sysctl —
system information variables
The sysctl(3) library function and
  the sysctl(8) utility are used
  to get and set values of system variables, maintained by the kernel. The
  variables are organized in a tree and identified by a sequence of numbers,
  conventionally separated by dots with the topmost identifier at the left side.
  The numbers have corresponding text names. The
  sysctlnametomib(3)
  function or the -M argument to the
  sysctl(8) utility can be used to
  convert the text representation to the numeric one.
The individual sysctl variables are described below, both the
    textual and numeric form where applicable. The textual names can be used as
    argument to the sysctl(8)
    utility and in the file /etc/sysctl.conf. The
    numeric names are usually defined as preprocessor constants and are intended
    for use by programs. Every such constant expands to one integer, which
    identifies the sysctl variable relative to the upper level of the tree. See
    the sysctl(3) manual page for
    programming examples.
The top level names are defined with a CTL_ prefix in
  <sys/sysctl.h>, and are as
  follows. The next and subsequent levels down are found in the include files
  listed here, and described in separate sections below.
The debugging variables vary from system to system. A debugging variable may be
  added or deleted without need to recompile sysctl to
  know about it. Each time it runs, sysctl gets the list
  of debugging variables from the kernel and displays their current values. The
  system defines twenty (struct ctldebug) variables named
  debug0 through debug19. They
  are declared as separate variables so that they can be individually
  initialized at the location of their associated variable. The loader prevents
  multiple use of the same variable by issuing errors if a variable is
  initialized in more than one place. For example, to export the variable
  dospecialcheck as a debugging variable, the following
  declaration would be used:
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck };
 
Note that the dynamic implementation of
    sysctl currently in use largely makes this
    particular sysctl interface obsolete. See
    sysctl(8) for more
    information.
A distinguished second level name, vfs.generic
  (VFS_GENERIC), is used to get general information
  about all file systems. It has the following third level identifiers:
  - vfs.generic.maxtypenum(- VFS_MAXTYPENUM)
- The highest valid file system type number.
- vfs.generic.conf(- VFS_CONF)
- Returns configuration information about the file system type given as a
      fourth level identifier.
- vfs.generic.usermount(- VFS_USERMOUNT)
- Determines if non superuser mounts are allowed, defaults to
      0.
- vfs.generic.magiclinks(- VFS_MAGICLINKS)
- Controls if expansion of variables is going to be performed on pathnames
      or not. Defaults to no variable expansion, 0.
      Variables are of the form@nameand the variables
      supported are described in
      symlink(7) under
      “MAGIC SYMLINKS”.
A second level name for controlling the
    wapbl(4) (Write Ahead Physical
    Block Logging file system journalling) capabilities with the following third
    level identifiers:
  - vfs.wapbl.flush_disk_cache
- Controls whether to attempt to flush the disk cache on each commit. It
      defaults to 1 and it should always be on to ensure integrity of file
      system metadata in the event of a power loss. For slow disks, turning it
      off can improve performance.
- vfs.wapbl.verbose_commit
- For each transaction log commit, print the number of bytes written and the
      time it took to commit as seconds.nanoseconds.
The remaining second level identifiers are the file system names,
    identified by the type number returned by a
    statvfs(2) call or from
    vfs.generic.conf.
The third level identifiers available for each file system are
    given in the header file that defines the mount argument structure for that
    file system.
The string and integer information available for the hw
  level is detailed below. The changeable column shows whether a process with
  appropriate privilege may change the value.
  
    | Second level name | Type | Changeable | 
  
    | hw.alignbytes | integer | no | 
  
    | hw.byteorder | integer | no | 
  
    | hw.cnmagic | string | yes | 
  
    | hw.disknames | string | no | 
  
    | hw.diskstats | struct | no | 
  
    | hw.machine | string | no | 
  
    | hw.machine_arch | string | no | 
  
    | hw.model | string | no | 
  
    | hw.ncpu | integer | no | 
  
    | hw.ncpuonline | integer | no | 
  
    | hw.pagesize | integer | no | 
  
    | hw.physmem | integer | no | 
  
    | hw.physmem64 | quad | no | 
  
    | hw.usermem | integer | no | 
  
    | hw.usermem64 | quad | no | 
  - hw.alignbytes(- HW_ALIGNBYTES)
- Alignment constraint for all possible data types. This shows the value
      ALIGNBYTESin<machine/param.h>, at the
      kernel compilation time.
- hw.byteorder(- HW_BYTEORDER)
- The byteorder (4321, or 1234).
- hw.cnmagic(- HW_CNMAGIC)
- The console magic key sequence.
- hw.disknames(- HW_DISKNAMES)
- The list of (space separated) disk device names on the system.
- hw.iostatnames(- HW_IOSTATNAMES)
- A space separated list of devices that will have I/O statistics collected
      on them.
- hw.iostats(- HW_IOSTATS)
- Return statistical information on the NFS mounts, disk and tape devices on
      the system. An array of struct io_sysctl structures
      is returned, whose size depends on the current number of such objects in
      the system. The third level name is the size of the struct
      io_sysctl. The type of object can be determined by examining the
      type element of struct
      io_sysctl. Which can be IOSTAT_DISK(disk
      drive),IOSTAT_TAPE(tape drive), orIOSTAT_NFS(NFS mount).
- hw.machine(- HW_MACHINE)
- The machine class.
- hw.machine_arch(- HW_MACHINE_ARCH)
- The machine CPU class.
- hw.model(- HW_MODEL)
- The machine model.
- hw.ncpu(- HW_NCPU)
- The number of CPUs configured.
- hw.ncpuonline(- HW_NCPUONLINE)
- The number of CPUs online.
- hw.pagesize(- HW_PAGESIZE)
- The software page size.
- hw.physmem(- HW_PHYSMEM)
- The bytes of physical memory as a 32-bit integer.
- hw.physmem64(- HW_PHYSMEM64)
- The bytes of physical memory as a 64-bit integer.
- hw.usermem(- HW_USERMEM)
- The bytes of non-kernel memory as a 32-bit integer.
- hw.usermem64(- HW_USERMEM64)
- The bytes of non-kernel memory as a 64-bit integer.
This subtree includes data generally related to the kernel. The string and
  integer information available for thekern level is
  detailed below. The changeable column shows whether a process with appropriate
  privilege may change the value.
  
    | Second level name | Type | Changeable | 
  
    | kern.aio_listio_max | integer | yes | 
  
    | kern.aio_max | integer | yes | 
  
    | kern.arandom | integer | no | 
  
    | kern.argmax | integer | no | 
  
    | kern.boothowto | integer | no | 
  
    | kern.boottime | struct timespec | no | 
  
    | kern.buildinfo | string | no | 
  
    | kern.ccpu | integer | no | 
  
    | kern.clockrate | struct clockinfo | no | 
  
    | kern.consdev | integer | no | 
  
    | kern.coredump | node | not applicable | 
  
    | kern.cp_id | struct | no | 
  
    | kern.cp_time | uint64_t[] | no | 
  
    | kern.cryptodevallowsoft | integer | yes | 
  
    | kern.defcorename | string | yes | 
  
    | kern.detachall | integer | yes | 
  
    | kern.domainname | string | yes | 
  
    | kern.drivers | struct kinfo_drivers | no | 
  
    | kern.dump_on_panic | integer | yes | 
  
    | kern.expose_address | integer | yes | 
  
    | kern.file | struct file | no | 
  
    | kern.forkfsleep | integer | yes | 
  
    | kern.fscale | integer | no | 
  
    | kern.fsync | integer | no | 
  
    | kern.hardclock_ticks | integer | no | 
  
    | kern.hostid | integer | yes | 
  
    | kern.hostname | string | yes | 
  
    | kern.iov_max | integer | no | 
  
    | kern.ipc | node | not applicable | 
  
    | kern.job_control | integer | no | 
  
    | kern.labeloffset | integer | no | 
  
    | kern.labelsector | integer | no | 
  
    | kern.login_name_max | integer | no | 
  
    | kern.logsigexit | integer | yes | 
  
    | kern.mapped_files | integer | no | 
  
    | kern.maxfiles | integer | yes | 
  
    | kern.maxlwp | integer | yes | 
  
    | kern.maxpartitions | integer | no | 
  
    | kern.maxphys | integer | no | 
  
    | kern.maxproc | integer | yes | 
  
    | kern.maxptys | integer | yes | 
  
    | kern.maxvnodes | integer | yes | 
  
    | kern.messages | integer | yes | 
  
    | kern.mbuf | node | not applicable | 
  
    | kern.memlock | integer | no | 
  
    | kern.memlock_range | integer | no | 
  
    | kern.memory_protection | integer | no | 
  
    | kern.module | node | not applicable | 
  
    | kern.monotonic_clock | integer | no | 
  
    | kern.mqueue | node | not applicable | 
  
    | kern.msgbuf | integer | no | 
  
    | kern.msgbufsize | integer | no | 
  
    | kern.ngroups | integer | no | 
  
    | kern.ntptime | struct ntptimeval | no | 
  
    | kern.osrelease | string | no | 
  
    | kern.osrevision | integer | no | 
  
    | kern.ostype | string | no | 
  
    | kern.pipe | node | not applicable | 
  
    | kern.pool | struct pool_sysctl | no | 
  
    | kern.posix1version | integer | no | 
  
    | kern.posix_aio | integer | no | 
  
    | kern.posix_barriers | integer | no | 
  
    | kern.posix_reader_writer_locks | integer | no | 
  
    | kern.posix_semaphores | integer | no | 
  
    | kern.posix_spin_locks | integer | no | 
  
    | kern.posix_threads | integer | no | 
  
    | kern.posix_timers | integer | no | 
  
    | kern.proc | struct kinfo_proc | no | 
  
    | kern.proc2 | struct kinfo_proc2 | no | 
  
    | kern.proc_args | string | no | 
  
    | kern.profiling | node | not applicable | 
  
    | kern.rawpartition | integer | no | 
  
    | kern.root_device | string | no | 
  
    | kern.root_partition | integer | no | 
  
    | kern.rtc_offset | integer | yes | 
  
    | kern.saved_ids | integer | no | 
  
    | kern.sbmax | integer | yes | 
  
    | kern.sched | node | not applicable | 
  
    | kern.securelevel | integer | raise only | 
  
    | kern.somaxkva | integer | yes | 
  
    | kern.sooptions | integer | yes | 
  
    | kern.synchronized_io | integer | no | 
  
    | kern.timecounter | node | not applicable | 
  
    | kern.timex | struct | no | 
  
    | kern.tkstat | node | not applicable | 
  
    | kern.tty | node | not applicable | 
  
    | kern.urandom | integer | no | 
  
    | kern.usercrypto | integer | yes | 
  
    | kern.userasymcrypto | integer | yes | 
  
    | kern.veriexec | node | not applicable | 
  
    | kern.version | string | no | 
  
    | kern.vnode | struct vnode | no | 
  - kern.aio_listio_max
- The maximum number of asynchronous I/O operations in a single list I/O
      call. Like with all variables related to
      aio(3), the variable may be
      created and removed dynamically upon loading or unloading the
      corresponding kernel module.
- kern.aio_max
- The maximum number of asynchronous I/O operations.
- kern.arandom(- KERN_ARND)
- This variable returns up to 256 bytes of random data. Multiple queries can
      be used to obtain an infinite amount of non-blocking cryptographically
      secure random data. The used random number generator (RNG) is based on
      arc4random(3).
- kern.argmax(- KERN_ARGMAX)
- The maximum bytes of argument to
      execve(2).
- kern.boothowto
- Flags passed from the boot loader; see
      reboot(2) for the meanings
      of the flags.
- kern.boottime(- KERN_BOOTTIME)
- A struct timespec structure is returned. This
      structure contains the time that the system was booted. That time is
      defined (for this purpose) to be the time at which the kernel first
      started accumulating clock ticks.
- kern.bufq
- This variable contains information on the
      bufq(9) subsystem. Currently,
      the only third level name implemented is
      kern.bufq.strategieswhich provides a list of
      buffer queue strategies currently available.
- kern.buildinfo
- When the kernel is built, the build environment may optionally provide
      arbitrary information to be stored in this variable.
- kern.ccpu(- KERN_CCPU)
- The scheduler exponential decay value.
- kern.clockrate(- KERN_CLOCKRATE)
- A struct clockinfo structure is returned. This
      structure contains the clock, statistics clock and profiling clock
      frequencies, the number of micro-seconds per hz tick, and the clock skew
      rate. Refer to hz(9) for
      additional details.
- kern.consdev(- KERN_CONSDEV)
- Console device.
- kern.coredump
- Settings related to set-id processes coredumps. By default, set-id
      processes do not dump core in situations where other processes would. The
      settings in this node allows an administrator to change this behavior.
    The third level name is
        kern.coredump.setidand fourth level variables
        are described below.
 
