NAME

sysctl — get or set system information

SYNOPSIS

#include <sys/types.h>
#include <sys/sysctl.h>

int
sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen);

DESCRIPTION

The sysctl() function retrieves system information and allows processes with appropriate privileges to set system information. The information available from sysctl() consists of integers, strings, and tables. Information may be retrieved and set using the sysctl(8) utility; the variable names used by this utility are given here in parentheses.

Unless explicitly noted below, sysctl() returns a consistent snapshot of the data requested. Consistency is obtained by locking the destination buffer into memory so that the data may be copied out without blocking. Calls to sysctl() are serialized to avoid deadlock.

The state is described using a “Management Information Base (MIB)” style name, listed in name, which is a namelen length array of integers.

The information is copied into the buffer specified by oldp. The size of the buffer is given by the location specified by oldlenp before the call, and that location gives the amount of data copied after a successful call. If the amount of data available is greater than the size of the buffer supplied, the call supplies as much data as fits in the buffer provided and returns with the error code ENOMEM. If the old value is not desired, oldp and oldlenp should be set to NULL.

The size of the available data can be determined by calling sysctl() with a NULL parameter for oldp. The size of the available data will be returned in the location pointed to by oldlenp. For some operations, the amount of space may change often. For these operations, the system attempts to round up so that the returned size is large enough for a call to return the data shortly thereafter.

The terminating NUL character is included in the lengths of string values.

To set a new value, newp is set to point to a buffer of length newlen from which the requested value is to be taken. If a new value is not to be set, newp should be set to NULL and newlen set to 0.

The top level names are defined with a CTL_ prefix in <sys/sysctl.h>, and are as follows. The next and subsequent levels down are found in the include files listed here, and described in separate sections below.

Name	Next level names	Description
`CTL_DDB`	ddb/db_var.h	Kernel debugger
`CTL_DEBUG`	sys/sysctl.h	Debugging
`CTL_FS`	sys/sysctl.h	File system
`CTL_HW`	sys/sysctl.h	Generic CPU, I/O
`CTL_KERN`	sys/sysctl.h	High kernel limits
`CTL_MACHDEP`	sys/sysctl.h	Machine dependent
`CTL_NET`	sys/socket.h	Networking
`CTL_VFS`	ufs/ffs/ffs_extern.h	Virtual file system
`CTL_VM`	uvm/uvmexp.h	Virtual memory

For example, the following retrieves the maximum number of processes allowed in the system:

int mib[2], maxproc;
size_t len;

mib[0] = CTL_KERN;
mib[1] = KERN_MAXPROC;
len = sizeof(maxproc);
if (sysctl(mib, 2, &maxproc, &len, NULL, 0) == -1)
	err(1, "sysctl");

CTL_DDB

Integer information and settable variables are available for the CTL_DDB level, as described below. More information is also available in ddb(4).

Second level name	Type	Changeable
`DBCTL_CONSOLE`	integer	yes
`DBCTL_LOG`	integer	yes
`DBCTL_MAXLINE`	integer	yes
`DBCTL_MAXWIDTH`	integer	yes
`DBCTL_PANIC`	integer	yes
`DBCTL_RADIX`	integer	yes
`DBCTL_TABSTOP`	integer	yes
`DBCTL_TRIGGER`	integer	yes

DBCTL_CONSOLE (ddb.console): When this variable is set, an architecture dependent magic key sequence on the console or a debugger button will permit entry into the kernel debugger. When running with a securelevel(7) greater than 0, this variable may not be raised.
DBCTL_LOG (ddb.log): When set, ddb output is also logged in the kernel message buffer.
DBCTL_MAXLINE (ddb.max_line): Determines the number of lines to page in ddb(4). This variable is also available as the ddb $lines variable.
DBCTL_MAXWIDTH (ddb.max_width): Determines the maximum width of a line in ddb(4). This variable is also available as the ddb $maxwidth variable.
DBCTL_PANIC (ddb.panic): When this variable is set, system panics may drop into the kernel debugger. When running with a securelevel(7) greater than 0, this variable may not be raised.
DBCTL_RADIX (ddb.radix): Determines the default radix or base for non-prefixed numbers entered into ddb(4). This variable is also available as the ddb $radix variable.
DBCTL_TABSTOP (ddb.tab_stop_width): Width of a tab stop in ddb(4). This variable is also available as the ddb $tabstops variable.
DBCTL_TRIGGER (ddb.trigger): When DBCTL_CONSOLE is set, writing to DBCTL_TRIGGER causes the system to enter ddb(4). When running with a securelevel(7) greater than 0, the process writing to this variable must be running on the console in order to enter ddb(4).

CTL_DEBUG

The debugging variables vary from system to system. A debugging variable may be added or deleted without need to recompile sysctl() to know about it. Each time it runs, sysctl() gets the list of debugging variables from the kernel and displays their current values. The system defines twenty struct ctldebug variables named debug0 through debug19. They are declared as separate variables so that they can be individually initialized at the location of their associated variable. The loader prevents multiple use of the same variable by issuing errors if a variable is initialized in more than one place. For example, to export the variable dospecialcheck as a debugging variable, the following declaration would be used:

int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };

CTL_FS

The string and integer information available for the CTL_FS level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Second level name	Type	Changeable
`FS_POSIX_SETUID`	integer	yes

FS_POSIX_SETUID (fs.posix.setuid): When this variable is set, ownership changes on a file will cause the S_ISUID and S_ISGID bits to be cleared. When running with a securelevel(7) greater than 0, this variable may not be changed.

CTL_HW

The string and integer information available for the CTL_HW level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Second level name	Type	Changeable
`HW_ALLOWPOWERDOWN`	integer	yes
`HW_BATTERY`	node	not applicable
`HW_BYTEORDER`	integer	no
`HW_CPUSPEED`	integer	no
`HW_DISKCOUNT`	integer	no
`HW_DISKNAMES`	string	no
`HW_DISKSTATS`	struct	no
`HW_MACHINE`	string	no
`HW_MODEL`	string	no
`HW_NCPU`	integer	no
`HW_NCPUFOUND`	integer	no
`HW_NCPUONLINE`	integer	no
`HW_PAGESIZE`	integer	no
`HW_PERFPOLICY`	string	yes
`HW_PHYSMEM`	integer	no
`HW_PHYSMEM64`	int64_t	no
`HW_POWER`	integer	no
`HW_PRODUCT`	string	no
`HW_SENSORS`	node	not applicable
`HW_SETPERF`	integer	yes
`HW_SMT`	integer	yes
`HW_UCOMNAMES`	string	no
`HW_USERMEM`	integer	no
`HW_USERMEM64`	int64_t	no
`HW_UUID`	string	no
`HW_VENDOR`	string	no
`HW_VERSION`	string	no

HW_ALLOWPOWERDOWN (hw.allowpowerdown)

Some machines generate an interrupt when the power button is pressed and a driver can catch that interrupt. When this variable is set, such an event will cause the system to perform a regular shutdown and power off the machine. When running with a securelevel(7) greater than 0, this variable may not be changed.

HW_BATTERY (hw.battery)

Control battery charging. These are only available on hardware that supports battery charging control. There are three subnodes:

Third level name	Type	Changeable
`HW_BATTERY_CHARGEMODE`	integer	yes
`HW_BATTERY_CHARGESTART`	integer	maybe
`HW_BATTERY_CHARGESTOP`	integer	yes

Their meanings are as follows:

HW_BATTERY_CHARGEMODE (hw.battery.chargemode): Control if the battery is charged or discharged. A value of -1 means to (forcibly) discharge the battery. A value of 0 means to inhibit charging the battery. A value of 1 means to charge the battery, subject to the configured limits.
HW_BATTERY_CHARGESTART (hw.battery.chargestart): The percentage below which the battery will start charging. Not all hardware allows setting this value. On hardware that does not allow setting this value the battery will typically start charging at a fixed percentage point below the value configured through HW_BATTERY_CHARGESTOP.
HW_BATTERY_CHARGESTOP (hw.battery.chargestop): The percentage above which the battery will stop charging. Setting the value to 100 will fully charge the battery.

By setting HW_BATTERY_CHARGEMODE to 1, and setting both HW_BATTERY_CHARGESTART and HW_BATTERY_CHARGESTOP, the battery will be kept charged at a percentage between the configured limits.

HW_BYTEORDER (hw.byteorder)

The byteorder (4321 or 1234).

HW_CPUSPEED (hw.cpuspeed)

The current CPU frequency (in MHz).

HW_DISKCOUNT (hw.diskcount)

The number of disks currently attached to the system.

HW_DISKNAMES (hw.disknames)

A comma-separated list of disk names.

HW_DISKSTATS (hw.diskstats)

An array of struct diskstats structures containing disk statistics.

HW_MACHINE (hw.machine)

The kernel architecture as returned by uname(1) -m and by machine(1).

HW_MODEL (hw.model)

The machine model.

HW_NCPU (hw.ncpu)

The number of CPUs configured.

HW_NCPUFOUND (hw.ncpufound)

The number of CPUs found.

HW_NCPUONLINE (hw.ncpuonline)

The number of CPUs online.

HW_PAGESIZE (hw.pagesize)

The software page size.

HW_PERFPOLICY (hw.perfpolicy)

The performance policy for power management. Can be one of “manual”, “auto”, or “high”. If the policy contains a comma, the second part specifies an alternative policy used while the system is running on battery. The sysctl API only exports the currently applicable policy. The default setting is “high,auto”.

HW_PHYSMEM

The total physical memory, in bytes. This variable is deprecated; use HW_PHYSMEM64 instead.

