any other value, processing will occur;
furthermore, if set to 2, no checks for spoofing of loop-
back addresses will be done. This is useful only for de-
bugging purposes, and should never be used in production
systems.
mobileip.allow
If set to 0, incoming MobileIP encapsulated packets (RFC
2004) will not be processed. If set to any other value,
processing will occur.
tcp.ackonpush
Returns 1 if TCP segments with the TH_PUSH flag set are
being acknowledged immediately, otherwise 0.
tcp.baddynamic
An array of in_port_t is returned specifying the bitmask
of TCP ports between 512 and 1023 inclusive that should
not be allocated dynamically by the kernel (i.e., they
must be bound specifically by port number).
tcp.ecn
Returns 1 if Explicit Congestion Notifications for TCP
are enabled.
tcp.ident
A struct tcp_ident_mapping specifying a local and foreign
endpoint of a TCP socket is filled in with the effective
and real UIDs of the process that owns the socket. If no
such socket exists, then the effective and real UID
values are both set to -1.
tcp.keepidle
If the socket option SO_KEEPALIVE has been set on a sock-
et, then this value specifies how much time a connection
needs to be idle before keepalives are sent. See also
tcp.slowhz.
tcp.keepinittime
Unused.
tcp.keepintvl
Time after a keepalive probe is sent until, in the ab-
sence of any response, another probe is sent. See also
tcp.slowhz.
tcp.mssdflt
The maximum segment size that is used as default for
non-local connections. The default value is 512.
tcp.reasslimit
The maximum number of out-of-order TCP segments the sys-
tem will store for reassembly.
tcp.recvspace
Returns the default TCP receive buffer size.
tcp.rfc1323
Returns 1 if RFC 1323 extensions to TCP are enabled.
tcp.rfc3390
Returns 1 if the TCP Initial Window is increased, as
specified in RFC 3390.
tcp.rstppslimit
This variable specifies the maximum number of outgoing
TCP RST packets per second. TCP RST packets exceeding
this value are subject to rate limitation and will not go
out from the node. A negative value disables rate limita-
tion.
tcp.sack
Returns 1 if RFC 2018 Selective Acknowledgements are en-
abled.
tcp.sendspace
Returns the default TCP send buffer size.
tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those vari-
ables are in ticks of a clock that ticks tcp.slowhz times
per second. (That is, their values must be divided by the
tcp.slowhz value to get times in seconds.)
tcp.synbucketlimit
The maximum number of entries allowed per hash bucket in
the TCP SYN cache.
tcp.syncachelimit
The maximum number of entries allowed in the TCP SYN
cache.
udp.baddynamic
Analogous to tcp.baddynamic but for UDP sockets.
udp.checksum
Returns 1 when UDP checksums are being computed and
checked. Disabling UDP checksums is strongly discouraged.
udp.recvspace
Returns the default UDP receive buffer size.
udp.sendspace
Returns the default UDP send buffer size.
PF_INET6
Get or set various global information about IPv6 (Internet
Protocol version 6). The third level name is the protocol. The
fourth level name is the variable name. The currently defined
protocols and names are:
Protocol name Variable name Type Changeable
icmp6 errppslimit integer yes
icmp6 mtudisc_hiwat integer yes
icmp6 mtudisc_lowat integer yes
icmp6 nd6_debug integer yes
icmp6 nd6_delay integer yes
icmp6 nd6_maxnudhint integer yes
icmp6 nd6_mmaxtries integer yes
icmp6 nd6_prune integer yes
icmp6 nd6_umaxtries integer yes
icmp6 nd6_useloopback integer yes
icmp6 nodeinfo integer yes
icmp6 rediraccept integer yes
icmp6 redirtimeout integer yes
ip6 accept_rtadv integer yes
ip6 auto_flowlabel integer yes
ip6 dad_count integer yes
ip6 defmcasthlim integer yes
ip6 forwarding integer yes
ip6 hdrnestlimit integer yes
ip6 hlim integer yes
ip6 kame_version string no
ip6 keepfaith integer yes
ip6 log_interval integer yes
ip6 maxfragpackets integer yes
ip6 maxfrags integer yes
ip6 redirect integer yes
ip6 rr_prune integer yes
ip6 use_deprecated integer yes
ip6 v6only integer no
The variables are as follows:
icmp6.errppslimit
This variable specifies the maximum number of outgoing
ICMPv6 error messages per second. ICMPv6 error messages
exceeding this value are subject to rate limitation and
will not go out from the node. A negative value will dis-
able the rate limitation.