      
        | Fourth level name | Type | Changeable |  
        | kern.coredump.setid.dump | integer | yes |  
        | kern.coredump.setid.group | integer | yes |  
        | kern.coredump.setid.mode | integer | yes |  
        | kern.coredump.setid.owner | integer | yes |  
        | kern.coredump.setid.path | string | yes |  
 
      - kern.coredump.setid.dump
- If non-zero, set-id processes will dump core.
- kern.coredump.setid.group
- The group-id for the set-id processes' coredump.
- kern.coredump.setid.mode
- The mode for the set-id processes' coredump. See
          chmod(1).
- kern.coredump.setid.owner
- The user-id that will be used as the owner of the set-id processes'
          coredump.
- kern.coredump.setid.path
- The path to which set-id processes' coredumps will be saved to. Same
          syntax as kern.defcorename.
 
- kern.cp_id(- KERN_CP_ID)
- Mapping of CPU number to CPU id.
- kern.cp_time(- KERN_CP_TIME)
- Returns an array of CPUSTATESuint64_ts. This array contains the number of clock
      ticks spent in different CPU states. On multi-processor systems, the sum
      across all CPUs is returned unless appropriate space is given for one data
      set for each CPU. Data for a specific CPU can also be obtained by adding
      the number of the CPU at the end of the MIB, enlarging it by one.
- kern.cryptodevallowsoft
- This variable controls userland access to hardware versus software
      transforms in the crypto(4)
      system. The available values are as follows:
    
    
      - <
        0
- Always force userlevel requests to use software transforms.
- =
        0
- If present, use hardware and grant userlevel requests for
          non-accelerated transforms (handling the latter in software).
- >
        0
- Allow user requests only for transforms which are
          hardware-accelerated.
 
 
- kern.defcorename(- KERN_DEFCORENAME)
- Default template for the name of core dump files (see also
      proc.pid.corenamein the per-process variablesproc.*, and
      core(5) for format of this
      template). The default value is %n.core and can be
      changed with the kernel configuration optionoptions
      DEFCORENAME(see
      options(4) ).
- kern.detachall
- Detach all devices at shutdown.
- kern.domainname(- KERN_DOMAINNAME)
- Get or set the YP domain name.
- kern.drivers(- KERN_DRIVERS)
- Return an array of struct kinfo_drivers that
      contains the name and major device numbers of all the device drivers in
      the current kernel. The d_name field is always a NUL
      terminated string. The d_bmajor field will be set to
      -1 if the driver doesn't have a block device.
- kern.expose_address
- Expose kernel addresses in
      sysctl(3) calls used by
      fstat(1) and
      sockstat(1). If it is set
      to 0access is not allowed. If it is set to1then only processes that have opened
      /dev/kmem can have access. If it is set to2every process is allowed. Defaults to0forKASLRkernels and1otherwise. Allowing general access renders KASLR
      ineffective; allowing only kmem accessing programs weakens KASLR if those
      programs can be subverted to leak the addresses.
- kern.dump_on_panic(- KERN_DUMP_ON_PANIC)
- Perform a crash dump on system
      panic(9).
- kern.file(- KERN_FILE)
- Return the entire file table. The returned data consists of a single
      struct filelist followed by an array of
      struct file, whose size depends on the current
      number of such objects in the system.
- kern.forkfsleep(- KERN_FORKFSLEEP)
- If fork(2) system call fails
      due to limit on number of processes (either the global maxproc limit or
      user's one), wait for this many milliseconds before returning
      EAGAINerror to process. Useful to keep heavily
      forking runaway processes in bay. Default zero (no sleep). Maximum is 20
      seconds.
- kern.fscale(- KERN_FSCALE)
- The kernel fixed-point scale factor.
- kern.fsync(- KERN_FSYNC)
- Return 1 if the IEEE Std 1003.1b-1993
      (“POSIX.1b”) File Synchronization Option is available
      on this system, otherwise 0.
- kern.hardclock_ticks(- KERN_HARDCLOCK_TICKS)
- Returns the number of
      hardclock(9) ticks.
- kern.hist
- This variable contains kernel history data if the kernel was configured
      for any of the options UVHMIST,USB_DEBUG,BIOHIST, orSCDEBUG. (See
      options(4) for more
      details.) The third-level names correspond to each available history
      table. The values of the history tables are in an internal format, and can
      be decoded by the vmstat(1)
      utility's-Uand-uoptions; the-loption can be used to see which
      tables are available.
- kern.hostid(- KERN_HOSTID)
- Get or set the host identifier. This is aimed to replace the legacy
      gethostid(3) and
      sethostid(3) system
      calls.
- kern.hostname(- KERN_HOSTNAME)
- Get or set the
      hostname(1).
- kern.iov_max(- KERN_IOV_MAX)
- Return the maximum number of iovec structures that a
      process has available for use with
      preadv(2),
      pwritev(2),
      readv(2),
      recvmsg(2),
      sendmsg(2) and
      writev(2).
- kern.ipc(- KERN_SYSVIPC)
- Return information about the SysV IPC parameters. The third level names
      for the ipc variables are detailed below.
    
      
        | Third level name | Type | Changeable |  
        | kern.ipc.sysvmsg | integer | no |  
        | kern.ipc.sysvsem | integer | no |  
        | kern.ipc.sysvshm | integer | no |  
        | kern.ipc.sysvipc_info | struct | no |  
        | kern.ipc.shmmax | integer | yes |  
        | kern.ipc.shmmni | integer | yes |  
        | kern.ipc.shmseg | integer | yes |  
        | kern.ipc.shmmaxpgs | integer | yes |  
        | kern.ipc.shm_use_phys | integer | yes |  
        | kern.ipc.msgmni | integer | yes |  
        | kern.ipc.msgseg | integer | yes |  
        | kern.ipc.semmni | integer | yes |  
        | kern.ipc.semmns | integer | yes |  
        | kern.ipc.semmnu | integer | yes |  
 
      - kern.ipc.sysvmsg(- KERN_SYSVIPC_MSG)
- Returns 1 if System V style message queue functionality is available
          on this system, otherwise 0.
- kern.ipc.sysvsem(- KERN_SYSVIPC_SEM)
- Returns 1 if System V style semaphore functionality is available on
          this system, otherwise 0.
- kern.ipc.sysvshm(- KERN_SYSVIPC_SHM)
- Returns 1 if System V style share memory functionality is available on
          this system, otherwise 0.
- kern.ipc.sysvipc_info(- KERN_SYSVIPC_INFO)
- Return System V style IPC configuration and run-time information. The
          fourth level name selects the System V style IPC facility.
        
          
            | Fourth level name | Type |  
            | KERN_SYSVIPC_MSG_INFO | struct msg_sysctl_info |  
            | KERN_SYSVIPC_SEM_INFO | struct sem_sysctl_info |  
            | KERN_SYSVIPC_SHM_INFO | struct shm_sysctl_info |  
 
          - KERN_SYSVIPC_MSG_INFO
- Return information on the System V style message facility. The
              msg_sysctl_info structure is defined in
              <sys/msg.h>.
- KERN_SYSVIPC_SEM_INFO
- Return information on the System V style semaphore facility. The
              sem_sysctl_info structure is defined in
              <sys/sem.h>.
- KERN_SYSVIPC_SHM_INFO
- Return information on the System V style shared memory facility.
              The shm_sysctl_info structure is defined in
              <sys/shm.h>.
 
- kern.ipc.shmmax(- KERN_SYSVIPC_SHMMAX)
- Max shared memory segment size in bytes.
- kern.ipc.shmmni(- KERN_SYSVIPC_SHMMNI)
- Max number of shared memory identifiers.
- kern.ipc.shmseg(- KERN_SYSVIPC_SHMSEG)
- Max shared memory segments per process.
- kern.ipc.shmmaxpgs(- KERN_SYSVIPC_SHMMAXPGS)
- Max amount of shared memory in pages.
- kern.ipc.shm_use_phys(- KERN_SYSVIPC_SHMUSEPHYS)
- Locking of shared memory in physical memory. If 0, memory can be
          swapped out, otherwise it will be locked in physical memory.
- kern.ipc.msgmni
- Max number of message queue identifiers.
- kern.ipc.msgseg
- Max number of number of message segments.
- kern.ipc.semmni
- Max number of number of semaphore identifiers.
- kern.ipc.semmns
- Max number of number of semaphores in system.
- kern.ipc.semmnu
- Max number of undo structures in system.
 
- kern.job_control(- KERN_JOB_CONTROL)
- Return 1 if job control is available on this system,
    otherwise 0.
- kern.labeloffset(- KERN_LABELOFFSET)
- The offset within the sector specified by
      KERN_LABELSECTORof the
      disklabel(5).
- kern.labelsector(- KERN_LABELSECTOR)
- The sector number containing the
      disklabel(5).
- kern.login_name_max(- KERN_LOGIN_NAME_MAX)
- The size of the storage required for a login name, in bytes, including the
      terminating NUL.
- kern.logsigexit(- KERN_LOGSIGEXIT)
- If this flag is non-zero, the kernel will
      log(9) all process exits due to
      signals which create a core(5)
      file, and whether the coredump was created.
- kern.mapped_files(- KERN_MAPPED_FILES)
- Returns 1 if the IEEE Std 1003.1b-1993
      (“POSIX.1b”) Memory Mapped Files Option is available
      on this system, otherwise 0.
- kern.maxfiles(- KERN_MAXFILES)
- The maximum number of open files that may be open in the system. This also
      controls the maximum file locks per unprivilegied user enforced by
      fnctl(2) and
      flock(2).
- kern.maxpartitions(- KERN_MAXPARTITIONS)
- The maximum number of partitions allowed per disk.
- kern.maxlwp
- The maximum number of Lightweight Processes (threads) the system allows
      per uid.
- kern.maxphys(- KERN_MAXPHYS)
- Maximum raw I/O transfer size.
- kern.maxproc(- KERN_MAXPROC)
- The maximum number of simultaneous processes the system will allow.
- kern.maxptys(- KERN_MAXPTYS)
- The maximum number of pseudo terminals. This value can be both raised and
      lowered, though it cannot be set lower than number of currently used ptys.
      See also pty(4).
- kern.maxvnodes(- KERN_MAXVNODES)
- The maximum number of vnodes available on the system. This can only be
      raised.
- kern.mbuf(- KERN_MBUF)
- Return information about the mbuf control variables. Mbufs are data
      structures which store network packets and other data structures in the
      networking code, see mbuf(9).
      The third level names for the mbuf variables are detailed below. The
      changeable column shows whether a process with appropriate privilege may
      change the value.
    
      
        | Third level name | Type | Changeable |  
        | kern.mbuf.mblowat | integer | yes |  
        | kern.mbuf.mclbytes | integer | yes |  
        | kern.mbuf.mcllowat | integer | yes |  
        | kern.mbuf.msize | integer | yes |  
        | kern.mbuf.nmbclusters | integer | yes |  
 The variables are as follows: 
      - kern.mbuf.mblowat(- MBUF_MBLOWAT)
- The mbuf low water mark.
- kern.mbuf.mclbytes(- MBUF_MCLBYTES)
- The mbuf cluster size.
- kern.mbuf.mcllowat(- MBUF_MCLLOWAT)
- The mbuf cluster low water mark.
- kern.mbuf.msize(- MBUF_MSIZE)
- The mbuf base size.
- kern.mbuf.nmbclusters(- MBUF_NMBCLUSTERS)
- The limit on the number of mbuf clusters. The variable can only be
          increased, and only increased on machines with direct-mapped pool
          pages.
 