HW_PHYSMEM64 (hw.physmem)

The total physical memory, in bytes.

HW_POWER (hw.power)

Machine has wall-power.

HW_PRODUCT (hw.product)

The product name of the machine.

HW_SENSORS (hw.sensors)

Third level comprises an array of struct sensordev structures containing information about devices that may attach hardware monitoring sensors.

Third, fourth and fifth levels together comprise an array of struct sensor structures containing snapshot readings of hardware monitoring sensors. In such usage, third level indicates the numerical representation of the sensor device name to which the sensor is attached (a device's xname and number are matched with the help of struct sensordev structure above), fourth level indicates sensor type and fifth level is an ordinal sensor number (unique to the specified sensor type on the specified sensor device).

The sensordev and sensor structures and sensor_type enumeration are defined in <sys/sensors.h>.

HW_SERIALNO (hw.serialno)

The serial number of the machine.

HW_SETPERF (hw.setperf)

Current CPU performance (percentage). It is only modifiable if HW_PERFPOLICY is set to “manual”.

HW_SMT (hw.smt)

If set to 1, enable simultaneous multithreading (SMT) on CPUs that support it. Disabled by default.

HW_UCOMNAMES (hw.ucomnames)

A comma-separated list of currently attached ucom(4) devices in the following format:

ucomN:usbbus.rootport.route.interface

The route consists of five hexadecimal digits identifying the path from the root port to the port containing the interface.

HW_USERMEM

The amount of available non-kernel memory in bytes. This variable is deprecated; use HW_USERMEM64 instead.

HW_USERMEM64 (hw.usermem)

The amount of available non-kernel memory in bytes.

HW_UUID (hw.uuid)

The universal unique identification number assigned to the machine.

HW_VENDOR (hw.vendor)

The vendor name for this machine.

HW_VERSION (hw.version)

The version or revision of this machine.

CTL_KERN

The string and integer information available for the CTL_KERN level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value. The types of data currently available are process information, system vnodes, the open file entries, routing table entries, virtual memory statistics, load average history, and clock rate information.

Second level name	Type	Changeable
`KERN_ALLOWDT`	integer	yes
`KERN_ALLOWKMEM`	integer	yes
`KERN_ARGMAX`	integer	no
`KERN_AUDIO`	node	yes
`KERN_BOOTTIME`	struct timeval	no
`KERN_CACHEPCT`	integer	yes
`KERN_CCPU`	integer	no
`KERN_CLOCKRATE`	struct clockinfo	no
`KERN_CONSDEV`	dev_t	no
`KERN_CPTIME`	long[CPUSTATES]	no
`KERN_CPTIME2`	u_int64_t[CPUSTATES]	no
`KERN_CPUSTATS`	struct cpustats	no
`KERN_DOMAINNAME`	string	yes
`KERN_FILE`	struct kinfo_file	no
`KERN_FORKSTAT`	struct forkstat	no
`KERN_FSCALE`	integer	no
`KERN_FSYNC`	integer	no
`KERN_GLOBAL_PTRACE`	integer	yes
`KERN_HOSTID`	integer	yes
`KERN_HOSTNAME`	string	yes
`KERN_INTRCNT`	node	not applicable
`KERN_JOB_CONTROL`	integer	no
`KERN_MALLOCSTATS`	node	no
`KERN_MAXCLUSTERS`	integer	yes
`KERN_MAXFILES`	integer	yes
`KERN_MAXLOCKSPERUID`	integer	yes
`KERN_MAXPARTITIONS`	integer	no
`KERN_MAXPROC`	integer	yes
`KERN_MAXTHREAD`	integer	yes
`KERN_MAXVNODES`	integer	yes
`KERN_MBSTAT`	struct mbstat	no
`KERN_MSGBUF`	char[]	no
`KERN_MSGBUFSIZE`	integer	no
`KERN_NCHSTATS`	struct nchstats	no
`KERN_NFILES`	integer	no
`KERN_NGROUPS`	integer	no
`KERN_NOSUIDCOREDUMP`	integer	yes
`KERN_NPROCS`	integer	no
`KERN_NTHREADS`	integer	no
`KERN_NUMVNODES`	integer	no
`KERN_OSRELEASE`	string	no
`KERN_OSREV`	integer	no
`KERN_OSTYPE`	string	no
`KERN_OSVERSION`	string	no
`KERN_PFSTATUS`	struct pf_status	no
`KERN_POOL_DEBUG`	integer	yes
`KERN_POSIX1`	integer	no
`KERN_PROC`	struct kinfo_proc	no
`KERN_PROC_ARGS`	node	not applicable
`KERN_PROC_CWD`	string	not applicable
`KERN_PROC_NOBROADCASTKILL`	node	not applicable
`KERN_PROC_VMMAP`	struct kinfo_vmentry	no
`KERN_PROF`	node	not applicable
`KERN_RAWPARTITION`	integer	no
`KERN_SAVED_IDS`	integer	no
`KERN_SECURELVL`	integer	raise only
`KERN_SEMINFO`	node	not applicable
`KERN_SHMINFO`	node	not applicable
`KERN_SOMAXCONN`	integer	yes
`KERN_SOMINCONN`	integer	yes
`KERN_SPLASSERT`	int	yes
`KERN_STACKGAPRANDOM`	integer	yes
`KERN_SYSVIPC_INFO`	node	not applicable
`KERN_SYSVMSG`	integer	no
`KERN_SYSVSEM`	integer	no
`KERN_SYSVSHM`	integer	no
`KERN_TIMECOUNTER`	node	not applicable
`KERN_TTY`	node	not applicable
`KERN_TTYCOUNT`	integer	no
`KERN_UTC_OFFSET`	integer	yes
`KERN_VERSION`	string	no
`KERN_VIDEO`	node	yes
`KERN_WATCHDOG`	node	not applicable
`KERN_WITNESS`	node	not applicable
`KERN_WXABORT`	integer	yes

KERN_ALLOWDT (kern.allowdt)

Allow userland processes access to /dev/dt. When running with a securelevel(7) greater than 0, this variable may not be changed.

KERN_ALLOWKMEM (kern.allowkmem)

Allow userland processes access to /dev/mem and /dev/kmem. When running with a securelevel(7) greater than 0, this variable may not be changed.

KERN_ARGMAX (kern.argmax)

The maximum number of bytes allowed among the arguments to execve(2).

KERN_AUDIO (kern.audio)

Control device-independent aspects of the audio(4) subsystem.

Third level name	Type	Changeable
`KERN_AUDIO_RECORD`	integer	yes
`KERN_AUDIO_KBDCONTROL`	integer	yes

The variables are as follows:

KERN_AUDIO_RECORD (kern.audio.record): If set to the default value of 0, recording is muted by default for all audio devices. Otherwise, audio recording is enabled by default. For individual devices, this setting can be overridden with the mixerctl(8) record.enable variable.
KERN_AUDIO_KBDCONTROL (kern.audio.kbdcontrol): If set to the default value of 1, the wskbd(4) driver will attempt to adjust the level of the first audio(4) device when the volume keys of multimedia keyboards are pressed.

KERN_BOOTTIME (kern.boottime)

A struct timeval structure is returned. This structure contains the time that the system was booted.

KERN_CACHEPCT (kern.bufcachepercent)

The maximum percentage of DMA-reachable physical memory the buffer cache may use.

KERN_CCPU (kern.ccpu)

The scheduler exponential decay value.

KERN_CLOCKRATE (kern.clockrate)

A struct clockinfo structure is returned. This structure contains the hard clock, statistics clock and profiling clock frequencies, and the number of microseconds per hard clock tick.

KERN_CONSDEV (kern.consdev)

The console device.

KERN_CPTIME (kern.cp_time)

An array of longs of size CPUSTATES is returned, containing statistics about the number of ticks spent by the system in interrupt processing, user processes (nice(1) or normal), system processing, lock spinning, or idling.

KERN_CPTIME2 (kern.cp_time2)

Similar to KERN_CPTIME, but obtains information from only the single CPU specified by the third level name given.

KERN_CPUSTATS

A struct cpustats structure is returned. This structure contains the array described in KERN_CPTIME2 and a bit mask indicating the status of the CPU specified by the third level name.

KERN_DOMAINNAME (kern.domainname)

Get or set the YP domain name like with getdomainname(3), setdomainname(3), and domainname(1).

KERN_FILE (kern.file)

Return the entire file table, or a subset of it. An array of struct kinfo_file structures is returned, whose size depends on the current number of selected files in the system. The third and fourth level names are as follows:

Third level name	Fourth level is:
`KERN_FILE_BYFILE`	A file type
`KERN_FILE_BYPID`	A process ID
`KERN_FILE_BYUID`	A user ID

The fifth level name is the size of the struct kinfo_file and the sixth level name is the number of structures to return.

KERN_FORKSTAT (kern.forkstat)

A struct forkstat structure is returned. This structure contains information about the number of fork(2), vfork(2), and __tfork(3) system calls as well as kernel thread creations since system startup, and the number of pages of virtual memory involved in each.

KERN_FSCALE (kern.fscale)

The kernel fixed-point scale factor.

KERN_FSYNC (kern.fsync)

Return 1 if the File Synchronisation Option is available on this system, otherwise 0.

KERN_GLOBAL_PTRACE (kern.global_ptrace)

When set to 1, permit ptrace(2) to attach to any process with the appropriate privileges. When set to 0, processes may only attach to their own descendants.

KERN_HOSTID (kern.hostid)

Get or set the host ID.