icmp6.mtudisc_hiwat
icmp6.mtudisc_lowat
These variables define the maximum number of routing
table entries created due to path MTU discovery
(preventing denial-of-service attacks with ICMPv6 too big
messages). After IPv6 path MTU discovery happens, path
MTU information is kept in the routing table. If the
number of routing table entries exceeds this value, the
kernel will not attempt to keep the path MTU information.
icmp6.mtudisc_hiwat is used when we have verified ICMPv6
too big messages. icmp6.mtudisc_lowat is used when we
have unverified ICMPv6 too big messages. Verification is
performed by using address/port pairs kept in connected
PCBs. A negative value disables the upper limit.
icmp6.nd6_debug
If set to non-zero, IPv6 neighbor discovery will generate
debugging messages. The debug output is useful for diag-
nosing IPv6 interoperability issues. The flag must be set
to 0 for normal operation.
icmp6.nd6_delay
This variable specifies the DELAY_FIRST_PROBE_TIME timing
constant in IPv6 neighbor discovery specification (RFC
2461), in seconds.
icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to
supply reachability hints, to avoid unnecessary neighbor
discovery exchanges. This variable defines the number of
consecutive hints the neighbor discovery layer will take.
For example, by setting the variable to 3, neighbor
discovery will take a maximum of 3 consecutive hints.
After receiving 3 hints, the neighbor discovery layer
will instead perform the normal neighbor discovery pro-
cess.
icmp6.nd6_mmaxtries
This variable specifies the MAX_MULTICAST_SOLICIT con-
stant in IPv6 neighbor discovery specification (RFC
2461).
icmp6.nd6_prune
This variable specifies the interval between IPv6 neigh-
bor cache babysitting in seconds.
icmp6.nd6_umaxtries
This variable specifies the MAX_UNICAST_SOLICIT constant
in IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_useloopback
If set to non-zero, IPv6 will use the loopback interface
for local traffic.
icmp6.nodeinfo
This variable enables responses to ICMPv6 node informa-
tion queries. If set to 0, responses will not be generat-
ed for ICMPv6 node information queries. Since node infor-
mation queries can have a security impact, it is possible
to fine tune which responses should be answered. Two
separate bits can be set:
1 Respond to ICMPv6 FQDN queries, e.g. ping6 -w.
2 Respond to ICMPv6 node addresses queries, e.g.
ping6 -a.
icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect
packets. Note that IPv6 routers will never accept ICMPv6
redirect packets, so the variable is only meaningful on
IPv6 hosts, not on routers.
icmp6.redirtimeout
The variable specifies the lifetime of routing entries
generated by incoming ICMPv6 redirects.
ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router
advertisement packets and autoconfigures address prefixes
and default routers. The node must be a host (not a
router) for the option to be meaningful (see
ip6.forwarding).
ip6.auto_flowlabel
On connected transport protocol packets, fill the IPv6
flowlabel field to help intermediate routers identify
packet flows.
ip6.dad_count
This variable configures the number of IPv6 DAD
(duplicated address detection) probe packets. These pack-
ets are generated when IPv6 interfaces are first brought
up.
ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet
sourced by the node. This value applies to all the tran-
sport protocols on top of IPv6. Methods for overriding
this value are documented in ip6(4).
ip6.forwarding
Returns 1 when IPv6 forwarding is enabled for the node,
meaning that the node is acting as a router. Returns 0
when IPv6 forwarding is disabled for the node, meaning
that the node is acting as a host. Note that IPv6 defines
node behavior for the "router" and "host" cases quite
differently, and changing this variable during operation
may cause serious trouble. Hence, this variable should
only be set at bootstrap time.
ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incom-
ing IPv6 packets. If set to 0, the node will accept as
many extension headers as possible.
ip6.hlim
The default hop limit value for an IPv6 unicast packet
sourced by the node. This value applies to all the tran-
sport protocols on top of IPv6. Methods for overriding
this value are documented in ip6(4).
ip6.kame_version
This string identifies the version of the KAME IPv6 stack
implemented in the kernel.
ip6.keepfaith
If set to non-zero, enables the "FAITH" TCP relay IPv6-
to-IPv4 translator code in the kernel. Refer to faith(4)
and faithd(8) for more details.
ip6.log_interval
This variable permits adjusting the amount of logs gen-
erated by the IPv6 packet forwarding engine. The value
indicates the number of seconds of interval which must
elapse between log output.
ip6.maxfragpackets
The maximum number of fragmented packets the node will
accept. 0 means that the node will not accept any frag-
mented packets. -1 means that the node will accept as
many fragmented packets as it receives. The flag is pro-
vided basically for avoiding possible DoS attacks.
ip6.maxfrags
The maximum number of fragments the node will accept. 0
means that the node will not accept any fragments. -1
means that the node will accept as many fragments as it
receives. The flag is provided basically for avoiding
possible DoS attacks.
ip6.redirect
Returns 1 when ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP
packets, and should normally be enabled on all systems.
ip6.rr_prune
This variable specifies the interval between IPv6 router
renumbering prefix babysitting in seconds.
ip6.use_deprecated
This variable controls the use of deprecated addresses,
specified in RFC 2462 5.5.4.
ip6.v6only
The variable specifies the initial value for the
IPV6_V6ONLY socket option for an AF_INET6 socket. It is
always 1 for OpenBSD.
We reuse net.inet.tcp and net.inet.udp for TCP/UDP over IPv6.
CTL_USER
The string and integer information available for the CTL_USER level is
detailed below. The changeable column shows whether a process with ap-
propriate privileges may change the value.
Second level name Type Changeable
USER_BC_BASE_MAX integer no
USER_BC_DIM_MAX integer no
USER_BC_SCALE_MAX integer no
USER_BC_STRING_MAX integer no
USER_COLL_WEIGHTS_MAX integer no
USER_CS_PATH string no
USER_EXPR_NEST_MAX integer no
USER_LINE_MAX integer no
USER_POSIX2_C_BIND integer no
USER_POSIX2_C_DEV integer no
USER_POSIX2_CHAR_TERM integer no
USER_POSIX2_FORT_DEV integer no
USER_POSIX2_FORT_RUN integer no
USER_POSIX2_LOCALEDEF integer no
USER_POSIX2_SW_DEV integer no
USER_POSIX2_UPE integer no
USER_POSIX2_VERSION integer no
USER_RE_DUP_MAX integer no
USER_STREAM_MAX integer no
USER_TZNAME_MAX integer no
USER_BC_BASE_MAX
The maximum ibase/obase values in the bc(1) utility.
USER_BC_DIM_MAX
The maximum array size in the bc(1) utility.
USER_BC_SCALE_MAX
The maximum scale value in the bc(1) utility.
USER_BC_STRING_MAX
The maximum string length in the bc(1) utility.
USER_COLL_WEIGHTS_MAX
The maximum number of weights that can be assigned to any entry
of the LC_COLLATE order keyword in the locale definition file.
USER_CS_PATH
Return a value for the PATH environment variable that finds all
the standard utilities.
USER_EXPR_NEST_MAX
The maximum number of expressions that can be nested within
parentheses by the expr(1) utility.
USER_LINE_MAX
The maximum length in bytes of a text-processing utility's input
line.
USER_POSIX2_C_BIND
Return 1 if the system's C-language development facilities sup-
port the C-Language Bindings Option, otherwise 0.
USER_POSIX2_C_DEV
Return 1 if the system supports the C-Language Development Utili-
ties Option, otherwise 0.
USER_POSIX2_CHAR_TERM
Return 1 if the system supports at least one terminal type capa-
ble of all operations described in POSIX 1003.2, otherwise 0.