- kern.memlock(- KERN_MEMLOCK)
- Returns 1 if the IEEE Std 1003.1b-1993
      (“POSIX.1b”) Process Memory Locking Option is
      available on this system, otherwise 0.
- kern.memlock_range(- KERN_MEMLOCK_RANGE)
- Returns 1 if the IEEE Std 1003.1b-1993
      (“POSIX.1b”) Range Memory Locking Option is available
      on this system, otherwise 0.
- kern.memory_protection(- KERN_MEMORY_PROTECTION)
- Returns 1 if the IEEE Std 1003.1b-1993
      (“POSIX.1b”) Memory Protection Option is available on
      this system, otherwise 0.
- kern.messages
- Kernel console message verbosity. See
      ⟨sys/reboot.h⟩
    
      
        | Value | Verbosity | sys/reboot.h equivalent |  
        | 0 | Silent | AB_SILENT |  
        | 1 | Quiet | AB_QUIET |  
        | 2 | Normal | AB_NORMAL |  
        | 3 | Verbose | AB_VERBOSE |  
        | 4 | Debug | AB_DEBUG |  
 
- kern.module
- Settings related to kernel modules. The third level names for the settings
      are described below.
    
      
        | Third level name | Type | Changeable |  
        | kern.module.autoload | integer | yes |  
        | kern.module.autotime | integer | yes |  
        | kern.module.verbose | boolean | yes |  
 The variables are as follows: 
      - kern.module.autoload
- A boolean that controls whether kernel modules are loaded
          automatically. See
          module(7) for additional
          details.
- kern.module.autotime
- An integer that controls the delay before an attempt is made to
          automatically unload a module that was auto-loaded. Setting this value
          to zero disables the auto-unload function.
- kern.module.verbose
- A boolean that enables or disables verbose debug messages related to
          kernel modules.
 
- kern.monotonic_clock(- KERN_MONOTONIC_CLOCK)
- Returns the standard version the implementation of the
      IEEE Std 1003.1b-1993 (“POSIX.1b”)
      Monotonic Clock Option conforms to, otherwise 0.
- kern.mqueue
- Settings related to POSIX message queues; see
      mqueue(3). This node is
      created dynamically when the corresponding kernel module is loaded. The
      third level names for the settings are described below.
    
      
        | Third level name | Type | Changeable |  
        | kern.mqueue.mq_open_max | integer | yes |  
        | kern.mqueue.mq_prio_max | integer | yes |  
        | kern.mqueue.mq_max_msgsize | integer | yes |  
        | kern.mqueue.mq_def_maxmsg | integer | yes |  
        | kern.mqueue.mq_max_maxmsg | integer | yes |  
 The variables are: 
      - kern.mqueue.mq_open_max
- The maximum number of message queue descriptors any single process can
          open.
- kern.mqueue.mq_prio_max
- The maximum priority of a message.
- kern.mqueue.mq_max_msgsize
- The maximum size of a message in a message queue.
- kern.mqueue.mq_def_maxmsg
- The default maximum message count.
- kern.mqueue.mq_max_maxmsg
- The maximum number of messages in a message queue.
 
- kern.msgbuf(- KERN_MSGBUF)
- The kernel message buffer, rotated so that the head of the circular kernel
      message buffer is at the start of the returned data. The returned data may
      contain NUL bytes.
- kern.msgbufsize(- KERN_MSGBUFSIZE)
- The maximum number of characters that the kernel message buffer can
    hold.
- kern.ngroups(- KERN_NGROUPS)
- The maximum number of supplemental groups.
- kern.ntptime(- KERN_NTPTIME)
- A struct ntptimeval structure is returned. This
      structure contains data used by the
      ntpd(8) program.
- kern.osrelease(- KERN_OSRELEASE)
- The system release string.
- kern.osrevision(- KERN_OSREV)
- The system revision string.
- kern.ostype(- KERN_OSTYPE)
- The system type string.
- kern.pipe(- KERN_PIPE)
- Pipe settings. The third level names for the integer pipe settings is
      detailed below. The changeable column shows whether a process with
      appropriate privilege may change the value.
    
      
        | Third level name | Type | Changeable |  
        | kern.pipe.kvasiz | integer | yes |  
        | kern.pipe.maxbigpipes | integer | yes |  
        | kern.pipe.maxkvasz | integer | yes |  
        | kern.pipe.limitkva | integer | yes |  
        | kern.pipe.nbigpipes | integer | yes |  
 The variables are as follows: 
      - kern.pipe.kvasiz(- KERN_PIPE_KVASIZ)
- Amount of kernel memory consumed by pipe buffers.
- kern.pipe.maxbigpipes(- KERN_PIPE_MAXBIGPIPES)
- Maximum number of “big” pipes.
- kern.pipe.maxkvasz(- KERN_PIPE_MAXKVASZ)
- Maximum amount of kernel memory to be used for pipes.
- kern.pipe.limitkva(- KERN_PIPE_LIMITKVA)
- Limit for direct transfers via page loan.
- kern.pipe.nbigpipes(- KERN_PIPE_NBIGPIPES)
- Number of “big” pipes.
 
- kern.pool
- Provides statistics about the
      pool(9) and
      pool_cache(9)
      subsystems.
- kern.posix1version(- KERN_POSIX1)
- The version of ISO/IEC 9945 (IEEE Std 1003.1
      (“POSIX.1”)) with which the system attempts to
      comply.
- kern.posix_aio
- The version of IEEE Std 1003.1
      (“POSIX.1”) and its Asynchronous I/O option to which
      the system attempts to conform.
- kern.posix_barriers(- KERN_POSIX_BARRIERS)
- The version of IEEE Std 1003.1
      (“POSIX.1”) and its Barriers option to which the
      system attempts to conform, otherwise 0.
- kern.posix_reader_writer_locks(- KERN_POSIX_READER_WRITER_LOCKS)
- The version of IEEE Std 1003.1
      (“POSIX.1”) and its Read-Write Locks option to which
      the system attempts to conform, otherwise 0.
- kern.posix_semaphores(- KERN_POSIX_SEMAPHORES)
- The version of IEEE Std 1003.1
      (“POSIX.1”) and its Semaphores option to which the
      system attempts to conform, otherwise 0.
- kern.posix_spin_locks(- KERN_POSIX_SPIN_LOCKS)
- The version of IEEE Std 1003.1
      (“POSIX.1”) and its Spin Locks option to which the
      system attempts to conform, otherwise 0.
- kern.posix_threads(- KERN_POSIX_THREADS)
- The version of IEEE Std 1003.1
      (“POSIX.1”) and its Threads option to which the
      system attempts to conform, otherwise 0.
- kern.posix_timers(- KERN_POSIX_TIMERS)
- The version of IEEE Std 1003.1
      (“POSIX.1”) and its Timers option to which the system
      attempts to conform, otherwise 0.
- kern.proc(- KERN_PROC)
- Return the entire process table, or a subset of it. An array of
      struct kinfo_proc structures is returned, whose size
      depends on the current number of such objects in the system. The third and
      fourth level numeric names are as follows:
    
      
        | Third level name | Fourth level is: |  
        | KERN_PROC_ALL | None |  
        | KERN_PROC_GID | A group ID |  
        | KERN_PROC_PID | A process ID |  
        | KERN_PROC_PGRP | A process group |  
        | KERN_PROC_RGID | A real group ID |  
        | KERN_PROC_RUID | A real user ID |  
        | KERN_PROC_SESSION | A session ID |  
        | KERN_PROC_TTY | A tty device |  
        | KERN_PROC_UID | A user ID |  
 
- kern.proc2(- KERN_PROC2)
- As for KERN_PROC, but an array of
      struct kinfo_proc2 structures are returned. The
      fifth level name is the size of the struct
      kinfo_proc2 and the sixth level name is the number of structures to
      return.
- kern.proc_args(- KERN_PROC_ARGS)
- Return the argv or environment strings (or the number thereof) of a
      process. Multiple strings are returned separated by NUL characters. The
      third level name is the process ID. The fourth level name is as follows:
    
  
- kern.profiling(- KERN_PROF)
- Return profiling information about the kernel. If the kernel is not
      compiled for profiling, attempts to retrieve any of the
      KERN_PROFvalues will fail withEOPNOTSUPP. The third level names for the string
      and integer profiling information is detailed below. The changeable column
      shows whether a process with appropriate privilege may change the value.
      
        | Third level name | Type | Changeable |  
        | kern.profiling.count | u_short[] | yes |  
        | kern.profiling.froms | u_short[] | yes |  
        | kern.profiling.gmonparam | struct gmonparam | no |  
        | kern.profiling.state | integer | yes |  
        | kern.profiling.tos | struct tostruct | yes |  
 The variables are as follows: 
      - kern.profiling.count(- GPROF_COUNT)
- Array of statistical program counter counts.
- kern.profiling.froms(- GPROF_FROMS)
- Array indexed by program counter of call-from points.
- kern.profiling.gmonparams(- GPROF_GMONPARAM)
- Structure giving the sizes of the above arrays.
- kern.profiling.state(- GPROF_STATE)
- Profiling state. If set to GMON_PROF_ON,
          starts profiling. If set toGMON_PROF_OFF,
          stops profiling.
- kern.profiling.tos(- GPROF_TOS)
- Array of struct tostruct describing destination
          of calls and their counts.
 