KERN_HOSTNAME (kern.hostname)

Get or set the hostname like with gethostname(3), sethostname(3), and hostname(1).

KERN_JOB_CONTROL (kern.job_control)

Return 1 if job control is available on this system, otherwise 0.

KERN_MALLOCSTATS (kern.malloc)

Return kernel memory bucket statistics. The third level names are detailed below. There are no changeable values in this branch.

Third level name	Type
`KERN_MALLOC_BUCKET`	node
`KERN_MALLOC_BUCKETS`	string
`KERN_MALLOC_KMEMNAMES`	string
`KERN_MALLOC_KMEMSTATS`	node

The variables are as follows:

KERN_MALLOC_BUCKET.<size> (kern.malloc.bucket)

A node containing the statistics for the memory bucket of the specified size (in decimal notation, the number of bytes per bucket element, e.g., 16, 32, 128). Each node returns a struct kmembuckets.

If a value is specified that does not correspond directly to a bucket size, the statistics for the closest larger bucket size will be returned instead.

Note that bucket sizes are typically powers of 2.

KERN_MALLOC_BUCKETS (kern.malloc.buckets)

Return a comma-separated list of the bucket sizes used by the kernel.

KERN_MALLOC_KMEMNAMES (kern.malloc.kmemnames)

Return a comma-separated list of the names of the kernel malloc(9) types.

KERN_MALLOC_KMEMSTATS (kern.malloc.kmemstat)

A node containing the statistics for the memory types of the specified name. Each node returns a struct kmemstats.

KERN_MAXCLUSTERS (kern.maxclusters)

The maximum number of mbuf(9) clusters that may be allocated.

KERN_MAXFILES (kern.maxfiles)

The maximum number of open files that may be open in the system.

KERN_MAXLOCKSPERUID (kern.maxlocksperuid)

The maximum number of file locks per user; the default is 1024.

KERN_MAXPARTITIONS (kern.maxpartitions)

The maximum number of partitions allowed per disk.

KERN_MAXPROC (kern.maxproc)

The maximum number of simultaneous processes the system will allow.

KERN_MAXTHREAD (kern.maxthread)

The maximum number of simultaneous threads the system will allow.

KERN_MAXVNODES (kern.maxvnodes)

The maximum number of vnodes available on the system.

KERN_MBSTAT (kern.mbstat)

A struct mbstat structure is returned, containing statistics on mbuf(9) usage.

KERN_MSGBUF (kern.msgbuf)

Returns a buffer containing kernel log messages; see dmesg(8).

KERN_MSGBUFSIZE (kern.msgbufsize)

The size of the kernel message buffer.

KERN_NCHSTATS (kern.nchstats)

A struct nchstats structure is returned. This structure contains information about the filename to inode(5) mapping cache.

KERN_NFILES (kern.nfiles)

Number of open files.

KERN_NGROUPS (kern.ngroups)

The maximum number of supplemental groups.

KERN_NOSUIDCOREDUMP (kern.nosuidcoredump)

Whether a process may dump core after changing user or group ID:

value	condition	dump core to
0	euid == 0	current directory
1	never
2	always	/var/crash
3	depends	/var/crash/$programname/

KERN_NPROCS (kern.nprocs)

The number of entries in the kernel process table.

KERN_NTHREADS (kern.nthreads)

The number of entries in the kernel thread table.

KERN_NUMVNODES (kern.numvnodes)

Number of vnodes in use.

KERN_OSRELEASE (kern.osrelease)

The system release string as returned by uname(1) -r.

KERN_OSREV (kern.osrevision)

The system revision number.

KERN_OSTYPE (kern.ostype)

The system type string as returned by uname(1) -s; it is always “OpenBSD”.

KERN_OSVERSION (kern.osversion)

The kernel build version as returned by uname(1) -v.

KERN_PFSTATUS

The struct pf_status structure.

KERN_POOL_DEBUG (kern.pool_debug)

Modify the memory pool debug level. Valid values are:

0: Disable pool debugging.
1: Enable use after free detection.
2: In addition to 1, when calling either malloc(9) or pool_get(9) with flags indicating that sleeping is allowed then always yield. Useful to detect potential races.

KERN_POSIX1 (kern.posix1version)

The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply.

KERN_PROC (kern.proc)

Return the entire process table, or a subset of it. An array of struct kinfo_proc structures is returned, whose size depends on the current number of selected processes in the system. The third and fourth level names are as follows:

Third level name	Fourth level is:
`KERN_PROC_ALL`	None
`KERN_PROC_KTHREAD`	A kernel thread
`KERN_PROC_PID`	A process ID
`KERN_PROC_PGRP`	A process group
`KERN_PROC_RUID`	A real user ID
`KERN_PROC_SESSION`	A session PID
`KERN_PROC_TTY`	A tty device
`KERN_PROC_UID`	A user ID

The fifth level name is the size of the struct kinfo_proc and the sixth level name is the number of structures to return.

KERN_PROC_ARGS (kern.procargs)

Returns the arguments or environment of a process. The third level name is the PID of the process. The fourth level name is one of:

KERN_PROC_NARGV and KERN_PROC_NENV return the number of elements as an int in the argv or env array. KERN_PROC_ARGV returns the argv array and KERN_PROC_ENV returns the environ array. The buffer pointed to by oldp is filled with an array of char pointers followed by the strings themselves. The last char pointer is a NULL pointer.

KERN_PROC_CWD (kern.proc_cwd)

Return the current working directory of a process. The third level name is the target process ID. A NUL-terminated string is returned.

KERN_PROC_NOBROADCASTKILL (kern.proc_nobroadcastkill)

When set, a process will no longer be signaled when sending broadcast signals. The third level name is the target process ID.

KERN_PROC_VMMAP (kern.proc_vmmap)

Return the entire process VM map entries. An array of struct kinfo_vmentry structures is returned, whose size depends on the current number of VM map entries of the selected process. Iteration is possible by setting the base address in the first element of struct kinfo_vmentry.

KERN_PROF (kern.profiling)

Return profiling information about the kernel. If the kernel is not compiled for profiling, attempts to retrieve any of the KERN_PROF values will fail with EOPNOTSUPP. The third level names for the string and integer profiling information are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
`GPROF_COUNT`	u_short[]	yes
`GPROF_FROMS`	u_short[]	yes
`GPROF_GMONPARAM`	struct gmonparam	no
`GPROF_STATE`	integer	yes
`GPROF_TOS`	struct tostruct	yes

The variables are as follows:

GPROF_COUNT: Array of statistical program counter counts.
GPROF_FROMS: Array indexed by program counter of call-from points.
GPROF_GMONPARAM: Structure giving the sizes of the above arrays.
GPROF_STATE: Returns GMON_PROF_ON or GMON_PROF_OFF to show that profiling is running or stopped.
GPROF_TOS: Array of struct tostruct describing destination of calls and their counts.

KERN_RAWPARTITION (kern.rawpartition)

The raw partition of a disk (a == 0).

KERN_SAVED_IDS (kern.saved_ids)

Returns 1 if saved set-group-ID and saved set-user-ID are available.

KERN_SECURELVL (kern.securelevel)

The system security level. This level may be raised by processes with appropriate privileges. It may only be lowered by process 1.

KERN_SEMINFO (kern.seminfo)

Return the elements of struct seminfo. If the kernel is not compiled with System V style semaphore support, attempts to retrieve any of the KERN_SEMINFO values will fail with EOPNOTSUPP. The third level names for the elements of struct seminfo are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
`KERN_SEMINFO_SEMAEM`	integer	no
`KERN_SEMINFO_SEMMNI`	integer	yes
`KERN_SEMINFO_SEMMNS`	integer	yes
`KERN_SEMINFO_SEMMNU`	integer	yes
`KERN_SEMINFO_SEMMSL`	integer	yes
`KERN_SEMINFO_SEMOPM`	integer	yes
`KERN_SEMINFO_SEMUME`	integer	no
`KERN_SEMINFO_SEMUSZ`	integer	no
`KERN_SEMINFO_SEMVMX`	integer	no

The variables are as follows:

KERN_SEMINFO_SEMAEM (kern.seminfo.semaem): The adjust on exit maximum value.
KERN_SEMINFO_SEMMNI (kern.seminfo.semmni): The maximum number of semaphore identifiers allowed.
KERN_SEMINFO_SEMMNS (kern.seminfo.semmns): The maximum number of semaphores allowed in the system.
KERN_SEMINFO_SEMMNU (kern.seminfo.semmnu): The maximum number of semaphore undo structures allowed in the system.
KERN_SEMINFO_SEMMSL (kern.seminfo.semmsl): The maximum number of semaphores allowed per ID.
KERN_SEMINFO_SEMOPM (kern.seminfo.semopm): The maximum number of operations per semop(2) call.
KERN_SEMINFO_SEMUME (kern.seminfo.semume): The maximum number of undo entries per process.
KERN_SEMINFO_SEMUSZ (kern.seminfo.semusz): The size (in bytes) of the undo structure.
KERN_SEMINFO_SEMVMX (kern.seminfo.semvmx): The semaphore maximum value.