USER_POSIX2_FORT_DEV
Return 1 if the system supports the FORTRAN Development Utilities
Option, otherwise 0.
USER_POSIX2_FORT_RUN
Return 1 if the system supports the FORTRAN Runtime Utilities Op-
tion, otherwise 0.
USER_POSIX2_LOCALEDEF
Return 1 if the system supports the creation of locales, other-
wise 0.
USER_POSIX2_SW_DEV
Return 1 if the system supports the Software Development Utili-
ties Option, otherwise 0.
USER_POSIX2_UPE
Return 1 if the system supports the User Portability Utilities
Option, otherwise 0.
USER_POSIX2_VERSION
The version of POSIX 1003.2 with which the system attempts to
comply.
USER_RE_DUP_MAX
The maximum number of repeated occurrences of a regular expres-
sion permitted when using interval notation.
USER_STREAM_MAX
The maximum number of streams that a process may have open at any
one time.
USER_TZNAME_MAX
The minimum maximum number of types supported for the name of a
timezone.
CTL_VFS
The string and integer information available for the CTL_VFS level is de-
tailed below. The changeable column shows whether a process with ap-
propriate privileges may change the value.
Second level name Type Changeable
VFS_GENERIC VM generic info no
filesystem # filesystem info no
VFS_GENERIC
This second level identifier requests generic information about
the VFS layer. Within it, the following third level identifiers
exist:
Third level name Type Changeable
VFS_CONF struct vfsconf no
VFS_MAXTYPENUM int no
filesystem #
After finding the filesystem dependent vfc_typenum using
VFS_GENERIC with VFS_CONF, it is possible to access filesystem
dependent information.
Some filesystems may contain settings.
ffs
Third level name Type Changeable
FFS_ASYNCFREE integer yes
FFS_CLUSTERREAD integer yes
FFS_CLUSTERWRITE integer yes
FFS_DIRHASH_DIRSIZE integer yes
FFS_DIRHASH_MAXMEM integer yes
FFS_DIRHASH_MEM integer no
FFS_MAXSOFTDEPS integer yes
FFS_REALLOCBLOCKS integer yes
FFS_SD_BLK_LIMIT_HIT integer yes
FFS_SD_BLK_LIMIT_PUSH integer yes
FFS_SD_DIR_ENTRY integer yes
FFS_SD_DIRECT_BLK_PTRS integer yes
FFS_SD_INDR_BLK_PTRS integer yes
FFS_SD_INO_LIMIT_HIT integer yes
FFS_SD_INO_LIMIT_PUSH integer yes
FFS_SD_INODE_BITMAP integer yes
FFS_SD_SYNC_LIMIT_HIT integer yes
FFS_SD_TICKDELAY integer yes
FFS_SD_WORKLIST_PUSH integer yes
FFS_CLUSTERREAD
Enable combining multiple reads into one request to
improve performance.
FFS_CLUSTERWRITE
Enable combining multiple writes into one request.
FFS_DIRHASH_DIRSIZE
The minimum size of a directory, in bytes, before it
is considered for hashing.
FFS_DIRHASH_MAXMEM
The maximum amount of memory, in bytes, to be used
for storing directory hashes.
FFS_DIRHASH_MEM
The amount of memory currently used by all directory
hashes.
FFS_REALLOCBLOCKS
When enabled, the kernel will attempt to relocate
growing files so that they are contiguous on disk,
reducing fragmentation.
nfs
Third level name Type Changeable
NFS_NFSSTATS struct nfsstats yes
NFS_NIOTHREADS int yes
CTL_VM
The string and integer information available for the CTL_VM level is de-
tailed below. The changeable column shows whether a process with ap-
propriate privileges may change the value.
Second level name Type Changeable
VM_ANONMIN integer yes
VM_LOADAVG struct loadavg no
VM_MAXSLP integer no
VM_METER struct vmtotal no
VM_NKMEMPAGES integer no
VM_PSSTRINGS struct psstrings no
VM_SWAPENCRYPT swap encrypt values yes
VM_USPACE integer no
VM_UVMEXP struct uvmexp no
VM_VNODEMIN integer yes
VM_VTEXTMIN integer yes
VM_ANONMIN
Percentage of physical memory available for pages which contain
anonymous mapping.