- kern.rawpartition(- KERN_RAWPARTITION)
- The raw partition of a disk (a == 0).
- kern.root_device(- KERN_ROOT_DEVICE)
- The name of the root device (e.g., “wd0”).
- kern.root_partition(- KERN_ROOT_PARTITION)
- The root partition on the root device (a == 0).
- kern.rtc_offset(- KERN_RTC_OFFSET)
- Return the offset of real time clock from UTC in minutes.
- kern.saved_ids(- KERN_SAVED_IDS)
- Returns 1 if saved set-group and saved set-user ID is available.
- kern.sbmax(- KERN_SBMAX)
- Maximum socket buffer size in bytes.
- kern.securelevel(- KERN_SECURELVL)
- See
      secmodel_securelevel(9).
- kern.sched(- dynamic)
- Influence the scheduling of LWPs, their priorisation and how they are
      distributed on and moved between CPUs.
    
      
        | Third level name | Type | Changeable |  
        | kern.sched.cacheht_time | integer | yes |  
        | kern.sched.balance_period | integer | yes |  
        | kern.sched.average_weight | integer | yes |  
        | kern.sched.min_catch | integer | yes |  
        | kern.sched.timesoftints | integer | yes |  
        | kern.sched.kpreempt_pri | integer | yes |  
        | kern.sched.upreempt_pri | integer | yes |  
        | kern.sched.maxts | integer | yes |  
        | kern.sched.mints | integer | yes |  
        | kern.sched.name | string | no |  
        | kern.sched.rtts | integer | no |  
        | kern.sched.pri_min | integer | no |  
        | kern.sched.pri_max | integer | no |  
 The variables are as follows: 
      - kern.sched.cacheht_time(- dynamic)
- Cache hotness time in which a LWP is kept on one particular CPU and
          not moved to another CPU. This reduces the overhead of flushing and
          reloading caches. Defaults to 3ms. Needs to be given in
          “hz” units, see
          mstohz(9).
- kern.sched.balance_period(- dynamic)
- Interval at which the CPU queues are checked for re-balancing.
          Defaults to 300ms. Needs to be given in “hz” units, see
          mstohz(9).
- kern.sched.average_weight(- dynamic)
- Can be used to influence how likely LWPs are to be migrated from one
          CPU's queue of LWPs that are ready to run to a different, idle CPU.
          The value gives the percentage for weighting the average count of
          migratable threads from the past against the current number of
          migratable threads. A small value gives more weight to the past, a
          larger values more weight on the current situation. Defaults to 50 and
          must be between 0 and 100.
- kern.sched.min_catch(- dynamic)
- Minimum count of migratable (runable) threads for catching (stealing)
          from another CPU. Defaults to 1 but can be increased to decrease
          chance of thread migration between CPUs.
- kern.sched.timesoftints(- dynamic)
- Enable tracking of CPU time for soft interrupts as part of a LWP's
          real execution time. Set to a non-zero value to enable, and see
          ps(1) for printing CPU
          times.
- kern.sched.kpreempt_pri(- dynamic)
- Minimum priority to trigger kernel preemption.
- kern.sched.upreempt_pri(- dynamic)
- Minimum priority to trigger user preemption.
- kern.sched.maxts(- dynamic)
- Scheduler specific maximal time quantum (in milliseconds). Must be set
          to a value larger than “mints” and between 10 and
          “hz” as given by the
          kern.clockratesysctl. Provided by the M2
          scheduler.
- kern.sched.mints(- dynamic)
- Scheduler specific minimal time quantum (in milliseconds). Must be set
          to a value smaller than “maxts” and between 1 and
          “hz” as given by the “kern.clockrate”
          sysctl. Provided by the M2 scheduler.
- kern.sched.name(- dynamic)
- Scheduler name. Provided both by the M2 and the 4BSD scheduler.
- kern.sched.rtts(- dynamic)
- Fixed scheduler specific round-robin time quantum in milliseconds.
          Provided both by the M2 and the 4BSD scheduler.
- kern.sched.pri_min(- dynamic)
- Minimal POSIX real-time priority. See
          sched(3).
- kern.sched.pri_max(- dynamic)
- Maximal POSIX real-time priority. See
          sched(3).
 
- kern.somaxkva(- KERN_SOMAXKVA)
- Maximum amount of kernel memory to be used for socket buffers in
    bytes.
- kern.sooptions
- Set the default socket option flags for
      socket(2) creation. See
      setsockopt(2) for a list
      of supported flags.
- kern.synchronized_io(- KERN_SYNCHRONIZED_IO)
- Returns 1 if the IEEE Std 1003.1b-1993
      (“POSIX.1b”) Synchronized I/O Option is available on
      this system, otherwise 0.
- kern.timecounter(- dynamic)
- Display and control the timecounter source of the system.
    
      
        | Third level name | Type | Changeable |  
        | kern.timecounter.choice | string | no |  
        | kern.timecounter.hardware | string | yes |  
        | kern.timecounter.timestepwarnings | integer | yes |  
 The variables are as follows: 
      - kern.timecounter.choice(- dynamic)
- The list of available timecounters with their quality and
        frequency.
- kern.timecounter.hardware(- dynamic)
- The currently selected timecounter source.
- kern.timecounter.timestepwarnings(- dynamic)
- If non-zero display a message each time the time is stepped.
 
- kern.timex(- KERN_TIMEX)
- Not available.
- kern.tkstat(- KERN_TKSTAT)
- Return information about the number of characters sent and received on
      ttys. The third level names for the tty statistic variables are detailed
      below. The changeable column shows whether a process with appropriate
      privilege may change the value.
    
      
        | Third level name | Type | Changeable |  
        | kern.tkstat.cancc | quad | no |  
        | kern.tkstat.nin | quad | no |  
        | kern.tkstat.nout | quad | no |  
        | kern.tkstat.rawcc | quad | no |  
 The variables are as follows: 
      - kern.tkstat.cancc(- KERN_TKSTAT_CANCC)
- The number of canonical input characters.
- kern.tkstat.nin(- KERN_TKSTAT_NIN)
- The total number of input characters.
- kern.tkstat.nout(- KERN_TKSTAT_NOUT)
- The total number of output characters.
- kern.tkstat.rawcc(- KERN_TKSTAT_RAWCC)
- The number of raw input characters.
 
- kern.tty
- The third level names for the tty setup variables are detailed below. The
      changeable column shows whether a process with appropriate privilege may
      change the value.
    
      
        | Third level name | Type | Changeable |  
        | kern.tty.qsize | int | yes |  
 The variables are as follows: 
      - kern.tty.qsize
- Control/display the size of the default input and output queues
          selected during tty creation. Is converted to a power of two and its
          range is between 1024and65536.
 
- kern.uidinfo
- Resource usage for the current user.
    
      
        | Third level name | Type | Changeable |  
        | kern.uidinfo.proccnt | integer | no |  
        | kern.uidinfo.lwpcnt | integer | no |  
        | kern.uidinfo.lockcnt | integer | no |  
        | kern.uidinfo.semcnt | integer | no |  
        | kern.uidinfo.sbsize | integer | no |  
 
      - kern.uidinfo.proccnt
- Returns the number of active processes for the current user.
- kern.uidinfo.lwpcnt
- Returns the number of active threads for the current user; the first
          thread of each process is not counted.
- kern.uidinfo.lockcnt
- Number of locks held by the current user.
- kern.uidinfo.semcnt
- Number of semaphores held by the current user.
- kern.uidinfo.sbsize
- Number of bytes in socket buffers allocated to the current user.
 
- kern.urandom(- KERN_URND)
- Random integer value.
- kern.usercrypto
- When enabled, allows userland to
      open(2) the
      /dev/crypto special device, used by the
      crypto(4) system.
- kern.userasymcrypto
- Enables or disables the use of software asymmetric crypto support in the
      crypto(4) system.
- kern.veriexec
- Runtime information for
      veriexec(8).
    
      
        | Third level name | Type | Changeable |  
        | kern.veriexec.algorithms | string | no |  
        | kern.veriexec.count | node | not applicable |  
        | kern.veriexec.strict | integer | yes |  
        | kern.veriexec.verbose | integer | yes |  
 
      - kern.veriexec.algorithms
- Returns a string with the supported algorithms in Veriexec.
- kern.veriexec.count
- Sub-nodes are added to this node as new mounts are monitored by
          Veriexec. Each mount will be under its own
          tableN node. Under each node there will be
          three variables, indicating the mount point, the file system type, and
          the number of entries.
- kern.veriexec.strict
- Controls the strict level of Veriexec. See
          security(7) for more
          information on each level's implications.
- kern.veriexec.verbose
- Controls the verbosity level of Veriexec. If 0, only the minimal
          indication required will be given about what's happening - fingerprint
          mismatches, removal of entries from the tables, modification of a
          fingerprinted file. If 1, more messages will be printed (ie., when a
          file with a valid fingerprint is accessed). Verbose level 2 is debug
          mode.
 
- kern.version(- KERN_VERSION)
- The system version string.
- kern.vnode(- KERN_VNODE)
- Return the entire vnode table. Note, the vnode table is not necessarily a
      consistent snapshot of the system. The returned data consists of an array
      whose size depends on the current number of such objects in the system.
      Each element of the array contains the kernel address of a vnode
      struct vnode * followed by the vnode itself
      struct vnode.
The set of variables defined is architecture dependent. Most architectures
  define at least the following variables.
The string and integer information available for thenet
  level is detailed below. The changeable column shows whether a process with
  appropriate privilege may change the value. The second and third levels are
  typically the protocol family and protocol number, though this is not always
  the case.
  
    | Second level name | Type | Changeable | 
  
    | net.route | routing messages | no | 
  
    | net.inet | IPv4 values | yes | 
  
    | net.inet6 | IPv6 values | yes | 
  
    | net.key | IPsec key management values | yes | 
  - net.route(- PF_ROUTE)
- Return the entire routing table or a subset of it. The data is returned as
      a sequence of routing messages (see
      route(4) for the header file,
      format and meaning). The length of each message is contained in the
      message header.
    The third level name is a protocol number, which is currently
        always 0. The fourth level name is an address family, which may
        be set to 0 to select all address families. The fifth and sixth level
        names are as follows: 
      
        | Fifth level name | Sixth level is: |  
        | NET_RT_FLAGS | rtflags |  
        | NET_RT_DUMP | None |  
        | NET_RT_IFLIST | None |  
 
- net.inet(- PF_INET)
- Get or set various global information about the IPv4 (Internet Protocol
      version 4). The third level name is the protocol. The fourth level name is
      the variable name. The currently defined protocols and names are:
    