KERN_SHMINFO (kern.shminfo)

Return the elements of struct shminfo. If the kernel is not compiled with System V style shared memory support, attempts to retrieve any of the KERN_SHMINFO values will fail with EOPNOTSUPP. The third level names for the elements of struct shminfo are detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
`KERN_SHMINFO_SHMALL`	integer	yes
`KERN_SHMINFO_SHMMAX`	integer	yes
`KERN_SHMINFO_SHMMIN`	integer	yes
`KERN_SHMINFO_SHMMNI`	integer	yes
`KERN_SHMINFO_SHMSEG`	integer	yes

The variables are as follows:

KERN_SHMINFO_SHMALL (kern.shminfo.shmall): The maximum amount of total shared memory allowed in the system (in pages).
KERN_SHMINFO_SHMMAX (kern.shminfo.shmmax): The maximum shared memory segment size (in bytes).
KERN_SHMINFO_SHMMIN (kern.shminfo.shmmin): The minimum shared memory segment size (in bytes).
KERN_SHMINFO_SHMMNI (kern.shminfo.shmmni): The maximum number of shared memory identifiers in the system.
KERN_SHMINFO_SHMSEG (kern.shminfo.shmseg): The maximum number of shared memory segments per process.

KERN_SOMAXCONN (kern.somaxconn)

Upper bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The default value is 128.

KERN_SOMINCONN (kern.sominconn)

Lower bound on the number of half-open connections a process can allow to be associated with a socket, using listen(2). The default value is 80.

KERN_SPLASSERT (kern.splassert)

Modify the system interrupt priority level. Valid values are:

0: Disable error checking.
1: Print a message if an error is detected.
2: Print a message if an error is detected, and a stack trace if possible.
3: The same as 2, but also drop into the kernel debugger.

Any other value causes a system panic on errors. See splassert(9) for more information.

KERN_STACKGAPRANDOM (kern.stackgap_random)

Sets the range of the random value added to the stack pointer on each program execution. The random value is added to make buffer overflow exploitation slightly harder. The bigger the number, the harder it is to brute force this added protection, but it also means bigger waste of memory.

KERN_SYSVIPC_INFO (kern.sysvipc_info)

Return System V style IPC configuration and run-time information. The third level name selects the System V style IPC facility.

Third level name	Type
`KERN_SYSVIPC_MSG_INFO`	struct msg_sysctl_info
`KERN_SYSVIPC_SEM_INFO`	struct sem_sysctl_info
`KERN_SYSVIPC_SHM_INFO`	struct shm_sysctl_info

KERN_SYSVIPC_MSG_INFO: Return information on the System V style message facility. The msg_sysctl_info structure is defined in <sys/msg.h>.
KERN_SYSVIPC_SEM_INFO: Return information on the System V style semaphore facility. The sem_sysctl_info structure is defined in <sys/sem.h>.
KERN_SYSVIPC_SHM_INFO: Return information on the System V style shared memory facility. The shm_sysctl_info structure is defined in <sys/shm.h>.

KERN_SYSVMSG (kern.sysvmsg)

Returns 1 if System V style message queue functionality is available on this system, otherwise 0.

KERN_SYSVSEM (kern.sysvem)

Returns 1 if System V style semaphore functionality is available on this system, otherwise 0.

KERN_SYSVSHM (kern.sysvshm)

Returns 1 if System V style shared memory functionality is available on this system, otherwise 0.

KERN_TIMECOUNTER (kern.timecounter)

Return statistics information about the kernel time counter. The third level names information is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
`KERN_TIMECOUNTER_CHOICE`	string	no
`KERN_TIMECOUNTER_HARDWARE`	string	yes
`KERN_TIMECOUNTER_TICK`	integer	no
`KERN_TIMECOUNTER_TIMESTEPWARNINGS`	integer	yes

The variables are as follows:

KERN_TIMECOUNTER_CHOICE (kern.timecounter.choice): Get the list of kernel time counter sources and their claimed quality (higher is better).
KERN_TIMECOUNTER_HARDWARE (kern.timecounter.hardware): Get or set the kernel time counter source by name.
KERN_TIMECOUNTER_TICK (kern.timecounter.tick): Get the number of times we have reset the kernel time counter information.
KERN_TIMECOUNTER_TIMESTEPWARNINGS (kern.timecounter.timestepwarnings): Get or set a flag to log a message when the kernel time is stepped.

KERN_TTY (kern.tty)

Return statistics information about tty input/output. The third level names information is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Third level name	Type	Changeable
`KERN_TTY_INFO`	struct itty	no
`KERN_TTY_TKCANCC`	int64_t	no
`KERN_TTY_TKNIN`	int64_t	no
`KERN_TTY_TKNOUT`	int64_t	no
`KERN_TTY_TKRAWCC`	int64_t	no

The variables are as follows:

KERN_TTY_INFO (kern.tty.ttyinfo): Returns an array of struct itty structures containing tty statistics.
KERN_TTY_TKCANCC (kern.tty.tk_cancc): Returns the number of input characters in canonical mode.
KERN_TTY_TKNIN (kern.tty.tk_nin): Returns the number of input characters from a tty(4).
KERN_TTY_TKNOUT (kern.tty.tk_nout): Returns the number of output characters on a tty(4).
KERN_TTY_TKRAWCC (kern.tty.tk_rawcc): Returns the number of input characters in raw mode.

KERN_TTYCOUNT (kern.ttycount)

Number of available tty(4) devices.

KERN_UTC_OFFSET (kern.utc_offset)

The real-time clock's (RTC) offset from Coordinated Universal Time (UTC) expressed as minutes East of UTC+0. When set, time read from the RTC is adjusted to remove the offset and time written to the RTC is adjusted to reapply it. This may simplify multibooting with an operating system that does not run the RTC in UTC mode. When running with a securelevel(7) greater than 0, this variable may not be changed.

KERN_VERSION (kern.version)

The system version string.

KERN_VIDEO (kern.video)

Control device-independent aspects of the video(4) subsystem. Currently, there is one subnode:

Third level name	Type	Changeable
`KERN_VIDEO_RECORD`	integer	yes

Its meaning is as follows:

KERN_VIDEO_RECORD (kern.video.record): If set to the default value of 0, recording is blanked for all video devices. If the value is non-zero, video recording is enabled.

KERN_WATCHDOG (kern.watchdog)

Return information on hardware watchdog timers. If the kernel does not support a hardware watchdog timer, attempts to retrieve or set any of the KERN_WATCHDOG values will fail with EOPNOTSUPP.

Third level name	Type	Changeable
`KERN_WATCHDOG_AUTO`	integer	yes
`KERN_WATCHDOG_PERIOD`	integer	yes

The variables are as follows:

KERN_WATCHDOG_AUTO (kern.watchdog.auto): If set to 1, the kernel refreshes the watchdog timer periodically. If set to 0, a userland process must ensure that the watchdog timer gets refreshed by setting the KERN_WATCHDOG_PERIOD variable.
KERN_WATCHDOG_PERIOD (kern.watchdog.period): The period of the watchdog timer in seconds. Set to 0 to disable the watchdog timer.

KERN_WITNESS (kern.witness)

Control settings of witness(4).

Third level name	Type	Changeable
`KERN_WITNESS_LOCKTRACE`	integer	yes
`KERN_WITNESS_WATCH`	integer	yes

The variables are as follows:

KERN_WITNESS_LOCKTRACE (kern.witness.locktrace)

When set, witness(4) saves a stack trace on each lock acquisition. The stack traces of acquired locks can be viewed using ddb(4).

KERN_WITNESS_WATCH (kern.witness.watch)

Control how witness(4) behaves on error. Valid values are:

-1: Disable witness(4) completely. System reboot is needed to re-enable it.
0: Disable lock order checking.
1: Print a message if an error is detected.
2: Print a message if an error is detected, and a stack trace if possible.
3: The same as 2, but also drop into the kernel debugger.

KERN_WXABORT (kern.wxabort)

Generate an abort, rather than returning an error, on W^X violation.

CTL_MACHDEP

The set of variables defined is architecture dependent. Most architectures define at least the following variables.

Second level name	Type	Changeable
`CPU_CONSDEV`	dev_t	no

Consult the example file /etc/examples/sysctl.conf for a non-exhaustive list of machdep variables.

CTL_NET

The string and integer information available for the CTL_NET level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Second level name	Type	Changeable
`PF_ROUTE`	routing messages	no
`PF_INET`	IPv4 values	yes
`PF_INET6`	IPv6 values	yes
`PF_UNIX`	UNIX-domain values	yes
`PF_KEY`	key management	no
`PF_MPLS`	MPLS values	yes
`PF_PIPEX`	PIPEX values	yes

PF_ROUTE

Return the entire routing table or a subset of it. The data is returned as a sequence of routing messages (see route(4) for the header file, format, and meaning). The length of each message is contained in the message header.

The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows:

Fifth level name	Sixth level is:
`NET_RT_DUMP`	priority
`NET_RT_FLAGS`	rtflags
`NET_RT_IFLIST`	None
`NET_RT_IFNAMES`	None
`NET_RT_STATS`	None
`NET_RT_TABLE`	rtableid

NET_RT_DUMP: If set to 0, show all routes. If set to any number, show all routes with that number priority. If set to a negative number, show routes that do not have the positive priority value.

An optional seventh level name can be provided to select the routing table on which to run the operation. If not provided, the current routing table is used.