VM_LOADAVG
Return the load average history. The returned data consists of a
struct loadavg.
VM_MAXSLP
The time for a process to be blocked before being swappable, in
seconds.
VM_METER
Return the system wide virtual memory statistics. The returned
data consists of a struct vmtotal.
VM_NKMEMPAGES
Number of pages in kmem_map.
VM_PSSTRINGS
Returns the address of the process struct ps_strings. The ps(1)
program uses it to locate the argument and environment strings.
VM_SWAPENCRYPT
Contains statistics about swap encryption. The string and integer
information available for the third level is detailed below.
Third level name Type Changeable
SWPENC_CREATED integer no
SWPENC_DELETED integer no
SWPENC_ENABLE integer yes
SWPENC_CREATED
The number of encryption keys that have been randomly
created. The swap partition is divided into sections of
normally 512KB. Each section has its own encryption key.
SWPENC_DELETED
The number of encryption keys that have been deleted,
thus effectively erasing the data that has been encrypted
with them. Encryption keys are deleted when their refer-
ence counter reaches zero.
SWPENC_ENABLE
Set to 1 to enable swap encryption for all processes. A 0
disables swap encryption. Pages still on swap receive a
grandfather clause. Turning this option on does not af-
fect legacy swap data already on the disk, but all newly
written data will be encrypted. When swap encryption is
turned on, automatic crash(8) dumps are disabled.
VM_USPACE
The number of bytes allocated for each kernel stack.
VM_UVMEXP
Contains statistics about the UVM memory management system.
VM_VNODEMIN
Percentage of physical memory available for pages which contain
cached file data.
VM_VTEXTMIN
Percentage of physical memory available for pages which contain
cached executable data.
RETURN VALUES
If the call to sysctl() is unsuccessful, -1 is returned and errno is set
appropriately.
FILES
<sys/sysctl.h> definitions for top level identifiers, second
level kernel and hardware identifiers, and user
level identifiers
<sys/socket.h> definitions for second level network identif-
iers
<ufs/ffs/ffs_extern.h> definitions for third level virtual file system
identifiers (ffs)
<nfs/nfs.h> definitions for third level virtual file system
identifiers (nfs)
<uvm/uvm_param.h> definitions for second level virtual memory
identifiers
<uvm/uvm_swap_encrypt.h> definitions for third level virtual memory
identifiers
<netinet/in.h> definitions for third level IPv4/v6 identifiers
and fourth level IP and IPv6 identifiers
<netinet/icmp_var.h> definitions for fourth level ICMP identifiers
<netinet/icmp6.h> definitions for fourth level ICMPv6 identifiers
<netinet/tcp_var.h> definitions for fourth level TCP identifiers
<netinet/udp_var.h> definitions for fourth level UDP identifiers
ERRORS
The following errors may be reported:
[EFAULT] The buffer name, oldp, newp, or length pointer oldlenp con-
tains an invalid address.
[EINVAL] The name array is less than two or greater than
CTL_MAXNAME.
[EINVAL] A non-null newp pointer is given and its specified length
in newlen is too large or too small.
[ENOMEM] The length pointed to by oldlenp is too short to hold the
requested value.
[ENOTDIR] The name array specifies an intermediate rather than termi-
nal name.
[EOPNOTSUPP] The name array specifies a value that is unknown.
[EPERM] An attempt is made to set a read-only value.
[EPERM] A process without appropriate privileges attempts to set a
value.
[EPERM] An attempt to change a value protected by the current ker-
nel security level is made.
SEE ALSOpathconf(2), sysconf(3), ddb(4), sysctl.conf(5), securelevel(7),
compat_linux(8), compat_openbsd(8), sysctl(8)HISTORY
The sysctl() function first appeared in 4.4BSD.
MirOS BSD #10-current September 12, 2010 27