      
        | Protocol | Variable | Type | Changeable |  
        | arp | down | integer | yes |  
        | arp | keep | integer | yes |  
        | arp | log_movements | integer | yes |  
        | arp | log_permanent_modify | integer | yes |  
        | arp | log_unknown_network | integer | yes |  
        | arp | log_wrong_iface | integer | yes |  
        | carp | allow | integer | yes |  
        | carp | preempt | integer | yes |  
        | carp | log | integer | yes |  
        | carp | arpbalance | integer | yes |  
        | icmp | errppslimit | integer | yes |  
        | icmp | maskrepl | integer | yes |  
        | icmp | rediraccept | integer | yes |  
        | icmp | redirtimeout | integer | yes |  
        | icmp | bmcastecho | integer | yes |  
        | ip | allowsrcrt | integer | yes |  
        | ip | anonportalgo.selected | string | yes |  
        | ip | anonportalgo.available | string | yes |  
        | ip | anonportalgo.reserve | struct | yes |  
        | ip | anonportmax | integer | yes |  
        | ip | anonportmin | integer | yes |  
        | ip | checkinterface | integer | yes |  
        | ip | dad_count | integer | yes |  
        | ip | directed-broadcast | integer | yes |  
        | ip | do_loopback_cksum | integer | yes |  
        | ip | forwarding | integer | yes |  
        | ip | forwsrcrt | integer | yes |  
        | ip | gifttl | integer | yes |  
        | ip | grettl | integer | yes |  
        | ip | hashsize | integer | yes |  
        | ip | hostzerobroadcast | integer | yes |  
        | ip | lowportmin | integer | yes |  
        | ip | lowportmax | integer | yes |  
        | ip | maxflows | integer | yes |  
        | ip | maxfragpackets | integer | yes |  
        | ip | mtudisc | integer | yes |  
        | ip | mtudisctimeout | integer | yes |  
        | ip | random_id | integer | yes |  
        | ip | redirect | integer | yes |  
        | ip | subnetsarelocal | integer | yes |  
        | ip | ttl | integer | yes |  
        | tcp | rfc1323 | integer | yes |  
        | tcp | sendspace | integer | yes |  
        | tcp | recvspace | integer | yes |  
        | tcp | mssdflt | integer | yes |  
        | tcp | syn_cache_limit | integer | yes |  
        | tcp | syn_bucket_limit | integer | yes |  
        | tcp | syn_cache_interval | integer | yes |  
        | tcp | init_win | integer | yes |  
        | tcp | init_win_local | integer | yes |  
        | tcp | mss_ifmtu | integer | yes |  
        | tcp | win_scale | integer | yes |  
        | tcp | timestamps | integer | yes |  
        | tcp | cwm | integer | yes |  
        | tcp | cwm_burstsize | integer | yes |  
        | tcp | ack_on_push | integer | yes |  
        | tcp | keepidle | integer | yes |  
        | tcp | keepintvl | integer | yes |  
        | tcp | keepcnt | integer | yes |  
        | tcp | slowhz | integer | no |  
        | tcp | keepinit | integer | yes |  
        | tcp | log_refused | integer | yes |  
        | tcp | rstppslimit | integer | yes |  
        | tcp | ident | struct | no |  
        | tcp | drop | struct | no |  
        | tcp | sack.enable | integer | yes |  
        | tcp | sack.globalholes | integer | no |  
        | tcp | sack.globalmaxholes | integer | yes |  
        | tcp | sack.maxholes | integer | yes |  
        | tcp | ecn.enable | integer | yes |  
        | tcp | ecn.maxretries | integer | yes |  
        | tcp | congctl.selected | string | yes |  
        | tcp | congctl.available | string | yes |  
        | tcp | abc.enable | integer | yes |  
        | tcp | abc.aggressive | integer | yes |  
        | udp | checksum | integer | yes |  
        | udp | do_loopback_cksum | integer | yes |  
        | udp | recvspace | integer | yes |  
        | udp | sendspace | integer | yes |  
 The variables are as follows: 
      - arp.down
- Failed ARP entry lifetime.
- arp.keep
- Valid ARP entry lifetime.
- carp.allow
- If set to 0, incoming
          carp(4) packets will not
          be processed. If set to any other value, processing will occur.
          Enabled by default.
- carp.arpbalance
- If set to any value other than 0, the ARP balancing functionality of
          carp(4) is enabled. When
          ARP requests are received for an IP address which is part of any
          virtual host, carp will hash the source IP in the ARP request to
          select one of the virtual hosts from the set of all the virtual hosts
          which have that IP address. The master of that host will respond with
          the correct virtual MAC address. Disabled by default.
- carp.log
- If set to any value other than 0,
          carp(4) will log errors.
          Disabled by default.
- carp.preempt
- If set to 0, carp(4) will
          not attempt to become master if it is receiving advertisements from
          another active master. If set to any other value, carp will become
          master of the virtual host if it believes it can send advertisements
          more frequently than the current master. Disabled by default.
- ip.allowsrcrt
- If set to 1, the host accepts source routed packets.
- ip.anonportalgo.available
- The available RFC 6056 port randomization algorithms.
- ip.anonportalgo.reserve
- A bitmask of ports that will not be used during anonymous or
          privileged port selection.
- ip.anonportalgo.selected
- The currently selected RFC 6056 port randomization algorithm.
- ip.anonportmax
- The highest port number to use for TCP and UDP ephemeral port
          allocation. This cannot be set to less than 1024 or greater than
          65535, and must be greater than
          ip.anonportmin.
- ip.anonportmin
- The lowest port number to use for TCP and UDP ephemeral port
          allocation. This cannot be set to less than 1024 or greater than
          65535.
- ip.checkinterface
- If set to non-zero, the host will reject packets addressed to it that
          arrive on an interface not bound to that address. Currently, this must
          be disabled if NAT is used to translate the destination address to
          another local interface, or if addresses are added to the loopback
          interface instead of the interface where the packets for those packets
          are received.
- ip.dad_count
- The number of arp(4) probes
          sent for Address Conflict Detection. Set to 0 to disable this.
- ip.directed-broadcast
- If set to 1, enables directed broadcast behavior for the host.
- ip.do_loopback_cksum
- Perform IP checksum on loopback.
- ip.forwarding
- If set to 1, enables IP forwarding for the host, meaning that the host
          is acting as a router.
- ip.forwsrcrt
- If set to 1, enables forwarding of source-routed packets for the host.
          This value may only be changed if the kernel security level is less
          than 1.
- ip.gifttl
- The maximum time-to-live (hop count) value for an IPv4 packet
          generated by gif(4) tunnel
          interface.
- ip.grettl
- The maximum time-to-live (hop count) value for an IPv4 packet
          generated by gre(4) tunnel
          interface.
- ip.hashsize
- The size of IPv4 Fast Forward hash table. This value must be a power
          of 2 (64, 256...). A larger hash table size results in fewer
          collisions. Also see ip.maxflows.
- ip.hostzerobroadcast
- All zeroes address is broadcast address.
- ip.lowportmax
- The highest port number to use for TCP and UDP reserved port
          allocation. This cannot be set to less than 0 or greater than 1024,
          and must be greater than ip.lowportmin.
- ip.lowportmin
- The lowest port number to use for TCP and UDP reserved port
          allocation. This cannot be set to less than 0 or greater than 1024,
          and must be smaller than ip.lowportmax.
- ip.maxflows
- IPv4 Fast Forwarding is enabled by default. If set to 0, IPv4 Fast
          Forwarding is disabled. ip.maxflowscontrols
          the maximum amount of flows which can be created. The default value is
          256.
- ip.maxfragpackets
- The maximum number of fragmented packets the node will accept. 0 means
          that the node will not accept any fragmented packets. -1 means that
          the node will accept as many fragmented packets as it receives. The
          flag is provided basically for avoiding possible DoS attacks.
- ip.mtudisc
- If set to 1, enables Path MTU Discovery (RFC 1191). When Path MTU
          Discovery is enabled, the transmitted TCP segment size will be
          determined by the advertised maximum segment size (MSS) from the
          remote end, as constrained by the path MTU. If MTU Discovery is
          disabled, the transmitted segment size will never be greater than
          tcp.mssdflt(the local maximum segment
        size).
- ip.mtudisctimeout
- The number of seconds in which a route added by the Path MTU Discovery
          engine will time out. When the route times out, the Path MTU Discovery
          engine will attempt to probe a larger path MTU.
- ip.random_id
- Assign random ip_id values.
- ip.redirect
- If set to 1, ICMP redirects may be sent by the host. This option is
          ignored unless the host is routing IP packets, and should normally be
          enabled on all systems.
- ip.subnetsarelocal
- If set to 1, subnets are to be considered local addresses.
- ip.ttl
- The maximum time-to-live (hop count) value for an IP packet sourced by
          the system. This value applies to normal transport protocols, not to
          ICMP.
- icmp.errppslimit
- The variable specifies the maximum number of outgoing ICMP error
          messages, per second. ICMP error messages that exceeded the value are
          subject to rate limitation and will not go out from the node. Negative
          value disables rate limitation.
- icmp.maskrepl
- If set to 1, ICMP network mask requests are to be answered.
- icmp.rediraccept
- If set to non-zero, the host will accept ICMP redirect packets. Note
          that routers will never accept ICMP redirect packets, and the variable
          is meaningful on IP hosts only.
- icmp.redirtimeout
- The variable specifies lifetime of routing entries generated by
          incoming ICMP redirect. This defaults to 600 seconds.
- icmp.returndatabytes
- Number of bytes to return in an ICMP error message.
- icmp.bmcastecho
- If set to 1, enables responding to ICMP echo or timestamp request to
          the broadcast address.
- tcp.ack_on_push
- If set to 1, TCP is to immediately transmit an ACK upon reception of a
          packet with PUSH set. This can avoid losing a round trip time in some
          rare situations, but has the caveat of potentially defeating TCP's
          delayed ACK algorithm. Use of this option is generally not
          recommended, but the variable exists in case your configuration really
          needs it.
- tcp.cwm
- If set to 1, enables use of the Hughes/Touch/Heidemann Congestion
          Window Monitoring algorithm. This algorithm prevents line-rate bursts
          of packets that could otherwise occur when data begins flowing on an
          idle TCP connection. These line-rate bursts can contribute to network
          and router congestion. This can be particularly useful on World Wide
          Web servers which support HTTP/1.1, which has lingering
        connections.
- tcp.cwm_burstsize
- The Congestion Window Monitoring allowed burst size, in terms of
          packet count.
- tcp.delack_ticks
- Number of ticks to delay sending an ACK.
- tcp.do_loopback_cksum
- Perform TCP checksum on loopback.
- tcp.init_win
- A value indicating the TCP initial congestion window. The valid range
          is 0 to 10 (maximum specified by RFC6928), with a default of 4
          (approximately 4K per RFC3390).
- tcp.init_win_local
- Like tcp.init_win, but used when communicating
          with hosts on a local network.
- tcp.keepcnt
- Number of keepalive probes sent before declaring a connection dead. If
          set to zero, there is no limit; keepalives will be sent until some
          kind of response is received from the peer.
- tcp.keepidle
- Time a connection must be idle before keepalives are sent (if
          keepalives are enabled for the connection). See also tcp.slowhz.
- tcp.keepintvl
- Time after a keepalive probe is sent until, in the absence of any
          response, another probe is sent. See also tcp.slowhz.
- tcp.log_refused
- If set to 1, refused TCP connections to the host will be logged.
- tcp.keepinit
- Timeout in seconds during connection establishment.
- tcp.mss_ifmtu
- If set to 1, TCP calculates the outgoing maximum segment size based on
          the MTU of the appropriate interface. If set to 0, it is calculated
          based on the greater of the MTU of the interface, and the largest
          (non-loopback) interface MTU on the system.
- tcp.mssdflt
- The default maximum segment size both advertised to the peer and to
          use when either the peer does not advertise a maximum segment size to
          us during connection setup or Path MTU Discovery
          (ip.mtudisc) is disabled. Do not change this
          value unless you really know what you are doing.
- tcp.recvspace
- The default TCP receive buffer size.
- tcp.rfc1323
- If set to 1, enables RFC 1323 extensions to TCP.
- tcp.rstppslimit
- The variable specifies the maximum number of outgoing TCP RST packets,
          per second. TCP RST packet that exceeded the value are subject to rate
          limitation and will not go out from the node. Negative value disables
          rate limitation.
- tcp.ident
- Return the user ID of a connected socket pair. (RFC1413 Identification
          Protocol lookups.)
- tcp.drop
- Drop a TCP socket pair connection.
- tcp.sack.enable
- If set to 1, enables RFC 2018 Selective ACKnowledgement.
- tcp.sack.globalholes
- Global number of TCP SACK holes.
- tcp.sack.globalmaxholes
- Global maximum number of TCP SACK holes.
- tcp.sack.maxholes
- Maximum number of TCP SACK holes allowed per connection.
- tcp.ecn.enable
- If set to 1, enables RFC 3168 Explicit Congestion Notification.
- tcp.ecn.maxretries
- Number of times to retry sending the ECN-setup packet.
- tcp.sendspace
- The default TCP send buffer size.
- tcp.slowhz
- The units for tcp.keepidle and tcp.keepintvl; those variables are in
          ticks of a clock that ticks tcp.slowhz times per second. (That is,
          their values must be divided by the tcp.slowhz value to get times in
          seconds.)
- tcp.syn_bucket_limit
- The maximum number of entries allowed per hash bucket in the TCP
          compressed state engine.
- tcp.syn_cache_limit
- The maximum number of entries allowed in the TCP compressed state
          engine.
- tcp.timestamps
- If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp
          options, used for measuring TCP round trip times, are enabled.
- tcp.win_scale
- If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale
          options, for increasing the TCP window size, are enabled.
- tcp.congctl.available
- The available TCP congestion control algorithms.
- tcp.congctl.selected
- The currently selected TCP congestion control algorithm.
- tcp.abc.enable
- If set to 1, use RFC 3465 Appropriate Byte Counting (ABC). If set to
          0, use traditional Packet Counting.
- tcp.abc.aggressive
- Choose the L parameter found in RFC 3465. L is the maximum cwnd
          increase for an ack during slow start. If set to 1, use L=2*SMSS. If
          set to 0, use L=1*SMSS. It has no effect unless tcp.abc.enable is set
          to 1.
- udp.checksum
- If set to 1, UDP checksums are being computed. Received non-zero UDP
          checksums are always checked. Disabling UDP checksums is strongly
          discouraged.
- udp.recvspace
- The default UDP receive buffer size.
- udp.sendspace
- The default UDP send buffer size.
 For variables net.*.ipsec, please refer to
        ipsec(4). 
- net.inet6(- PF_INET6)
- Get or set various global information about the IPv6 (Internet Protocol
      version 6). The third level name is the protocol. The fourth level name is
      the variable name. The currently defined protocols and names are:
    