PF_INET

Get or set various global information about IPv4 (Internet Protocol version 4). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:

Protocol name	Variable name	Type	Changeable
ah	enable	integer	yes
bpf	bufsize	integer	yes
bpf	maxbufsize	integer	yes
carp	allow	integer	yes
carp	log	integer	yes
carp	preempt	integer	yes
divert	recvspace	integer	yes
divert	sendspace	integer	yes
esp	enable	integer	yes
esp	udpencap	integer	yes
esp	udpencap_port	integer	yes
etherip	allow	integer	yes
gre	allow	integer	yes
gre	wccp	integer	yes
icmp	bmcastecho	integer	yes
icmp	errppslimit	integer	yes
icmp	maskrepl	integer	yes
icmp	rediraccept	integer	yes
icmp	redirtimeout	integer	yes
icmp	stats	structure	no
icmp	tstamprepl	integer	yes
ip	arpqueued	integer	no
ip	arpdown	integer	yes
ip	arptimeout	integer	yes
ip	arpq	node	N/A
ip	directed-broadcast	integer	yes
ip	encdebug	integer	yes
ip	forwarding	integer	yes
ip	ipsec-allocs	integer	yes
ip	ipsec-auth-alg	string	yes
ip	ipsec-bytes	integer	yes
ip	ipsec-comp-alg	string	yes
ip	ipsec-enc-alg	string	yes
ip	ipsec-expire-acquire	integer	yes
ip	ipsec-firstuse	integer	yes
ip	ipsec-invalid-life	integer	yes
ip	ipsec-pfs	integer	yes
ip	ipsec-soft-allocs	integer	yes
ip	ipsec-soft-bytes	integer	yes
ip	ipsec-soft-firstuse	integer	yes
ip	ipsec-soft-timeout	integer	yes
ip	ipsec-timeout	integer	yes
ip	maxqueue	integer	yes
ip	mforwarding	integer	yes
ip	mtudisc	integer	yes
ip	mtudisctimeout	integer	yes
ip	multipath	integer	yes
ip	portfirst	integer	yes
ip	porthifirst	integer	yes
ip	porthilast	integer	yes
ip	portlast	integer	yes
ip	redirect	integer	yes
ip	sourceroute	integer	yes
ip	stats	structure	no
ip	ttl	integer	yes
ipcomp	enable	integer	yes
ipip	allow	integer	yes
tcp	ackonpush	integer	yes
tcp	always_keepalive	integer	yes
tcp	baddynamic	array	yes
tcp	ecn	integer	yes
tcp	ident	structure	no
tcp	keepidle	integer	yes
tcp	keepinittime	integer	yes
tcp	keepintvl	integer	yes
tcp	mssdflt	integer	yes
tcp	reasslimit	integer	yes
tcp	rfc1323	integer	yes
tcp	rfc3390	integer	yes
tcp	rootonly	array	yes
tcp	rstppslimit	integer	yes
tcp	sack	integer	yes
tcp	stats	structure	no
tcp	synbucketlimit	integer	yes
tcp	syncachelimit	integer	yes
tcp	synhashsize	integer	yes
tcp	synuselimit	integer	yes
tcp	tso	integer	yes
udp	baddynamic	array	yes
udp	checksum	integer	yes
udp	recvspace	integer	yes
udp	rootonly	array	yes
udp	sendspace	integer	yes
udp	stats	structure	no

The variables are as follows:

ah.enable (net.inet.ah.enable)

If set to 1, enable the Authentication Header (AH) IPsec protocol. Enabled by default. See ipsec(4) for more information.

bpf.bufsize (net.bpf.bufsize)

The initial size of bpf(4) buffers.

bpf.maxbufsize (net.bpf.maxbufsize)

The maximum size a user may request a bpf(4) buffer to be.

carp.allow (net.inet.carp.allow)

If set to 0, incoming carp(4) packets will not be processed. If set to any other value, processing will occur. Enabled by default.

carp.log (net.inet.carp.log)

Controls the verbosity of carp(4) logging. May be a value between 0 and 7 corresponding with syslog(3) priorities. The default value is 2.

carp.preempt (net.inet.carp.preempt)

If set to 0, carp(4) will not attempt to become master if it is receiving advertisements from another active master. If set to any other value, carp will become master of the virtual host if it believes it can send advertisements more frequently than the current master. Disabled by default.

divert.recvspace (net.inet.divert.recvspace)

Returns the default divert receive buffer size.

divert.sendspace (net.inet.divert.sendspace)

Returns the default divert send buffer size.

esp.enable (net.inet.esp.enable)

If set to 1, enable the Encapsulating Security Payload (ESP) IPsec protocol. Enabled by default. See ipsec(4) for more information.

esp.udpencap (net.inet.esp.udpencap)

If set to 1, enable processing of UDP encapsulated ESP packets. Enabled by default.

esp.udpencap_port (net.inet.udpencap_port)

Contains the value of the UDP port that triggers decapsulation for incoming UDP encapsulated ESP packets. The default port is 4500.

etherip.allow (net.inet.etherip.allow)

If set to 0, incoming Ethernet-in-IPv4 packets will not be processed. If set to any other value, processing will occur.

gre.allow (net.inet.gre.allow)

If set to 0, incoming GRE packets will not be processed. If set to any other value, processing will occur.

gre.wccp (net.inet.gre.wccp)

If set to 0, incoming WCCPv1-style GRE packets will not be processed. If set to any other value, and gre.allow allows GRE packet processing, WCCPv1-style GRE packets will be processed.

icmp.bmcastecho (net.inet.icmp.bmcastecho)

If set to 1, respond to ICMP echo requests destined for broadcast and multicast addresses. Note, enabling this could open a system to a type of denial of service attack called "smurfing", and is thus not advised.

icmp.errppslimit (net.inet.icmp.errppslimit)

This variable specifies the maximum number of outgoing ICMP error messages per second. ICMP error messages exceeding this value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation.

icmp.maskrepl (kern.inet.icmp.maskrepl)

Returns 1 if ICMP network mask requests are to be answered.

icmp.rediraccept (kern.inet.icmp.rediraccept)

If set to non-zero, the host will accept ICMP redirect packets. Note that routers will never accept ICMP redirect packets, and the variable is meaningful on IP hosts only.

icmp.redirtimeout (net.inet.icmp.redrttimeout)

This variable specifies the lifetime of routing entries generated by incoming ICMP redirects. The default timeout is 10 minutes.

icmp.stats (kern.inet.icmp.stats)

Returns the ICMP statistics in a struct icmpstat.

icmp.tstamprepl (net.inet.icmp.tstamprepl)

If set to 1, reply to ICMP timestamp requests. If set to 0, ignore timestamp requests.

ip.arpqueued (net.inet.ip.arpqueued)

Number of packets ARP resolution is holding onto until it gets a MAC address for an IP.

ip.arpdown (net.inet.ip.arpdown)

Lifetime of unresolved ARP entries, in seconds.

ip.arptimeout (net.inet.ip.arptimeout)

Lifetime of resolved ARP entries, in seconds.

ip.arpq

Fifth level comprises an array of struct ifqueue structures containing information about ARP queue. The fifth level names for the elements of struct ifqueue are detailed below.

Fifth level name	Type	Changeable
`IFQCTL_DROPS`	integer	no
`IFQCTL_LEN`	integer	no
`IFQCTL_MAXLEN`	integer	yes

The variables are as follows:

IFQCTL_DROPS (net.inet.ip.arpq.drops): Returns number of packet dropped.
IFQCTL_LEN (net.inet.ip.arpq.len): Returns the current queue length.
IFQCTL_MAXLEN (net.inet.ip.arpq.maxlen): Get or set the maximum number of queue length.

ip.directed-broadcast (net.inet.ip.directed-broadcast)

Returns 1 if directed broadcast behavior is enabled for the host.

ip.encdebug (net.inet.ip.encdebug)

Returns 1 when error message reporting is enabled for the host. If the kernel has been compiled with the ENCDEBUG option, then debugging information will also be reported when this variable is set.

ip.forwarding (net.inet.ip.forwarding)

If set to 0, IP forwarding is disabled. The IP stack also requires the destination IP address of incoming packets to match the IP address of the network interface the packet is bound to. If set to 1, IP forwarding is enabled for the host, indicating the host is acting as a router. If set to 2, IP forwarding is restricted to traffic that has been IPsec encapsulated or decapsulated by the host. Enabling packet forwarding (values either 1 or 2) relaxes the requirements on incoming packets, so that its destination address must match just any IP address bound to the host. The default value is 0.

ip.ipsec-allocs (net.inet.ip.ipsec-allocs)

The number of IPsec flows that can use a security association before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0.

ip.ipsec-auth-alg (net.inet.ip.ipsec-auth-alg)

This is the default authentication algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic VPN entries. Supported values are hmac-md5, hmac-sha1, and hmac-ripemd160. If set to any other value, it is left to the key management daemons to select an authentication algorithm for the security association. The default value is hmac-sha1.

ip.ipsec-bytes (net.inet.ip.ipsec-bytes)

The number of bytes that will be processed by a security association before it expires. If set to less than or equal to zero, the security association will not expire because of this counter. The default value is 0.

ip.ipsec-comp-alg (net.inet.ip.ipsec-comp-alg)

The compression algorithm to use with an IP Compression Association (IPCA). Currently the only possible value is “deflate”.

ip.ipsec-enc-alg (net.inet.ip.ipsec-enc-alg)

This is the default encryption algorithm the kernel will instruct key management daemons to negotiate when establishing security associations on behalf of the kernel. Such security associations can occur as a result of a process having requested some security level through setsockopt(2), or as a result of dynamic VPN entries. Supported values are aes, des, 3des, blowfish and cast128. If set to any other value, it is left to the key management daemons to select an encryption algorithm for the security association. The default value is aes.

ip.ipsec-expire-acquire (net.inet.ip.ipsec-expire-acquire)

How long the kernel should allow key management to dynamically acquire security associations before re-sending a request. The default value is 30 seconds.

ip.ipsec-firstuse (net.inet.ip.ipsec-firstuse)

