NetBSD 6.1.5 - man page for sysctl (netbsd section 7)

SYSCTL(7)		       BSD Miscellaneous Information Manual			SYSCTL(7)

NAME
     sysctl -- system information variables

DESCRIPTION
     The sysctl(3) library function and the sysctl(8) utility are used to get and set values of
     system variables, maintained by the kernel.  The variables are organized in a tree and iden-
     tified by a sequence of numbers, conventionally separated by dots with the topmost identi-
     fier at the left side.  The numbers have corresponding text names.  The sysctlnametomib(3)
     function or the -M argument to the sysctl(8) utility can be used to convert the text repre-
     sentation to the numeric one.

     The individual sysctl variables are described below, both the textual and numeric form where
     applicable.  The textual names can be used as argument to the sysctl(8) utility and in the
     file /etc/sysctl.conf.  The numeric names are usually defined as preprocessor constants and
     are intended for use by programs.	Every such constant expands to one integer, which identi-
     fies the sysctl variable relative to the upper level of the tree.	See the sysctl(3) manual
     page for programming examples.

   Top level names
     The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and are as follows.
     The next and subsequent levels down are found in the include files listed here, and
     described in separate sections below.

     Name	 Constant	 Next level names     Description
     kern	 CTL_KERN	 <sys/sysctl.h>       High kernel limits
     vm 	 CTL_VM 	 <uvm/uvm_param.h>    Virtual memory
     vfs	 CTL_VFS	 <sys/mount.h>	      Filesystem
     net	 CTL_NET	 <sys/socket.h>       Networking
     debug	 CTL_DEBUG	 <sys/sysctl.h>       Debugging
     hw 	 CTL_HW 	 <sys/sysctl.h>       Generic CPU, I/O
     machdep	 CTL_MACHDEP	 <sys/sysctl.h>       Machine dependent
     user	 CTL_USER	 <sys/sysctl.h>       User-level
     ddb	 CTL_DDB	 <sys/sysctl.h>       In-kernel debugger
     proc	 CTL_PROC	 <sys/sysctl.h>       Per-process
     vendor	 CTL_VENDOR	 ?		      Vendor specific
     emul	 CTL_EMUL	 <sys/sysctl.h>       Emulation settings
     security	 CTL_SECURITY	 <sys/sysctl.h>       Security settings

   The debug.* subtree
     The debugging variables vary from system to system.  A debugging variable may be added or
     deleted without need to recompile sysctl to know about it.  Each time it runs, sysctl gets
     the list of debugging variables from the kernel and displays their current values.  The sys-
     tem defines twenty (struct ctldebug) variables named debug0 through debug19.  They are
     declared as separate variables so that they can be individually initialized at the location
     of their associated variable.  The loader prevents multiple use of the same variable by
     issuing errors if a variable is initialized in more than one place.  For example, to export
     the variable dospecialcheck as a debugging variable, the following declaration would be
     used:

	   int dospecialcheck = 1;
	   struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };

     Note that the dynamic implementation of sysctl currently in use largely makes this particu-
     lar sysctl interface obsolete.  See sysctl(8) for more information.

   The vfs.* subtree
     A distinguished second level name, vfs.generic (VFS_GENERIC), is used to get general infor-
     mation about all file systems.  It has the following third level identifiers:

     vfs.generic.maxtypenum (VFS_MAXTYPENUM)
	     The highest valid file system type number.

     vfs.generic.conf (VFS_CONF)
	     Returns configuration information about the file system type given as a fourth level
	     identifier.

     vfs.generic.usermount (VFS_USERMOUNT)
	     Determines whether non-superuser mounts are allowed.  Defaults to 0.

     vfs.generic.magiclinks (VFS_MAGICLINKS)
	     Controls whether variable expansion is performed on pathnames.  Defaults to 0 (no
	     variable expansion).  Variables are of the form @name and the variables supported
	     are described in symlink(7) under ``MAGIC SYMLINKS''.

     A second level name, vfs.wapbl, controls the wapbl(4) (Write Ahead Physical Block Logging
     file system journalling) capabilities.  It has the following third level identifiers:

     vfs.wapbl.flush_disk_cache
	     Controls whether to attempt to flush the disk cache on each commit.  It defaults to
	     1 and it should always be on to ensure data integrity in case of a crash.	For slow
	     disks, turning it off can improve performance.

     vfs.wapbl.verbose_commit
	     For each transaction log commit, print the number of bytes written and the time it
	     took to commit as seconds.nanoseconds.

     The remaining second level identifiers are the file system names, identified by the type
     number returned by a statvfs(2) call or from vfs.generic.conf.

     The third level identifiers available for each file system are given in the header file that
     defines the mount argument structure for that file system.
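
     An added example, not part of the original manual page: a POSIX sh check that compares the
     vfs.* settings above against the defaults this page documents (usermount 0, magiclinks 0,
     flush_disk_cache 1).  The function names, the report format and the sample input are
     constructed for illustration; input is assumed to be "name = value" lines as printed by
     sysctl(8) or "name=value" lines as written in /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: flag vfs.* settings that differ from the defaults documented
# in this manual page. Baseline entries are "name=expected", space separated.
VFS_BASELINE='vfs.generic.usermount=0 vfs.generic.magiclinks=0 vfs.wapbl.flush_disk_cache=1'

# audit_vfs_sysctl: read settings on stdin, print one finding per line.
# Exit status 0 = input matches the baseline, 1 = at least one finding.
audit_vfs_sysctl() {
    awk -v baseline="$VFS_BASELINE" '
    BEGIN {
        n = split(baseline, rows, " ")
        for (i = 1; i <= n; i++) {
            split(rows[i], kv, "=")
            want[kv[1]] = kv[2]
            order[i] = kv[1]
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comment and blank lines
    {
        line = $0
        sub(/#.*/, "", line)                 # tolerate a trailing comment
        eq = index(line, "=")
        if (eq == 0) next                    # not an assignment
        name = substr(line, 1, eq - 1)
        val  = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (name in want) seen[name] = val   # a later assignment overrides
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in seen)) {
                printf "MISSING %s (expected %s)\n", k, want[k]
                bad = 1
            } else if (seen[k] != want[k]) {
                printf "DRIFT %s expected=%s actual=%s\n", k, want[k], seen[k]
                bad = 1
            }
        }
        exit bad
    }'
}

# Constructed sample input in sysctl(8) output style; not captured from a
# real host.
sample_sysctl_output() {
    cat <<'EOF'
vfs.generic.maxtypenum = 1
vfs.generic.usermount = 1
vfs.generic.magiclinks = 0
vfs.wapbl.flush_disk_cache = 0
vfs.wapbl.verbose_commit = 0
EOF
}

# Demo run on the constructed sample; reports usermount and flush_disk_cache.
sample_sysctl_output | audit_vfs_sysctl || true
```

     On a live system the same function can be fed from the sysctl(8) utility or from
     /etc/sysctl.conf; a MISSING line only means the name did not appear in the input.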

   The hw.* subtree
     The string and integer information available for the hw level is detailed below.  The
     changeable column shows whether a process with appropriate privilege may change the value.

	   Second level name  Type	 Changeable
	   hw.alignbytes      integer	 no
	   hw.byteorder       integer	 no
	   hw.cnmagic	      string	 yes
	   hw.disknames       string	 no
	   hw.diskstats       struct	 no
	   hw.machine	      string	 no
	   hw.machine_arch    string	 no
	   hw.model	      string	 no
	   hw.ncpu	      integer	 no
	   hw.pagesize	      integer	 no
	   hw.physmem	      integer	 no
	   hw.physmem64       quad	 no
	   hw.usermem	      integer	 no
	   hw.usermem64       quad	 no

     hw.alignbytes (HW_ALIGNBYTES)
	     Alignment constraint for all possible data types.	This shows the value ALIGNBYTES
	     in <machine/param.h>, at the kernel compilation time.

     hw.byteorder (HW_BYTEORDER)
	     The byteorder (4321, or 1234).

     hw.cnmagic (HW_CNMAGIC)
	     The console magic key sequence.

     hw.disknames (HW_DISKNAMES)
	     The list of (space separated) disk device names on the system.

     hw.iostatnames (HW_IOSTATNAMES)
	     A space separated list of devices that will have I/O statistics collected on them.

     hw.iostats (HW_IOSTATS)
	     Return statistical information on the NFS mounts, disk and tape devices on the sys-
	     tem.  An array of struct io_sysctl structures is returned, whose size depends on the
	     current number of such objects in the system.  The third level name is the size of
	     the struct io_sysctl.  The type of object can be determined by examining the type
	     element of struct io_sysctl, which can be IOSTAT_DISK (disk drive), IOSTAT_TAPE
	     (tape drive), or IOSTAT_NFS (NFS mount).

     hw.machine (HW_MACHINE)
	     The machine class.

     hw.machine_arch (HW_MACHINE_ARCH)
	     The machine CPU class.

     hw.model (HW_MODEL)
	     The machine model.

     hw.ncpu (HW_NCPU)
	     The number of CPUs.

     hw.pagesize (HW_PAGESIZE)
	     The software page size.

     hw.physmem (HW_PHYSMEM)
	     The bytes of physical memory as a 32-bit integer.

     hw.physmem64 (HW_PHYSMEM64)
	     The bytes of physical memory as a 64-bit integer.

     hw.usermem (HW_USERMEM)
	     The bytes of non-kernel memory as a 32-bit integer.

     hw.usermem64 (HW_USERMEM64)
	     The bytes of non-kernel memory as a 64-bit integer.

   The kern.* subtree
     This subtree includes data generally related to the kernel.  The string and integer informa-
     tion available for the kern level is detailed below.  The changeable column shows whether a
     process with appropriate privilege may change the value.

     Second level name		       Type		       Changeable
     kern.aio_listio_max	       integer		       yes
     kern.aio_max		       integer		       yes
     kern.arandom		       integer		       no
     kern.argmax		       integer		       no
     kern.boothowto		       integer		       no
     kern.boottime		       struct timeval	       no
     kern.ccpu			       integer		       no
     kern.clockrate		       struct clockinfo        no
     kern.consdev		       integer		       no
     kern.coredump		       node		       not applicable
     kern.cp_id 		       struct		       no
     kern.cp_time		       uint64_t[]	       no
     kern.cryptodevallowsoft	       integer		       yes
     kern.defcorename		       string		       yes
     kern.detachall		       integer		       yes
     kern.domainname		       string		       yes
     kern.drivers		       struct kinfo_drivers    no
     kern.dump_on_panic 	       integer		       yes
     kern.file			       struct file	       no
     kern.forkfsleep		       integer		       yes
     kern.fscale		       integer		       no
     kern.fsync 		       integer		       no
     kern.hardclock_ticks	       integer		       no
     kern.hostid		       integer		       yes
     kern.hostname		       string		       yes
     kern.iov_max		       integer		       no
     kern.ipc			       node		       not applicable
     kern.job_control		       integer		       no
     kern.labeloffset		       integer		       no
     kern.labelsector		       integer		       no
     kern.login_name_max	       integer		       no
     kern.logsigexit		       integer		       yes
     kern.mapped_files		       integer		       no
     kern.maxfiles		       integer		       yes
     kern.maxpartitions 	       integer		       no
     kern.maxphys		       integer		       no
     kern.maxproc		       integer		       yes
     kern.maxptys		       integer		       yes
     kern.maxvnodes		       integer		       yes
     kern.mbuf			       node		       not applicable
     kern.memlock		       integer		       no
     kern.memlock_range 	       integer		       no
     kern.memory_protection	       integer		       no
     kern.module		       node		       not applicable
     kern.monotonic_clock	       integer		       no
     kern.mqueue		       node		       not applicable
     kern.msgbuf		       integer		       no
     kern.msgbufsize		       integer		       no
     kern.ngroups		       integer		       no
     kern.ntptime		       struct ntptimeval       no
     kern.osrelease		       string		       no
     kern.osrevision		       integer		       no
     kern.ostype		       string		       no
     kern.pipe			       node		       not applicable
     kern.posix1version 	       integer		       no
     kern.posix_aio		       integer		       no
     kern.posix_barriers	       integer		       no
     kern.posix_reader_writer_locks    integer		       no
     kern.posix_semaphores	       integer		       no
     kern.posix_spin_locks	       integer		       no
     kern.posix_threads 	       integer		       no
     kern.posix_timers		       integer		       no
     kern.proc			       struct kinfo_proc       no
     kern.proc2 		       struct kinfo_proc2      no
     kern.proc_args		       string		       no
     kern.profiling		       node		       not applicable
     kern.rawpartition		       integer		       no
     kern.root_device		       string		       no
     kern.root_partition	       integer		       no
     kern.rtc_offset		       integer		       yes
     kern.saved_ids		       integer		       no
     kern.sbmax 		       integer		       yes
     kern.securelevel		       integer		       raise only
     kern.somaxkva		       integer		       yes
     kern.synchronized_io	       integer		       no
     kern.timecounter		       node		       not applicable
     kern.timex 		       struct		       no
     kern.tkstat		       node		       not applicable
     kern.tty			       node		       not applicable
     kern.urandom		       integer		       no
     kern.usercrypto		       integer		       yes
     kern.userasymcrypto	       integer		       yes
     kern.veriexec		       node		       not applicable
     kern.version		       string		       no
     kern.vnode 		       struct vnode	       no

     kern.aio_listio_max
	     The maximum number of asynchronous I/O operations in a single list I/O call.  As
	     with all variables related to aio(3), the variable may be created and removed
	     dynamically upon loading or unloading the corresponding kernel module.

     kern.aio_max
	     The maximum number of asynchronous I/O operations.

     kern.arandom
	     This variable picks a random number each time it is queried.  The random number
	     generator (RNG) used is based on arc4random(3).

     kern.argmax (KERN_ARGMAX)
	     The maximum bytes of argument to execve(2).

     kern.boothowto
	     Flags passed from the boot loader; see reboot(2) for the meanings of the flags.

     kern.boottime (KERN_BOOTTIME)
	     A struct timeval structure is returned.  This structure contains the time that the
	     system was booted.

     kern.ccpu (KERN_CCPU)
	     The scheduler exponential decay value.

     kern.clockrate (KERN_CLOCKRATE)
	     A struct clockinfo structure is returned.	This structure contains the clock, sta-
	     tistics clock and profiling clock frequencies, the number of micro-seconds per hz
	     tick, and the clock skew rate.  Refer to hz(9) for additional details.

     kern.consdev (KERN_CONSDEV)
	     Console device.

     kern.coredump
	     Settings related to coredumps of set-id processes.  By default, set-id processes do
	     not dump core in situations where other processes would.  The settings in this node
	     allow an administrator to change this behavior.

	     The third level name is kern.coredump.setid and fourth level variables are described
	     below.

		   Fourth level name		Type	   Changeable
		   kern.coredump.setid.dump	integer    yes
		   kern.coredump.setid.group	integer    yes
		   kern.coredump.setid.mode	integer    yes
		   kern.coredump.setid.owner	integer    yes
		   kern.coredump.setid.path	string	   yes

	     kern.coredump.setid.dump
		     If non-zero, set-id processes will dump core.

	     kern.coredump.setid.group
		     The group-id for the set-id processes' coredump.

	     kern.coredump.setid.mode
		     The mode for the set-id processes' coredump.  See chmod(1).

	     kern.coredump.setid.owner
		     The user-id that will be used as the owner of the set-id processes' core-
		     dump.

	     kern.coredump.setid.path
		     The path to which set-id processes' coredumps will be saved.  Same syntax
		     as kern.defcorename.

     kern.cp_id (KERN_CP_ID)
	     Mapping of CPU number to CPU id.

     kern.cp_time (KERN_CP_TIME)
	     Returns an array of CPUSTATES uint64_ts. This array contains the number of clock
	     ticks spent in different CPU states.  On multi-processor systems, the sum across all
	     CPUs is returned unless appropriate space is given for one data set for each CPU.
	     Data for a specific CPU can also be obtained by adding the number of the CPU at the
	     end of the MIB, enlarging it by one.

     kern.cryptodevallowsoft
	     This variable controls userland access to hardware versus software transforms in the
	     crypto(4) system.	The available values are as follows:

		   < 0	Always force userlevel requests to use software transforms.

		   = 0	If present, use hardware and grant userlevel requests for non-accelerated
			transforms (handling the latter in software).

		   > 0	Allow user requests only for transforms which are hardware-accelerated.

     kern.defcorename (KERN_DEFCORENAME)
	     Default template for the name of core dump files (see also proc.pid.corename in the
	     per-process variables proc.*, and core(5) for format of this template).  The default
	     value is %n.core and can be changed with the kernel configuration option options
	     DEFCORENAME (see options(4) ).

     kern.detachall
	     Detach all devices at shutdown.

     kern.domainname (KERN_DOMAINNAME)
	     Get or set the YP domain name.

     kern.drivers (KERN_DRIVERS)
	     Return an array of struct kinfo_drivers that contains the name and major device num-
	     bers of all the device drivers in the current kernel.  The d_name field is always a
	     NUL terminated string.  The d_bmajor field will be set to -1 if the driver doesn't
	     have a block device.

     kern.dump_on_panic (KERN_DUMP_ON_PANIC)
	     Perform a crash dump on system panic(9).

     kern.file (KERN_FILE)
	     Return the entire file table.  The returned data consists of a single struct
	     filelist followed by an array of struct file, whose size depends on the current num-
	     ber of such objects in the system.

     kern.forkfsleep (KERN_FORKFSLEEP)
	     If the fork(2) system call fails due to the limit on the number of processes (either
	     the global maxproc limit or the user's one), wait for this many milliseconds before
	     returning the EAGAIN error to the process.  Useful to keep heavily forking runaway
	     processes at bay.  Default zero (no sleep).  Maximum is 20 seconds.

     kern.fscale (KERN_FSCALE)
	     The kernel fixed-point scale factor.

     kern.fsync (KERN_FSYNC)
	     Return 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') File Synchronization Option is
	     available on this system, otherwise 0.

     kern.hardclock_ticks (KERN_HARDCLOCK_TICKS)
	     Returns the number of hardclock(9) ticks.

     kern.hostid (KERN_HOSTID)
	     Get or set the host identifier.  This is aimed to replace the legacy gethostid(3)
	     and sethostid(3) system calls.

     kern.hostname (KERN_HOSTNAME)
	     Get or set the hostname(1).

     kern.iov_max (KERN_IOV_MAX)
	     Return the maximum number of iovec structures that a process has available for use
	     with preadv(2), pwritev(2), readv(2), recvmsg(2), sendmsg(2) and writev(2).

     kern.ipc (KERN_SYSVIPC)
	     Return information about the SysV IPC parameters.	The third level names for the ipc
	     variables are detailed below.

		   Third level name	    Type       Changeable
		   kern.ipc.sysvmsg	    integer    no
		   kern.ipc.sysvsem	    integer    no
		   kern.ipc.sysvshm	    integer    no
		   kern.ipc.sysvipc_info    struct     no
		   kern.ipc.shmmax	    integer    yes
		   kern.ipc.shmmni	    integer    yes
		   kern.ipc.shmseg	    integer    yes
		   kern.ipc.shmmaxpgs	    integer    yes
		   kern.ipc.shm_use_phys    integer    yes
		   kern.ipc.msgmni	    integer    yes
		   kern.ipc.msgseg	    integer    yes
		   kern.ipc.semmni	    integer    yes
		   kern.ipc.semmns	    integer    yes
		   kern.ipc.semmnu	    integer    yes

	     kern.ipc.sysvmsg (KERN_SYSVIPC_MSG)
		     Returns 1 if System V style message queue functionality is available on this
		     system, otherwise 0.

	     kern.ipc.sysvsem (KERN_SYSVIPC_SEM)
		     Returns 1 if System V style semaphore functionality is available on this
		     system, otherwise 0.

	     kern.ipc.sysvshm (KERN_SYSVIPC_SHM)
		     Returns 1 if System V style shared memory functionality is available on this
		     system, otherwise 0.

	     kern.ipc.sysvipc_info (KERN_SYSVIPC_INFO)
		     Return System V style IPC configuration and run-time information.	The
		     fourth level name selects the System V style IPC facility.

			   Fourth level name	    Type
			   KERN_SYSVIPC_MSG_INFO    struct msg_sysctl_info
			   KERN_SYSVIPC_SEM_INFO    struct sem_sysctl_info
			   KERN_SYSVIPC_SHM_INFO    struct shm_sysctl_info

		     KERN_SYSVIPC_MSG_INFO
			     Return information on the System V style message facility.  The
			     msg_sysctl_info structure is defined in <sys/msg.h>.

		     KERN_SYSVIPC_SEM_INFO
			     Return information on the System V style semaphore facility.  The
			     sem_sysctl_info structure is defined in <sys/sem.h>.

		     KERN_SYSVIPC_SHM_INFO
			     Return information on the System V style shared memory facility.
			     The shm_sysctl_info structure is defined in <sys/shm.h>.

	     kern.ipc.shmmax (KERN_SYSVIPC_SHMMAX)
		     Max shared memory segment size in bytes.

	     kern.ipc.shmmni (KERN_SYSVIPC_SHMMNI)
		     Max number of shared memory identifiers.

	     kern.ipc.shmseg (KERN_SYSVIPC_SHMSEG)
		     Max shared memory segments per process.

	     kern.ipc.shmmaxpgs (KERN_SYSVIPC_SHMMAXPGS)
		     Max amount of shared memory in pages.

	     kern.ipc.shm_use_phys (KERN_SYSVIPC_SHMUSEPHYS)
		     Locking of shared memory in physical memory.  If 0, memory can be swapped
		     out, otherwise it will be locked in physical memory.

	     kern.ipc.msgmni
		     Max number of message queue identifiers.

	     kern.ipc.msgseg
		     Max number of message segments.

	     kern.ipc.semmni
		     Max number of semaphore identifiers.

	     kern.ipc.semmns
		     Max number of semaphores in system.

	     kern.ipc.semmnu
		     Max number of undo structures in system.

     kern.job_control (KERN_JOB_CONTROL)
	     Return 1 if job control is available on this system, otherwise 0.

     kern.labeloffset (KERN_LABELOFFSET)
	     The offset within the sector specified by KERN_LABELSECTOR of the disklabel(5).

     kern.labelsector (KERN_LABELSECTOR)
	     The sector number containing the disklabel(5).

     kern.login_name_max (KERN_LOGIN_NAME_MAX)
	     The size of the storage required for a login name, in bytes, including the terminat-
	     ing NUL.

     kern.logsigexit (KERN_LOGSIGEXIT)
	     If this flag is non-zero, the kernel will log(9) all process exits due to signals
	     which create a core(5) file, and whether the coredump was created.

     kern.mapped_files (KERN_MAPPED_FILES)
	     Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Memory Mapped Files Option is
	     available on this system, otherwise 0.

     kern.maxfiles (KERN_MAXFILES)
	     The maximum number of files that may be open in the system.

     kern.maxpartitions (KERN_MAXPARTITIONS)
	     The maximum number of partitions allowed per disk.

     kern.maxphys (KERN_MAXPHYS)
	     Maximum raw I/O transfer size.

     kern.maxproc (KERN_MAXPROC)
	     The maximum number of simultaneous processes the system will allow.

     kern.maxptys (KERN_MAXPTYS)
	     The maximum number of pseudo terminals.  This value can be both raised and lowered,
	     though it cannot be set lower than number of currently used ptys.	See also pty(4).

     kern.maxvnodes (KERN_MAXVNODES)
	     The maximum number of vnodes available on the system.  This can only be raised.

     kern.mbuf (KERN_MBUF)
	     Return information about the mbuf control variables.  Mbufs are data structures
	     which store network packets and other data structures in the networking code, see
	     mbuf(9).  The third level names for the mbuf variables are detailed below.  The
	     changeable column shows whether a process with appropriate privilege may change the
	     value.

		   Third level name	    Type       Changeable
		   kern.mbuf.mblowat	    integer    yes
		   kern.mbuf.mclbytes	    integer    yes
		   kern.mbuf.mcllowat	    integer    yes
		   kern.mbuf.msize	    integer    yes
		   kern.mbuf.nmbclusters    integer    yes

	     The variables are as follows:

	     kern.mbuf.mblowat (MBUF_MBLOWAT)
		     The mbuf low water mark.

	     kern.mbuf.mclbytes (MBUF_MCLBYTES)
		     The mbuf cluster size.

	     kern.mbuf.mcllowat (MBUF_MCLLOWAT)
		     The mbuf cluster low water mark.

	     kern.mbuf.msize (MBUF_MSIZE)
		     The mbuf base size.

	     kern.mbuf.nmbclusters (MBUF_NMBCLUSTERS)
		     The limit on the number of mbuf clusters.	The variable can only be
		     increased, and only increased on machines with direct-mapped pool pages.

     kern.memlock (KERN_MEMLOCK)
	     Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Process Memory Locking Option
	     is available on this system, otherwise 0.

     kern.memlock_range (KERN_MEMLOCK_RANGE)
	     Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Range Memory Locking Option is
	     available on this system, otherwise 0.

     kern.memory_protection (KERN_MEMORY_PROTECTION)
	     Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Memory Protection Option is
	     available on this system, otherwise 0.

     kern.module
	     Settings related to kernel modules.  The third level names for the settings are
	     described below.

		   Third level name	   Type       Changeable
		   kern.module.autoload    integer    yes
		   kern.module.verbose	   integer    yes

	     The variables are as follows:

	     kern.module.autoload
		     A boolean that controls whether kernel modules are loaded automatically.
		     See module(7) for additional details.

	     kern.module.verbose
		     A boolean that enables or disables verbose debug messages related to kernel
		     modules.

     kern.monotonic_clock (KERN_MONOTONIC_CLOCK)
	     Returns the version of the standard to which the implementation of the IEEE Std
	     1003.1b-1993 (``POSIX.1'') Monotonic Clock Option conforms, otherwise 0.

     kern.mqueue
	     Settings related to POSIX message queues; see mqueue(3).  This node is created
	     dynamically when the corresponding kernel module is loaded.  The third level names
	     for the settings are described below.

		   Third level name		 Type	    Changeable
		   kern.mqueue.mq_open_max	 integer    yes
		   kern.mqueue.mq_prio_max	 integer    yes
		   kern.mqueue.mq_max_msgsize	 integer    yes
		   kern.mqueue.mq_def_maxmsg	 integer    yes
		   kern.mqueue.mq_max_maxmsg	 integer    yes

	     The variables are:

	     kern.mqueue.mq_open_max
		     The maximum number of message queue descriptors any single process can open.

	     kern.mqueue.mq_prio_max
		     The maximum priority of a message.

	     kern.mqueue.mq_max_msgsize
		     The maximum size of a message in a message queue.

	     kern.mqueue.mq_def_maxmsg
		     The default maximum message count.

	     kern.mqueue.mq_max_maxmsg
		     The maximum number of messages in a message queue.

     kern.msgbuf (KERN_MSGBUF)
	     The kernel message buffer, rotated so that the head of the circular kernel message
	     buffer is at the start of the returned data.  The returned data may contain NUL
	     bytes.

     kern.msgbufsize (KERN_MSGBUFSIZE)
	     The maximum number of characters that the kernel message buffer can hold.

     kern.ngroups (KERN_NGROUPS)
	     The maximum number of supplemental groups.

     kern.ntptime (KERN_NTPTIME)
	     A struct ntptimeval structure is returned.  This structure contains data used by the
	     ntpd(8) program.

     kern.osrelease (KERN_OSRELEASE)
	     The system release string.

     kern.osrevision (KERN_OSREV)
	     The system revision string.

     kern.ostype (KERN_OSTYPE)
	     The system type string.

     kern.pipe (KERN_PIPE)
	     Pipe settings.  The third level names for the integer pipe settings are detailed
	     below.  The changeable column shows whether a process with appropriate privilege may
	     change the value.

		   Third level name	    Type       Changeable
		   kern.pipe.kvasiz	    integer    yes
		   kern.pipe.maxbigpipes    integer    yes
		   kern.pipe.maxkvasz	    integer    yes
		   kern.pipe.limitkva	    integer    yes
		   kern.pipe.nbigpipes	    integer    yes

	     The variables are as follows:

	     kern.pipe.kvasiz (KERN_PIPE_KVASIZ)
		     Amount of kernel memory consumed by pipe buffers.

	     kern.pipe.maxbigpipes (KERN_PIPE_MAXBIGPIPES)
		     Maximum number of ``big'' pipes.

	     kern.pipe.maxkvasz (KERN_PIPE_MAXKVASZ)
		     Maximum amount of kernel memory to be used for pipes.

	     kern.pipe.limitkva (KERN_PIPE_LIMITKVA)
		     Limit for direct transfers via page loan.

	     kern.pipe.nbigpipes (KERN_PIPE_NBIGPIPES)
		     Number of ``big'' pipes.

     kern.posix1version (KERN_POSIX1)
	     The version of ISO/IEC 9945 (IEEE Std 1003.1 (``POSIX.1'')) with which the system
	     attempts to comply.

     kern.posix_aio
	     The version of IEEE Std 1003.1 (``POSIX.1'') and its Asynchronous I/O option to
	     which the system attempts to conform.

     kern.posix_barriers (KERN_POSIX_BARRIERS)
	     The version of IEEE Std 1003.1 (``POSIX.1'') and its Barriers option to which the
	     system attempts to conform, otherwise 0.

     kern.posix_reader_writer_locks (KERN_POSIX_READER_WRITER_LOCKS)
	     The version of IEEE Std 1003.1 (``POSIX.1'') and its Read-Write Locks option to
	     which the system attempts to conform, otherwise 0.

     kern.posix_semaphores (KERN_POSIX_SEMAPHORES)
	     The version of IEEE Std 1003.1 (``POSIX.1'') and its Semaphores option to which the
	     system attempts to conform, otherwise 0.

     kern.posix_spin_locks (KERN_POSIX_SPIN_LOCKS)
	     The version of IEEE Std 1003.1 (``POSIX.1'') and its Spin Locks option to which the
	     system attempts to conform, otherwise 0.

     kern.posix_threads (KERN_POSIX_THREADS)
	     The version of IEEE Std 1003.1 (``POSIX.1'') and its Threads option to which the
	     system attempts to conform, otherwise 0.

     kern.posix_timers (KERN_POSIX_TIMERS)
	     The version of IEEE Std 1003.1 (``POSIX.1'') and its Timers option to which the sys-
	     tem attempts to conform, otherwise 0.

     kern.proc (KERN_PROC)
	     Return the entire process table, or a subset of it.  An array of struct kinfo_proc
	     structures is returned, whose size depends on the current number of such objects in
	     the system.  The third and fourth level numeric names are as follows:

		   Third level name	Fourth level is:
		   KERN_PROC_ALL	None
		   KERN_PROC_GID	A group ID
		   KERN_PROC_PID	A process ID
		   KERN_PROC_PGRP	A process group
		   KERN_PROC_RGID	A real group ID
		   KERN_PROC_RUID	A real user ID
		   KERN_PROC_SESSION	A session ID
		   KERN_PROC_TTY	A tty device
		   KERN_PROC_UID	A user ID

     kern.proc2 (KERN_PROC2)
	     As for KERN_PROC, but an array of struct kinfo_proc2 structures is returned.  The
	     fifth level name is the size of the struct kinfo_proc2 and the sixth level name is
	     the number of structures to return.

     kern.proc_args (KERN_PROC_ARGS)
	     Return the argv or environment strings (or the number thereof) of a process.  Multi-
	     ple strings are returned separated by NUL characters.  The third level name is the
	     process ID.  The fourth level name is as follows:

		   KERN_PROC_ARGV     The argv strings
		   KERN_PROC_ENV      The environ strings
		   KERN_PROC_NARGV    The number of argv strings
		   KERN_PROC_NENV     The number of environ strings

     kern.profiling (KERN_PROF)
	     Return profiling information about the kernel.  If the kernel is not compiled for
	     profiling, attempts to retrieve any of the KERN_PROF values will fail with
	     EOPNOTSUPP.  The third level names for the string and integer profiling information
	     are detailed below.  The changeable column shows whether a process with appropriate
	     privilege may change the value.

		   Third level name	       Type		   Changeable
		   kern.profiling.count        u_short[]	   yes
		   kern.profiling.froms        u_short[]	   yes
		   kern.profiling.gmonparam    struct gmonparam    no
		   kern.profiling.state        integer		   yes
		   kern.profiling.tos	       struct tostruct	   yes

	     The variables are as follows:

	     kern.profiling.count (GPROF_COUNT)
		     Array of statistical program counter counts.

	     kern.profiling.froms (GPROF_FROMS)
		     Array indexed by program counter of call-from points.

	     kern.profiling.gmonparam (GPROF_GMONPARAM)
		     Structure giving the sizes of the above arrays.

	     kern.profiling.state (GPROF_STATE)
		     Profiling state.  If set to GMON_PROF_ON, starts profiling.  If set to
		     GMON_PROF_OFF, stops profiling.

	     kern.profiling.tos (GPROF_TOS)
		     Array of struct tostruct describing destination of calls and their counts.

     kern.rawpartition (KERN_RAWPARTITION)
	     The raw partition of a disk (a == 0).

     kern.root_device (KERN_ROOT_DEVICE)
	     The name of the root device (e.g., ``wd0'').

     kern.root_partition (KERN_ROOT_PARTITION)
	     The root partition on the root device (a == 0).

     kern.rtc_offset (KERN_RTC_OFFSET)
	     Return the offset of real time clock from UTC in minutes.

     kern.saved_ids (KERN_SAVED_IDS)
	     Returns 1 if saved set-group and saved set-user IDs are available.

     kern.sbmax (KERN_SBMAX)
	     Maximum socket buffer size.

     kern.securelevel (KERN_SECURELVL)
	     See secmodel_securelevel(9).

     kern.somaxkva (KERN_SOMAXKVA)
	     Maximum amount of kernel memory to be used for socket buffers.

     kern.synchronized_io (KERN_SYNCHRONIZED_IO)
	     Returns 1 if the IEEE Std 1003.1b-1993 (``POSIX.1'') Synchronized I/O Option is
	     available on this system, otherwise 0.

     kern.timecounter (dynamic)
	     Display and control the timecounter source of the system.

		   Third level name			Type	   Changeable
		   kern.timecounter.choice		string	   no
		   kern.timecounter.hardware		string	   yes
		   kern.timecounter.timestepwarnings	integer    yes

	     The variables are as follows:

	     kern.timecounter.choice (dynamic)
		     The list of available timecounters with their quality and frequency.

	     kern.timecounter.hardware (dynamic)
		     The currently selected timecounter source.

	     kern.timecounter.timestepwarnings (dynamic)
		     If non-zero display a message each time the time is stepped.

     kern.timex (KERN_TIMEX)
	     Not available.

     kern.tkstat (KERN_TKSTAT)
	     Return information about the number of characters sent and received on ttys.  The
	     third level names for the tty statistic variables are detailed below.  The change-
	     able column shows whether a process with appropriate privilege may change the value.

		   Third level name	Type	Changeable
		   kern.tkstat.cancc	quad	no
		   kern.tkstat.nin	quad	no
		   kern.tkstat.nout	quad	no
		   kern.tkstat.rawcc	quad	no

	     The variables are as follows:

	     kern.tkstat.cancc (KERN_TKSTAT_CANCC)
		     The number of canonical input characters.

	     kern.tkstat.nin (KERN_TKSTAT_NIN)
		     The total number of input characters.

	     kern.tkstat.nout (KERN_TKSTAT_NOUT)
		     The total number of output characters.

	     kern.tkstat.rawcc (KERN_TKSTAT_RAWCC)
		     The number of raw input characters.

     kern.tty
	     The third level names for the tty setup variables are detailed below.  The change-
	     able column shows whether a process with appropriate privilege may change the value.

		   Third level name  Type   Changeable
		   kern.tty.qsize    int    yes

	     The variables are as follows:

	     kern.tty.qsize
		     Control/display the size of the default input and output queues selected
		     during tty creation.  The value is converted to a power of two and its
		     range is between 1024 and 65536.

     kern.urandom (KERN_URND)
	     Random integer value.

     kern.usercrypto
	     When enabled, allows userland to open(2) the /dev/crypto special device, used by the
	     crypto(4) system.

     kern.userasymcrypto
	     Enables or disables the use of software asymmetric crypto support in the crypto(4)
	     system.

     kern.veriexec
	     Runtime information for veriexec(8).

		   Third level name	       Type	  Changeable
		   kern.veriexec.algorithms    string	  no
		   kern.veriexec.count	       node	  not applicable
		   kern.veriexec.strict        integer	  yes
		   kern.veriexec.verbose       integer	  yes

	     kern.veriexec.algorithms
		     Returns a string with the supported algorithms in Veriexec.

	     kern.veriexec.count
		     Sub-nodes are added to this node as new mounts are monitored by Veriexec.
		     Each mount will be under its own tableN node.  Under each node there will be
		     three variables, indicating the mount point, the file system type, and the
		     number of entries.

	     kern.veriexec.strict
		     Controls the strict level of Veriexec.  See security(7) for more information
		     on each level's implications.

	     kern.veriexec.verbose
		     Controls the verbosity level of Veriexec.	If 0, only the minimal indication
		     required will be given about what's happening - fingerprint mismatches,
		     removal of entries from the tables, modification of a fingerprinted file.
		     If 1, more messages will be printed (i.e., when a file with a valid
		     fingerprint is accessed).  Verbose level 2 is debug mode.

     kern.version (KERN_VERSION)
	     The system version string.

     kern.vnode (KERN_VNODE)
	     Return the entire vnode table.  Note, the vnode table is not necessarily a consis-
	     tent snapshot of the system.  The returned data consists of an array whose size
	     depends on the current number of such objects in the system.  Each element of the
	     array contains the kernel address of a vnode struct vnode * followed by the vnode
	     itself struct vnode.

   The machdep.* subtree
     The set of variables defined is architecture dependent.  Most architectures define at least
     the following variables.

	   Second level name	    Type    Changeable
	   machdep.booted_kernel    string  no

   The net.* subtree
     The string and integer information available for the net level is detailed below.	The
     changeable column shows whether a process with appropriate privilege may change the value.
     The second and third levels are typically the protocol family and protocol number, though
     this is not always the case.

	   Second level name	Type			       Changeable
	   net.route		routing messages	       no
	   net.inet		IPv4 values		       yes
	   net.inet6		IPv6 values		       yes
	   net.key		IPsec key management values    yes

     net.route (PF_ROUTE)
	     Return the entire routing table or a subset of it.  The data is returned as a
	     sequence of routing messages (see route(4) for the header file, format and meaning).
	     The length of each message is contained in the message header.

	     The third level name is a protocol number, which is currently always 0.  The fourth
	     level name is an address family, which may be set to 0 to select all address fami-
	     lies.  The fifth and sixth level names are as follows:

		   Fifth level name    Sixth level is:
		   NET_RT_FLAGS        rtflags
		   NET_RT_DUMP	       None
		   NET_RT_IFLIST       None

     net.inet (PF_INET)
	     Get or set various global information about the IPv4 (Internet Protocol version 4).
	     The third level name is the protocol.  The fourth level name is the variable name.
	     The currently defined protocols and names are:

		 Protocol name	  Variable name 	 Type	    Changeable
		 arp		  down			 integer    yes
		 arp		  keep			 integer    yes
		 arp		  log_movements 	 integer    yes
		 arp		  log_permanent_modify	 integer    yes
		 arp		  log_wrong_iface	 integer    yes
		 arp		  prune 		 integer    yes
		 arp		  refresh		 integer    yes
		 carp		  allow 		 integer    yes
		 carp		  preempt		 integer    yes
		 carp		  log			 integer    yes
		 carp		  arpbalance		 integer    yes
		 icmp		  errppslimit		 integer    yes
		 icmp		  maskrepl		 integer    yes
		 icmp		  rediraccept		 integer    yes
		 icmp		  redirtimeout		 integer    yes
		 icmp		  bmcastecho		 integer    yes
		 ip		  allowsrcrt		 integer    yes
		 ip		  anonportmax		 integer    yes
		 ip		  anonportmin		 integer    yes
		 ip		  checkinterface	 integer    yes
		 ip		  directed-broadcast	 integer    yes
		 ip		  do_loopback_cksum	 integer    yes
		 ip		  forwarding		 integer    yes
		 ip		  forwsrcrt		 integer    yes
		 ip		  gifttl		 integer    yes
		 ip		  grettl		 integer    yes
		 ip		  hashsize		 integer    yes
		 ip		  hostzerobroadcast	 integer    yes
		 ip		  lowportmin		 integer    yes
		 ip		  lowportmax		 integer    yes
		 ip6		  maxdynroutes		 integer    yes
		 ip6		  maxifprefixes 	 integer    yes
		 ip6		  maxifdefrouters	 integer    yes
		 ip		  maxflows		 integer    yes
		 ip		  maxfragpackets	 integer    yes
		 ip6		  neighborgcthresh	 integer    yes
		 ip		  mtudisc		 integer    yes
		 ip		  mtudisctimeout	 integer    yes
		 ip		  random_id		 integer    yes
		 ip		  redirect		 integer    yes
		 ip		  subnetsarelocal	 integer    yes
		 ip		  ttl			 integer    yes
		 tcp		  rfc1323		 integer    yes
		 tcp		  sendspace		 integer    yes
		 tcp		  recvspace		 integer    yes
		 tcp		  mssdflt		 integer    yes
		 tcp		  syn_cache_limit	 integer    yes
		 tcp		  syn_bucket_limit	 integer    yes
		 tcp		  syn_cache_interval	 integer    yes
		 tcp		  init_win		 integer    yes
		 tcp		  init_win_local	 integer    yes
		 tcp		  mss_ifmtu		 integer    yes
		 tcp		  win_scale		 integer    yes
		 tcp		  timestamps		 integer    yes
		 tcp		  compat_42		 integer    yes
		 tcp		  cwm			 integer    yes
		 tcp		  cwm_burstsize 	 integer    yes
		 tcp		  ack_on_push		 integer    yes
		 tcp		  keepidle		 integer    yes
		 tcp		  keepintvl		 integer    yes
		 tcp		  keepcnt		 integer    yes
		 tcp		  slowhz		 integer    no
		 tcp		  keepinit		 integer    yes
		 tcp		  log_refused		 integer    yes
		 tcp		  rstppslimit		 integer    yes
		 tcp		  ident 		 struct     no
		 tcp		  drop			 struct     no
		 tcp		  sack.enable		 integer    yes
		 tcp		  sack.globalholes	 integer    no
		 tcp		  sack.globalmaxholes	 integer    yes
		 tcp		  sack.maxholes 	 integer    yes
		 tcp		  ecn.enable		 integer    yes
		 tcp		  ecn.maxretries	 integer    yes
		 tcp		  congctl.selected	 string     yes
		 tcp		  congctl.available	 string     yes
		 tcp		  abc.enable		 integer    yes
		 tcp		  abc.aggressive	 integer    yes
		 udp		  checksum		 integer    yes
		 udp		  do_loopback_cksum	 integer    yes
		 udp		  recvspace		 integer    yes
		 udp		  rfc6056.selected	 string     yes
		 udp		  rfc6056.available	 string     yes
		 udp		  sendspace		 integer    yes

	     The variables are as follows:

	     arp.down
		     Failed ARP entry lifetime.

	     arp.keep
		     Valid ARP entry lifetime.

	     arp.prune
		     ARP cache pruning interval.

	     arp.refresh
		     ARP entry refresh interval.

	     carp.allow
		     If set to 0, incoming carp(4) packets will not be processed.  If set to any
		     other value, processing will occur.  Enabled by default.

	     carp.arpbalance
		     If set to any value other than 0, the ARP balancing functionality of carp(4)
		     is enabled.  When ARP requests are received for an IP address which is part
		     of any virtual host, carp will hash the source IP in the ARP request to
		     select one of the virtual hosts from the set of all the virtual hosts which
		     have that IP address.  The master of that host will respond with the correct
		     virtual MAC address.  Disabled by default.

	     carp.log
		     If set to any value other than 0, carp(4) will log errors.  Disabled by
		     default.

	     carp.preempt
		     If set to 0, carp(4) will not attempt to become master if it is receiving
		     advertisements from another active master.  If set to any other value, carp
		     will become master of the virtual host if it believes it can send advertise-
		     ments more frequently than the current master.  Disabled by default.

	     ip.allowsrcrt
		     If set to 1, the host accepts source routed packets.

	     ip.anonportmax
		     The highest port number to use for TCP and UDP ephemeral port allocation.
		     This cannot be set to less than 1024 or greater than 65535, and must be
		     greater than ip.anonportmin.

	     ip.anonportmin
		     The lowest port number to use for TCP and UDP ephemeral port allocation.
		     This cannot be set to less than 1024 or greater than 65535.

	     ip.checkinterface
		     If set to non-zero, the host will reject packets addressed to it that arrive
		     on an interface not bound to that address.  Currently, this must be disabled
		     if ipnat is used to translate the destination address to another local
		     interface, or if addresses are added to the loopback interface instead of
		     the interface where the packets for those addresses are received.

	     ip.directed-broadcast
		     If set to 1, enables directed broadcast behavior for the host.

	     ip.do_loopback_cksum
		     Perform IP checksum on loopback.

	     ip.forwarding
		     If set to 1, enables IP forwarding for the host, meaning that the host is
		     acting as a router.

	     ip.forwsrcrt
		     If set to 1, enables forwarding of source-routed packets for the host.  This
		     value may only be changed if the kernel security level is less than 1.

	     ip.gifttl
		     The maximum time-to-live (hop count) value for an IPv4 packet generated by
		     gif(4) tunnel interface.

	     ip.grettl
		     The maximum time-to-live (hop count) value for an IPv4 packet generated by
		     gre(4) tunnel interface.

	     ip.hashsize
		     The size of IPv4 Fast Forward hash table.	This value must be a power of 2
		     (64, 256...).  A larger hash table size results in fewer collisions.  Also
		     see ip.maxflows.

	     ip.hostzerobroadcast
		     All zeroes address is broadcast address.

	     ip.lowportmax
		     The highest port number to use for TCP and UDP reserved port allocation.
		     This cannot be set to less than 0 or greater than 1024, and must be greater
		     than ip.lowportmin.

	     ip.lowportmin
		     The lowest port number to use for TCP and UDP reserved port allocation.
		     This cannot be set to less than 0 or greater than 1024, and must be smaller
		     than ip.lowportmax.

	     ip.maxflows
		     IPv4 Fast Forwarding is enabled by default.  If set to 0, IPv4 Fast Forward-
		     ing is disabled.  ip.maxflows controls the maximum amount of flows which can
		     be created.  The default value is 256.

	     ip.maxfragpackets
		     The maximum number of fragmented packets the node will accept.  0 means that
		     the node will not accept any fragmented packets.  -1 means that the node
		     will accept as many fragmented packets as it receives.  The flag is provided
		     basically for avoiding possible DoS attacks.

	     ip.mtudisc
		     If set to 1, enables Path MTU Discovery (RFC 1191).  When Path MTU Discovery
		     is enabled, the transmitted TCP segment size will be determined by the
		     advertised maximum segment size (MSS) from the remote end, as constrained by
		     the path MTU.  If MTU Discovery is disabled, the transmitted segment size
		     will never be greater than tcp.mssdflt (the local maximum segment size).

	     ip.mtudisctimeout
		     The number of seconds in which a route added by the Path MTU Discovery
		     engine will time out.  When the route times out, the Path MTU Discovery
		     engine will attempt to probe a larger path MTU.

	     ip.random_id
		     Assign random ip_id values.

	     ip.redirect
		     If set to 1, ICMP redirects may be sent by the host.  This option is ignored
		     unless the host is routing IP packets, and should normally be enabled on all
		     systems.

	     ip.subnetsarelocal
		     If set to 1, subnets are to be considered local addresses.

	     ip.ttl  The maximum time-to-live (hop count) value for an IP packet sourced by the
		     system.  This value applies to normal transport protocols, not to ICMP.

	     icmp.errppslimit
		     The variable specifies the maximum number of outgoing ICMP error messages,
		     per second.  ICMP error messages that exceeded the value are subject to rate
		     limitation and will not go out from the node.  Negative value disables rate
		     limitation.

	     icmp.maskrepl
		     If set to 1, ICMP network mask requests are to be answered.

	     icmp.rediraccept
		     If set to non-zero, the host will accept ICMP redirect packets.  Note that
		     routers will never accept ICMP redirect packets, and the variable is mean-
		     ingful on IP hosts only.

	     icmp.redirtimeout
		     The variable specifies lifetime of routing entries generated by incoming
		     ICMP redirect.  This defaults to 600 seconds.

	     icmp.returndatabytes
		     Number of bytes to return in an ICMP error message.

	     icmp.bmcastecho
		     If set to 1, enables responding to ICMP echo or timestamp request to the
		     broadcast address.

	     tcp.ack_on_push
		     If set to 1, TCP is to immediately transmit an ACK upon reception of a
		     packet with PUSH set.  This can avoid losing a round trip time in some rare
		     situations, but has the caveat of potentially defeating TCP's delayed ACK
		     algorithm.  Use of this option is generally not recommended, but the vari-
		     able exists in case your configuration really needs it.

	     tcp.compat_42
		     If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation.
		     Use of this option is not recommended, although it may be required in order
		     to communicate with extremely old TCP implementations.

	     tcp.cwm
		     If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window
		     Monitoring algorithm.  This algorithm prevents line-rate bursts of packets
		     that could otherwise occur when data begins flowing on an idle TCP connec-
		     tion.  These line-rate bursts can contribute to network and router conges-
		     tion.  This can be particularly useful on World Wide Web servers which sup-
		     port HTTP/1.1, which has lingering connections.

	     tcp.cwm_burstsize
		     The Congestion Window Monitoring allowed burst size, in terms of packet
		     count.

	     tcp.delack_ticks
		     Number of ticks to delay sending an ACK.

	     tcp.do_loopback_cksum
		     Perform TCP checksum on loopback.

	     tcp.init_win
		     A value indicating the TCP initial congestion window.  If this value is 0,
		     an auto-tuning algorithm designed to use an initial window of approximately
		     4K bytes is in use.  Otherwise, this value indicates a fixed number of pack-
		     ets.

	     tcp.init_win_local
		     Like tcp.init_win, but used when communicating with hosts on a local net-
		     work.

	     tcp.keepcnt
		     Number of keepalive probes sent before declaring a connection dead.  If set
		     to zero, there is no limit; keepalives will be sent until some kind of
		     response is received from the peer.

	     tcp.keepidle
		     Time a connection must be idle before keepalives are sent (if keepalives are
		     enabled for the connection).  See also tcp.slowhz.

	     tcp.keepintvl
		     Time after a keepalive probe is sent until, in the absence of any response,
		     another probe is sent.  See also tcp.slowhz.

	     tcp.log_refused
		     If set to 1, refused TCP connections to the host will be logged.

	     tcp.keepinit
		     Timeout in seconds during connection establishment.

	     tcp.mss_ifmtu
		     If set to 1, TCP calculates the outgoing maximum segment size based on the
		     MTU of the appropriate interface.	If set to 0, it is calculated based on
		     the greater of the MTU of the interface, and the largest (non-loopback)
		     interface MTU on the system.

	     tcp.mssdflt
		     The default maximum segment size both advertised to the peer and to use when
		     either the peer does not advertise a maximum segment size to us during con-
		     nection setup or Path MTU Discovery (ip.mtudisc) is disabled.  Do not change
		     this value unless you really know what you are doing.

	     tcp.recvspace
		     The default TCP receive buffer size.

	     tcp.rfc1323
		     If set to 1, enables RFC 1323 extensions to TCP.

	     tcp.rstppslimit
		     The variable specifies the maximum number of outgoing TCP RST packets per
		     second.  TCP RST packets that exceed the value are subject to rate
		     limitation and will not go out from the node.  A negative value disables
		     rate limitation.

	     tcp.ident
		     Return the user ID of a connected socket pair.  (RFC1413 Identification Pro-
		     tocol lookups.)

	     tcp.drop
		     Drop a TCP socket pair connection.

	     tcp.sack.enable
		     If set to 1, enables RFC 2018 Selective ACKnowledgement.

	     tcp.sack.globalholes
		     Global number of TCP SACK holes.

	     tcp.sack.globalmaxholes
		     Global maximum number of TCP SACK holes.

	     tcp.sack.maxholes
		     Maximum number of TCP SACK holes allowed per connection.

	     tcp.ecn.enable
		     If set to 1, enables RFC 3168 Explicit Congestion Notification.

	     tcp.ecn.maxretries
		     Number of times to retry sending the ECN-setup packet.

	     tcp.sendspace
		     The default TCP send buffer size.

	     tcp.slowhz
		     The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks
		     of a clock that ticks tcp.slowhz times per second.  (That is, their values
		     must be divided by the tcp.slowhz value to get times in seconds.)

	     tcp.syn_bucket_limit
		     The maximum number of entries allowed per hash bucket in the TCP compressed
		     state engine.

	     tcp.syn_cache_limit
		     The maximum number of entries allowed in the TCP compressed state engine.

	     tcp.timestamps
		     If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options,
		     used for measuring TCP round trip times, are enabled.

	     tcp.win_scale
		     If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options,
		     for increasing the TCP window size, are enabled.

	     tcp.congctl.available
		     The available TCP congestion control algorithms.

	     tcp.congctl.selected
		     The currently selected TCP congestion control algorithm.

	     tcp.abc.enable
		     If set to 1, use RFC 3465 Appropriate Byte Counting (ABC).  If set to 0, use
		     traditional Packet Counting.

	     tcp.abc.aggressive
		     Choose the L parameter found in RFC 3465.	L is the maximum cwnd increase
		     for an ack during slow start.  If set to 1, use L=2*SMSS.	If set to 0, use
		     L=1*SMSS.	It has no effect unless tcp.abc.enable is set to 1.

	     udp.checksum
		     If set to 1, UDP checksums are being computed.  Received non-zero UDP check-
		     sums are always checked.  Disabling UDP checksums is strongly discouraged.

	     udp.recvspace
		     The default UDP receive buffer size.

	     udp.rfc6056.available
		     The available RFC 6056 port randomization algorithms.

	     udp.rfc6056.selected
		     The currently selected RFC 6056 port randomization algorithm.

	     udp.sendspace
		     The default UDP send buffer size.

	     For variables net.*.ipsec, please refer to ipsec(4).

     net.inet6 (PF_INET6)
	     Get or set various global information about the IPv6 (Internet Protocol version 6).
	     The third level name is the protocol.  The fourth level name is the variable name.
	     The currently defined protocols and names are:

		   Protocol name    Variable name	 Type	    Changeable
		   icmp6	    errppslimit 	 integer    yes
		   icmp6	    mtudisc_hiwat	 integer    yes
		   icmp6	    mtudisc_lowat	 integer    yes
		   icmp6	    nd6_debug		 integer    yes
		   icmp6	    nd6_delay		 integer    yes
		   icmp6	    nd6_maxnudhint	 integer    yes
		   icmp6	    nd6_mmaxtries	 integer    yes
		   icmp6	    nd6_prune		 integer    yes
		   icmp6	    nd6_umaxtries	 integer    yes
		   icmp6	    nd6_useloopback	 integer    yes
		   icmp6	    nodeinfo		 integer    yes
		   icmp6	    rediraccept 	 integer    yes
		   icmp6	    redirtimeout	 integer    yes
		   ip6		    accept_rtadv	 integer    yes
		   ip6		    anonportmax 	 integer    yes
		   ip6		    anonportmin 	 integer    yes
		   ip6		    auto_flowlabel	 integer    yes
		   ip6		    dad_count		 integer    yes
		   ip6		    defmcasthlim	 integer    yes
		   ip6		    forwarding		 integer    yes
		   ip6		    gifhlim		 integer    yes
		   ip6		    hashsize		 integer    yes
		   ip6		    hlim		 integer    yes
		   ip6		    hdrnestlimit	 integer    yes
		   ip6		    kame_version	 string     no
		   ip6		    keepfaith		 integer    yes
		   ip6		    log_interval	 integer    yes
		   ip6		    lowportmax		 integer    yes
		   ip6		    lowportmin		 integer    yes
		   ip6		    maxflows		 integer    yes
		   ip6		    maxfragpackets	 integer    yes
		   ip6		    maxfrags		 integer    yes
		   ip6		    redirect		 integer    yes
		   ip6		    rr_prune		 integer    yes
		   ip6		    use_deprecated	 integer    yes
		   ip6		    v6only		 integer    yes
		   udp6 	    do_loopback_cksum	 integer    yes
		   udp6 	    recvspace		 integer    yes
		   udp6 	    rfc6056.selected	 string     yes
		   udp6 	    rfc6056.available	 string     yes
		   udp6 	    sendspace		 integer    yes

	     The variables are as follows:

	     ip6.accept_rtadv
		     If set to non-zero, the node will accept ICMPv6 router advertisement packets
		     and autoconfigures address prefixes and default routers.  The node must be a
		     host (not a router) for the option to be meaningful.

	     ip6.anonportmax
		     The highest port number to use for TCP and UDP ephemeral port allocation.
		     This cannot be set to less than 1024 or greater than 65535, and must be
		     greater than ip6.anonportmin.

	     ip6.anonportmin
		     The lowest port number to use for TCP and UDP ephemeral port allocation.
		     This cannot be set to less than 1024 or greater than 65535.

	     ip6.auto_flowlabel
		     On connected transport protocol packets, fill IPv6 flowlabel field to help
		     intermediate routers to identify packet flows.

	     ip6.dad_count
		     The variable configures the number of IPv6 DAD (duplicate address detection)
		     probe packets.  The packets will be generated when IPv6 interface addresses
		     are configured.

	     ip6.defmcasthlim
		     The default hop limit value for an IPv6 multicast packet sourced by the
		     node.  This value applies to all the transport protocols on top of IPv6.
		     There are APIs to override the value, as documented in ip6(4).

	     ip6.forwarding
		     If set to 1, enables IPv6 forwarding for the node, meaning that the node is
		     acting as a router.  If set to 0, disables IPv6 forwarding for the node,
		     meaning that the node is acting as a host.  IPv6 specification defines node
		     behavior for ``router'' case and ``host'' case quite differently, and chang-
		     ing this variable during operation may cause serious trouble.  It is recom-
		     mended to configure the variable at bootstrap time, and bootstrap time only.

	     ip6.gifhlim
		     The maximum hop limit value for an IPv6 packet generated by gif(4) tunnel
		     interface.

	     ip6.hdrnestlimit
		     The number of IPv6 extension headers permitted on incoming IPv6 packets.  If
		     set to 0, the node will accept as many extension headers as possible.

	     ip6.hashsize
		     The size of IPv6 Fast Forward hash table.	This value must be a power of 2
		     (64, 256, ...).  A larger hash table size results in fewer collisions.  Also
		     see ip6.maxflows.

	     ip6.hlim
		     The default hop limit value for an IPv6 unicast packet sourced by the node.
		     This value applies to all the transport protocols on top of IPv6.	There are
		     APIs to override the value, as documented in ip6(4).

	     ip6.kame_version
		     The string identifies the version of KAME IPv6 stack implemented in the ker-
		     nel.

	     ip6.keepfaith
		     If set to non-zero, it enables ``FAITH'' TCP relay IPv6-to-IPv4 translator
		     code in the kernel.  Refer to faith(4) and faithd(8) for details.

	     ip6.log_interval
		     The variable controls amount of logs generated by IPv6 packet forwarding
		     engine, by setting interval between log output (in seconds).

	     ip6.lowportmax
		     The highest port number to use for TCP and UDP reserved port allocation.
		     This cannot be set to less than 0 or greater than 1024, and must be greater
		     than ip6.lowportmin.

	     ip6.lowportmin
		     The lowest port number to use for TCP and UDP reserved port allocation.
		     This cannot be set to less than 0 or greater than 1024, and must be smaller
		     than ip6.lowportmax.

	     ip6.maxdynroutes
		     Maximum number of routes created by redirect.  Set it to negative to dis-
		     able.  The default value is 4096.

	     ip6.maxifprefixes
		     Maximum number of prefixes created by route advertisements per interface.
		     Set it to negative to disable.  The default value is 16.

	     ip6.maxifdefrouters
		     Maximum number of default routers created by route advertisements per inter-
		     face.  Set it to negative to disable.  The default value is 16.

	     ip6.maxflows
		     IPv6 Fast Forwarding is enabled by default.  If set to 0, IPv6 Fast Forward-
		     ing is disabled.  ip6.maxflows controls the maximum amount of flows which
		     can be created.  The default value is 256.

	     ip6.maxfragpackets
		     The maximum number of fragmented packets the node will accept.  0 means that
		     the node will not accept any fragmented packets.  -1 means that the node
		     will accept as many fragmented packets as it receives.  The flag is provided
		     basically for avoiding possible DoS attacks.

	     ip6.maxfrags
		     The maximum number of fragments the node will accept.  0 means that the node
		     will not accept any fragments.  -1 means that the node will accept as many
		     fragments as it receives.	The flag is provided basically for avoiding pos-
		     sible DoS attacks.

	     ip6.neighborgcthresh
		     Maximum number of entries in neighbor cache.  Set to negative to disable.
		     The default value is 2048.

	     ip6.redirect
		     If set to 1, ICMPv6 redirects may be sent by the node.  This option is
		     ignored unless the node is routing IP packets, and should normally be
		     enabled on all systems.

	     ip6.rr_prune
		     The variable specifies interval between IPv6 router renumbering prefix
		     babysitting, in seconds.

	     ip6.use_deprecated
		     The variable controls use of deprecated address, specified in RFC 2462
		     5.5.4.

	     ip6.v6only
		     The variable specifies initial value for IPV6_V6ONLY socket option for
		     AF_INET6 socket.  Please refer to ip6(4) for detail.

	     icmp6.errppslimit
		     The variable specifies the maximum number of outgoing ICMPv6 error messages,
		     per second.  ICMPv6 error messages that exceeded the value are subject to
		     rate limitation and will not go out from the node.  Negative value disables
		     rate limitation.

	     icmp6.mtudisc_hiwat

	     icmp6.mtudisc_lowat
		     The variables define the maximum number of routing table entries, created
		     due to path MTU discovery (prevents denial-of-service attacks with ICMPv6
		     too big messages).  When IPv6 path MTU discovery happens, we keep path MTU
		     information into the routing table.  If the number of routing table entries
		     exceeds the value, the kernel will not attempt to keep the path MTU
		     information.  icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big
		     messages.  icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big
		     messages.	Verification is performed by using address/port pairs kept in
		     connected pcbs.  Negative value disables the upper limit.

	     icmp6.nd6_debug
		     If set to non-zero, kernel IPv6 neighbor discovery code will generate debug-
		     ging messages.  The debug outputs are useful to diagnose IPv6 interoperabil-
		     ity issues.  The flag must be set to 0 for normal operation.

	     icmp6.nd6_delay
		     The variable specifies DELAY_FIRST_PROBE_TIME timing constant in IPv6 neigh-
		     bor discovery specification (RFC 2461), in seconds.

	     icmp6.nd6_maxnudhint
		     IPv6 neighbor discovery permits upper layer protocols to supply reachability
		     hints, to avoid unnecessary neighbor discovery exchanges.  The variable
		     defines the number of consecutive hints the neighbor discovery layer will
		     take.  For example, when the variable is set to 3, the neighbor discovery
		     layer will take at most 3 consecutive hints.  After receiving 3 hints, the
		     neighbor discovery layer will perform the normal neighbor discovery process.

	     icmp6.nd6_mmaxtries
		     The variable specifies MAX_MULTICAST_SOLICIT constant in IPv6 neighbor dis-
		     covery specification (RFC 2461).

	     icmp6.nd6_prune
		     The variable specifies interval between IPv6 neighbor cache babysitting, in
		     seconds.

	     icmp6.nd6_umaxtries
		     The variable specifies MAX_UNICAST_SOLICIT constant in IPv6 neighbor discov-
		     ery specification (RFC 2461).

	     icmp6.nd6_useloopback
		     If set to non-zero, kernel IPv6 stack will use loopback interface for local
		     traffic.

	     icmp6.nodeinfo
		     The variable enables responses to ICMPv6 node information queries.  If you
		     set the variable to 0, responses will not be generated for ICMPv6 node
		     information queries.  Since node information queries can have a security
		     impact, it is possible to fine tune which responses should be answered.  Two
		     separate bits can be set.

		     1	    Respond to ICMPv6 FQDN queries, e.g.  ping6 -w.

		     2	    Respond to ICMPv6 node addresses queries, e.g.  ping6 -a.

	     icmp6.rediraccept
		     If set to non-zero, the host will accept ICMPv6 redirect packets.	Note that
		     IPv6 routers will never accept ICMPv6 redirect packets, and the variable is
		     meaningful on IPv6 hosts (non-router) only.

	     icmp6.redirtimeout
		     The variable specifies lifetime of routing entries generated by incoming
		     ICMPv6 redirect.

	     udp6.do_loopback_cksum
		     Perform UDP checksum on loopback.

	     udp6.recvspace
		     Default UDP receive buffer size.

	     udp6.rfc6056.available
		     The available RFC 6056 port randomization algorithms for IPv6.

	     udp6.rfc6056.selected
		     The currently selected RFC 6056 port randomization algorithm for IPv6.

	     udp6.sendspace
		     Default UDP send buffer size.

	     We reuse net.*.tcp for TCP over IPv6, and therefore we do not have variables
	     net.*.tcp6.  Variables net.inet6.udp6 have identical meaning to net.inet.udp.
	     Please refer to PF_INET section above.  For variables net.*.ipsec6, please refer to
	     ipsec(4).
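The icmp6 entries above name several values that switch a protection off or change what the host answers. The following sh script is an added example, not part of the NetBSD manual page: it checks a saved `sysctl net.inet6.icmp6` dump for those states. The function names (`val`, `is_int`, `nodeinfo_decode`, `icmp6_audit`) and the sample values are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `sysctl net.inet6.icmp6` output ("name = value" per line);
# the values are made up for the example, not taken from a real host.
ICMP6_SAMPLE='net.inet6.icmp6.errppslimit = -1
net.inet6.icmp6.mtudisc_hiwat = 1280
net.inet6.icmp6.mtudisc_lowat = 256
net.inet6.icmp6.nd6_debug = 1
net.inet6.icmp6.nodeinfo = 3
net.inet6.icmp6.rediraccept = 1'

# val DUMP NAME: print the value of net.inet6.icmp6.NAME (empty if absent).
val() {
    printf '%s\n' "$1" | awk -F' = ' -v n="net.inet6.icmp6.$2" '$1 == n { print $2; exit }'
}

# is_int VALUE: succeed only for an optionally negative decimal integer.
is_int() {
    case "$1" in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;
    esac
}

# nodeinfo_decode VALUE: name the query types answered, per the two bits
# documented for icmp6.nodeinfo (1 = FQDN, 2 = node addresses).
nodeinfo_decode() {
    out=
    if [ $(( $1 & 1 )) -ne 0 ]; then out="fqdn"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then out="${out:+$out,}node-addresses"; fi
    echo "${out:-none}"
}

# icmp6_audit DUMP: print WARN for values the manual page describes as disabling
# a limit or as not meant for normal operation, INFO for exposure worth recording,
# and SKIP for variables that are missing or malformed in the dump.
icmp6_audit() {
    for name in errppslimit mtudisc_hiwat mtudisc_lowat nd6_debug nodeinfo rediraccept; do
        v=$(val "$1" "$name")
        if ! is_int "$v"; then
            echo "SKIP $name: missing or not an integer"
            continue
        fi
        case "$name" in
            errppslimit)
                if [ "$v" -lt 0 ]; then
                    echo "WARN $name=$v: ICMPv6 error rate limitation is disabled"
                fi ;;
            mtudisc_*)
                if [ "$v" -lt 0 ]; then
                    echo "WARN $name=$v: no upper limit on path MTU routing entries"
                fi ;;
            nd6_debug)
                if [ "$v" -ne 0 ]; then
                    echo "WARN $name=$v: neighbor discovery debugging is on"
                fi ;;
            nodeinfo)
                echo "INFO $name=$v: node information queries answered: $(nodeinfo_decode "$v")" ;;
            rediraccept)
                if [ "$v" -ne 0 ]; then
                    echo "INFO $name=$v: host accepts ICMPv6 redirects"
                fi ;;
        esac
    done
}

icmp6_audit "$ICMP6_SAMPLE"
```

On a live system the dump would come from `sysctl net.inet6.icmp6` instead of the embedded sample.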

     net.key (PF_KEY)
	     Get or set various global information about the IPsec key management.  The third
	     level name is the variable name.  The currently defined variable names are:

		   Variable name	Type	   Changeable
		   debug		integer    yes
		   spi_try		integer    yes
		   spi_min_value	integer    yes
		   spi_max_value	integer    yes
		   larval_lifetime	integer    yes
		   blockacq_count	integer    yes
		   blockacq_lifetime	integer    yes
		   esp_keymin		integer    yes
		   esp_auth		integer    yes
		   ah_keymin		integer    yes

	     The variables are as follows:

	     debug   Turn on debugging messages from within the kernel.  The value is a bitmap,
		     as defined in <netkey/key_debug.h>.

	     spi_try
		     The number of times the kernel will try to obtain a unique SPI when it
		     generates one from the random number generator.

	     spi_min_value
		     Minimum SPI value when generating it within the kernel.

	     spi_max_value
		     Maximum SPI value when generating it within the kernel.

	     larval_lifetime
		     Lifetime for LARVAL SAD entries, in seconds.

	     blockacq_count
		     Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message.
		     This prevents a flood of ACQUIRE PF_KEY messages from being sent from the
		     kernel to the key management daemon.

	     blockacq_lifetime
		     Lifetime of ACQUIRE PF_KEY message.

	     esp_keymin
		     Minimum ESP key length, in bits.  The value is used when the kernel creates
		     proposal payload on ACQUIRE PF_KEY message.

	     esp_auth
		     Whether ESP authentication should be used or not.	Non-zero value indicates
		     that ESP authentication should be used.  The value is used when the kernel
		     creates proposal payload on ACQUIRE PF_KEY message.

	     ah_keymin
		     Minimum AH key length, in bits.  The value is used when the kernel creates
		     proposal payload on ACQUIRE PF_KEY message.

   The proc.* subtree
     The string and integer information available for the proc level is detailed below.  The
     changeable column shows whether a process with appropriate privilege may change the value.
     These values are per-process, and as such may change from one process to another.	When a
     process is created, the default values are inherited from its parent.  When a set-user-ID or
     set-group-ID binary is executed, the value of PROC_PID_CORENAME is reset to the system
     default value.  The second level name is either the magic value PROC_CURPROC, which points
     to the current process, or the PID of the target process.

	   Third level name	Type	  Changeable
	   proc.pid.corename	string	  yes
	   proc.pid.rlimit	node	  not applicable
	   proc.pid.stopfork	int	  yes
	   proc.pid.stopexec	int	  yes
	   proc.pid.stopexit	int	  yes

     proc.pid.corename (PROC_PID_CORENAME)
	     The template used for the core dump file name (see core(5) for details).  The base
	     name must either be core or end with the suffix .core (the super-user may set arbi-
	     trary names).  By default it points to KERN_DEFCORENAME.

     proc.pid.rlimit (PROC_PID_LIMIT)
	     Return resource limits, as defined for the getrlimit(2) and setrlimit(2) system
	     calls.  The fourth level name is one of:

	     proc.pid.rlimit.cputime (PROC_PID_LIMIT_CPU)
		     The maximum amount of CPU time (in seconds) to be used by each process.

	     proc.pid.rlimit.filesize (PROC_PID_LIMIT_FSIZE)
		     The largest size (in bytes) file that may be created.

	     proc.pid.rlimit.datasize (PROC_PID_LIMIT_DATA)
		     The maximum size (in bytes) of the data segment for a process; this defines
		     how far a program may extend its break with the sbrk(2) system call.

	     proc.pid.rlimit.stacksize (PROC_PID_LIMIT_STACK)
		     The maximum size (in bytes) of the stack segment for a process; this defines
		     how far a program's stack segment may be extended.  Stack extension is per-
		     formed automatically by the system.

	     proc.pid.rlimit.coredumpsize (PROC_PID_LIMIT_CORE)
		     The largest size (in bytes) core file that may be created.

	     proc.pid.rlimit.memoryuse (PROC_PID_LIMIT_RSS)
		     The maximum size (in bytes) to which a process's resident set size may grow.
		     This imposes a limit on the amount of physical memory to be given to a
		     process; if memory is tight, the system will prefer to take memory from pro-
		     cesses that are exceeding their declared resident set size.

	     proc.pid.rlimit.memorylocked (PROC_PID_LIMIT_MEMLOCK)
		     The maximum size (in bytes) which a process may lock into memory using the
		     mlock(2) function.

	     proc.pid.rlimit.maxproc (PROC_PID_LIMIT_NPROC)
		     The maximum number of simultaneous processes for this user id.

	     proc.pid.rlimit.descriptors (PROC_PID_LIMIT_NOFILE)
		     The maximum number of open files for this process.

	     proc.pid.rlimit.sbsize (PROC_PID_LIMIT_SBSIZE)
		     The maximum size (in bytes) of the socket buffers set by the setsockopt(2)
		     SO_RCVBUF and SO_SNDBUF options.

	     The fifth level name is one of soft (PROC_PID_LIMIT_TYPE_SOFT) or hard
	     (PROC_PID_LIMIT_TYPE_HARD), to select respectively the soft or hard limit.  Both are
	     of type integer.

     proc.pid.stopfork (PROC_PID_STOPFORK)
	     If non-zero, the process's children will be stopped after fork(2) calls.  The
	     children are created in the SSTOP state and are never scheduled for running before
	     being stopped.  This feature helps with attaching a debugger such as gdb(1) to a
	     process before it has had the opportunity to actually do anything.

	     This value is inherited by the process's children, and it also applies to emulation
	     specific system calls that fork a new process, such as sproc() or clone().

     proc.pid.stopexec (PROC_PID_STOPEXEC)
	     If non-zero, the process will be stopped on the next exec(3) call.  The process
	     created by exec(3) is created in the SSTOP state and is never scheduled for running
	     before being stopped.  This feature helps with attaching a debugger such as gdb(1)
	     to a process before it has had the opportunity to actually do anything.

	     This value is inherited by the process's children.

     proc.pid.stopexit (PROC_PID_STOPEXIT)
	     If non-zero, the process will be stopped when it has cause to exit, either by way
	     of calling exit(3), _exit(2), or by the receipt of a specific signal.  The process
	     is stopped before any of its resources or vm space is released, allowing
	     examination of the termination state of a process before it disappears.  This
	     feature can be used to examine the final conditions of the process's vmspace via
	     pmap(1) or its resource settings with sysctl(8) before it disappears.

	     This value is also inherited by the process's children.

   The user.* subtree (CTL_USER)
     The string and integer information available for the user level is detailed below.  The
     changeable column shows whether a process with appropriate privilege may change the value.

	   Second level name	    Type       Changeable
	   user.atexit_max	    integer    no
	   user.bc_base_max	    integer    no
	   user.bc_dim_max	    integer    no
	   user.bc_scale_max	    integer    no
	   user.bc_string_max	    integer    no
	   user.coll_weights_max    integer    no
	   user.cs_path 	    string     no
	   user.expr_nest_max	    integer    no
	   user.line_max	    integer    no
	   user.posix2_c_bind	    integer    no
	   user.posix2_c_dev	    integer    no
	   user.posix2_char_term    integer    no
	   user.posix2_fort_dev     integer    no
	   user.posix2_fort_run     integer    no
	   user.posix2_localedef    integer    no
	   user.posix2_sw_dev	    integer    no
	   user.posix2_upe	    integer    no
	   user.posix2_version	    integer    no
	   user.re_dup_max	    integer    no
	   user.stream_max	    integer    no
	   user.tzname_max	    integer    no

     user.atexit_max (USER_ATEXIT_MAX)
	     The maximum number of functions that may be registered with atexit(3).

     user.bc_base_max (USER_BC_BASE_MAX)
	     The maximum ibase/obase values in the bc(1) utility.

     user.bc_dim_max (USER_BC_DIM_MAX)
	     The maximum array size in the bc(1) utility.

     user.bc_scale_max (USER_BC_SCALE_MAX)
	     The maximum scale value in the bc(1) utility.

     user.bc_string_max (USER_BC_STRING_MAX)
	     The maximum string length in the bc(1) utility.

     user.coll_weights_max (USER_COLL_WEIGHTS_MAX)
	     The maximum number of weights that can be assigned to any entry of the LC_COLLATE
	     order keyword in the locale definition file.

     user.cs_path (USER_CS_PATH)
	     Return a value for the PATH environment variable that finds all the standard utili-
	     ties.

     user.expr_nest_max (USER_EXPR_NEST_MAX)
	     The maximum number of expressions that can be nested within parentheses by the
	     expr(1) utility.

     user.line_max (USER_LINE_MAX)
	     The maximum length in bytes of a text-processing utility's input line.

     user.posix2_char_term (USER_POSIX2_CHAR_TERM)
	     Return 1 if the system supports at least one terminal type capable of all operations
	     described in IEEE Std 1003.2 (``POSIX.2''), otherwise 0.

     user.posix2_c_bind (USER_POSIX2_C_BIND)
	     Return 1 if the system's C-language development facilities support the C-Language
	     Bindings Option, otherwise 0.

     user.posix2_c_dev (USER_POSIX2_C_DEV)
	     Return 1 if the system supports the C-Language Development Utilities Option, other-
	     wise 0.

     user.posix2_fort_dev (USER_POSIX2_FORT_DEV)
	     Return 1 if the system supports the FORTRAN Development Utilities Option, other-
	     wise 0.

     user.posix2_fort_run (USER_POSIX2_FORT_RUN)
	     Return 1 if the system supports the FORTRAN Runtime Utilities Option, otherwise 0.

     user.posix2_localedef (USER_POSIX2_LOCALEDEF)
	     Return 1 if the system supports the creation of locales, otherwise 0.

     user.posix2_sw_dev (USER_POSIX2_SW_DEV)
	     Return 1 if the system supports the Software Development Utilities Option, other-
	     wise 0.

     user.posix2_upe (USER_POSIX2_UPE)
	     Return 1 if the system supports the User Portability Utilities Option, otherwise 0.

     user.posix2_version (USER_POSIX2_VERSION)
	     The version of IEEE Std 1003.2 (``POSIX.2'') with which the system attempts to com-
	     ply.

     user.re_dup_max (USER_RE_DUP_MAX)
	     The maximum number of repeated occurrences of a regular expression permitted when
	     using interval notation.

     user.stream_max (USER_STREAM_MAX)
	     The minimum maximum number of streams that a process may have open at any one time.

     user.tzname_max (USER_TZNAME_MAX)
	     The minimum maximum number of types supported for the name of a timezone.

   The vm.* subtree (CTL_VM)
     The string and integer information available for the vm level is detailed below.  The
     changeable column shows whether a process with appropriate privilege may change the value.

	   Second level name	Type			Changeable
	   vm.anonmax		int			yes
	   vm.anonmin		int			yes
	   vm.bufcache		int			yes
	   vm.bufmem		int			no
	   vm.bufmem_hiwater	int			yes
	   vm.bufmem_lowater	int			yes
	   vm.execmax		int			yes
	   vm.execmin		int			yes
	   vm.filemax		int			yes
	   vm.filemin		int			yes
	   vm.loadavg		struct loadavg		no
	   vm.maxslp		int			no
	   vm.nkmempages	int			no
	   vm.uspace		int			no
	   vm.uvmexp		struct uvmexp		no
	   vm.uvmexp2		struct uvmexp_sysctl	no
	   vm.vmmeter		struct vmtotal		no

     vm.anonmax (VM_ANONMAX)
	     The percentage of physical memory which will be reclaimed from other types of memory
	     usage to store anonymous application data.

     vm.anonmin (VM_ANONMIN)
	     The percentage of physical memory which will always be available for anonymous
	     application data.

     vm.bufcache (VM_BUFCACHE)
	     The percentage of physical memory which will be available for the buffer cache.

     vm.bufmem (VM_BUFMEM)
	     The amount of kernel memory that is being used by the buffer cache.

     vm.bufmem_lowater (VM_BUFMEM_LOWATER)
	     The minimum amount of kernel memory to reserve for the buffer cache.

     vm.bufmem_hiwater (VM_BUFMEM_HIWATER)
	     The maximum amount of kernel memory to be used for the buffer cache.

     vm.execmax (VM_EXECMAX)
	     The percentage of physical memory which will be reclaimed from other types of memory
	     usage to store cached executable data.

     vm.execmin (VM_EXECMIN)
	     The percentage of physical memory which will always be available for cached
	     executable data.

     vm.filemax (VM_FILEMAX)
	     The percentage of physical memory which will be reclaimed from other types of memory
	     usage to store cached file data.

     vm.filemin (VM_FILEMIN)
	     The percentage of physical memory which will always be available for cached file
	     data.

     vm.loadavg (VM_LOADAVG)
	     Return the load average history.  The returned data consists of a struct loadavg.

     vm.maxslp (VM_MAXSLP)
	     The value of the maxslp kernel global variable.

     vm.vmmeter (VM_METER)
	     Return system wide virtual memory statistics.  The returned data consists of a
	     struct vmtotal.

     vm.user_va0_disable
	     A flag which controls whether user processes can map virtual address 0.

     vm.uspace (VM_USPACE)
	     The number of bytes allocated for each kernel stack.

     vm.uvmexp (VM_UVMEXP)
	     Return system wide virtual memory statistics.  The returned data consists of a
	     struct uvmexp.

     vm.uvmexp2 (VM_UVMEXP2)
	     Return system wide virtual memory statistics.  The returned data consists of a
	     struct uvmexp_sysctl.

   The ddb.* subtree (CTL_DDB)
     The information available for the ddb level is detailed below.  The changeable column shows
     whether a process with appropriate privilege may change the value.

	   Second level name	Type	   Changeable
	   ddb.radix		integer    yes
	   ddb.maxoff		integer    yes
	   ddb.maxwidth 	integer    yes
	   ddb.lines		integer    yes
	   ddb.tabstops 	integer    yes
	   ddb.onpanic		integer    yes
	   ddb.fromconsole	integer    yes
	   ddb.tee_msgbuf	integer    yes
	   ddb.commandonenter	string	   yes

     ddb.radix (DDBCTL_RADIX)
	     The input and output radix.

     ddb.maxoff (DDBCTL_MAXOFF)
	     The maximum symbol offset.

     ddb.maxwidth (DDBCTL_MAXWIDTH)
	     The maximum output line width.

     ddb.lines (DDBCTL_LINES)
	     Number of display lines.

     ddb.tabstops (DDBCTL_TABSTOPS)
	     Tab width.

     ddb.onpanic (DDBCTL_ONPANIC)
	     If greater than zero, DDB will be entered if the kernel panics.  A value of 1 causes
	     the system to enter DDB on panic, while a value of 2 causes the kernel to attempt to
	     print out a stack trace before entering DDB.  A value of 0 causes the kernel to
	     attempt to print a stack trace, then reboot, while a value of -1 means neither a
	     stack trace will be printed nor DDB entered.

     ddb.fromconsole (DDBCTL_FROMCONSOLE)
	     If not zero, DDB may be entered by sending a break on a serial console or by a spe-
	     cial key sequence on a graphics console.

     ddb.tee_msgbuf
	     If not zero, DDB will also output to the kernel message buffer.

     ddb.commandonenter
	     If not empty, a command to be executed each time DDB is entered.

     Some of these MIB nodes are also available as variables from within the debugger.	See
     ddb(4) for more details.

   The security.* subtree (CTL_SECURITY)
     The security level contains various security-related settings for the system.  The available
     second level names are:

	   Second level name	Type	   Changeable
	   security.curtain	integer    yes
	   security.models	node	   not applicable
	   security.pax 	node	   not applicable

     Available settings are detailed below.

     security.curtain
	     If non-zero, returned objects are filtered according to the user ID requesting
	     information about them, preventing users from accessing objects they do not own.

	     At the moment, it affects ps(1), netstat(1) (for PF_INET, PF_INET6, and PF_UNIX
	     PCBs), and w(1).

     security.models
	     NetBSD supports pluggable security models.  Every security model used, whether
	     loaded as a module or built with the system, is required to add an entry to this
	     node with at least one element, ``name'', indicating the name of the security model.

	     In addition to the name, any settings and other information private to the security
	     model will be available under this node.  See secmodel(9) for more information.

     security.pax
	     Settings for PaX -- exploit mitigation features.  For more information on any of the
	     PaX features, please see paxctl(8) and security(7).  The available third and fourth
	     level names are:

	       Third and fourth level names		 Type	    Changeable
	       security.pax.aslr.enabled		 integer    yes
	       security.pax.aslr.global 		 integer    yes
	       security.pax.mprotect.enabled		 integer    yes
	       security.pax.mprotect.global		 integer    yes
	       security.pax.segvguard.enabled		 integer    yes
	       security.pax.segvguard.expiry_timeout	 integer    yes
	       security.pax.segvguard.global		 integer    yes
	       security.pax.segvguard.max_crashes	 integer    yes
	       security.pax.segvguard.suspend_timeout	 integer    yes

	     security.pax.aslr.enabled
		     Enable PaX ASLR (Address Space Layout Randomization).

		     The value of this knob must be non-zero for PaX ASLR to be enabled, even if
		     a program is set to explicit enable.

	     security.pax.aslr.global
		     Specifies the default global policy for programs without an explicit
		     enable/disable flag.

		     When non-zero, all programs will get PaX ASLR, except those exempted with
		     paxctl(8).  Otherwise, no program will get PaX ASLR, except those
		     specifically marked as such with paxctl(8).

	     security.pax.mprotect.enabled
		     Enable PaX MPROTECT restrictions.

		     These are mprotect(2) restrictions to better enforce a W^X policy.  The
		     value of this knob must be non-zero for PaX MPROTECT to be enabled, even if
		     a program is set to explicit enable.

	     security.pax.mprotect.global
		     Specifies the default global policy for programs without an explicit
		     enable/disable flag.

		     When non-zero, all programs will get the PaX MPROTECT restrictions, except
		     those exempted with paxctl(8).  Otherwise, no program will get the PaX
		     MPROTECT restrictions, except those specifically marked as such with
		     paxctl(8).

	     security.pax.segvguard.enabled
		     Enable PaX Segvguard.

		     PaX Segvguard can detect and prevent certain exploitation attempts, where an
		     attacker may try for example to brute-force function return addresses of
		     respawning daemons.

		     Note: The NetBSD interface and implementation of the Segvguard is still
		     experimental, and may change in future releases.

	     security.pax.segvguard.expiry_timeout
		     If the max number was not reached within this timeout (in seconds), the
		     entry will expire.

	     security.pax.segvguard.global
		     Specifies the default global policy for programs without an explicit
		     enable/disable flag.

		     When non-zero, all programs will get the PaX Segvguard, except those
		     exempted with paxctl(8).  Otherwise, no program will get the PaX Segvguard
		     restrictions, except those specifically marked as such with paxctl(8).

	     security.pax.segvguard.max_crashes
		     The maximum number of segfaults a program can receive before suspension.

	     security.pax.segvguard.suspend_timeout
		     Number of seconds to suspend a user from running a faulting program when the
		     limit was exceeded.
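The enabled and global knobs for ASLR and MPROTECT combine with a program's explicit paxctl(8) flag as described above. The following sh script is an added example, not part of the NetBSD manual page: it resolves that combination from a saved `sysctl security.pax` dump. The function names (`knob`, `nonzero`, `pax_effective`, `pax_report`), the mark keywords enable/disable/none, and the sample values are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `sysctl security.pax` output ("name = value" per line);
# the values are made up for the example, not taken from a real host.
PAX_SAMPLE='security.pax.aslr.enabled = 1
security.pax.aslr.global = 0
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 1'

# knob DUMP NAME: print the value of one variable from a sysctl dump (empty if absent).
knob() {
    printf '%s\n' "$1" | awk -F' = ' -v n="$2" '$1 == n { print $2; exit }'
}

# nonzero VALUE: succeed only for a non-zero integer.  Missing or malformed
# values count as zero, so a damaged dump never reports a mitigation as active.
nonzero() {
    case "$1" in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;
    esac
    [ "$1" -ne 0 ]
}

# pax_effective DUMP FEATURE MARK
#   FEATURE: aslr | mprotect
#   MARK:    enable | disable | none  (the program's explicit flag, if any)
# Prints "on" or "off" for a program carrying that mark.
pax_effective() {
    # The .enabled knob must be non-zero, even for an explicitly enabled program.
    if ! nonzero "$(knob "$1" "security.pax.$2.enabled")"; then
        echo off
        return 0
    fi
    case "$3" in
        enable)  echo on ;;
        disable) echo off ;;
        none)
            # Without an explicit flag, the .global knob sets the default policy.
            if nonzero "$(knob "$1" "security.pax.$2.global")"; then
                echo on
            else
                echo off
            fi ;;
        *)
            echo "unknown mark: $3" >&2
            return 2 ;;
    esac
}

# pax_report DUMP: one line per feature and mark.
pax_report() {
    for f in aslr mprotect; do
        for m in enable disable none; do
            printf '%-9s %-8s %s\n' "$f" "$m" "$(pax_effective "$1" "$f" "$m")"
        done
    done
}

pax_report "$PAX_SAMPLE"
```

With the sample values, an unmarked program gets MPROTECT but not ASLR, because aslr.global is 0 while mprotect.global is 1.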

   The vendor.* subtree (CTL_VENDOR)
     The vendor toplevel name is reserved to be used by vendors who wish to have their own pri-
     vate MIB tree.  Intended use is to store values under ``vendor.<yourname>.*''.

SEE ALSO
     sysctl(3), ipsec(4), tcp(4), security(7), sysctl(8)

HISTORY
     The sysctl variables first appeared in 4.4BSD.

BSD					  June 22, 2012 				      BSD