      
        | Protocol | Variable | Type | Changeable |  
        | icmp6 | errppslimit | integer | yes |  
        | icmp6 | mtudisc_hiwat | integer | yes |  
        | icmp6 | mtudisc_lowat | integer | yes |  
        | icmp6 | nd6_debug | integer | yes |  
        | icmp6 | nd6_delay | integer | yes |  
        | icmp6 | nd6_maxnudhint | integer | yes |  
        | icmp6 | nd6_mmaxtries | integer | yes |  
        | icmp6 | nd6_prune | integer | yes |  
        | icmp6 | nd6_umaxtries | integer | yes |  
        | icmp6 | nd6_useloopback | integer | yes |  
        | icmp6 | nodeinfo | integer | yes |  
        | icmp6 | rediraccept | integer | yes |  
        | icmp6 | redirtimeout | integer | yes |  
        | ip6 | accept_rtadv | integer | yes |  
        | ip6 | addctlpolicy | struct in6_addrpolicy | no |  
        | ip6 | anonportalgo.selected | string | yes |  
        | ip6 | anonportalgo.available | string | yes |  
        | ip6 | anonportalgo.reserve | struct | yes |  
        | ip6 | anonportmax | integer | yes |  
        | ip6 | anonportmin | integer | yes |  
        | ip6 | auto_flowlabel | integer | yes |  
        | ip6 | dad_count | integer | yes |  
        | ip6 | defmcasthlim | integer | yes |  
        | ip6 | forwarding | integer | yes |  
        | ip6 | gifhlim | integer | yes |  
        | ip6 | hashsize | integer | yes |  
        | ip6 | hlim | integer | yes |  
        | ip6 | hdrnestlimit | integer | yes |  
        | ip6 | kame_version | string | no |  
        | ip6 | keepfaith | integer | yes |  
        | ip6 | log_interval | integer | yes |  
        | ip6 | lowportmax | integer | yes |  
        | ip6 | lowportmin | integer | yes |  
        | ip6 | maxdynroutes | integer | yes |  
        | ip6 | maxifprefixes | integer | yes |  
        | ip6 | maxifdefrouters | integer | yes |  
        | ip6 | maxflows | integer | yes |  
        | ip6 | maxfragpackets | integer | yes |  
        | ip6 | maxfrags | integer | yes |  
        | ip6 | neighborgcthresh | integer | yes |  
        | ip6 | redirect | integer | yes |  
        | ip6 | rr_prune | integer | yes |  
        | ip6 | use_deprecated | integer | yes |  
        | ip6 | v6only | integer | yes |  
        | udp6 | do_loopback_cksum | integer | yes |  
        | udp6 | recvspace | integer | yes |  
        | udp6 | sendspace | integer | yes |  
 The variables are as follows: 
      - ip6.accept_rtadv
- If set to non-zero, the node will accept ICMPv6 router advertisement
          packets and autoconfigures address prefixes and default routers. The
          node must be a host (not a router) for the option to be
        meaningful.
- ip6.anonportalgo.available
- The available RFC 6056 port randomization algorithms.
- ip6.anonportalgo.reserve
- A bitmask of ports that will not be used during anonymous or
          privileged port selection.
- ip6.anonportalgo.selected
- The currently selected RFC 6056 port randomization algorithm.
- ip6.anonportmax
- The highest port number to use for TCP and UDP ephemeral port
          allocation. This cannot be set to less than 1024 or greater than
          65535, and must be greater than
          ip6.anonportmin.
- ip6.anonportmin
- The lowest port number to use for TCP and UDP ephemeral port
          allocation. This cannot be set to less than 1024 or greater than
          65535.
- ip6.auto_flowlabel
- On connected transport protocol packets, fill IPv6 flowlabel field to
          help intermediate routers to identify packet flows.
- ip6.dad_count
- The variable configures number of IPv6 DAD (duplicated address
          detection) probe packets. The packets will be generated when IPv6
          interface addresses are configured.
- ip6.defmcasthlim
- The default hop limit value for an IPv6 multicast packet sourced by
          the node. This value applies to all the transport protocols on top of
          IPv6. There are APIs to override the value, as documented in
          ip6(4).
- ip6.forwarding
- If set to 1, enables IPv6 forwarding for the node, meaning that the
          node is acting as a router. If set to 0, disables IPv6 forwarding for
          the node, meaning that the node is acting as a host. IPv6
          specification defines node behavior for “router” case
          and “host” case quite differently, and changing this
          variable during operation may cause serious trouble. It is recommended
          to configure the variable at bootstrap time, and bootstrap time
        only.
- ip6.gifhlim
- The maximum hop limit value for an IPv6 packet generated by
          gif(4) tunnel
        interface.
- ip6.hdrnestlimit
- The number of IPv6 extension headers permitted on incoming IPv6
          packets. If set to 0, the node will accept as many extension headers
          as possible.
- ip6.hashsize
- The size of IPv6 Fast Forward hash table. This value must be a power
          of 2 (64, 256, ...). A larger hash table size results in fewer
          collisions. Also see ip6.maxflows.
- ip6.hlim
- The default hop limit value for an IPv6 unicast packet sourced by the
          node. This value applies to all the transport protocols on top of
          IPv6. There are APIs to override the value, as documented in
          ip6(4).
- ip6.kame_version
- The string identifies the version of KAME IPv6 stack implemented in
          the kernel.
- ip6.keepfaith
- If set to non-zero, it enables “FAITH” TCP relay
          IPv6-to-IPv4 translator code in the kernel. Refer
          faith(4) and
          faithd(8) for
        detail.
- ip6.log_interval
- The variable controls amount of logs generated by IPv6 packet
          forwarding engine, by setting interval between log output (in
          seconds).
- ip6.lowportmax
- The highest port number to use for TCP and UDP reserved port
          allocation. This cannot be set to less than 0 or greater than 1024,
          and must be greater than ip6.lowportmin.
- ip6.lowportmin
- The lowest port number to use for TCP and UDP reserved port
          allocation. This cannot be set to less than 0 or greater than 1024,
          and must be smaller than ip6.lowportmax.
- ip6.maxdynroutes
- Maximum number of routes created by redirect. Set it to negative to
          disable. The default value is 4096.
- ip6.maxifprefixes
- Maximum number of prefixes created by route advertisements per
          interface. Set it to negative to disable. The default value is
        16.
- ip6.maxifdefrouters
        16
- Maximum number of default routers created by route advertisements per
          interface. Set it to negative to disable. The default value is
        16.
- ip6.maxflows
- IPv6 Fast Forwarding is enabled by default. If set to 0, IPv6 Fast
          Forwarding is disabled. ip6.maxflowscontrols
          the maximum amount of flows which can be created. The default value is
          256.
- ip6.maxfragpackets
- The maximum number of fragmented packets the node will accept. 0 means
          that the node will not accept any fragmented packets. -1 means that
          the node will accept as many fragmented packets as it receives. The
          flag is provided basically for avoiding possible DoS attacks.
- ip6.maxfrags
- The maximum number of fragments the node will accept. 0 means that the
          node will not accept any fragments. -1 means that the node will accept
          as many fragments as it receives. The flag is provided basically for
          avoiding possible DoS attacks.
- ip6.neighborgcthresh
- Maximum number of entries in neighbor cache per interface. Set to
          negative to disable. The default value is 2048.
- ip6.redirect
- If set to 1, ICMPv6 redirects may be sent by the node. This option is
          ignored unless the node is routing IP packets, and should normally be
          enabled on all systems.
- ip6.rr_prune
- The variable specifies interval between IPv6 router renumbering prefix
          babysitting, in seconds.
- ip6.use_deprecated
- The variable controls use of deprecated address, specified in RFC 2462
          5.5.4.
- ip6.v6only
- The variable specifies initial value for
          IPV6_V6ONLYsocket option forAF_INET6socket. Please refer to
          ip6(4) for detail.
- icmp6.errppslimit
- The variable specifies the maximum number of outgoing ICMPv6 error
          messages, per second. ICMPv6 error messages that exceeded the value
          are subject to rate limitation and will not go out from the node.
          Negative value disables rate limitation.
- icmp6.mtudisc_hiwat
-  
- icmp6.mtudisc_lowat
- The variables define the maximum number of routing table entries,
          created due to path MTU discovery (prevents denial-of-service attacks
          with ICMPv6 too big messages). When IPv6 path MTU discovery happens,
          we keep path MTU information into the routing table. If the number of
          routing table entries exceed the value, the kernel will not attempt to
          keep the path MTU information.
          icmp6.mtudisc_hiwatis used when we have
          verified ICMPv6 too big messages.icmp6.mtudisc_lowatis used when we have
          unverified ICMPv6 too big messages. Verification is performed by using
          address/port pairs kept in connected pcbs. Negative value disables the
          upper limit.
- icmp6.nd6_debug
- If set to non-zero, kernel IPv6 neighbor discovery code will generate
          debugging messages. The debug outputs are useful to diagnose IPv6
          interoperability issues. The flag must be set to 0 for normal
          operation.
- icmp6.nd6_delay
- The variable specifies DELAY_FIRST_PROBE_TIMEtiming constant in IPv6 neighbor discovery specification (RFC 2461),
          in seconds.
- icmp6.nd6_maxnudhint
- IPv6 neighbor discovery permits upper layer protocols to supply
          reachability hints, to avoid unnecessary neighbor discovery exchanges.
          The variable defines the number of consecutive hints the neighbor
          discovery layer will take. For example, by setting the variable to 3,
          neighbor discovery layer will take 3 consecutive hints in maximum.
          After receiving 3 hints, neighbor discovery layer will perform normal
          neighbor discovery process.
- icmp6.nd6_mmaxtries
- The variable specifies MAX_MULTICAST_SOLICITconstant in IPv6 neighbor discovery specification (RFC 2461).
- icmp6.nd6_prune
- The variable specifies interval between IPv6 neighbor cache
          babysitting, in seconds.
- icmp6.nd6_umaxtries
- The variable specifies MAX_UNICAST_SOLICITconstant in IPv6 neighbor discovery specification (RFC 2461).
- icmp6.nd6_useloopback
- If set to non-zero, kernel IPv6 stack will use loopback interface for
          local traffic.
- icmp6.nodeinfo
- The variable enables responses to ICMPv6 node information queries. If
          you set the variable to 0, responses will not be generated for ICMPv6
          node information queries. Since node information queries can have a
          security impact, it is possible to fine tune which responses should be
          answered. Two separate bits can be set.
        
          - 1
- Respond to ICMPv6 FQDN queries, e.g. ping6
              -w.
- 2
- Respond to ICMPv6 node addresses queries, e.g.
              ping6 -a.
 
- icmp6.rediraccept
- If set to non-zero, the host will accept ICMPv6 redirect packets. Note
          that IPv6 routers will never accept ICMPv6 redirect packets, and the
          variable is meaningful on IPv6 hosts (non-router) only.
- icmp6.redirtimeout
- The variable specifies lifetime of routing entries generated by
          incoming ICMPv6 redirect.
- udp6.do_loopback_cksum
- Perform UDP checksum on loopback.
- udp6.recvspace
- Default UDP receive buffer size.
- udp6.sendspace
- Default UDP send buffer size.
 We reuse net.*.tcp for TCP over IPv6, and therefore we do not
        have variables net.*.tcp6. Variables net.inet6.udp6 have identical
        meaning to net.inet.udp. Please refer to PF_INETsection above. For variables net.*.ipsec6, please refer to
        ipsec(4).
 