The number of seconds after a security association is first used before it expires. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 7200 seconds.

ip.ipsec-invalid-life (net.inet.ip.ipsec-invalid-life)

The lifetime of embryonic Security Associations (SAs that key management daemons have reserved but not fully established yet) in seconds. If set to less than or equal to zero, embryonic SAs will not expire. The default value is 60.

ip.ipsec-pfs (net.inet.ip.ipsec-pfs)

If set to any non-zero value, the kernel will ask the key management daemons to use Perfect Forward Secrecy when establishing IPsec Security Associations. Perfect Forward Secrecy makes IPsec Security Associations cryptographically distinct from each other, such that breaking the key for one such SA does not compromise any others. Requiring PFS for every security association significantly increases the computational load of isakmpd(8) exchanges. The default value is 1.

ip.ipsec-soft-allocs (net.inet.ip.ipsec-soft-allocs)

The number of IPsec flows that can use a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0.

ip.ipsec-soft-bytes (net.inet.ip.ipsec-soft-bytes)

The number of bytes that will be processed by a security association before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 0.

ip.ipsec-soft-firstuse (net.inet.ip.ipsec-soft-firstuse)

The number of seconds after a security association is first used before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 3600 seconds.

ip.ipsec-soft-timeout (net.inet.ip.ipsec-soft-timeout)

The number of seconds after a security association is established before a message is sent by the kernel to key management for renegotiation of the security association. If set to less than or equal to zero, no message is sent to key management. The default value is 80000 seconds.

ip.ipsec-timeout (net.inet.ip.ipsec-timeout)

The number of seconds after a security association is established before it will expire. If set to less than or equal to zero, the security association will not expire because of this timer. The default value is 86400 seconds.

ip.maxqueue (net.inet.ip.maxqueue)

Fragment flood protection. Sets the maximum number of unassembled IP fragments in the fragment queue.

ip.mforwarding (net.inet.ip.mforwarding)

If set to 1, then multicast forwarding is enabled for the host. The default is 0.

ip.mtudisc (net.inet.ip.mtudisc)

Returns 1 if Path MTU Discovery is enabled.

ip.mtudisctimeout (net.inet.ip.mtudisctimeout)

Number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU.

ip.multipath (net.inet.ip.multipath)

This variable enables multipath routing for IPv4 addresses. If set to 0, only the first route selected will be used for a given destination regardless of how many routes exist in the routing table.

ip.portfirst (net.inet.ip.portfirst)

Minimum registered port number for TCP/UDP port allocation. Registered ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be less than ip.portlast.

ip.porthifirst (net.inet.ip.porthifirst)

Minimum dynamic/private port number for TCP/UDP port allocation. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be less than ip.porthilast.

ip.porthilast (net.inet.ip.porthilast)

Maximum dynamic/private port number for TCP/UDP port allocation. Dynamic/private ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 49152 or greater than 65535. Must be greater than ip.porthifirst.

ip.portlast (net.inet.ip.portlast)

Maximum registered port number for TCP/UDP port allocation. Registered ports can be used by ordinary user processes or programs executed by ordinary users. Cannot be less than 1024 or greater than 49151. Must be greater than ip.portfirst.

ip.redirect (net.inet.ip.redirect)

Returns 1 when ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems.

ip.sourceroute (net.inet.ip.sourceroute)

Returns 1 when forwarding of source-routed packets is enabled for the host. When running with a securelevel(7) greater than 0, this variable may not be changed.

ip.stats (net.inet.ip.stats)

Returns the IP statistics in a struct ipstat.

ip.ttl (net.inet.ip.ttl)

The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to normal transport protocols, not to ICMP.

ipcomp.enable (net.inet.ipcomp.enable)

Enable the IPComp protocol. See ipcomp(4) for more information.

ipip.allow (net.inet.ipip.allow)

If set to 0, incoming IP-in-IP packets will not be processed. If set to any other value, processing will occur; furthermore, if set to 2, no checks for spoofing of loopback addresses will be done. This is useful only for debugging purposes, and should never be used in production systems.

tcp.ackonpush (net.inet.tcp.ackonpush)

Returns 1 if TCP segments with the TH_PUSH flag set are being acknowledged immediately, otherwise 0.

tcp.baddynamic (net.inet.tcp.baddynamic)

An array of in_port_t is returned specifying the bitmask of TCP ports between 512 and 1023 inclusive that should not be allocated dynamically by the kernel (i.e., they must be bound specifically by port number).

tcp.ecn (net.inet.tcp.ecn)

Returns 1 if Explicit Congestion Notifications for TCP are enabled.

tcp.ident (net.inet.tcp.ident)

A struct tcp_ident_mapping specifying a local and foreign endpoint of a TCP socket is filled in with the effective and real UIDs of the process that owns the socket. If no such socket exists, then the effective and real UID values are both set to -1.

tcp.keepidle (net.inet.tcp.keepidle)

If the socket option SO_KEEPALIVE has been set on a socket, then this value specifies how much time in seconds a connection needs to be idle before keepalives are sent.

tcp.keepinittime (net.inet.tcp.keepinittime)

Time in seconds to keep alive the initial SYN packet of a TCP handshake.

tcp.keepintvl (net.inet.tcp.keepintvl)

Time in seconds after a keepalive probe is sent until, in the absence of any response, another probe is sent.

tcp.always_keepalive (net.inet.tcp.always_keepalive)

Act as if the option SO_KEEPALIVE was set on all TCP sockets.

tcp.mssdflt (net.inet.tcp.mssdflt)

The maximum segment size that is used as default for non-local connections. The default value is 512.

tcp.reasslimit (net.inet.tcp.reasslimit)

The maximum number of out-of-order TCP segments the system will store for reassembly.

tcp.rfc1323 (net.inet.tcp.rfc1323)

Returns 1 if RFC 1323 extensions to TCP are enabled.

tcp.rfc3390 (net.inet.tcp.rfc3390)

Returns 1 if the TCP Initial Window is increased to 4 * MSS or 4380 bytes, as specified in RFC 3390. Returns 2 if the TCP Initial Window is increased to 10 * MSS or 14600 bytes, as specified in RFC 6928.

tcp.rootonly (net.inet.tcp.rootonly)

An array of in_port_t is returned specifying the bitmask of TCP ports that can only be bound by processes with root euid. When running with a securelevel(7) greater than 0, this variable may not be changed.

tcp.rstppslimit (net.inet.tcp.rstppslimit)

This variable specifies the maximum number of outgoing TCP RST packets per second. TCP RST packets exceeding this value are subject to rate limitation and will not go out from the node. A negative value disables rate limitation.

tcp.sack (net.inet.tcp.sack)

Returns 1 if RFC 2018 Selective Acknowledgements are enabled.

tcp.stats (net.inet.tcp.stats)

Returns the TCP statistics in a struct tcpstat.

tcp.synbucketlimit (net.inet.tcp.synbucketlimit)

The maximum number of entries allowed per hash bucket in the TCP SYN cache.

tcp.syncachelimit (net.inet.tcp.syncachelimit)

The maximum number of entries allowed in the TCP SYN cache.

tcp.synhashsize (net.inet.tcp.synhashsize)

The number of buckets in the TCP SYN cache hash array. After the value is set, the actual size changes when the alternative SYN cache becomes empty and both SYN caches are swapped.

tcp.synuselimit (net.inet.tcp.synuselimit)

The minimum number of times the hash function for the TCP SYN cache is used before it is reseeded.

tcp.tso (net.inet.tcp.tso)

If set to 0, disable TCP segmentation offload (TSO). If set to 1, TSO is enabled (the default).

udp.baddynamic (net.inet.udp.baddynamic)

Analogous to tcp.baddynamic but for UDP sockets.

udp.checksum (net.inet.udp.checksum)

Returns 1 when UDP checksums are being computed and checked. Disabling UDP checksums is strongly discouraged.

udp.recvspace (net.inet.udp.recvspace)

Returns the default UDP receive buffer size.

udp.rootonly (net.inet.udp.rootonly)

Analogous to tcp.rootonly but for UDP sockets.

udp.sendspace (net.inet.udp.sendspace)

Returns the default UDP send buffer size.

udp.stats (net.inet.udp.stats)

Returns the UDP statistics in a struct udpstat.

PF_INET6

Get or set various global information about IPv6 (Internet Protocol version 6). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:

Protocol name	Variable name	Type	Changeable
icmp6	errppslimit	integer	yes
icmp6	mtudisc_hiwat	integer	yes
icmp6	mtudisc_lowat	integer	yes
icmp6	nd6_debug	integer	yes
icmp6	nd6_delay	integer	yes
icmp6	nd6_maxnudhint	integer	yes
icmp6	nd6_mmaxtries	integer	yes
icmp6	nd6_umaxtries	integer	yes
icmp6	redirtimeout	integer	yes
ip6	auto_flowlabel	integer	yes
ip6	dad_count	integer	yes
ip6	dad_pending	integer	yes
ip6	defmcasthlim	integer	yes
ip6	forwarding	integer	yes
ip6	hdrnestlimit	integer	yes
ip6	hlim	integer	yes
ip6	log_interval	integer	yes
ip6	maxdynroutes	integer	yes
ip6	maxfragpackets	integer	yes
ip6	maxfrags	integer	yes
ip6	mforwarding	integer	yes
ip6	mtudisctimeout	integer	yes
ip6	multicast_mtudisc	integer	yes
ip6	multipath	integer	yes
ip6	neighborgcthresh	integer	yes
ip6	redirect	integer	yes
ip6	soiikey	uint8_t[IP6_SOIIKEY_LEN]	yes
ip6	use_deprecated	integer	yes

The variables are as follows:

icmp6.errppslimit (net.inet6.icmp6.errppslimit): This variable specifies the maximum number of outgoing ICMPv6 error messages per second. ICMPv6 error messages exceeding this value are subject to rate limitation and will not go out from the node. A negative value will disable the rate limitation.
icmp6.mtudisc_hiwat (net.inet6.icmp6.mtudisc_hiwat)
icmp6.mtudisc_lowat (net.inet6.icmp6.mtudisc_lowat): These variables define the maximum number of routing table entries created due to path MTU discovery (preventing denial-of-service attacks with ICMPv6 too big messages). After IPv6 path MTU discovery happens, path MTU information is kept in the routing table. If the number of routing table entries exceeds this value, the kernel will not attempt to keep the path MTU information. icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected PCBs. A negative value disables the upper limit.
icmp6.nd6_debug (net.inet6.icmp6.nd6_debug): If set to non-zero, IPv6 neighbor discovery will generate debugging messages. The debug output is useful for diagnosing IPv6 interoperability issues. The flag must be set to 0 for normal operation.
icmp6.nd6_delay (net.inet6.icmp6.nd6_delay): This variable specifies the DELAY_FIRST_PROBE_TIME timing constant in IPv6 neighbor discovery specification (RFC 4861), in seconds.
icmp6.nd6_maxnudhint (net.inet6.icmp6.nd6_maxnudhint): IPv6 neighbor discovery permits upper layer protocols to supply reachability hints, to avoid unnecessary neighbor discovery exchanges. This variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor discovery will take a maximum of 3 consecutive hints. After receiving 3 hints, the neighbor discovery layer will instead perform the normal neighbor discovery process.
icmp6.nd6_mmaxtries (net.inet6.icmp6.nd6_mmaxtries): This variable specifies the MAX_MULTICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 4861).
icmp6.nd6_umaxtries (net.inet6.icmp6.nd6_umaxtries): This variable specifies the MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 4861).
icmp6.redirtimeout (net.inet6.icmp6.redirtimeout): The variable specifies the lifetime of routing entries generated by incoming ICMPv6 redirects.
ip6.auto_flowlabel (net.inet6.ip6.auto_flowlabel): On connected transport protocol packets, fill the IPv6 flowlabel field to help intermediate routers identify packet flows.
ip6.dad_count (net.inet6.ip6.dad_count): This variable configures the number of IPv6 DAD (duplicated address detection) probe packets. These packets are generated when IPv6 interfaces are first brought up.
ip6.dad_pending (net.inet6.ip6.dad_pending): This variable displays the number of pending IPv6 DAD (duplicated address detection) before completion. It is used to make sure that DAD is completed before netstart(8) is executed.
ip6.defmcasthlim (net.inet6.ip6.defmcasthlim): The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overriding this value are documented in ip6(4).
ip6.forwarding (net.inet6.ip6.forwarding): Returns 1 when IPv6 forwarding is enabled for the node, meaning that the node is acting as a router. Returns 0 when IPv6 forwarding is disabled for the node, meaning that the node is acting as a host. Note that IPv6 defines node behavior for the “router” and “host” cases quite differently, and changing this variable during operation may cause serious trouble. Hence, this variable should only be set at bootstrap time. As with IPv4, if forwarding is disabled then the destination address of incoming packets must match the IP address bound to the interface. If forwarding is enabled, the check is relaxed so that the destination IP address of incoming packets must match just any address bound to the host.
ip6.hdrnestlimit (net.inet6.ip6.hdrnestlimit): The number of IPv6 extension headers permitted on incoming IPv6 packets. If set to 0, the node will accept as many extension headers as possible.
ip6.hlim (net.inet6.ip6.hlim): The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. Methods for overriding this value are documented in ip6(4).
ip6.log_interval (net.inet6.ip6.log_interval): This variable permits adjusting the amount of logs generated by the IPv6 packet forwarding engine. The value indicates the number of seconds of interval which must elapse between log output.
ip6.maxdynroutes (net.inet6.ip6.maxdynroutes): Maximum number of routes created by redirect. Set to negative to disable. The default value is 4096.
ip6.maxfragpackets (net.inet6.ip6.maxfragpackets): The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. -1 means that the node will accept as many fragmented packets as it receives. The flag is provided basically for avoiding possible DoS attacks.
ip6.maxfrags (net.inet6.ip6.maxfrags): The maximum number of fragments the node will accept. 0 means that the node will not accept any fragments. -1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks.
ip6.mforwarding (net.inet6.ip6.mforwarding): If set to 1, then multicast forwarding is enabled for the host. The default is 0.
ip6.multicast_mtudisc (net.inet6.ip6.multicast_mtudisc): This variable controls generation of ICMPv6 Too Big messages when the machine is performing as an IPv6 multicast router. If set to 1, an ICMPv6 Too Big message will be generated for multicast packets which were too big to be forwarded. If set to 0, the ICMPv6 Too Big message will be suppressed.
ip6.multipath (net.inet6.ip6.multipath): This variable enables multipath routing for IPv6 addresses. If set to 0, only the first route selected will be used for a given destination regardless of how many routes exist in the routing table.
ip6.mtudisctimeout (net.inet6.ip6.mtudisctimeout): Number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU.
ip6.neighborgcthresh (net.inet6.ip6.neighborgcthresh): Maximum number of entries in neighbor cache. Set to negative to disable. The default value is 2048.
ip6.redirect (net.inet6.ip6.redirect): Returns 1 when ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems.
ip6.soii (net.inet6.ip6.soiikey): This variable configures the secret key for the RFC 7217 algorithm to calculate a persistent Semantically Opaque Interface Identifier (SOII) for IPv6 Stateless Address Autoconfiguration (SLAAC) addresses. It must be IP6_SOIIKEY_LEN bytes long.
ip6.use_deprecated (net.inet6.ip6.use_deprecated): This variable controls the use of deprecated addresses, specified in RFC 4862 5.5.4.

We reuse net.inet.tcp and net.inet.udp for TCP/UDP over IPv6.

PF_UNIX

Get or set various global information about UNIX-domain protocol family. The third level name is the socket type. The fourth level name is the variable name. The currently defined socket types and names are:

Socket type	Variable name	Type	Changeable
stream	recvspace	integer	yes
stream	sendspace	integer	yes
dgram	recvspace	integer	yes
dgram	sendspace	integer	yes
seqpacket	recvspace	integer	yes
seqpacket	sendspace	integer	yes
inflight		integer	no
deferred		integer	no

The variables are as follows:

stream.recvspace (net.unix.stream.recvspace): Returns the default SOCK_STREAM receive buffer size.
stream.sendspace (net.unix.stream.sendspace): Returns the default SOCK_STREAM send buffer size.
dgram.recvspace (net.unix.dgram.recvspace): Returns the default SOCK_DGRAM receive buffer size.
dgram.sendspace (net.unix.dgram.sendspace): Returns the default SOCK_DGRAM send buffer size.
seqpacket.recvspace (net.unix.seqpacket.recvspace): Returns the default SOCK_SEQPACKET receive buffer size.
seqpacket.sendspace (net.unix.seqpacket.sendspace): Returns the default SOCK_SEQPACKET send buffer size.
inflight (net.unix.inflight): Returns the number of file descriptors inflight.
deferred (net.unix.deferred): Returns the number of file descriptors to be closed.

PF_KEY

Return ipsec(4) database dumps. The second level name is PF_KEY_V2. The third level name selects the database as follows:

NET_KEY_SADB_DUMP: Security Association database (SADB).
NET_KEY_SPD_DUMP: IPsec flow database (SPD).

PF_MPLS

Get or set global information about MPLS (Multiprotocol Label Switching).

Third level name	Type	Changeable
`MPLSCTL_DEFTTL`	integer	yes
`MPLSCTL_MAPTTL_IP`	integer	yes
`MPLSCTL_MAPTTL_IP6`	integer	yes

MPLSCTL_DEFTTL (net.mpls.ttl): Set or get the default TTL value which is used for MPLS (Shim) Header. The default is 255.
MPLSCTL_MAPTTL_IP (net.mpls.mapttl_ip): If set to 1, the TTL field is synchronized between the IP header and the MPLS label stack. If set to 0, the IP header TTL is not modified while passing through MPLS and the MPLS label stack is initialized with the MPLSCTL_DEFTTL. The default is 1.
MPLSCTL_MAPTTL_IP6 (net.mpls.mapttl_ip6): If set to 1, the TTL field is synchronized between the IPv6 header and the MPLS label stack. If set to 0, the IPv6 header TTL is not modified while passing through MPLS and the MPLS label stack is initialized with the MPLSCTL_DEFTTL. The default is 0.

PF_PIPEX (net.pipex)

Get or set global information about PIPEX.

The currently defined variable names are:

Third level name	Type	Changeable
`PIPEXCTL_ENABLE`	integer	yes

PIPEXCTL_ENABLE: If set to 1, enable PIPEX processing. The default is 0.

CTL_VFS

The string and integer information available for the CTL_VFS level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Second level name	Type	Changeable
`VFS_GENERIC`	VFS generic info	no
`filesystem #`	filesystem info	no

VFS_GENERIC

This second level identifier requests generic information about the VFS layer. Within it, the following third level identifiers exist:

Third level name	Type	Changeable
`VFS_CONF`	struct vfsconf	no
`VFS_MAXTYPENUM`	int	no

filesystem #

After finding the filesystem dependent vfc_typenum using VFS_GENERIC with VFS_CONF, it is possible to access filesystem dependent information.