- net.key(- PF_KEY)
- Get or set various global information about the IPsec key management. The
      third level name is the variable name. The currently defined variable and
      names are:
    
      
        | Variable | Type | Changeable |  
        | debug | integer | yes |  
        | enabled | integer | yes |  
        | used | integer | no |  
        | spi_try | integer | yes |  
        | spi_min_value | integer | yes |  
        | spi_max_value | integer | yes |  
        | larval_lifetime | integer | yes |  
        | blockacq_count | integer | yes |  
        | blockacq_lifetime | integer | yes |  
        | esp_keymin | integer | yes |  
        | esp_auth | integer | yes |  
        | ah_keymin | integer | yes |  
 The variables are as follows:
      - debug
- Turn on debugging message from within the kernel. The value is a
          bitmap, as defined in
          <netipsec/key_debug.h>.
- enabled
- Control processing of IPsec control messages.
        
          - 0
- Never allow IPsec processing
- 1
- Allow IPsec processing when SPD policies are present.
- 2
- Force IPsec processing even when SPD policies are not
            present.
 
- used
- Based on if IPsec is enabled, and SPD rule existence, show if IPsec is
          being used. Note that currently once IPsec is being used, it cannot be
          disabled.
- spi_try
- The number of times the kernel will try to obtain an unique SPI when
          it generates it from random number generator.
- spi_min_value
- Minimum SPI value when generating it within the kernel.
- spi_max_value
- Maximum SPI value when generating it within the kernel.
- larval_lifetime
- Lifetime for LARVAL SAD entries, in seconds.
- blockacq_count
- Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE
          message. It avoids flood of ACQUIRE PF_KEY from being sent from the
          kernel to the key management daemon.
- blockacq_lifetime
- Lifetime of ACQUIRE PF_KEY message.
- esp_keymin
- Minimum ESP key length, in bits. The value is used when the kernel
          creates proposal payload on ACQUIRE PF_KEY message.
- esp_auth
- Whether ESP authentication should be used or not. Non-zero value
          indicates that ESP authentication should be used. The value is used
          when the kernel creates proposal payload on ACQUIRE PF_KEY
        message.
- ah_keymin
- Minimum AH key length, in bits, The value is used when the kernel
          creates proposal payload on ACQUIRE PF_KEY message.
 
- net.local(- PF_LOCAL)
- Get or set various global information about
      AF_LOCALtype sockets. For some variables, the
      third level name is the variable name:
      
        | Variable | Type | Changeable |  
        | inflight | integer | no |  
        | deferred | integer | no |  
 The variables are as follows:
      - inflight
- The number of file descriptors currently passed between processes,
          “in flight”.
- deferred
- The number of file descriptors passed between processes that have been
          deferred for cleanup by a kernel task.
 Other variables are specific to a socket type: 
      
        | Socket Type | Sy Variable | Type | Changeable |  
        | dgram | pcblist | struct | no |  
        | dgram | recvspace | integer | yes |  
        | dgram | sendspace | integer | yes |  
        | seqpacket | pcblist | struct | no |  
        | stream | pcblist | struct | no |  
        | stream | recvspace | integer | yes |  
        | stream | sendspace | integer | yes |  
 The variables are as follows:
      - dgram.pcblist
- The Protocol Control Block list structure for datagram sockets. Parsed
          by netstat(1) or
          sockstat(1).
- dgram.recvspace
- The default datagram receive buffer size.
- dgram.sendspace
- The default datagram send buffer size.
- seqpacket.pcblist
- The Protocol Control Block list structure for Sequential Packet
          sockets. Parsed by
          netstat(1) or
          sockstat(1).
- stream.pcblist
- The Protocol Control Block list structure for stream sockets. Parsed
          by netstat(1) or
          sockstat(1).
- stream.recvspace
- The default stream receive buffer size.
- stream.sendspace
- The default stream send buffer size.
 
The string and integer information available for theproc level is detailed below. The changeable column
  shows whether a process with appropriate privilege may change the value. These
  values are per-process, and as such may change from one process to another.
  When a process is created, the default values are inherited from its parent.
  When a set-user-ID or set-group-ID binary is executed, the value of
  PROC_PID_CORENAME is reset to the system default value. The second level name
  is either the magic value PROC_CURPROC, which points to the current process,
  or the PID of the target process.
  
    | Third level name | Type | Changeable | 
  
    | proc.pid.corename | string | yes | 
  
    | proc.pid.rlimit | node | not applicable | 
  
    | proc.pid.stopfork | int | yes | 
  
    | proc.pid.stopexec | int | yes | 
  
    | proc.pid.stopexit | int | yes | 
  
    | proc.pid.paxflags | int | no | 
  - proc.pid.corename(- PROC_PID_CORENAME)
- The template used for the core dump file name (see
      core(5) for details). The base
      name must either be core or end with the suffix
      .core (the super-user may set arbitrary names). By
      default it points to KERN_DEFCORENAME.
- proc.pid.rlimit(- PROC_PID_LIMIT)
- Return resources limits, as defined for the
      getrlimit(2) and
      setrlimit(2) system
      calls. The fourth level name is one of:
    
      - proc.pid.rlimit.cputime(- PROC_PID_LIMIT_CPU)
- The maximum amount of CPU time (in seconds) to be used by each
          process.
- proc.pid.rlimit.filesize(- PROC_PID_LIMIT_FSIZE)
- The largest size (in bytes) file that may be created.
- proc.pid.rlimit.datasize(- PROC_PID_LIMIT_DATA)
- The maximum size (in bytes) of the data segment for a process; this
          defines how far a program may extend its break with the
          sbrk(2) system call.
- proc.pid.rlimit.stacksize(- PROC_PID_LIMIT_STACK)
- The maximum size (in bytes) of the stack segment for a process; this
          defines how far a program's stack segment may be extended. Stack
          extension is performed automatically by the system.
- proc.pid.rlimit.coredumpsize(- PROC_PID_LIMIT_CORE)
- The largest size (in bytes) core file that may
          be created.
- proc.pid.rlimit.memoryuse(- PROC_PID_LIMIT_RSS)
- The maximum size (in bytes) to which a process's resident set size may
          grow. This imposes a limit on the amount of physical memory to be
          given to a process; if memory is tight, the system will prefer to take
          memory from processes that are exceeding their declared resident set
          size.
- proc.pid.rlimit.memorylocked(- PROC_PID_LIMIT_MEMLOCK)
- The maximum size (in bytes) which a process may lock into memory using
          the mlock(2)
        function.
- proc.pid.rlimit.maxproc(- PROC_PID_LIMIT_NPROC)
- The maximum number of simultaneous processes for this user id.
- proc.pid.rlimit.descriptors(- PROC_PID_LIMIT_NOFILE)
- The maximum number of open files for this process.
- proc.pid.rlimit.sbsize(- PROC_PID_LIMIT_SBSIZE)
- The maximum size (in bytes) of the socket buffers set by the
          setsockopt(2)
          SO_RCVBUFandSO_SNDBUFoptions.
- proc.pid.rlimit.vmemoryuse(- PROC_PID_LIMIT_AS)
- The maximum size (in bytes) which a process can obtain.
- proc.pid.rlimit.maxlwp(- PROC_PID_LIMIT_NTHR)
- The maximum number of threads that cen be created and running at one
          time in the process. The first thread of each process is not counted
          against this.
 The fifth level name is one of soft(PROC_PID_LIMIT_TYPE_SOFT) orhard(PROC_PID_LIMIT_TYPE_HARD), to select
        respectively the soft or hard limit. Both are of type integer.
 
- proc.pid.stopfork(- PROC_PID_STOPFORK)
- If non zero, the process' children will be stopped after
      fork(2) calls. The children
      are created in the SSTOP state and are never scheduled for running before
      being stopped. This feature enables attaching to a process with a debugger
      such as gdb(1) before the
      process has the opportunity to actually do anything.
    This value is inherited by the process's children, and it also
        applies to emulation specific system calls that fork a new process, such
        as sproc() orclone().
 
- proc.pid.stopexec(- PROC_PID_STOPEXEC)
- If non zero, the process will be stopped on the next
      exec(3) call. The process
      created by exec(3) is created
      in the SSTOP state and is never scheduled for running before being
      stopped. This feature enables attaching to a process with a debugger such
      as gdb(1) before the process
      has the opportunity to actually do anything.
    This value is inherited by the process's children. 
- proc.pid.stopexit(- PROC_PID_STOPEXIT)
- If non zero, the process will be stopped when it has cause to exit, either
      by way of calling exit(3),
      _exit(2), or by the receipt
      of a specific signal. The process is stopped before any of its resources
      or vm space is released allowing examination of the termination state of
      the process before it disappears. This feature can be used to examine the
      final conditions of the process's vmspace via
      pmap(1) or its resource
      settings with sysctl(8)
      before it disappears.
    This value is also inherited by the process's children. 
- proc.pid.paxflags(- PROC_PID_PAXFLAGS)
- This read-only variable returns the current value of the process's pax
      flags (see paxctl(8)).
The user.* subtree (CTL_USER)
The string and integer information available for the
  user level is detailed below. The changeable column
  shows whether a process with appropriate privilege may change the value.
  