Some filesystems may contain settings.

FFS

Third level name	Type	Changeable
`FFS_DIRHASH_DIRSIZE`	integer	yes
`FFS_DIRHASH_MAXMEM`	integer	yes
`FFS_DIRHASH_MEM`	integer	no
`FFS_MAX_SOFTDEPS`	integer	yes
`FFS_SD_BLK_LIMIT_HIT`	integer	yes
`FFS_SD_BLK_LIMIT_PUSH`	integer	yes
`FFS_SD_DIR_ENTRY`	integer	yes
`FFS_SD_DIRECT_BLK_PTRS`	integer	yes
`FFS_SD_INDIR_BLK_PTRS`	integer	yes
`FFS_SD_INO_LIMIT_HIT`	integer	yes
`FFS_SD_INO_LIMIT_PUSH`	integer	yes
`FFS_SD_INODE_BITMAP`	integer	yes
`FFS_SD_SYNC_LIMIT_HIT`	integer	yes
`FFS_SD_TICKDELAY`	integer	yes
`FFS_SD_WORKLIST_PUSH`	integer	yes

FFS_DIRHASH_DIRSIZE (vfs.ffs.dirhash_dirsize): The minimum size of a directory, in bytes, before it is considered for hashing.
FFS_DIRHASH_MAXMEM (vfs.ffs.dirhash_maxmem): The maximum amount of memory, in bytes, to be used for storing directory hashes.
FFS_DIRHASH_MEM (vfs.ffs.dirhash_mem): The amount of memory currently used by all directory hashes.
FFS_MAX_SOFTDEPS (vfs.ffs.max_softdeps): Maximum structures before slowdowns.
FFS_SD_BLK_LIMIT_HIT (vfs.ffs.sd_blk_limit_hit): Number of times block slowdown imposed.
FFS_SD_BLK_LIMIT_PUSH (vfs.ffs.sd_blk_limit_push): Number of times block limit neared.
FFS_SD_DIR_ENTRY (vfs.ffs.sd_dir_entry): Bufs redirtied as dir entry cannot write.
FFS_SD_DIRECT_BLK_PTRS (vfs.ffs.sd_direct_blk_ptrs): Bufs redirtied as direct ptrs not written.
FFS_SD_INDIR_BLK_PTRS (vfs.ffs.sd_indir_blk_ptrs): Bufs redirtied as indirect ptrs not written.
FFS_SD_INO_LIMIT_HIT (vfs.ffs.sd_ino_limit_hit): Number of times inode limit imposed.
FFS_SD_INO_LIMIT_PUSH (vfs.ffs.sd_ino_limit_push): Number of times inode limit neared.
FFS_SD_INODE_BITMAP (vfs.ffs.sd_inode_bitmap): Bufs redirtied as inode bitmap not written.
FFS_SD_SYNC_LIMIT_HIT (vfs.ffs.sd_sync_limit_hit): Number of synchronous slowdowns imposed.
FFS_SD_TICKDELAY (vfs.ffs.sd_tickdelay): Ticks to pause during slowdown.
FFS_SD_WORKLIST_PUSH (vfs.ffs.sd_worklist_push): Number of worklist cleanups.

NFS

Third level name	Type	Changeable
`NFS_NFSSTATS`	struct nfsstats	yes
`NFS_NIOTHREADS`	int	yes

NFS_NIOTHREADS (vfs.nfs.iothreads): The number of I/O kernel threads for NFS clients. The default is 4; the maximum is 20.

FUSE

Third level name	Type	Changeable
`FUSEFS_INFBUFS`	int	no
`FUSEFS_OPENDEVS`	int	no
`FUSEFS_POOL_NBPAGES`	int	no
`FUSEFS_WAITFBUFS`	int	no

FUSEFS_INFBUFS (vfs.fuse.fusefs_fbufs_in): The number of inbound fusebufs.
FUSEFS_OPENDEVS (vfs.fuse.fusefs_open_devices): The number of FUSE devices opened.
FUSEFS_POOL_NBPAGES (vfs.fuse.fusefs_pool_pages): The number of pages used for fusebuf memory.
FUSEFS_WAITFBUFS (vfs.fuse.fusefs_fbufs_wait): The number of fusebufs waiting for a response.

CTL_VM

The string and integer information available for the CTL_VM level is detailed below. The changeable column shows whether a process with appropriate privileges may change the value.

Second level name	Type	Changeable
`VM_ANONMIN`	integer	yes
`VM_LOADAVG`	struct loadavg	no
`VM_MALLOC_CONF`	string	yes
`VM_MAXSLP`	integer	no
`VM_METER`	struct vmtotal	no
`VM_NKMEMPAGES`	integer	no
`VM_PSSTRINGS`	struct psstrings	no
`VM_SWAPENCRYPT`	swap encrypt values	yes
`VM_USPACE`	integer	no
`VM_UVMEXP`	struct uvmexp	no
`VM_VNODEMIN`	integer	yes
`VM_VTEXTMIN`	integer	yes

VM_ANONMIN (vm.anonmin)

Percentage of physical memory available for pages which contain anonymous mapping.

VM_LOADAVG (vm.loadavg)

Return the load average history. The returned data consists of a struct loadavg.

VM_MALLOC_CONF (vm.malloc_conf)

String of option flags for the malloc(3) family of functions which will be applied to all programs starting in the future. The string contains a maximum of 15 characters.

VM_MAXSLP (vm.maxslp)

The time for a process to be blocked before being swappable, in seconds.

VM_METER (vm.vmmeter)

Return the system wide virtual memory statistics. The returned data consists of a struct vmtotal.

VM_NKMEMPAGES (vm.nkmempages)

Number of pages in kmem_map.

VM_PSSTRINGS (vm.psstrings)

Returns the address of the process struct ps_strings. The ps(1) program uses it to locate the argument and environment strings.

VM_SWAPENCRYPT

Contains statistics about swap encryption. The string and integer information available for the third level is detailed below.

Third level name	Type	Changeable
`SWPENC_CREATED`	integer	no
`SWPENC_DELETED`	integer	no
`SWPENC_ENABLE`	integer	yes

SWPENC_CREATED (vm.swapencrypt.keyscreated): The number of encryption keys that have been randomly created. The swap partition is divided into sections of normally 512KB. Each section has its own encryption key.
SWPENC_DELETED (vm.swapencrypt.keysdeleted): The number of encryption keys that have been deleted, thus effectively erasing the data that has been encrypted with them. Encryption keys are deleted when their reference counter reaches zero.
SWPENC_ENABLE (vm.swapencrypt.enable): Set to 1 to enable swap encryption for all processes. A 0 disables swap encryption. Turning this option on does not affect swap data already on the disk, but all newly written data will be encrypted. When swap encryption is turned on, automatic crash(8) dumps are disabled.

VM_USPACE (vm.uspace)

The number of bytes allocated for each kernel stack.

VM_UVMEXP (vm.uvmexp)

Contains statistics about the UVM memory management system.

VM_VNODEMIN (vm.vnodemin)

Percentage of physical memory available for pages which contain cached file data.

VM_VTEXTMIN (vm.vtextmin)

Percentage of physical memory available for pages which contain cached executable data.

RETURN VALUES

If the call to sysctl() is unsuccessful, -1 is returned and errno is set appropriately.

FILES

<sys/sysctl.h>: top level identifiers and second level kernel and hardware identifiers
<sys/socket.h>: second level network identifiers
<sys/gmon.h>: third level profiling identifiers
<uvm/uvmexp.h>: second level virtual memory identifiers
<uvm/uvm_swap_encrypt.h>: third level virtual memory identifiers
<net/if.h>: packet input/output queue identifiers
<net/pipex.h>: third level PIPEX identifiers
<netinet/in.h>: third and fourth level IPv4/v6 identifiers
<netinet/ip_divert.h>: fourth level divert identifiers
<netinet/icmp_var.h>: fourth level ICMP identifiers
<netinet/icmp6.h>: fourth level ICMPv6 identifiers
<netinet/tcp_var.h>: fourth level TCP identifiers
<netinet/udp_var.h>: fourth level UDP identifiers
<ddb/db_var.h>: second level ddb identifiers
<sys/mount.h>: second level vfs identifiers
<miscfs/fuse/fusefs.h>: third level fusefs identifiers
<nfs/nfs.h>: third level NFS identifiers
<ufs/ffs/ffs_extern.h>: third level FFS identifiers
<machine/cpu.h>: second level CPU identifiers

ERRORS

The following errors may be reported:

[EFAULT]: The buffer name, oldp, newp, or length pointer oldlenp contains an invalid address.
[EINVAL]: The name array is less than two or greater than CTL_MAXNAME.
[EINVAL]: A non-null newp pointer is given and its specified length in newlen is too large or too small.
[ENOMEM]: The length pointed to by oldlenp is too short to hold the requested value.
[ENOENT]: The mib specified does not exist, or exceeds the range that is possible.
[ENXIO]: If the mib is a sparsely populated array, this error may be returned instead.
[ENOTDIR]: The name array specifies an intermediate rather than terminal name.
[EOPNOTSUPP]: The name array specifies a value that is unknown.
[EPERM]: An attempt is made to set a read-only value.
[EPERM]: A process without appropriate privileges attempts to set a value.
[EPERM]: An attempt to change a value protected by the current kernel security level is made.
[ESRCH]: No process could be found which corresponds to the given process ID.

HISTORY

The sysctl() function first appeared in 4.4BSD.