    | Second level name | Type | Changeable | 
  
    | user.atexit_max | integer | no | 
  
    | user.bc_base_max | integer | no | 
  
    | user.bc_dim_max | integer | no | 
  
    | user.bc_scale_max | integer | no | 
  
    | user.bc_string_max | integer | no | 
  
    | user.coll_weights_max | integer | no | 
  
    | user.cs_path | string | no | 
  
    | user.expr_nest_max | integer | no | 
  
    | user.line_max | integer | no | 
  
    | user.posix2_c_bind | integer | no | 
  
    | user.posix2_c_dev | integer | no | 
  
    | user.posix2_char_term | integer | no | 
  
    | user.posix2_fort_dev | integer | no | 
  
    | user.posix2_fort_run | integer | no | 
  
    | user.posix2_localedef | integer | no | 
  
    | user.posix2_sw_dev | integer | no | 
  
    | user.posix2_upe | integer | no | 
  
    | user.posix2_version | integer | no | 
  
    | user.re_dup_max | integer | no | 
  
    | user.stream_max | integer | no | 
  
    | user.stream_max | integer | no | 
  
    | user.tzname_max | integer | no | 
  - user.atexit_max(- USER_ATEXIT_MAX)
- The maximum number of functions that may be registered with
      atexit(3).
- user.bc_base_max(- USER_BC_BASE_MAX)
- The maximum ibase/obase values in the
      bc(1) utility.
- user.bc_dim_max(- USER_BC_DIM_MAX)
- The maximum array size in the
      bc(1) utility.
- user.bc_scale_max(- USER_BC_SCALE_MAX)
- The maximum scale value in the
      bc(1) utility.
- user.bc_string_max(- USER_BC_STRING_MAX)
- The maximum string length in the
      bc(1) utility.
- user.coll_weights_max(- USER_COLL_WEIGHTS_MAX)
- The maximum number of weights that can be assigned to any entry of the
      LC_COLLATE order keyword in the locale definition file.
- user.cs_path(- USER_CS_PATH)
- Return a value for the PATHenvironment variable
      that finds all the standard utilities.
- user.expr_nest_max(- USER_EXPR_NEST_MAX)
- The maximum number of expressions that can be nested within parenthesis by
      the expr(1) utility.
- user.line_max(- USER_LINE_MAX)
- The maximum length in bytes of a text-processing utility's input
    line.
- user.posix2_char_term(- USER_POSIX2_CHAR_TERM)
- Return 1 if the system supports at least one terminal type capable of all
      operations described in IEEE Std 1003.2
      (“POSIX.2”), otherwise 0.
- user.posix2_c_bind(- USER_POSIX2_C_BIND)
- Return 1 if the system's C-language development facilities support the
      C-Language Bindings Option, otherwise 0.
- user.posix2_c_dev(- USER_POSIX2_C_DEV)
- Return 1 if the system supports the C-Language Development Utilities
      Option, otherwise 0.
- user.posix2_fort_dev(- USER_POSIX2_FORT_DEV)
- Return 1 if the system supports the FORTRAN Development Utilities Option,
      otherwise 0.
- user.posix2_fort_run(- USER_POSIX2_FORT_RUN)
- Return 1 if the system supports the FORTRAN Runtime Utilities Option,
      otherwise 0.
- user.posix2_localedef(- USER_POSIX2_LOCALEDEF)
- Return 1 if the system supports the creation of locales,
      otherwise 0.
- user.posix2_sw_dev(- USER_POSIX2_SW_DEV)
- Return 1 if the system supports the Software Development Utilities Option,
      otherwise 0.
- user.posix2_upe(- USER_POSIX2_UPE)
- Return 1 if the system supports the User Portability Utilities Option,
      otherwise 0.
- user.posix2_version(- USER_POSIX2_VERSION)
- The version of IEEE Std 1003.2
      (“POSIX.2”) with which the system attempts to
    comply.
- user.re_dup_max(- USER_RE_DUP_MAX)
- The maximum number of repeated occurrences of a regular expression
      permitted when using interval notation.
- user.stream_max(- USER_STREAM_MAX)
- The minimum maximum number of streams that a process may have open at any
      one time.
- user.tzname_max(- USER_TZNAME_MAX)
- The minimum maximum number of types supported for the name of a
    timezone.
The vm.* subtree (CTL_VM)
The string and integer information available for the vm
  level is detailed below. The changeable column shows whether a process with
  appropriate privilege may change the value.
  
    | Second level name | Type | Changeable | 
  
    | vm.anonmax | int | yes | 
  
    | vm.anonmin | int | yes | 
  
    | vm.bufcache | int | yes | 
  
    | vm.bufmem | int | no | 
  
    | vm.bufmem_hiwater | int | yes | 
  
    | vm.bufmem_lowater | int | yes | 
  
    | vm.execmax | int | yes | 
  
    | vm.execmin | int | yes | 
  
    | vm.filemax | int | yes | 
  
    | vm.filemin | int | yes | 
  
    | vm.loadavg | struct loadavg | no | 
  
    | vm.maxslp | int | no | 
  
    | vm.nkmempages | int | no | 
  
    | vm.uspace | int | no | 
  
    | vm.uvmexp | struct uvmexp | no | 
  
    | vm.uvmexp2 | struct uvmexp_sysctl | no | 
  
    | vm.vmmeter | struct vmtotal | no | 
  
    | vm.proc.map | struct kinfo_vmentry | no | 
  
    | vm.guard_size | unsigned int | no | 
  
    | vm.thread_guard_size | unsigned int | yes | 
  - vm.anonmax(- VM_ANONMAX)
- The percentage of physical memory which will be reclaimed from other types
      of memory usage to store anonymous application data.
- vm.anonmin(- VM_ANONMIN)
- The percentage of physical memory which will be always be available for
      anonymous application data.
- vm.bufcache(- VM_BUFCACHE)
- The percentage of physical memory which will be available for the buffer
      cache.
- vm.bufmem(- VM_BUFMEM)
- The amount of kernel memory that is being used by the buffer cache.
- vm.bufmem_lowater(- VM_BUFMEM_LOWATER)
- The minimum amount of kernel memory to reserve for the buffer cache.
- vm.bufmem_hiwater(- VM_BUFMEM_HIWATER)
- The maximum amount of kernel memory to be used for the buffer cache.
- vm.execmax(- VM_EXECMAX)
- The percentage of physical memory which will be reclaimed from other types
      of memory usage to store cached executable data.
- vm.execmin(- VM_EXECMIN)
- The percentage of physical memory which will be always be available for
      cached executable data.
- vm.filemax(- VM_FILEMAX)
- The percentage of physical memory which will be reclaimed from other types
      of memory usage to store cached file data.
- vm.filemin(- VM_FILEMIN)
- The percentage of physical memory which will be always be available for
      cached file data.
- vm.loadavg(- VM_LOADAVG)
- Return the load average history. The returned data consists of a
      struct loadavg.
- vm.maxslp(- VM_MAXSLP)
- The value of the maxslp kernel global variable.
- vm.vmmeter(- VM_METER)
- Return system wide virtual memory statistics. The returned data consists
      of a struct vmtotal.
- vm.user_va0_disable
- A flag which controls whether user processes can map virtual
      address 0.
- vm.proc.map(- VM_PROC)
- The third level is VM_PROC_MAP, the fourth is the
      pid of the process to display the vm object entries for, and the fifth is
      the size of struct kinfo_vmentry. Returns an array
      of struct kinfo_vmentry objects.
- vm.uspace(- VM_USPACE)
- The number of bytes allocated for each kernel stack.
- vm.uvmexp(- VM_UVMEXP)
- Return system wide virtual memory statistics. The returned data consists
      of a struct uvmexp.
- vm.uvmexp2(- VM_UVMEXP2)
- Return system wide virtual memory statistics. The returned data consists
      of a struct uvmexp_sysctl.
- vm.guard_size
- Return system wide guard size for the main thread of a program.
- vm.thread_guard_size
- Return system wide default size for the guard area of all other threads of
      a program.
The ddb.* subtree (CTL_DDB)
The information available for the ddb level is detailed
  below. The changeable column shows whether a process with appropriate
  privilege may change the value.
  
    | Second level name | Type | Changeable | 
  
    | ddb.commandonenter | string | yes | 
  
    | ddb.dumpstack | integer | yes | 
  
    | ddb.fromconsole | integer | yes | 
  
    | ddb.lines | integer | yes | 
  
    | ddb.maxoff | integer | yes | 
  
    | ddb.maxwidth | integer | yes | 
  
    | ddb.onpanic | integer | yes | 
  
    | ddb.panicstackframes | integer | yes | 
  
    | ddb.radix | integer | yes | 
  
    | ddb.tabstops | integer | yes | 
  
    | ddb.tee_msgbuf | integer | yes | 
  - ddb.commandonenter
- If not empty, the string is used as the DDB command to be executed each
      time DDB is entered.
- ddb.dumpstack
- A value of 1 causes a stack trace to be printed on entering ddb from a
      panic. A value of 0 disables this behaviour. The default value is 1.
- ddb.fromconsole(- DDBCTL_FROMCONSOLE)
- If not zero, DDB may be entered by sending a break on a serial console or
      by a special key sequence on a graphics console.
- ddb.lines(- DDBCTL_LINES)
- Number of display lines.
- ddb.maxoff(- DDBCTL_MAXOFF)
- The maximum symbol offset.
- ddb.maxwidth(- DDBCTL_MAXWIDTH)
- The maximum output line width.
- ddb.onpanic(- DDBCTL_ONPANIC)
- If greater than zero, DDB will be entered if the kernel panics. A value of
      1 causes the system to enter DDB on panic. A value of 0 causes the kernel
      to attempt to print a stack trace, then reboot, while a value of -1 means
      neither a stack trace will be printed nor DDB entered.
- ddb.panicstackframes
- Number of stack frames to display on panic. Useful to avoid scrolling away
      the interesting frames on a glass tty. Default value is
      65535(all frames), useful value around10.
- ddb.radix(- DDBCTL_RADIX)
- The input and output radix.
- ddb.tabstops(- DDBCTL_TABSTOPS)
- Tab width.
- ddb.tee_msgbuf
- If not zero, DDB will output also to the kernel message buffer.
Some of these MIB nodes are also available as variables from
    within the debugger. See ddb(4)
    for more details.
The security.* subtree
  (CTL_SECURITY)
The security level contains various security-related
  settings for the system. The available second level names are:
Available settings are detailed below.
  - security.curtain
- If non-zero, will filter return objects according to the user ID
      requesting information about them, preventing users from accessing any
      objects they do not own.
    At the moment, it affects
        ps(1),
        netstat(1) (for
        PF_INET,PF_INET6, andPF_UNIXPCBs), and
        w(1).
 
- security.models
- NetBSD supports pluggable security models. Every
      security model used, whether if loaded as a module or built with the
      system, is required to add an entry to this node with at least one
      element, “name”, indicating the name of the security model.
    In addition to the name, any settings and other information
        private to the security model will be available under this node. See
        secmodel(9) for more
        information. 
- security.pax
- Settings for PaX — exploit mitigation features. For more
      information on any of the PaX features, please see
      paxctl(8) and
      security(7). The available
      third and fourth level names are:
    
    
      - security.pax.aslr.enabled
- Enable PaX ASLR (Address Space Layout Randomization).
        The value of this knob must be non-zero for PaX ASLR to be
            enabled, even if a program is set to explicit enable. 
- security.pax.aslr.global
- Specifies the default global policy for programs without an explicit
          enable/disable flag.
        When non-zero, all programs will get PaX ASLR, except
            those exempted with
            paxctl(8). Otherwise,
            all programs will not get PaX ASLR, except those specifically marked
            as such with
            paxctl(8). 
- security.pax.mprotect.enabled
- Enable PaX MPROTECT restrictions.
        These are
            mprotect(2)
            restrictions to better enforce a W^X policy. The value of this knob
            must be non-zero for PaX MPROTECT to be enabled, even if a program
            is set to explicit enable. 
- security.pax.mprotect.global
- Specifies the default global policy for programs without an explicit
          enable/disable flag.
        When non-zero, all programs will get the PaX MPROTECT
            restrictions, except those exempted with
            paxctl(8). Otherwise,
            all programs will not get the PaX MPROTECT restrictions, except
            those specifically marked as such with
            paxctl(8). 
- security.pax.mprotect.ptrace
- This variable allows
          ptrace(2) to override
          PaX MPROTECT permissions. It can have the following values:
        
          - 0
- Does not let override any permissions.
- 1
- Disables PaX MPROTECT from processes that start executing while
              traced (default).
- 2
- Bypasses PaX MPROTECT for all processes being traced.
 
- security.pax.segvguard.enabled
- Enable PaX Segvguard.
        PaX Segvguard can detect and prevent certain exploitation
            attempts, where an attacker may try for example to brute-force
            function return addresses of respawning daemons. Note: The NetBSD
            interface and implementation of the Segvguard is still experimental,
            and may change in future releases. 
- security.pax.segvguard.expiry_timeout
- If the max number was not reached within this timeout (in seconds),
          the entry will expire.
- security.pax.segvguard.global
- Specifies the default global policy for programs without an explicit
          enable/disable flag.
        When non-zero, all programs will get the PaX Segvguard,
            except those exempted with
            paxctl(8). Otherwise,
            no program will get the PaX Segvguard restrictions, except those
            specifically marked as such with
            paxctl(8). 
- security.pax.segvguard.max_crashes
- The maximum number of segfaults a program can receive before
          suspension.
- security.pax.segvguard.suspend_timeout
- Number of seconds to suspend a user from running a faulting program
          when the limit was exceeded.
 
The vendor.* subtree (CTL_VENDOR)
The vendor toplevel name is reserved to be used by
  vendors who wish to have their own private MIB tree. Intended use is to store
  values under “vendor.<yourname>.*”.
The sysctl variables first appeared in
  4.4BSD.