SYSCTL(7)	     BSD Miscellaneous Information Manual	     SYSCTL(7)

NAME
     sysctl -- system information variables

DESCRIPTION
     The sysctl(3) library function and	the sysctl(8) utility are used to get
     and set values of system variables, maintained by the kernel.  The	vari-
     ables are organized in a tree and identified by a sequence	of numbers,
     conventionally separated by dots with the topmost identifier at the left
     side.  The	numbers	have corresponding text	names.	The sysctlnametomib(3)
     function or the -M	argument to the	sysctl(8) utility can be used to con-
     vert the text representation to the numeric one.

     The individual sysctl variables are described below, both the textual and
     numeric form where applicable.  The textual names can be used as arguments
     to	the sysctl(8) utility and in the file /etc/sysctl.conf.	 The numeric
     names are usually defined as preprocessor constants and are intended for
     use by programs.  Every such constant expands to one integer, which iden-
     tifies the	sysctl variable	relative to the	upper level of the tree.  See
     the sysctl(3) manual page for programming examples.

   Top level names
     The top level names are defined with a CTL_ prefix	in <sys/sysctl.h>, and
     are as follows.  The next and subsequent levels down are found in the in-
     clude files listed	here, and described in separate	sections below.

     Name	 Constant	 Next level names     Description
     kern	 CTL_KERN	 <sys/sysctl.h>	      High kernel limits
     vm		 CTL_VM		 <uvm/uvm_param.h>    Virtual memory
     vfs	 CTL_VFS	 <sys/mount.h>	      Filesystem
     net	 CTL_NET	 <sys/socket.h>	      Networking
     debug	 CTL_DEBUG	 <sys/sysctl.h>	      Debugging
     hw		 CTL_HW		 <sys/sysctl.h>	      Generic CPU, I/O
     machdep	 CTL_MACHDEP	 <sys/sysctl.h>	      Machine dependent
     user	 CTL_USER	 <sys/sysctl.h>	      User-level
     ddb	 CTL_DDB	 <sys/sysctl.h>	      In-kernel	debugger
     proc	 CTL_PROC	 <sys/sysctl.h>	      Per-process
     vendor	 CTL_VENDOR	 ?		      Vendor specific
     emul	 CTL_EMUL	 <sys/sysctl.h>	      Emulation	settings
     security	 CTL_SECURITY	 <sys/sysctl.h>	      Security settings

   The debug.* subtree
     The debugging variables vary from system to system.  A debugging variable
     may be added or deleted without need to recompile sysctl to know about
     it.  Each time it runs, sysctl gets the list of debugging variables from
     the kernel	and displays their current values.  The	system defines twenty
     (struct ctldebug) variables named debug0 through debug19.	They are de-
     clared as separate	variables so that they can be individually initialized
     at	the location of	their associated variable.  The	loader prevents	multi-
     ple use of	the same variable by issuing errors if a variable is initial-
     ized in more than one place.  For example,	to export the variable
     dospecialcheck as a debugging variable, the following declaration would
     be	used:

	   int dospecialcheck =	1;
	   struct ctldebug debug5 = { "dospecialcheck",	&dospecialcheck	};

     Note that the dynamic implementation of sysctl currently in use largely
     makes this	particular sysctl interface obsolete.  See sysctl(8) for more
     information.

   The vfs.* subtree
     A distinguished second level name,	vfs.generic (VFS_GENERIC), is used to
     get general information about all file systems.  It has the following
     third level identifiers:

     vfs.generic.maxtypenum (VFS_MAXTYPENUM)
	     The highest valid file system type	number.

     vfs.generic.conf (VFS_CONF)
	     Returns configuration information about the file system type
	     given as a	fourth level identifier.

     vfs.generic.usermount (VFS_USERMOUNT)
	     Determines whether non-superuser mounts are allowed; defaults to 0.

     vfs.generic.magiclinks (VFS_MAGICLINKS)
	     Controls whether variables are expanded in pathnames.  Defaults
	     to 0 (no variable expansion).  Variables are of the form @name
	     and the variables supported are described in symlink(7) under
	     "MAGIC SYMLINKS".

     A second level name, vfs.wapbl, controls the wapbl(4) (Write Ahead
     Physical Block Logging file system journalling) capabilities.  It has
     the following third level identifiers:

     vfs.wapbl.flush_disk_cache
	     Controls whether to attempt to flush the disk cache on each com-
	     mit.  It defaults to 1 and	it should always be on to ensure in-
	     tegrity of	file system metadata in	the event of a power loss.
	     For slow disks, turning it	off can	improve	performance.

     vfs.wapbl.verbose_commit
	     For each transaction log commit, print the	number of bytes	writ-
	     ten and the time it took to commit	as seconds.nanoseconds.

     The remaining second level	identifiers are	the file system	names, identi-
     fied by the type number returned by a statvfs(2) call or from
     vfs.generic.conf.

     The third level identifiers available for each file system	are given in
     the header	file that defines the mount argument structure for that	file
     system.
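
     Added example, not part of the manual page: an sh/awk audit of
     sysctl.conf-style text against the vfs.* values stated above
     (usermount 0, magiclinks 0, flush_disk_cache 1).  The function names,
     the sample input and the tolerance for a name?=value form are
     assumptions of this example.

```shell
#!/bin/sh
# Added example: check sysctl.conf-style input for the vfs.* settings whose
# safe values the vfs.* section states. Reads the files given as arguments,
# or stdin when none are given. Returns 0 when nothing deviates, 1 otherwise.
audit_vfs_sysctl() {
    awk '
    BEGIN {
        # Expected values, taken from the descriptions in this section.
        order[1] = "vfs.generic.usermount";      want[order[1]] = "0"
        order[2] = "vfs.generic.magiclinks";     want[order[2]] = "0"
        order[3] = "vfs.wapbl.flush_disk_cache"; want[order[3]] = "1"
        n = 3
    }
    {
        line = $0
        sub(/#.*/, "", line)              # drop trailing comments
        eq = index(line, "=")
        if (eq == 0) next                 # blank line or not an assignment
        name = substr(line, 1, eq - 1)
        value = substr(line, eq + 1)
        gsub(/[ \t]/, "", name)
        sub(/\?$/, "", name)              # assumption: accept name?=value too
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        # Assignments are applied in file order, so the last one decides.
        if (name in want) { seen[name] = value; at[name] = NR }
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            name = order[i]
            if (!(name in seen))
                printf "OK   %s unset, default %s applies\n", name, want[name]
            else if (seen[name] == want[name])
                printf "OK   %s=%s (line %d)\n", name, seen[name], at[name]
            else {
                printf "FAIL %s=%s (line %d), expected %s\n",
                    name, seen[name], at[name], want[name]
                bad++
            }
        }
        exit (bad > 0)
    }' "$@"
}

# Constructed sample input, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# constructed sample, not taken from a real host
kern.maxfiles=4096
vfs.generic.usermount=1
vfs.wapbl.flush_disk_cache = 0   # faster commits on a slow disk
EOF
}

sample_conf | audit_vfs_sysctl || echo "deviations found: review the FAIL lines"
```

     On a live system the same function can be given the path of the
     configuration file as its argument, for example /etc/sysctl.conf.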

   The hw.* subtree
     The string	and integer information	available for the hw level is detailed
     below.  The changeable column shows whether a process with	appropriate
     privilege may change the value.

	   Second level	name  Type	 Changeable
	   hw.alignbytes      integer	 no
	   hw.byteorder	      integer	 no
	   hw.cnmagic	      string	 yes
	   hw.disknames	      string	 no
	   hw.diskstats	      struct	 no
	   hw.machine	      string	 no
	   hw.machine_arch    string	 no
	   hw.model	      string	 no
	   hw.ncpu	      integer	 no
	   hw.ncpuonline      integer	 no
	   hw.pagesize	      integer	 no
	   hw.physmem	      integer	 no
	   hw.physmem64	      quad	 no
	   hw.usermem	      integer	 no
	   hw.usermem64	      quad	 no

     hw.alignbytes (HW_ALIGNBYTES)
	     Alignment constraint for all possible data	types.	This shows the
	     value ALIGNBYTES in <machine/param.h>, at the kernel compilation
	     time.

     hw.byteorder (HW_BYTEORDER)
	     The byteorder (4321, or 1234).

     hw.cnmagic	(HW_CNMAGIC)
	     The console magic key sequence.

     hw.disknames (HW_DISKNAMES)
	     The list of (space	separated) disk	device names on	the system.

     hw.iostatnames (HW_IOSTATNAMES)
	     A space separated list of devices that will have I/O statistics
	     collected on them.

     hw.iostats	(HW_IOSTATS)
	     Return statistical	information on the NFS mounts, disk and	tape
	     devices on	the system.  An	array of struct	io_sysctl structures
	     is	returned, whose	size depends on	the current number of such ob-
	     jects in the system.  The third level name	is the size of the
	     struct io_sysctl.  The type of object can be determined by
	     examining the type element of struct io_sysctl, which can be
	     IOSTAT_DISK (disk drive), IOSTAT_TAPE (tape drive), or IOSTAT_NFS
	     (NFS mount).

     hw.machine	(HW_MACHINE)
	     The machine class.

     hw.machine_arch (HW_MACHINE_ARCH)
	     The machine CPU class.

     hw.model (HW_MODEL)
	     The machine model.

     hw.ncpu (HW_NCPU)
	     The number	of CPUs	configured.

     hw.ncpuonline (HW_NCPUONLINE)
	     The number	of CPUs	online.

     hw.pagesize (HW_PAGESIZE)
	     The software page size.

     hw.physmem	(HW_PHYSMEM)
	     The bytes of physical memory as a 32-bit integer.

     hw.physmem64 (HW_PHYSMEM64)
	     The bytes of physical memory as a 64-bit integer.

     hw.usermem	(HW_USERMEM)
	     The bytes of non-kernel memory as a 32-bit	integer.

     hw.usermem64 (HW_USERMEM64)
	     The bytes of non-kernel memory as a 64-bit	integer.

   The kern.* subtree
     This subtree includes data	generally related to the kernel.  The string
     and integer information available for the kern level is detailed below.
     The changeable column shows whether a process with	appropriate privilege
     may change	the value.

     Second level name		       Type		       Changeable
     kern.aio_listio_max	       integer		       yes
     kern.aio_max		       integer		       yes
     kern.arandom		       integer		       no
     kern.argmax		       integer		       no
     kern.boothowto		       integer		       no
     kern.boottime		       struct timeval	       no
     kern.buildinfo		       string		       no
     kern.ccpu			       integer		       no
     kern.clockrate		       struct clockinfo	       no
     kern.consdev		       integer		       no
     kern.coredump		       node		       not applicable
     kern.cp_id			       struct		       no
     kern.cp_time		       uint64_t[]	       no
     kern.cryptodevallowsoft	       integer		       yes
     kern.defcorename		       string		       yes
     kern.detachall		       integer		       yes
     kern.domainname		       string		       yes
     kern.drivers		       struct kinfo_drivers    no
     kern.dump_on_panic		       integer		       yes
     kern.file			       struct file	       no
     kern.forkfsleep		       integer		       yes
     kern.fscale		       integer		       no
     kern.fsync			       integer		       no
     kern.hardclock_ticks	       integer		       no
     kern.hostid		       integer		       yes
     kern.hostname		       string		       yes
     kern.iov_max		       integer		       no
     kern.ipc			       node		       not applicable
     kern.job_control		       integer		       no
     kern.labeloffset		       integer		       no
     kern.labelsector		       integer		       no
     kern.login_name_max	       integer		       no
     kern.logsigexit		       integer		       yes
     kern.mapped_files		       integer		       no
     kern.maxfiles		       integer		       yes
     kern.maxlwp		       integer		       yes
     kern.maxpartitions		       integer		       no
     kern.maxphys		       integer		       no
     kern.maxproc		       integer		       yes
     kern.maxptys		       integer		       yes
     kern.maxvnodes		       integer		       yes
     kern.messages		       integer		       yes
     kern.mbuf			       node		       not applicable
     kern.memlock		       integer		       no
     kern.memlock_range		       integer		       no
     kern.memory_protection	       integer		       no
     kern.module		       node		       not applicable
     kern.monotonic_clock	       integer		       no
     kern.mqueue		       node		       not applicable
     kern.msgbuf		       integer		       no
     kern.msgbufsize		       integer		       no
     kern.ngroups		       integer		       no
     kern.ntptime		       struct ntptimeval       no
     kern.osrelease		       string		       no
     kern.osrevision		       integer		       no
     kern.ostype		       string		       no
     kern.pipe			       node		       not applicable
     kern.pool			       struct pool_sysctl      no
     kern.posix1version		       integer		       no
     kern.posix_aio		       integer		       no
     kern.posix_barriers	       integer		       no
     kern.posix_reader_writer_locks    integer		       no
     kern.posix_semaphores	       integer		       no
     kern.posix_spin_locks	       integer		       no
     kern.posix_threads		       integer		       no
     kern.posix_timers		       integer		       no
     kern.proc			       struct kinfo_proc       no
     kern.proc2			       struct kinfo_proc2      no
     kern.proc_args		       string		       no
     kern.profiling		       node		       not applicable
     kern.rawpartition		       integer		       no
     kern.root_device		       string		       no
     kern.root_partition	       integer		       no
     kern.rtc_offset		       integer		       yes
     kern.saved_ids		       integer		       no
     kern.sbmax			       integer		       yes
     kern.sched			       node		       not applicable
     kern.securelevel		       integer		       raise only
     kern.somaxkva		       integer		       yes
     kern.synchronized_io	       integer		       no
     kern.timecounter		       node		       not applicable
     kern.timex			       struct		       no
     kern.tkstat		       node		       not applicable
     kern.tty			       node		       not applicable
     kern.urandom		       integer		       no
     kern.usercrypto		       integer		       yes
     kern.userasymcrypto	       integer		       yes
     kern.veriexec		       node		       not applicable
     kern.version		       string		       no
     kern.vnode			       struct vnode	       no

     kern.aio_listio_max
	     The maximum number	of asynchronous	I/O operations in a single
	     list I/O call.  Like with all variables related to	aio(3),	the
	     variable may be created and removed dynamically upon loading or
	     unloading the corresponding kernel	module.

     kern.aio_max
	     The maximum number	of asynchronous	I/O operations.

     kern.arandom
	     This variable picks a random number each time it is queried.  The
	     random number generator (RNG) used is based on arc4random(3).

     kern.argmax (KERN_ARGMAX)
	     The maximum bytes of argument to execve(2).

     kern.boothowto
	     Flags passed from the boot	loader;	see reboot(2) for the meanings
	     of	the flags.

     kern.boottime (KERN_BOOTTIME)
	     A struct timeval structure	is returned.  This structure contains
	     the time that the system was booted.

     kern.bufq
	     This variable contains information	on the bufq(9) subsystem.
	     Currently,	the only third level name implemented is
	     kern.bufq.strategies which	provides a list	of buffer queue
	     strategies	currently available.

     kern.buildinfo
	     When the kernel is	built, the build environment may optionally
	     provide arbitrary information to be stored	in this	variable.

     kern.ccpu (KERN_CCPU)
	     The scheduler exponential decay value.

     kern.clockrate (KERN_CLOCKRATE)
	     A struct clockinfo	structure is returned.	This structure con-
	     tains the clock, statistics clock and profiling clock frequen-
	     cies, the number of micro-seconds per hz tick, and	the clock skew
	     rate.  Refer to hz(9) for additional details.

     kern.consdev (KERN_CONSDEV)
	     Console device.

     kern.coredump
	     Settings related to coredumps of set-id processes.  By default,
	     set-id processes do not dump core in situations where other
	     processes would.  The settings in this node allow an
	     administrator to change this behavior.

	     The third level name is kern.coredump.setid and fourth level
	     variables are described below.

		   Fourth level	name		Type	   Changeable
		   kern.coredump.setid.dump	integer	   yes
		   kern.coredump.setid.group	integer	   yes
		   kern.coredump.setid.mode	integer	   yes
		   kern.coredump.setid.owner	integer	   yes
		   kern.coredump.setid.path	string	   yes

	     kern.coredump.setid.dump
		     If	non-zero, set-id processes will	dump core.

	     kern.coredump.setid.group
		     The group-id for the set-id processes' coredump.

	     kern.coredump.setid.mode
		     The mode for the set-id processes'	coredump.  See
		     chmod(1).

	     kern.coredump.setid.owner
		     The user-id that will be used as the owner	of the set-id
		     processes'	coredump.

	     kern.coredump.setid.path
		     The path to which set-id processes' coredumps will be
		     saved.  Same syntax as kern.defcorename.

     kern.cp_id	(KERN_CP_ID)
	     Mapping of	CPU number to CPU id.

     kern.cp_time (KERN_CP_TIME)
	     Returns an	array of CPUSTATES uint64_ts.  This array contains the
	     number of clock ticks spent in different CPU states.  On multi-
	     processor systems,	the sum	across all CPUs	is returned unless ap-
	     propriate space is	given for one data set for each	CPU.  Data for
	     a specific	CPU can	also be	obtained by adding the number of the
	     CPU at the	end of the MIB,	enlarging it by	one.

     kern.cryptodevallowsoft
	     This variable controls userland access to hardware	versus soft-
	     ware transforms in	the crypto(4) system.  The available values
	     are as follows:

		   < 0	Always force userlevel requests	to use software	trans-
			forms.

		   = 0	If present, use	hardware and grant userlevel requests
			for non-accelerated transforms (handling the latter in
			software).

		   > 0	Allow user requests only for transforms	which are
			hardware-accelerated.

     kern.defcorename (KERN_DEFCORENAME)
	     Default template for the name of core dump	files (see also
	     proc.pid.corename in the per-process variables proc.*, and
	     core(5) for format	of this	template).  The	default	value is
	     %n.core and can be	changed	with the kernel	configuration option
	     options DEFCORENAME (see options(4)).

     kern.detachall
	     Detach all	devices	at shutdown.

     kern.domainname (KERN_DOMAINNAME)
	     Get or set	the YP domain name.

     kern.drivers (KERN_DRIVERS)
	     Return an array of	struct kinfo_drivers that contains the name
	     and major device numbers of all the device	drivers	in the current
	     kernel.  The d_name field is always a NUL terminated string.  The
	     d_bmajor field will be set	to -1 if the driver doesn't have a
	     block device.

     kern.dump_on_panic	(KERN_DUMP_ON_PANIC)
	     Perform a crash dump on system panic(9).

     kern.file (KERN_FILE)
	     Return the	entire file table.  The	returned data consists of a
	     single struct filelist followed by	an array of struct file, whose
	     size depends on the current number	of such	objects	in the system.

     kern.forkfsleep (KERN_FORKFSLEEP)
	     If the fork(2) system call fails due to the limit on the number
	     of processes (either the global maxproc limit or the user's
	     one), wait for this many milliseconds before returning the
	     EAGAIN error to the process.  Useful to keep heavily forking
	     runaway processes at bay.  Default zero (no sleep).  Maximum is
	     20 seconds.

     kern.fscale (KERN_FSCALE)
	     The kernel	fixed-point scale factor.

     kern.fsync	(KERN_FSYNC)
	     Return 1 if the IEEE Std 1003.1b-1993 ("POSIX.1") File Synchro-
	     nization Option is	available on this system, otherwise 0.

     kern.hardclock_ticks (KERN_HARDCLOCK_TICKS)
	     Returns the number	of hardclock(9)	ticks.

     kern.hist
	     This variable contains kernel history data if the kernel was
	     configured for any of the options UVMHIST, USB_DEBUG, BIOHIST, or
	     SCDEBUG.  (See options(4) for more	details.)  The third-level
	     names correspond to each available	history	table.	The values of
	     the history tables	are in an internal format, and can be decoded
	     by	the vmstat(1) utility's	-U and -u options; the -l option can
	     be	used to	see which tables are available.

     kern.hostid (KERN_HOSTID)
	     Get or set the host identifier.  This is intended to replace the
	     legacy gethostid(3) and sethostid(3) system calls.

     kern.hostname (KERN_HOSTNAME)
	     Get or set	the hostname(1).

     kern.iov_max (KERN_IOV_MAX)
	     Return the	maximum	number of iovec	structures that	a process has
	     available for use with preadv(2), pwritev(2), readv(2),
	     recvmsg(2), sendmsg(2) and	writev(2).

     kern.ipc (KERN_SYSVIPC)
	     Return information	about the SysV IPC parameters.	The third
	     level names for the ipc variables are detailed below.

		   Third level name	    Type       Changeable
		   kern.ipc.sysvmsg	    integer    no
		   kern.ipc.sysvsem	    integer    no
		   kern.ipc.sysvshm	    integer    no
		   kern.ipc.sysvipc_info    struct     no
		   kern.ipc.shmmax	    integer    yes
		   kern.ipc.shmmni	    integer    yes
		   kern.ipc.shmseg	    integer    yes
		   kern.ipc.shmmaxpgs	    integer    yes
		   kern.ipc.shm_use_phys    integer    yes
		   kern.ipc.msgmni	    integer    yes
		   kern.ipc.msgseg	    integer    yes
		   kern.ipc.semmni	    integer    yes
		   kern.ipc.semmns	    integer    yes
		   kern.ipc.semmnu	    integer    yes

	     kern.ipc.sysvmsg (KERN_SYSVIPC_MSG)
		     Returns 1 if System V style message queue functionality
		     is	available on this system, otherwise 0.

	     kern.ipc.sysvsem (KERN_SYSVIPC_SEM)
		     Returns 1 if System V style semaphore functionality is
		     available on this system, otherwise 0.

	     kern.ipc.sysvshm (KERN_SYSVIPC_SHM)
		     Returns 1 if System V style shared memory functionality
		     is available on this system, otherwise 0.

	     kern.ipc.sysvipc_info (KERN_SYSVIPC_INFO)
		     Return System V style IPC configuration and run-time in-
		     formation.	 The fourth level name selects the System V
		     style IPC facility.

			   Fourth level	name	    Type
			   KERN_SYSVIPC_MSG_INFO    struct msg_sysctl_info
			   KERN_SYSVIPC_SEM_INFO    struct sem_sysctl_info
			   KERN_SYSVIPC_SHM_INFO    struct shm_sysctl_info

		     KERN_SYSVIPC_MSG_INFO
			     Return information	on the System V	style message
			     facility.	The msg_sysctl_info structure is de-
			     fined in <sys/msg.h>.

		     KERN_SYSVIPC_SEM_INFO
			     Return information	on the System V	style sema-
			     phore facility.  The sem_sysctl_info structure is
			     defined in	<sys/sem.h>.

		     KERN_SYSVIPC_SHM_INFO
			     Return information	on the System V	style shared
			     memory facility.  The shm_sysctl_info structure
			     is	defined	in <sys/shm.h>.

	     kern.ipc.shmmax (KERN_SYSVIPC_SHMMAX)
		     Max shared	memory segment size in bytes.

	     kern.ipc.shmmni (KERN_SYSVIPC_SHMMNI)
		     Max number	of shared memory identifiers.

	     kern.ipc.shmseg (KERN_SYSVIPC_SHMSEG)
		     Max shared	memory segments	per process.

	     kern.ipc.shmmaxpgs	(KERN_SYSVIPC_SHMMAXPGS)
		     Max amount	of shared memory in pages.

	     kern.ipc.shm_use_phys (KERN_SYSVIPC_SHMUSEPHYS)
		     Locking of	shared memory in physical memory.  If 0, mem-
		     ory can be	swapped	out, otherwise it will be locked in
		     physical memory.

	     kern.ipc.msgmni
		     Max number	of message queue identifiers.

	     kern.ipc.msgseg
		     Max number of message segments.

	     kern.ipc.semmni
		     Max number of semaphore identifiers.

	     kern.ipc.semmns
		     Max number of semaphores in system.

	     kern.ipc.semmnu
		     Max number	of undo	structures in system.

     kern.job_control (KERN_JOB_CONTROL)
	     Return 1 if job control is	available on this system, otherwise 0.

     kern.labeloffset (KERN_LABELOFFSET)
	     The offset	within the sector specified by KERN_LABELSECTOR	of the
	     disklabel(5).

     kern.labelsector (KERN_LABELSECTOR)
	     The sector	number containing the disklabel(5).

     kern.login_name_max (KERN_LOGIN_NAME_MAX)
	     The size of the storage required for a login name,	in bytes, in-
	     cluding the terminating NUL.

     kern.logsigexit (KERN_LOGSIGEXIT)
	     If	this flag is non-zero, the kernel will log(9) all process ex-
	     its due to	signals	which create a core(5) file, and whether the
	     coredump was created.

     kern.mapped_files (KERN_MAPPED_FILES)
	     Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1")	Memory Mapped
	     Files Option is available on this system, otherwise 0.

     kern.maxfiles (KERN_MAXFILES)
	     The maximum number of files that may be open in the system.

     kern.maxpartitions	(KERN_MAXPARTITIONS)
	     The maximum number	of partitions allowed per disk.

     kern.maxlwp
	     The maximum number	of Lightweight Processes (threads) the system
	     allows per	uid.

     kern.maxphys (KERN_MAXPHYS)
	     Maximum raw I/O transfer size.

     kern.maxproc (KERN_MAXPROC)
	     The maximum number	of simultaneous	processes the system will al-
	     low.

     kern.maxptys (KERN_MAXPTYS)
	     The maximum number of pseudo terminals.  This value can be both
	     raised and lowered, though it cannot be set lower than the number
	     of currently used ptys.  See also pty(4).

     kern.maxvnodes (KERN_MAXVNODES)
	     The maximum number	of vnodes available on the system.  This can
	     only be raised.

     kern.mbuf (KERN_MBUF)
	     Return information	about the mbuf control variables.  Mbufs are
	     data structures which store network packets and other data	struc-
	     tures in the networking code, see mbuf(9).	 The third level names
	     for the mbuf variables are	detailed below.	 The changeable	column
	     shows whether a process with appropriate privilege	may change the
	     value.

		   Third level name	    Type       Changeable
		   kern.mbuf.mblowat	    integer    yes
		   kern.mbuf.mclbytes	    integer    yes
		   kern.mbuf.mcllowat	    integer    yes
		   kern.mbuf.msize	    integer    yes
		   kern.mbuf.nmbclusters    integer    yes

	     The variables are as follows:

	     kern.mbuf.mblowat (MBUF_MBLOWAT)
		     The mbuf low water	mark.

	     kern.mbuf.mclbytes	(MBUF_MCLBYTES)
		     The mbuf cluster size.

	     kern.mbuf.mcllowat	(MBUF_MCLLOWAT)
		     The mbuf cluster low water	mark.

	     kern.mbuf.msize (MBUF_MSIZE)
		     The mbuf base size.

	     kern.mbuf.nmbclusters (MBUF_NMBCLUSTERS)
		     The limit on the number of	mbuf clusters.	The variable
		     can only be increased, and	only increased on machines
		     with direct-mapped	pool pages.

     kern.memlock (KERN_MEMLOCK)
	     Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1")	Process	Memory
	     Locking Option is available on this system, otherwise 0.

     kern.memlock_range	(KERN_MEMLOCK_RANGE)
	     Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1")	Range Memory
	     Locking Option is available on this system, otherwise 0.

     kern.memory_protection (KERN_MEMORY_PROTECTION)
	     Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1")	Memory Protec-
	     tion Option is available on this system, otherwise	0.

     kern.messages
	     Kernel console message verbosity.  See <sys/reboot.h>.

		   Verbosity    Setting
		   0 Silent     AB_SILENT
		   1 Quiet      AB_QUIET
		   2 Normal     AB_NORMAL
		   3 Verbose    AB_VERBOSE
		   4 Debug      AB_DEBUG

     kern.module
	     Settings related to kernel	modules.  The third level names	for
	     the settings are described	below.

		   Third level name	   Type	      Changeable
		   kern.module.autoload	   integer    yes
		   kern.module.autotime	   integer    yes
		   kern.module.verbose	   boolean    yes

	     The variables are as follows:

	     kern.module.autoload
		     A boolean that controls whether kernel modules are	loaded
		     automatically.  See module(7) for additional details.

	     kern.module.autotime
		     An	integer	that controls the delay	before an attempt is
		     made to automatically unload a module that	was auto-
		     loaded.  Setting this value to zero disables the auto-un-
		     load function.

	     kern.module.verbose
		     A boolean that enables or disables	verbose	debug messages
		     related to	kernel modules.

     kern.monotonic_clock (KERN_MONOTONIC_CLOCK)
	     Returns the version of the standard to which the implementation
	     of the IEEE Std 1003.1b-1993 ("POSIX.1") Monotonic Clock Option
	     conforms, otherwise 0.

     kern.mqueue
	     Settings related to POSIX message queues; see mqueue(3).  This
	     node is created dynamically when the corresponding	kernel module
	     is	loaded.	 The third level names for the settings	are described
	     below.

		   Third level name		 Type	    Changeable
		   kern.mqueue.mq_open_max	 integer    yes
		   kern.mqueue.mq_prio_max	 integer    yes
		   kern.mqueue.mq_max_msgsize	 integer    yes
		   kern.mqueue.mq_def_maxmsg	 integer    yes
		   kern.mqueue.mq_max_maxmsg	 integer    yes

	     The variables are:

	     kern.mqueue.mq_open_max
		     The maximum number	of message queue descriptors any sin-
		     gle process can open.

	     kern.mqueue.mq_prio_max
		     The maximum priority of a message.

	     kern.mqueue.mq_max_msgsize
		     The maximum size of a message in a	message	queue.

	     kern.mqueue.mq_def_maxmsg
		     The default maximum message count.

	     kern.mqueue.mq_max_maxmsg
		     The maximum number	of messages in a message queue.

     kern.msgbuf (KERN_MSGBUF)
	     The kernel	message	buffer,	rotated	so that	the head of the	circu-
	     lar kernel	message	buffer is at the start of the returned data.
	     The returned data may contain NUL bytes.

     kern.msgbufsize (KERN_MSGBUFSIZE)
	     The maximum number	of characters that the kernel message buffer
	     can hold.

     kern.ngroups (KERN_NGROUPS)
	     The maximum number	of supplemental	groups.

     kern.ntptime (KERN_NTPTIME)
	     A struct ntptimeval structure is returned.	 This structure	con-
	     tains data	used by	the ntpd(8) program.

     kern.osrelease (KERN_OSRELEASE)
	     The system	release	string.

     kern.osrevision (KERN_OSREV)
	     The system	revision string.

     kern.ostype (KERN_OSTYPE)
	     The system	type string.

     kern.pipe (KERN_PIPE)
	     Pipe settings.  The third level names for the integer pipe
	     settings are detailed below.  The changeable column shows whether
	     a process with appropriate privilege may change the value.

		   Third level name	    Type       Changeable
		   kern.pipe.kvasiz	    integer    yes
		   kern.pipe.maxbigpipes    integer    yes
		   kern.pipe.maxkvasz	    integer    yes
		   kern.pipe.limitkva	    integer    yes
		   kern.pipe.nbigpipes	    integer    yes

	     The variables are as follows:

	     kern.pipe.kvasiz (KERN_PIPE_KVASIZ)
		     Amount of kernel memory consumed by pipe buffers.

	     kern.pipe.maxbigpipes (KERN_PIPE_MAXBIGPIPES)
		     Maximum number of "big" pipes.

	     kern.pipe.maxkvasz	(KERN_PIPE_MAXKVASZ)
		     Maximum amount of kernel memory to	be used	for pipes.

	     kern.pipe.limitkva	(KERN_PIPE_LIMITKVA)
		     Limit for direct transfers	via page loan.

	     kern.pipe.nbigpipes (KERN_PIPE_NBIGPIPES)
		     Number of "big" pipes.

     kern.pool
	     Provides statistics about the pool(9) and pool_cache(9) subsys-
	     tems.

     kern.posix1version	(KERN_POSIX1)
	     The version of ISO/IEC 9945 (IEEE Std 1003.1 ("POSIX.1")) with
	     which the system attempts to comply.

     kern.posix_aio
	     The version of IEEE Std 1003.1 ("POSIX.1")	and its	Asynchronous
	     I/O option	to which the system attempts to	conform.

     kern.posix_barriers (KERN_POSIX_BARRIERS)
	     The version of IEEE Std 1003.1 ("POSIX.1")	and its	Barriers op-
	     tion to which the system attempts to conform, otherwise 0.

     kern.posix_reader_writer_locks (KERN_POSIX_READER_WRITER_LOCKS)
	     The version of IEEE Std 1003.1 ("POSIX.1")	and its	Read-Write
	     Locks option to which the system attempts to conform, other-
	     wise 0.

     kern.posix_semaphores (KERN_POSIX_SEMAPHORES)
	     The version of IEEE Std 1003.1 ("POSIX.1")	and its	Semaphores op-
	     tion to which the system attempts to conform, otherwise 0.

     kern.posix_spin_locks (KERN_POSIX_SPIN_LOCKS)
	     The version of IEEE Std 1003.1 ("POSIX.1")	and its	Spin Locks op-
	     tion to which the system attempts to conform, otherwise 0.

     kern.posix_threads	(KERN_POSIX_THREADS)
	     The version of IEEE Std 1003.1 ("POSIX.1")	and its	Threads	option
	     to	which the system attempts to conform, otherwise	0.

     kern.posix_timers (KERN_POSIX_TIMERS)
	     The version of IEEE Std 1003.1 ("POSIX.1")	and its	Timers option
	     to	which the system attempts to conform, otherwise	0.

     kern.proc (KERN_PROC)
	     Return the	entire process table, or a subset of it.  An array of
	     struct kinfo_proc structures is returned, whose size depends on
	     the current number	of such	objects	in the system.	The third and
	     fourth level numeric names	are as follows:

		   Third level name	Fourth level is:
		   KERN_PROC_ALL	None
		   KERN_PROC_GID	A group	ID
		   KERN_PROC_PID	A process ID
		   KERN_PROC_PGRP	A process group
		   KERN_PROC_RGID	A real group ID
		   KERN_PROC_RUID	A real user ID
		   KERN_PROC_SESSION	A session ID
		   KERN_PROC_TTY	A tty device
		   KERN_PROC_UID	A user ID

     kern.proc2	(KERN_PROC2)
	     As for KERN_PROC, but an array of struct kinfo_proc2 structures
	     is returned.  The fifth level name is the size of the struct
	     kinfo_proc2 and the sixth level name is the number of structures
	     to return.

     kern.proc_args (KERN_PROC_ARGS)
	     Return the	argv or	environment strings (or	the number thereof) of
	     a process.	 Multiple strings are returned separated by NUL	char-
	     acters.  The third	level name is the process ID.  The fourth
	     level name	is as follows:

		   KERN_PROC_ARGV	 The argv strings
		   KERN_PROC_ENV	 The environ strings
		   KERN_PROC_NARGV	 The number of argv strings
		   KERN_PROC_NENV	 The number of environ strings
		   KERN_PROC_PATHNAME	 The full pathname of the executable

     kern.profiling (KERN_PROF)
	     Return profiling information about the kernel.  If the kernel is
	     not compiled for profiling, attempts to retrieve any of the
	     KERN_PROF values will fail with EOPNOTSUPP.  The third level
	     names for the string and integer profiling information are
	     detailed below.  The changeable column shows whether a process
	     with appropriate privilege may change the value.

		   Third level name	       Type		   Changeable
		   kern.profiling.count	       u_short[]	   yes
		   kern.profiling.froms	       u_short[]	   yes
		   kern.profiling.gmonparam    struct gmonparam	   no
		   kern.profiling.state	       integer		   yes
		   kern.profiling.tos	       struct tostruct	   yes

	     The variables are as follows:

	     kern.profiling.count (GPROF_COUNT)
		     Array of statistical program counter counts.

	     kern.profiling.froms (GPROF_FROMS)
		     Array indexed by program counter of call-from points.

	     kern.profiling.gmonparam (GPROF_GMONPARAM)
		     Structure giving the sizes	of the above arrays.

	     kern.profiling.state (GPROF_STATE)
		     Profiling state.  If set to GMON_PROF_ON, starts profil-
		     ing.  If set to GMON_PROF_OFF, stops profiling.

	     kern.profiling.tos	(GPROF_TOS)
		     Array of struct tostruct describing destination of	calls
		     and their counts.

     kern.rawpartition (KERN_RAWPARTITION)
	     The raw partition of a disk (a == 0).

     kern.root_device (KERN_ROOT_DEVICE)
	     The name of the root device (e.g.,	"wd0").

     kern.root_partition (KERN_ROOT_PARTITION)
	     The root partition	on the root device (a == 0).

     kern.rtc_offset (KERN_RTC_OFFSET)
	     Return the	offset of real time clock from UTC in minutes.

     kern.saved_ids (KERN_SAVED_IDS)
	     Returns 1 if saved	set-group and saved set-user ID	is available.

     kern.sbmax	(KERN_SBMAX)
	     Maximum socket buffer size.

     kern.securelevel (KERN_SECURELVL)
	     See secmodel_securelevel(9).

     kern.sched	(dynamic)
	     Influence the scheduling of LWPs, their prioritization and how
	     they are distributed on and moved between CPUs.

		   Third level name		 Type	    Changeable
		   kern.sched.cacheht_time	 integer    yes
		   kern.sched.balance_period	 integer    yes
		   kern.sched.average_weight	 integer    yes
		   kern.sched.min_catch		 integer    yes
		   kern.sched.timesoftints	 integer    yes
		   kern.sched.kpreempt_pri	 integer    yes
		   kern.sched.upreempt_pri	 integer    yes
		   kern.sched.maxts		 integer    yes
		   kern.sched.mints		 integer    yes
		   kern.sched.name		 string	    no
		   kern.sched.rtts		 integer    no
		   kern.sched.pri_min		 integer    no
		   kern.sched.pri_max		 integer    no

	     The variables are as follows:

	     kern.sched.cacheht_time (dynamic)
		     Cache hotness time	in which a LWP is kept on one particu-
		     lar CPU and not moved to another CPU.  This reduces the
		     overhead of flushing and reloading	caches.	 Defaults to
		     3ms.  Needs to be given in	"hz" units, see	mstohz(9).

	     kern.sched.balance_period (dynamic)
		     Interval at which the CPU queues are checked for re-bal-
		     ancing.  Defaults to 300ms.  Needs	to be given in "hz"
		     units, see	mstohz(9).

	     kern.sched.average_weight (dynamic)
		     Can be used to influence how likely LWPs are to be
		     migrated from one CPU's queue of LWPs that are ready to
		     run to a different, idle CPU.  The value gives the
		     percentage for weighting the average count of migratable
		     threads from the past against the current number of
		     migratable threads.  A small value gives more weight to
		     the past, a larger value more weight to the current
		     situation.  Defaults to 50 and must be between 0 and 100.

	     kern.sched.min_catch (dynamic)
		     Minimum count of migratable (runnable) threads for
		     catching (stealing) from another CPU.  Defaults to 1 but
		     can be increased to decrease the chance of thread
		     migration between CPUs.

	     kern.sched.timesoftints (dynamic)
		     Enable tracking of	CPU time for soft interrupts as	part
		     of	a LWP's	real execution time.  Set to a non-zero	value
		     to	enable,	and see	ps(1) for printing CPU times.

	     kern.sched.kpreempt_pri (dynamic)
		     Minimum priority to trigger kernel	preemption.

	     kern.sched.upreempt_pri (dynamic)
		     Minimum priority to trigger user preemption.

	     kern.sched.maxts (dynamic)
		     Scheduler specific	maximal	time quantum (in millisec-
		     onds).  Must be set to a value larger than	"mints"	and
		     between 10	and "hz" as given by the kern.clockrate
		     sysctl.  Provided by the M2 scheduler.

	     kern.sched.mints (dynamic)
		     Scheduler specific	minimal	time quantum (in millisec-
		     onds).  Must be set to a value smaller than "maxts" and
		     between 1 and "hz"	as given by the	"kern.clockrate"
		     sysctl.  Provided by the M2 scheduler.

	     kern.sched.name (dynamic)
		     Scheduler name.  Provided both by the M2 and the 4BSD
		     scheduler.

	     kern.sched.rtts (dynamic)
		     Fixed scheduler specific round-robin time quantum in mil-
		     liseconds.	 Provided both by the M2 and the 4BSD sched-
		     uler.

	     kern.sched.pri_min	(dynamic)
		     Minimal POSIX real-time priority.	See sched(3).

	     kern.sched.pri_max	(dynamic)
		     Maximal POSIX real-time priority.	See sched(3).

     kern.somaxkva (KERN_SOMAXKVA)
	     Maximum amount of kernel memory to	be used	for socket buffers.

     kern.synchronized_io (KERN_SYNCHRONIZED_IO)
	     Returns 1 if the IEEE Std 1003.1b-1993 ("POSIX.1")	Synchronized
	     I/O Option	is available on	this system, otherwise 0.

     kern.timecounter (dynamic)
	     Display and control the timecounter source	of the system.

		   Third level name			Type	   Changeable
		   kern.timecounter.choice		string	   no
		   kern.timecounter.hardware		string	   yes
		   kern.timecounter.timestepwarnings	integer	   yes

	     The variables are as follows:

	     kern.timecounter.choice (dynamic)
		     The list of available timecounters	with their quality and
		     frequency.

	     kern.timecounter.hardware (dynamic)
		     The currently selected timecounter	source.

	     kern.timecounter.timestepwarnings (dynamic)
		     If non-zero, display a message each time the time is
		     stepped.

     kern.timex	(KERN_TIMEX)
	     Not available.

     kern.tkstat (KERN_TKSTAT)
	     Return information	about the number of characters sent and	re-
	     ceived on ttys.  The third	level names for	the tty	statistic
	     variables are detailed below.  The	changeable column shows
	     whether a process with appropriate	privilege may change the
	     value.

		   Third level name	Type	Changeable
		   kern.tkstat.cancc	quad	no
		   kern.tkstat.nin	quad	no
		   kern.tkstat.nout	quad	no
		   kern.tkstat.rawcc	quad	no

	     The variables are as follows:

	     kern.tkstat.cancc (KERN_TKSTAT_CANCC)
		     The number	of canonical input characters.

	     kern.tkstat.nin (KERN_TKSTAT_NIN)
		     The total number of input characters.

	     kern.tkstat.nout (KERN_TKSTAT_NOUT)
		     The total number of output	characters.

	     kern.tkstat.rawcc (KERN_TKSTAT_RAWCC)
		     The number	of raw input characters.

     kern.tty
	     The third level names for the tty setup variables are detailed
	     below.  The changeable column shows whether a process with	appro-
	     priate privilege may change the value.

		   Third level name  Type   Changeable
		   kern.tty.qsize    int    yes

	     The variables are as follows:

	     kern.tty.qsize
		     Control/display the size of the default input and output
		     queues selected during tty creation.  The value is
		     converted to a power of two and its range is between 1024
		     and 65536.

     kern.uidinfo
	     Resource usage for	the current user.

		   Third level name	   Type	      Changeable
		   kern.uidinfo.proccnt	   integer    no
		   kern.uidinfo.lwpcnt	   integer    no
		   kern.uidinfo.lockcnt	   integer    no
		   kern.uidinfo.sbsize	   integer    no

	     kern.uidinfo.proccnt
		     Returns the number	of active processes for	the current
		     user.

	     kern.uidinfo.lwpcnt
		     Returns the number	of active threads for the current
		     user; the first thread of each process is not counted.

	     kern.uidinfo.lockcnt
		     Number of locks held by the current user.

	     kern.uidinfo.sbsize
		     Number of bytes in	socket buffers allocated to the	cur-
		     rent user.

     kern.urandom (KERN_URND)
	     Random integer value.

     kern.usercrypto
	     When enabled, allows userland to open(2) the /dev/crypto special
	     device, used by the crypto(4) system.

     kern.userasymcrypto
	     Enables or	disables the use of software asymmetric	crypto support
	     in	the crypto(4) system.

     kern.veriexec
	     Runtime information for veriexec(8).

		   Third level name	       Type	  Changeable
		   kern.veriexec.algorithms    string	  no
		   kern.veriexec.count	       node	  not applicable
		   kern.veriexec.strict	       integer	  yes
		   kern.veriexec.verbose       integer	  yes

	     kern.veriexec.algorithms
		     Returns a string with the supported algorithms in Ver-
		     iexec.

	     kern.veriexec.count
		     Sub-nodes are added to this node as new mounts are	moni-
		     tored by Veriexec.	 Each mount will be under its own
		     tableN node.  Under each node there will be three vari-
		     ables, indicating the mount point,	the file system	type,
		     and the number of entries.

	     kern.veriexec.strict
		     Controls the strict level of Veriexec.  See security(7)
		     for more information on each level's implications.

	     kern.veriexec.verbose
		     Controls the verbosity level of Veriexec.  If 0, only the
		     minimal indication required will be given about what's
		     happening: fingerprint mismatches, removal of entries
		     from the tables, modification of a fingerprinted file.
		     If 1, more messages will be printed (i.e., when a file
		     with a valid fingerprint is accessed).  Verbose level 2
		     is debug mode.

     kern.version (KERN_VERSION)
	     The system	version	string.

     kern.vnode	(KERN_VNODE)
	     Return the entire vnode table.  Note, the vnode table is not
	     necessarily a consistent snapshot of the system.  The returned
	     data consists of an array whose size depends on the current
	     number of such objects in the system.  Each element of the array
	     contains the kernel address of a vnode (struct vnode *) followed
	     by the vnode itself (struct vnode).

   The machdep.* subtree
     The set of	variables defined is architecture dependent.  Most architec-
     tures define at least the following variables.

	   Second level	name	    Type    Changeable
	   machdep.booted_kernel    string  no

   The net.* subtree
     The string	and integer information	available for the net level is de-
     tailed below.  The	changeable column shows	whether	a process with appro-
     priate privilege may change the value.  The second	and third levels are
     typically the protocol family and protocol	number,	though this is not al-
     ways the case.

	   Second level	name	Type			       Changeable
	   net.route		routing	messages	       no
	   net.inet		IPv4 values		       yes
	   net.inet6		IPv6 values		       yes
	   net.key		IPsec key management values    yes

     net.route (PF_ROUTE)
	     Return the	entire routing table or	a subset of it.	 The data is
	     returned as a sequence of routing messages	(see route(4) for the
	     header file, format and meaning).	The length of each message is
	     contained in the message header.

	     The third level name is a protocol	number,	which is currently al-
	     ways 0.  The fourth level name is an address family, which	may be
	     set to 0 to select	all address families.  The fifth and sixth
	     level names are as	follows:

		   Fifth level name    Sixth level is:
		   NET_RT_FLAGS	       rtflags
		   NET_RT_DUMP	       None
		   NET_RT_IFLIST       None

     net.inet (PF_INET)
	     Get or set	various	global information about the IPv4 (Internet
	     Protocol version 4).  The third level name	is the protocol.  The
	     fourth level name is the variable name.  The currently defined
	     protocols and names are:

		   Protocol    Variable			 Type	    Changeable
		   arp	       down			 integer    yes
		   arp	       keep			 integer    yes
		   arp	       log_movements		 integer    yes
		   arp	       log_permanent_modify	 integer    yes
		   arp	       log_unknown_network	 integer    yes
		   arp	       log_wrong_iface		 integer    yes
		   carp	       allow			 integer    yes
		   carp	       preempt			 integer    yes
		   carp	       log			 integer    yes
		   carp	       arpbalance		 integer    yes
		   icmp	       errppslimit		 integer    yes
		   icmp	       maskrepl			 integer    yes
		   icmp	       rediraccept		 integer    yes
		   icmp	       redirtimeout		 integer    yes
		   icmp	       bmcastecho		 integer    yes
		   ip	       allowsrcrt		 integer    yes
		   ip	       anonportalgo.selected	 string	    yes
		   ip	       anonportalgo.available	 string	    yes
		   ip	       anonportalgo.reserve	 struct	    yes
		   ip	       anonportmax		 integer    yes
		   ip	       anonportmin		 integer    yes
		   ip	       checkinterface		 integer    yes
		   ip	       dad_count		 integer    yes
		   ip	       directed-broadcast	 integer    yes
		   ip	       do_loopback_cksum	 integer    yes
		   ip	       forwarding		 integer    yes
		   ip	       forwsrcrt		 integer    yes
		   ip	       gifttl			 integer    yes
		   ip	       grettl			 integer    yes
		   ip	       hashsize			 integer    yes
		   ip	       hostzerobroadcast	 integer    yes
		   ip	       lowportmin		 integer    yes
		   ip	       lowportmax		 integer    yes
		   ip	       maxflows			 integer    yes
		   ip	       maxfragpackets		 integer    yes
		   ip	       mtudisc			 integer    yes
		   ip	       mtudisctimeout		 integer    yes
		   ip	       random_id		 integer    yes
		   ip	       redirect			 integer    yes
		   ip	       subnetsarelocal		 integer    yes
		   ip	       ttl			 integer    yes
		   tcp	       rfc1323			 integer    yes
		   tcp	       sendspace		 integer    yes
		   tcp	       recvspace		 integer    yes
		   tcp	       mssdflt			 integer    yes
		   tcp	       syn_cache_limit		 integer    yes
		   tcp	       syn_bucket_limit		 integer    yes
		   tcp	       syn_cache_interval	 integer    yes
		   tcp	       init_win			 integer    yes
		   tcp	       init_win_local		 integer    yes
		   tcp	       mss_ifmtu		 integer    yes
		   tcp	       win_scale		 integer    yes
		   tcp	       timestamps		 integer    yes
		   tcp	       compat_42		 integer    yes
		   tcp	       cwm			 integer    yes
		   tcp	       cwm_burstsize		 integer    yes
		   tcp	       ack_on_push		 integer    yes
		   tcp	       keepidle			 integer    yes
		   tcp	       keepintvl		 integer    yes
		   tcp	       keepcnt			 integer    yes
		   tcp	       slowhz			 integer    no
		   tcp	       keepinit			 integer    yes
		   tcp	       log_refused		 integer    yes
		   tcp	       rstppslimit		 integer    yes
		   tcp	       ident			 struct	    no
		   tcp	       drop			 struct	    no
		   tcp	       sack.enable		 integer    yes
		   tcp	       sack.globalholes		 integer    no
		   tcp	       sack.globalmaxholes	 integer    yes
		   tcp	       sack.maxholes		 integer    yes
		   tcp	       ecn.enable		 integer    yes
		   tcp	       ecn.maxretries		 integer    yes
		   tcp	       congctl.selected		 string	    yes
		   tcp	       congctl.available	 string	    yes
		   tcp	       abc.enable		 integer    yes
		   tcp	       abc.aggressive		 integer    yes
		   udp	       checksum			 integer    yes
		   udp	       do_loopback_cksum	 integer    yes
		   udp	       recvspace		 integer    yes
		   udp	       sendspace		 integer    yes

	     The variables are as follows:

	     arp.down
		     Failed ARP	entry lifetime.

	     arp.keep
		     Valid ARP entry lifetime.

	     carp.allow
		     If	set to 0, incoming carp(4) packets will	not be pro-
		     cessed.  If set to	any other value, processing will oc-
		     cur.  Enabled by default.

	     carp.arpbalance
		     If	set to any value other than 0, the ARP balancing func-
		     tionality of carp(4) is enabled.  When ARP	requests are
		     received for an IP	address	which is part of any virtual
		     host, carp	will hash the source IP	in the ARP request to
		     select one	of the virtual hosts from the set of all the
		     virtual hosts which have that IP address.	The master of
		     that host will respond with the correct virtual MAC ad-
		     dress.  Disabled by default.

	     carp.log
		     If	set to any value other than 0, carp(4) will log	er-
		     rors.  Disabled by	default.

	     carp.preempt
		     If	set to 0, carp(4) will not attempt to become master if
		     it	is receiving advertisements from another active	mas-
		     ter.  If set to any other value, carp will	become master
		     of	the virtual host if it believes	it can send advertise-
		     ments more	frequently than	the current master.  Disabled
		     by	default.

	     ip.allowsrcrt
		     If	set to 1, the host accepts source routed packets.

	     ip.anonportalgo.available
		     The available RFC 6056 port randomization algorithms.

	     ip.anonportalgo.reserve
		     A bitmask of ports	that will not be used during anonymous
		     or	privileged port	selection.

	     ip.anonportalgo.selected
		     The currently selected RFC	6056 port randomization	algo-
		     rithm.

	     ip.anonportmax
		     The highest port number to	use for	TCP and	UDP ephemeral
		     port allocation.  This cannot be set to less than 1024 or
		     greater than 65535, and must be greater than
		     ip.anonportmin.

	     ip.anonportmin
		     The lowest	port number to use for TCP and UDP ephemeral
		     port allocation.  This cannot be set to less than 1024 or
		     greater than 65535.

	     ip.checkinterface
		     If set to non-zero, the host will reject packets
		     addressed to it that arrive on an interface not bound to
		     that address.  Currently, this must be disabled if ipnat
		     is used to translate the destination address to another
		     local interface, or if addresses are added to the
		     loopback interface instead of the interface where the
		     packets for those addresses are received.

	     ip.dad_count
		     The number	of arp(4) probes sent for Address Conflict De-
		     tection.  Set to 0	to disable this.

	     ip.directed-broadcast
		     If	set to 1, enables directed broadcast behavior for the
		     host.

	     ip.do_loopback_cksum
		     Perform IP	checksum on loopback.

	     ip.forwarding
		     If	set to 1, enables IP forwarding	for the	host, meaning
		     that the host is acting as	a router.

	     ip.forwsrcrt
		     If	set to 1, enables forwarding of	source-routed packets
		     for the host.  This value may only	be changed if the ker-
		     nel security level	is less	than 1.

	     ip.gifttl
		     The maximum time-to-live (hop count) value	for an IPv4
		     packet generated by gif(4)	tunnel interface.

	     ip.grettl
		     The maximum time-to-live (hop count) value	for an IPv4
		     packet generated by gre(4)	tunnel interface.

	     ip.hashsize
		     The size of IPv4 Fast Forward hash	table.	This value
		     must be a power of	2 (64, 256...).	 A larger hash table
		     size results in fewer collisions.	Also see ip.maxflows.

	     ip.hostzerobroadcast
		     All zeroes	address	is broadcast address.

	     ip.lowportmax
		     The highest port number to	use for	TCP and	UDP reserved
		     port allocation.  This cannot be set to less than 0 or
		     greater than 1024,	and must be greater than
		     ip.lowportmin.

	     ip.lowportmin
		     The lowest	port number to use for TCP and UDP reserved
		     port allocation.  This cannot be set to less than 0 or
		     greater than 1024,	and must be smaller than
		     ip.lowportmax.

	     ip.maxflows
		     IPv4 Fast Forwarding is enabled by	default.  If set to 0,
		     IPv4 Fast Forwarding is disabled.	ip.maxflows controls
		     the maximum number of flows which can be created.  The
		     default value is 256.

	     ip.maxfragpackets
		     The maximum number of fragmented packets the node will
		     accept.  0 means that the node will not accept any
		     fragmented packets.  -1 means that the node will accept
		     as many fragmented packets as it receives.  The variable
		     is provided mainly to avoid possible DoS attacks.

	     ip.mtudisc
		     If	set to 1, enables Path MTU Discovery (RFC 1191).  When
		     Path MTU Discovery	is enabled, the	transmitted TCP	seg-
		     ment size will be determined by the advertised maximum
		     segment size (MSS)	from the remote	end, as	constrained by
		     the path MTU.  If MTU Discovery is	disabled, the trans-
		     mitted segment size will never be greater than
		     tcp.mssdflt (the local maximum segment size).

	     ip.mtudisctimeout
		     The number	of seconds in which a route added by the Path
		     MTU Discovery engine will time out.  When the route times
		     out, the Path MTU Discovery engine	will attempt to	probe
		     a larger path MTU.

	     ip.random_id
		     Assign random ip_id values.

	     ip.redirect
		     If	set to 1, ICMP redirects may be	sent by	the host.
		     This option is ignored unless the host is routing IP
		     packets, and should normally be enabled on	all systems.

	     ip.subnetsarelocal
		     If	set to 1, subnets are to be considered local ad-
		     dresses.

	     ip.ttl  The maximum time-to-live (hop count) value	for an IP
		     packet sourced by the system.  This value applies to nor-
		     mal transport protocols, not to ICMP.

	     icmp.errppslimit
		     The variable specifies the maximum number of outgoing
		     ICMP error messages, per second.  ICMP error messages
		     that exceed the value are subject to rate limitation
		     and will not go out from the node.  A negative value
		     disables rate limitation.

	     icmp.maskrepl
		     If	set to 1, ICMP network mask requests are to be an-
		     swered.

	     icmp.rediraccept
		     If	set to non-zero, the host will accept ICMP redirect
		     packets.  Note that routers will never accept ICMP	redi-
		     rect packets, and the variable is meaningful on IP	hosts
		     only.

	     icmp.redirtimeout
		     The variable specifies the lifetime of routing entries
		     generated by incoming ICMP redirects.  This defaults to
		     600 seconds.

	     icmp.returndatabytes
		     Number of bytes to	return in an ICMP error	message.

	     icmp.bmcastecho
		     If	set to 1, enables responding to	ICMP echo or timestamp
		     request to	the broadcast address.

	     tcp.ack_on_push
		     If	set to 1, TCP is to immediately	transmit an ACK	upon
		     reception of a packet with	PUSH set.  This	can avoid los-
		     ing a round trip time in some rare	situations, but	has
		     the caveat	of potentially defeating TCP's delayed ACK al-
		     gorithm.  Use of this option is generally not recom-
		     mended, but the variable exists in	case your configura-
		     tion really needs it.

	     tcp.compat_42
		     If	set to 1, enables work-arounds for bugs	in the 4.2BSD
		     TCP implementation.  Use of this option is	not recom-
		     mended, although it may be	required in order to communi-
		     cate with extremely old TCP implementations.

	     tcp.cwm
		     If	set to 1, enables use of the Hughes/Touch/Heidemann
		     Congestion	Window Monitoring algorithm.  This algorithm
		     prevents line-rate	bursts of packets that could otherwise
		     occur when	data begins flowing on an idle TCP connection.
		     These line-rate bursts can	contribute to network and
		     router congestion.	 This can be particularly useful on
		     World Wide	Web servers which support HTTP/1.1, which has
		     lingering connections.

	     tcp.cwm_burstsize
		     The Congestion Window Monitoring allowed burst size, in
		     terms of packet count.

	     tcp.delack_ticks
		     Number of ticks to	delay sending an ACK.

	     tcp.do_loopback_cksum
		     Perform TCP checksum on loopback.

	     tcp.init_win
		     A value indicating	the TCP	initial	congestion window.
		     The valid range is	0 to 10	(maximum specified by
		     RFC6928), with a default of 4 (approximately 4K per
		     RFC3390).

	     tcp.init_win_local
		     Like tcp.init_win,	but used when communicating with hosts
		     on	a local	network.

	     tcp.keepcnt
		     Number of keepalive probes	sent before declaring a	con-
		     nection dead.  If set to zero, there is no	limit;
		     keepalives	will be	sent until some	kind of	response is
		     received from the peer.

	     tcp.keepidle
		     Time a connection must be idle before keepalives are sent
		     (if keepalives are	enabled	for the	connection).  See also
		     tcp.slowhz.

	     tcp.keepintvl
		     Time after	a keepalive probe is sent until, in the	ab-
		     sence of any response, another probe is sent.  See	also
		     tcp.slowhz.

	     tcp.log_refused
		     If	set to 1, refused TCP connections to the host will be
		     logged.

	     tcp.keepinit
		     Timeout in	seconds	during connection establishment.

	     tcp.mss_ifmtu
		     If	set to 1, TCP calculates the outgoing maximum segment
		     size based	on the MTU of the appropriate interface.  If
		     set to 0, it is calculated	based on the greater of	the
		     MTU of the	interface, and the largest (non-loopback) in-
		     terface MTU on the	system.

	     tcp.mssdflt
		     The default maximum segment size both advertised to the
		     peer and to use when either the peer does not advertise a
		     maximum segment size to us	during connection setup	or
		     Path MTU Discovery	(ip.mtudisc) is	disabled.  Do not
		     change this value unless you really know what you are do-
		     ing.

	     tcp.recvspace
		     The default TCP receive buffer size.

	     tcp.rfc1323
		     If	set to 1, enables RFC 1323 extensions to TCP.

	     tcp.rstppslimit
		     The variable specifies the maximum number of outgoing TCP
		     RST packets, per second.  TCP RST packets that exceed
		     the value are subject to rate limitation and will not go
		     out from the node.  A negative value disables rate
		     limitation.

	     tcp.ident
		     Return the	user ID	of a connected socket pair.  (RFC1413
		     Identification Protocol lookups.)

	     tcp.drop
		     Drop a TCP	socket pair connection.

	     tcp.sack.enable
		     If	set to 1, enables RFC 2018 Selective ACKnowledgement.

	     tcp.sack.globalholes
		     Global number of TCP SACK holes.

	     tcp.sack.globalmaxholes
		     Global maximum number of TCP SACK holes.

	     tcp.sack.maxholes
		     Maximum number of TCP SACK	holes allowed per connection.

	     tcp.ecn.enable
		     If	set to 1, enables RFC 3168 Explicit Congestion Notifi-
		     cation.

	     tcp.ecn.maxretries
		     Number of times to	retry sending the ECN-setup packet.

	     tcp.sendspace
		     The default TCP send buffer size.

	     tcp.slowhz
		     The units for tcp.keepidle	and tcp.keepintvl; those vari-
		     ables are in ticks	of a clock that	ticks tcp.slowhz times
		     per second.  (That	is, their values must be divided by
		     the tcp.slowhz value to get times in seconds.)

	     tcp.syn_bucket_limit
		     The maximum number	of entries allowed per hash bucket in
		     the TCP compressed	state engine.

	     tcp.syn_cache_limit
		     The maximum number	of entries allowed in the TCP com-
		     pressed state engine.

	     tcp.timestamps
		     If	rfc1323	is enabled, a value of 1 indicates RFC 1323
		     time stamp	options, used for measuring TCP	round trip
		     times, are	enabled.

	     tcp.win_scale
		     If	rfc1323	is enabled, a value of 1 indicates RFC 1323
		     window scale options, for increasing the TCP window size,
		     are enabled.

	     tcp.congctl.available
		     The available TCP congestion control algorithms.

	     tcp.congctl.selected
		     The currently selected TCP	congestion control algorithm.

	     tcp.abc.enable
		     If	set to 1, use RFC 3465 Appropriate Byte	Counting
		     (ABC).  If	set to 0, use traditional Packet Counting.

	     tcp.abc.aggressive
		     Choose the	L parameter found in RFC 3465.	L is the maxi-
		     mum cwnd increase for an ack during slow start.  If set
		     to	1, use L=2*SMSS.  If set to 0, use L=1*SMSS.  It has
		     no	effect unless tcp.abc.enable is	set to 1.

	     udp.checksum
		     If	set to 1, UDP checksums	are being computed.  Received
		     non-zero UDP checksums are	always checked.	 Disabling UDP
		     checksums is strongly discouraged.

	     udp.recvspace
		     The default UDP receive buffer size.

	     udp.sendspace
		     The default UDP send buffer size.

	     For variables net.*.ipsec,	please refer to	ipsec(4).
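
	     The following audit is an added example, not part of this manual
	     page or of the system's own tooling.  It reads sysctl(8) output
	     or /etc/sysctl.conf lines and reports net.inet settings by their
	     documented effect, treating hosts and routers differently for
	     ip.forwarding and icmp.rediraccept.  The choice of which values
	     to report, the function names and the sample input are
	     assumptions of the example.

```shell
#!/bin/sh
# Added example: audit net.inet settings against the effects this page documents.
# The baseline (which values are reported) is an assumption of the example.

# Constructed sample, in sysctl(8) output form plus one sysctl.conf-style line.
SAMPLE='net.inet.ip.forwarding = 0
net.inet.ip.allowsrcrt = 1
net.inet.ip.forwsrcrt = 0
net.inet.ip.directed-broadcast = 0
net.inet.ip.maxfragpackets = -1
net.inet.icmp.rediraccept = 1
net.inet.icmp.maskrepl = 0
net.inet.icmp.bmcastecho = 1
net.inet.tcp.log_refused = 0
net.inet.udp.checksum=1   # sysctl.conf style
net.inet.tcp.slowhz = 2
net.inet.tcp.keepidle = 14400'

# normalize: stdin is "name = value" or "name=value" text; prints "name value".
normalize() {
    awk '{
        sub(/#.*/, "")                          # drop trailing comments
        n = index($0, "=")
        if (n == 0) next
        name = substr($0, 1, n - 1); val = substr($0, n + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (name != "" && val != "") print name, val
    }'
}

# audit_net_inet ROLE: ROLE is "host" (default) or "router".
# Prints one line per reported setting: "name = value: documented effect".
audit_net_inet() {
    normalize | awk -v role="${1:-host}" '
    function rule(name, cond, text) { cnd[name] = cond; msg[name] = text }
    # cond is "=N" (report when value equals N) or "!N" (report when it differs)
    function hit(cond, v,    op, ref) {
        op = substr(cond, 1, 1); ref = substr(cond, 2) + 0
        return (op == "=") ? (v + 0 == ref) : (v + 0 != ref)
    }
    BEGIN {
        rule("net.inet.ip.allowsrcrt",         "=1",  "accepts source routed packets")
        rule("net.inet.ip.forwsrcrt",          "=1",  "forwards source-routed packets")
        rule("net.inet.ip.directed-broadcast", "=1",  "directed broadcast enabled")
        rule("net.inet.ip.maxfragpackets",     "=-1", "no limit on fragmented packets")
        rule("net.inet.icmp.maskrepl",         "=1",  "answers ICMP network mask requests")
        rule("net.inet.icmp.bmcastecho",       "=1",  "answers ICMP echo/timestamp to broadcast")
        rule("net.inet.tcp.log_refused",       "=0",  "refused TCP connections are not logged")
        rule("net.inet.udp.checksum",          "=0",  "UDP checksums are not computed")
        if (role == "host") {
            # Redirect acceptance is meaningful on hosts only, per the page.
            rule("net.inet.ip.forwarding",    "=1", "host is acting as a router")
            rule("net.inet.icmp.rediraccept", "!0", "accepts ICMP redirect packets")
        }
    }
    ($1 in cnd) && $2 ~ /^-?[0-9]+$/ && hit(cnd[$1], $2) {
        printf "%s = %s: %s\n", $1, $2, msg[$1]
    }'
}

# ticks_to_seconds NAME: convert tcp.keepidle or tcp.keepintvl from ticks to
# seconds by dividing by tcp.slowhz, as the tcp.slowhz entry describes.
ticks_to_seconds() {
    normalize | awk -v want="$1" '
        $1 == "net.inet.tcp.slowhz" { hz = $2 + 0 }
        $1 == want                  { ticks = $2 + 0; seen = 1 }
        END {
            if (!seen || hz <= 0) exit 1
            print ticks / hz
        }'
}

printf '%s\n' "$SAMPLE" | audit_net_inet host
```

	     On a live system the same functions can be fed from
	     "sysctl net.inet" or from /etc/sysctl.conf instead of the sample.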

     net.inet6 (PF_INET6)
	     Get or set	various	global information about the IPv6 (Internet
	     Protocol version 6).  The third level name	is the protocol.  The
	     fourth level name is the variable name.  The currently defined
	     protocols and names are:

		   Protocol    Variable			 Type	    Changeable
		   icmp6       errppslimit		 integer    yes
		   icmp6       mtudisc_hiwat		 integer    yes
		   icmp6       mtudisc_lowat		 integer    yes
		   icmp6       nd6_debug		 integer    yes
		   icmp6       nd6_delay		 integer    yes
		   icmp6       nd6_maxnudhint		 integer    yes
		   icmp6       nd6_mmaxtries		 integer    yes
		   icmp6       nd6_prune		 integer    yes
		   icmp6       nd6_umaxtries		 integer    yes
		   icmp6       nd6_useloopback		 integer    yes
		   icmp6       nodeinfo			 integer    yes
		   icmp6       rediraccept		 integer    yes
		   icmp6       redirtimeout		 integer    yes
		   ip6	       accept_rtadv		 integer    yes
		   ip6	       addctlpolicy		 struct in6_addrpolicy    no
		   ip6	       anonportalgo.selected	 string	    yes
		   ip6	       anonportalgo.available	 string	    yes
		   ip6	       anonportalgo.reserve	 struct	    yes
		   ip6	       anonportmax		 integer    yes
		   ip6	       anonportmin		 integer    yes
		   ip6	       auto_flowlabel		 integer    yes
		   ip6	       dad_count		 integer    yes
		   ip6	       defmcasthlim		 integer    yes
		   ip6	       forwarding		 integer    yes
		   ip6	       gifhlim			 integer    yes
		   ip6	       hashsize			 integer    yes
		   ip6	       hlim			 integer    yes
		   ip6	       hdrnestlimit		 integer    yes
		   ip6	       kame_version		 string	    no
		   ip6	       keepfaith		 integer    yes
		   ip6	       log_interval		 integer    yes
		   ip6	       lowportmax		 integer    yes
		   ip6	       lowportmin		 integer    yes
		   ip6	       maxdynroutes		 integer    yes
		   ip6	       maxifprefixes		 integer    yes
		   ip6	       maxifdefrouters		 integer    yes
		   ip6	       maxflows			 integer    yes
		   ip6	       maxfragpackets		 integer    yes
		   ip6	       maxfrags			 integer    yes
		   ip6	       neighborgcthresh		 integer    yes
		   ip6	       redirect			 integer    yes
		   ip6	       rr_prune			 integer    yes
		   ip6	       use_deprecated		 integer    yes
		   ip6	       v6only			 integer    yes
		   udp6	       do_loopback_cksum	 integer    yes
		   udp6	       recvspace		 integer    yes
		   udp6	       sendspace		 integer    yes

	     The variables are as follows:

	     ip6.accept_rtadv
		     If set to non-zero, the node will accept ICMPv6 router
		     advertisement packets and autoconfigure address prefixes
		     and default routers.  The node must be a host (not	a
		     router) for the option to be meaningful.

	     ip6.anonportalgo.available
		     The available RFC 6056 port randomization algorithms.

	     ip6.anonportalgo.reserve
		     A bitmask of ports	that will not be used during anonymous
		     or	privileged port	selection.

	     ip6.anonportalgo.selected
		     The currently selected RFC	6056 port randomization	algo-
		     rithm.

	     ip6.anonportmax
		     The highest port number to	use for	TCP and	UDP ephemeral
		     port allocation.  This cannot be set to less than 1024 or
		     greater than 65535, and must be greater than
		     ip6.anonportmin.

	     ip6.anonportmin
		     The lowest	port number to use for TCP and UDP ephemeral
		     port allocation.  This cannot be set to less than 1024 or
		     greater than 65535.

	     ip6.auto_flowlabel
		     On	connected transport protocol packets, fill IPv6
		     flowlabel field to	help intermediate routers to identify
		     packet flows.

	     ip6.dad_count
		     The variable configures the number of IPv6 DAD (duplicate
		     address detection) probe packets.  The packets will be
		     generated when IPv6 interface addresses are configured.

	     ip6.defmcasthlim
		     The default hop limit value for an	IPv6 multicast packet
		     sourced by	the node.  This	value applies to all the
		     transport protocols on top	of IPv6.  There	are APIs to
		     override the value, as documented in ip6(4).

	     ip6.forwarding
		     If	set to 1, enables IPv6 forwarding for the node,	mean-
		     ing that the node is acting as a router.  If set to 0,
		     disables IPv6 forwarding for the node, meaning that the
		     node is acting as a host.	IPv6 specification defines
		     node behavior for "router"	case and "host"	case quite
		     differently, and changing this variable during operation
		     may cause serious trouble.	 It is recommended to config-
		     ure the variable at bootstrap time, and bootstrap time
		     only.

	     ip6.gifhlim
		     The maximum hop limit value for an	IPv6 packet generated
		     by	gif(4) tunnel interface.

	     ip6.hdrnestlimit
		     The number	of IPv6	extension headers permitted on incom-
		     ing IPv6 packets.	If set to 0, the node will accept as
		     many extension headers as possible.

	     ip6.hashsize
		     The size of IPv6 Fast Forward hash	table.	This value
		     must be a power of	2 (64, 256, ...).  A larger hash table
		     size results in fewer collisions.	Also see ip6.maxflows.

	     ip6.hlim
		     The default hop limit value for an	IPv6 unicast packet
		     sourced by	the node.  This	value applies to all the
		     transport protocols on top	of IPv6.  There	are APIs to
		     override the value, as documented in ip6(4).

	     ip6.kame_version
		     The string	identifies the version of KAME IPv6 stack im-
		     plemented in the kernel.

	     ip6.keepfaith
		     If set to non-zero, it enables "FAITH" TCP relay IPv6-to-
		     IPv4 translator code in the kernel.  Refer to faith(4)
		     and faithd(8) for details.

	     ip6.log_interval
		     The variable controls amount of logs generated by IPv6
		     packet forwarding engine, by setting interval between log
		     output (in	seconds).

	     ip6.lowportmax
		     The highest port number to	use for	TCP and	UDP reserved
		     port allocation.  This cannot be set to less than 0 or
		     greater than 1024,	and must be greater than
		     ip6.lowportmin.

	     ip6.lowportmin
		     The lowest	port number to use for TCP and UDP reserved
		     port allocation.  This cannot be set to less than 0 or
		     greater than 1024,	and must be smaller than
		     ip6.lowportmax.

	     ip6.maxdynroutes
		     Maximum number of routes created by redirect.  Set	it to
		     negative to disable.  The default value is	4096.

	     ip6.maxifprefixes
		     Maximum number of prefixes	created	by route advertise-
		     ments per interface.  Set it to negative to disable.  The
		     default value is 16.

	     ip6.maxifdefrouters
		     Maximum number of default routers created by route	adver-
		     tisements per interface.  Set it to negative to disable.
		     The default value is 16.

	     ip6.maxflows
		     IPv6 Fast Forwarding is enabled by	default.  If set to 0,
		     IPv6 Fast Forwarding is disabled.	ip6.maxflows controls
		     the maximum amount	of flows which can be created.	The
		     default value is 256.

	     ip6.maxfragpackets
		     The maximum number	of fragmented packets the node will
		     accept.  0	means that the node will not accept any	frag-
		     mented packets.  -1 means that the	node will accept as
		     many fragmented packets as	it receives.  The flag is pro-
		     vided basically for avoiding possible DoS attacks.

	     ip6.maxfrags
		     The maximum number	of fragments the node will accept.  0
		     means that	the node will not accept any fragments.	 -1
		     means that	the node will accept as	many fragments as it
		     receives.	The flag is provided basically for avoiding
		     possible DoS attacks.

	     ip6.neighborgcthresh
		     Maximum number of entries in neighbor cache per inter-
		     face.  Set	to negative to disable.	 The default value is
		     2048.

	     ip6.redirect
		     If	set to 1, ICMPv6 redirects may be sent by the node.
		     This option is ignored unless the node is routing IP
		     packets, and should normally be enabled on	all systems.

	     ip6.rr_prune
		     The variable specifies interval between IPv6 router
		     renumbering prefix	babysitting, in	seconds.

	     ip6.use_deprecated
		     The variable controls use of deprecated address, speci-
		     fied in RFC 2462 5.5.4.

	     ip6.v6only
		     The variable specifies initial value for IPV6_V6ONLY
		     socket option for AF_INET6	socket.	 Please	refer to
		     ip6(4) for	detail.

	     icmp6.errppslimit
		     The variable specifies the	maximum	number of outgoing
		     ICMPv6 error messages, per	second.	 ICMPv6	error messages
		     that exceeded the value are subject to rate limitation
		     and will not go out from the node.	 Negative value	dis-
		     ables rate	limitation.

	     icmp6.mtudisc_hiwat

	     icmp6.mtudisc_lowat
		     The variables define the maximum number of	routing	table
		     entries, created due to path MTU discovery	(prevents
		     denial-of-service attacks with ICMPv6 too big messages).
		     When IPv6 path MTU	discovery happens, we keep path	MTU
		     information into the routing table.  If the number	of
		     routing table entries exceed the value, the kernel	will
		     not attempt to keep the path MTU information.
		     icmp6.mtudisc_hiwat is used when we have verified ICMPv6
		     too big messages.	icmp6.mtudisc_lowat is used when we
		     have unverified ICMPv6 too	big messages.  Verification is
		     performed by using	address/port pairs kept	in connected
		     pcbs.  Negative value disables the	upper limit.

	     icmp6.nd6_debug
		     If	set to non-zero, kernel	IPv6 neighbor discovery	code
		     will generate debugging messages.	The debug outputs are
		     useful to diagnose	IPv6 interoperability issues.  The
		     flag must be set to 0 for normal operation.

	     icmp6.nd6_delay
		     The variable specifies DELAY_FIRST_PROBE_TIME timing con-
		     stant in IPv6 neighbor discovery specification (RFC
		     2461), in seconds.

	     icmp6.nd6_maxnudhint
		     IPv6 neighbor discovery permits upper layer protocols to
		     supply reachability hints,	to avoid unnecessary neighbor
		     discovery exchanges.  The variable	defines	the number of
		     consecutive hints the neighbor discovery layer will take.
		     For example, by setting the variable to 3,	neighbor dis-
		     covery layer will take 3 consecutive hints	in maximum.
		     After receiving 3 hints, neighbor discovery layer will
		     perform normal neighbor discovery process.

	     icmp6.nd6_mmaxtries
		     The variable specifies MAX_MULTICAST_SOLICIT constant in
		     IPv6 neighbor discovery specification (RFC	2461).

	     icmp6.nd6_prune
		     The variable specifies interval between IPv6 neighbor
		     cache babysitting,	in seconds.

	     icmp6.nd6_umaxtries
		     The variable specifies MAX_UNICAST_SOLICIT	constant in
		     IPv6 neighbor discovery specification (RFC	2461).

	     icmp6.nd6_useloopback
		     If	set to non-zero, kernel	IPv6 stack will	use loopback
		     interface for local traffic.

	     icmp6.nodeinfo
		     The variable enables responses to ICMPv6 node information
		     queries.  If you set the variable to 0, responses will
		     not be generated for ICMPv6 node information queries.
		     Since node	information queries can	have a security	im-
		     pact, it is possible to fine tune which responses should
		     be	answered.  Two separate	bits can be set.

		     1	    Respond to ICMPv6 FQDN queries, e.g.  ping6	-w.

		     2	    Respond to ICMPv6 node addresses queries, e.g.
			    ping6 -a.

	     icmp6.rediraccept
		     If	set to non-zero, the host will accept ICMPv6 redirect
		     packets.  Note that IPv6 routers will never accept	ICMPv6
		     redirect packets, and the variable	is meaningful on IPv6
		     hosts (non-router)	only.

	     icmp6.redirtimeout
		     The variable specifies lifetime of	routing	entries	gener-
		     ated by incoming ICMPv6 redirect.

	     udp6.do_loopback_cksum
		     Perform UDP checksum on loopback.

	     udp6.recvspace
		     Default UDP receive buffer	size.

	     udp6.sendspace
		     Default UDP send buffer size.

	     We	reuse net.*.tcp	for TCP	over IPv6, and therefore we do not
	     have variables net.*.tcp6.	 Variables net.inet6.udp6 have identi-
	     cal meaning to net.inet.udp.  Please refer	to PF_INET section
	     above.  For variables net.*.ipsec6, please	refer to ipsec(4).
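
The range rules and the "limit disabled" sentinel values stated for the net.inet6 variables above can be checked before a configuration is applied. The following is an added example, not part of the original manual page or of NetBSD: it lints sysctl.conf-style name=value lines (format assumed) against those rules, and the function names, severity labels and sample input are constructed for illustration.

```python
# Added example: lint sysctl.conf-style settings against the net.inet6 text above.
# The rule tables restate this page; severity labels are this example's own choice.

PREFIX = "net.inet6."

# (low, high) bounds outside of which the page says a value cannot be set.
RANGES = {
    "ip6.anonportmin": (1024, 65535),
    "ip6.anonportmax": (1024, 65535),
    "ip6.lowportmin": (0, 1024),
    "ip6.lowportmax": (0, 1024),
}
# (max, min) pairs where the page requires max to be greater than min.
ORDERED = [("ip6.anonportmax", "ip6.anonportmin"),
           ("ip6.lowportmax", "ip6.lowportmin")]
# Values that, per the page, switch the corresponding limit off.
UNLIMITED = {
    "ip6.maxfragpackets": lambda v: v == -1,
    "ip6.maxfrags": lambda v: v == -1,
    "ip6.hdrnestlimit": lambda v: v == 0,
    "ip6.maxdynroutes": lambda v: v < 0,
    "ip6.maxifprefixes": lambda v: v < 0,
    "ip6.maxifdefrouters": lambda v: v < 0,
    "ip6.neighborgcthresh": lambda v: v < 0,
    "icmp6.errppslimit": lambda v: v < 0,
    "icmp6.mtudisc_hiwat": lambda v: v < 0,
    "icmp6.mtudisc_lowat": lambda v: v < 0,
}
NODEINFO_BITS = {1: "FQDN queries", 2: "node address queries"}


def parse_conf(text):
    """Parse 'name=value' lines ('#' starts a comment) into {short_name: int}."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if not name.startswith(PREFIX):
            continue  # other subtrees are outside this lint
        try:
            out[name[len(PREFIX):]] = int(value)
        except ValueError:
            pass  # string and struct variables are not checked here
    return out


def lint(text):
    """Return a sorted list of (severity, variable, message) findings."""
    s = parse_conf(text)
    findings = []
    for name, (lo, hi) in RANGES.items():
        if name in s and not lo <= s[name] <= hi:
            findings.append(("error", name, f"{s[name]} outside {lo}..{hi}"))
    for hi_name, lo_name in ORDERED:
        # Only comparable when the file sets both ends of the range.
        if hi_name in s and lo_name in s and s[hi_name] <= s[lo_name]:
            findings.append(("error", hi_name, f"must be greater than {lo_name}"))
    hs = s.get("ip6.hashsize")
    if hs is not None and (hs <= 0 or hs & (hs - 1)):
        findings.append(("error", "ip6.hashsize", f"{hs} is not a power of 2"))
    for name, unlimited in UNLIMITED.items():
        if name in s and unlimited(s[name]):
            findings.append(("warn", name, f"{s[name]} removes the limit"))
    if s.get("icmp6.nd6_debug", 0) != 0:
        findings.append(("warn", "icmp6.nd6_debug", "must be 0 for normal operation"))
    ni = s.get("icmp6.nodeinfo", 0)
    answered = [label for bit, label in NODEINFO_BITS.items() if ni & bit]
    if answered:
        findings.append(("info", "icmp6.nodeinfo", "answers " + ", ".join(answered)))
    if s.get("ip6.forwarding", 0) == 1:
        for name in ("ip6.accept_rtadv", "icmp6.rediraccept"):
            if s.get(name, 0) != 0:
                findings.append(("info", name, "host-only setting on a router"))
    return sorted(findings)


SAMPLE_CONF = """\
# constructed sample, not from a real host
net.inet6.ip6.forwarding=1
net.inet6.ip6.accept_rtadv=1
net.inet6.ip6.anonportmin=49152
net.inet6.ip6.anonportmax=40000     # below anonportmin
net.inet6.ip6.lowportmin=600
net.inet6.ip6.lowportmax=1023
net.inet6.ip6.hashsize=100
net.inet6.ip6.maxfragpackets=-1
net.inet6.ip6.maxfrags=200
net.inet6.icmp6.errppslimit=-1
net.inet6.icmp6.nd6_debug=1
net.inet6.icmp6.nodeinfo=3
net.inet.ip.forwarding=1            # other subtree, ignored
"""

if __name__ == "__main__":
    for severity, name, message in lint(SAMPLE_CONF):
        print(f"{severity:5} {PREFIX}{name}: {message}")
```

Only variables present in the input are judged; a value left at its kernel default is not reported.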

     net.key (PF_KEY)
	     Get or set various global information about the IPsec key manage-
	     ment.  The third level name is the variable name.  The currently
	     defined variable names are:

		   Variable		Type	   Changeable
		   debug		integer	   yes
		   enabled		integer	   yes
		   used			integer	   no
		   spi_try		integer	   yes
		   spi_min_value	integer	   yes
		   spi_max_value	integer	   yes
		   larval_lifetime	integer	   yes
		   blockacq_count	integer	   yes
		   blockacq_lifetime	integer	   yes
		   esp_keymin		integer	   yes
		   esp_auth		integer	   yes
		   ah_keymin		integer	   yes

	     The variables are as follows:

	     debug   Turn on debugging messages from within the kernel.  The
		     value is a	bitmap,	as defined in <netkey/key_debug.h>.

	     enabled
		     Control processing	of IPsec control messages.

		     0	     Never allow IPsec processing

		     1	     Allow IPsec processing when SPD policies are
			     present.

		     2	     Force IPsec processing even when SPD policies are
			     not present.

	     used    Show whether IPsec is being used, based on whether IPsec
		     is enabled and whether SPD rules exist.  Note that
		     currently once IPsec is being used, it cannot be disabled.

	     spi_try
		     The number of times the kernel will try to obtain a
		     unique SPI when it generates it from the random number
		     generator.

	     spi_min_value
		     Minimum SPI value when generating it within the kernel.

	     spi_max_value
		     Maximum SPI value when generating it within the kernel.

	     larval_lifetime
		     Lifetime for LARVAL SAD entries, in seconds.

	     blockacq_count
		     Number of ACQUIRE PF_KEY messages to be blocked after an
		     ACQUIRE message.  This prevents a flood of ACQUIRE PF_KEY
		     messages from being sent from the kernel to the key
		     management daemon.

	     blockacq_lifetime
		     Lifetime of ACQUIRE PF_KEY	message.

	     esp_keymin
		     Minimum ESP key length, in	bits.  The value is used when
		     the kernel	creates	proposal payload on ACQUIRE PF_KEY
		     message.

	     esp_auth
		     Whether ESP authentication	should be used or not.	Non-
		     zero value	indicates that ESP authentication should be
		     used.  The	value is used when the kernel creates proposal
		     payload on	ACQUIRE	PF_KEY message.

	     ah_keymin
		     Minimum AH key length, in bits.  The value is used when
		     the kernel	creates	proposal payload on ACQUIRE PF_KEY
		     message.

   The proc.* subtree
     The string	and integer information	available for the proc level is	de-
     tailed below.  The	changeable column shows	whether	a process with appro-
     priate privilege may change the value.  These values are per-process, and
     as	such may change	from one process to another.  When a process is	cre-
     ated, the default values are inherited from its parent.  When a set-user-
     ID	or set-group-ID	binary is executed, the	value of PROC_PID_CORENAME is
     reset to the system default value.	 The second level name is either the
     magic value PROC_CURPROC, which points to the current process, or the PID
     of	the target process.

	   Third level name	Type	  Changeable
	   proc.pid.corename	string	  yes
	   proc.pid.rlimit	node	  not applicable
	   proc.pid.stopfork	int	  yes
	   proc.pid.stopexec	int	  yes
	   proc.pid.stopexit	int	  yes
	   proc.pid.paxflags	int	  no

     proc.pid.corename (PROC_PID_CORENAME)
	     The template used for the core dump file name (see	core(5)	for
	     details).	The base name must either be core or end with the suf-
	     fix .core (the super-user may set arbitrary names).  By default
	     it	points to KERN_DEFCORENAME.

     proc.pid.rlimit (PROC_PID_LIMIT)
	     Return resource limits, as defined for the getrlimit(2) and
	     setrlimit(2) system calls.	 The fourth level name is one of:

	     proc.pid.rlimit.cputime (PROC_PID_LIMIT_CPU)
		     The maximum amount	of CPU time (in	seconds) to be used by
		     each process.

	     proc.pid.rlimit.filesize (PROC_PID_LIMIT_FSIZE)
		     The largest size (in bytes) file that may be created.

	     proc.pid.rlimit.datasize (PROC_PID_LIMIT_DATA)
		     The maximum size (in bytes) of the	data segment for a
		     process; this defines how far a program may extend	its
		     break with	the sbrk(2) system call.

	     proc.pid.rlimit.stacksize (PROC_PID_LIMIT_STACK)
		     The maximum size (in bytes) of the	stack segment for a
		     process; this defines how far a program's stack segment
		     may be extended.  Stack extension is performed automati-
		     cally by the system.

	     proc.pid.rlimit.coredumpsize (PROC_PID_LIMIT_CORE)
		     The largest size (in bytes) core file that	may be cre-
		     ated.

	     proc.pid.rlimit.memoryuse (PROC_PID_LIMIT_RSS)
		     The maximum size (in bytes) to which a process's resident
		     set size may grow.	 This imposes a	limit on the amount of
		     physical memory to	be given to a process; if memory is
		     tight, the	system will prefer to take memory from pro-
		     cesses that are exceeding their declared resident set
		     size.

	     proc.pid.rlimit.memorylocked (PROC_PID_LIMIT_MEMLOCK)
		     The maximum size (in bytes) which a process may lock into
		     memory using the mlock(2) function.

	     proc.pid.rlimit.maxproc (PROC_PID_LIMIT_NPROC)
		     The maximum number	of simultaneous	processes for this
		     user id.

	     proc.pid.rlimit.descriptors (PROC_PID_LIMIT_NOFILE)
		     The maximum number	of open	files for this process.

	     proc.pid.rlimit.sbsize (PROC_PID_LIMIT_SBSIZE)
		     The maximum size (in bytes) of the	socket buffers set by
		     the setsockopt(2) SO_RCVBUF and SO_SNDBUF options.

	     proc.pid.rlimit.vmemoryuse	(PROC_PID_LIMIT_AS)
		     The maximum size (in bytes) which a process can obtain.

	     proc.pid.rlimit.maxlwp (PROC_PID_LIMIT_NTHR)
		     The maximum number of threads that can be created and
		     running at	one time in the	process.  The first thread of
		     each process is not counted against this.

	     The fifth level name is one of soft (PROC_PID_LIMIT_TYPE_SOFT) or
	     hard (PROC_PID_LIMIT_TYPE_HARD), to select	respectively the soft
	     or	hard limit.  Both are of type integer.

     proc.pid.stopfork (PROC_PID_STOPFORK)
	     If	non zero, the process' children	will be	stopped	after fork(2)
	     calls.  The children are created in the SSTOP state and are never
	     scheduled for running before being	stopped.  This feature enables
	     attaching to a process with a debugger such as gdb(1) before the
	     process has the opportunity to actually do	anything.

	     This value	is inherited by	the process's children,	and it also
	     applies to	emulation specific system calls	that fork a new
	     process, such as sproc() or clone().

     proc.pid.stopexec (PROC_PID_STOPEXEC)
	     If	non zero, the process will be stopped on the next exec(3)
	     call.  The	process	created	by exec(3) is created in the SSTOP
	     state and is never	scheduled for running before being stopped.
	     This feature enables attaching to a process with a	debugger such
	     as	gdb(1) before the process has the opportunity to actually do
	     anything.

	     This value	is inherited by	the process's children.

     proc.pid.stopexit (PROC_PID_STOPEXIT)
	     If	non zero, the process will be stopped when it has cause	to
	     exit, either by way of calling exit(3), _exit(2), or by the re-
	     ceipt of a	specific signal.  The process is stopped before	any of
	     its resources or vm space is released allowing examination	of the
	     termination state of the process before it	disappears.  This fea-
	     ture can be used to examine the final conditions of the process's
	     vmspace via pmap(1) or its	resource settings with sysctl(8) be-
	     fore it disappears.

	     This value	is also	inherited by the process's children.

     proc.pid.paxflags (PROC_PID_PAXFLAGS)
	     This read-only variable returns the current value of the
	     process's pax flags (see paxctl(8)).

   The user.* subtree (CTL_USER)
     The string	and integer information	available for the user level is	de-
     tailed below.  The	changeable column shows	whether	a process with appro-
     priate privilege may change the value.

	   Second level	name	    Type       Changeable
	   user.atexit_max	    integer    no
	   user.bc_base_max	    integer    no
	   user.bc_dim_max	    integer    no
	   user.bc_scale_max	    integer    no
	   user.bc_string_max	    integer    no
	   user.coll_weights_max    integer    no
	   user.cs_path		    string     no
	   user.expr_nest_max	    integer    no
	   user.line_max	    integer    no
	   user.posix2_c_bind	    integer    no
	   user.posix2_c_dev	    integer    no
	   user.posix2_char_term    integer    no
	   user.posix2_fort_dev	    integer    no
	   user.posix2_fort_run	    integer    no
	   user.posix2_localedef    integer    no
	   user.posix2_sw_dev	    integer    no
	   user.posix2_upe	    integer    no
	   user.posix2_version	    integer    no
	   user.re_dup_max	    integer    no
	   user.stream_max	    integer    no
	   user.tzname_max	    integer    no

     user.atexit_max (USER_ATEXIT_MAX)
	     The maximum number	of functions that may be registered with
	     atexit(3).

     user.bc_base_max (USER_BC_BASE_MAX)
	     The maximum ibase/obase values in the bc(1) utility.

     user.bc_dim_max (USER_BC_DIM_MAX)
	     The maximum array size in the bc(1) utility.

     user.bc_scale_max (USER_BC_SCALE_MAX)
	     The maximum scale value in	the bc(1) utility.

     user.bc_string_max	(USER_BC_STRING_MAX)
	     The maximum string	length in the bc(1) utility.

     user.coll_weights_max (USER_COLL_WEIGHTS_MAX)
	     The maximum number	of weights that	can be assigned	to any entry
	     of	the LC_COLLATE order keyword in	the locale definition file.

     user.cs_path (USER_CS_PATH)
	     Return a value for	the PATH environment variable that finds all
	     the standard utilities.

     user.expr_nest_max	(USER_EXPR_NEST_MAX)
	     The maximum number	of expressions that can	be nested within
	     parentheses by the expr(1) utility.

     user.line_max (USER_LINE_MAX)
	     The maximum length	in bytes of a text-processing utility's	input
	     line.

     user.posix2_char_term (USER_POSIX2_CHAR_TERM)
	     Return 1 if the system supports at	least one terminal type	capa-
	     ble of all	operations described in	IEEE Std 1003.2	("POSIX.2"),
	     otherwise 0.

     user.posix2_c_bind	(USER_POSIX2_C_BIND)
	     Return 1 if the system's C-language development facilities	sup-
	     port the C-Language Bindings Option, otherwise 0.

     user.posix2_c_dev (USER_POSIX2_C_DEV)
	     Return 1 if the system supports the C-Language Development	Utili-
	     ties Option, otherwise 0.

     user.posix2_fort_dev (USER_POSIX2_FORT_DEV)
	     Return 1 if the system supports the FORTRAN Development Utilities
	     Option, otherwise 0.

     user.posix2_fort_run (USER_POSIX2_FORT_RUN)
	     Return 1 if the system supports the FORTRAN Runtime Utilities Op-
	     tion, otherwise 0.

     user.posix2_localedef (USER_POSIX2_LOCALEDEF)
	     Return 1 if the system supports the creation of locales, other-
	     wise 0.

     user.posix2_sw_dev	(USER_POSIX2_SW_DEV)
	     Return 1 if the system supports the Software Development Utili-
	     ties Option, otherwise 0.

     user.posix2_upe (USER_POSIX2_UPE)
	     Return 1 if the system supports the User Portability Utilities
	     Option, otherwise 0.

     user.posix2_version (USER_POSIX2_VERSION)
	     The version of IEEE Std 1003.2 ("POSIX.2")	with which the system
	     attempts to comply.

     user.re_dup_max (USER_RE_DUP_MAX)
	     The maximum number	of repeated occurrences	of a regular expres-
	     sion permitted when using interval	notation.

     user.stream_max (USER_STREAM_MAX)
	     The minimum maximum number	of streams that	a process may have
	     open at any one time.

     user.tzname_max (USER_TZNAME_MAX)
	     The minimum maximum number	of types supported for the name	of a
	     timezone.

   The vm.* subtree (CTL_VM)
     The string	and integer information	available for the vm level is detailed
     below.  The changeable column shows whether a process with	appropriate
     privilege may change the value.

	   Second level	name	Type			Changeable
	   vm.anonmax		int			yes
	   vm.anonmin		int			yes
	   vm.bufcache		int			yes
	   vm.bufmem		int			no
	   vm.bufmem_hiwater	int			yes
	   vm.bufmem_lowater	int			yes
	   vm.execmax		int			yes
	   vm.execmin		int			yes
	   vm.filemax		int			yes
	   vm.filemin		int			yes
	   vm.loadavg		struct loadavg		no
	   vm.maxslp		int			no
	   vm.nkmempages	int			no
	   vm.uspace		int			no
	   vm.uvmexp		struct uvmexp		no
	   vm.uvmexp2		struct uvmexp_sysctl	no
	   vm.vmmeter		struct vmtotal		no
	   vm.proc.map		struct kinfo_vmentry	no
	   vm.guard_size	unsigned int		no
	   vm.thread_guard_size	unsigned int		yes

     vm.anonmax	(VM_ANONMAX)
	     The percentage of physical	memory which will be reclaimed from
	     other types of memory usage to store anonymous application	data.

     vm.anonmin	(VM_ANONMIN)
	     The percentage of physical memory which will always be available
	     for anonymous application data.

     vm.bufcache (VM_BUFCACHE)
	     The percentage of physical	memory which will be available for the
	     buffer cache.

     vm.bufmem (VM_BUFMEM)
	     The amount	of kernel memory that is being used by the buffer
	     cache.

     vm.bufmem_lowater (VM_BUFMEM_LOWATER)
	     The minimum amount	of kernel memory to reserve for	the buffer
	     cache.

     vm.bufmem_hiwater (VM_BUFMEM_HIWATER)
	     The maximum amount	of kernel memory to be used for	the buffer
	     cache.

     vm.execmax	(VM_EXECMAX)
	     The percentage of physical	memory which will be reclaimed from
	     other types of memory usage to store cached executable data.

     vm.execmin	(VM_EXECMIN)
	     The percentage of physical memory which will always be available
	     for cached executable data.

     vm.filemax	(VM_FILEMAX)
	     The percentage of physical	memory which will be reclaimed from
	     other types of memory usage to store cached file data.

     vm.filemin	(VM_FILEMIN)
	     The percentage of physical memory which will always be available
	     for cached file data.

     vm.loadavg	(VM_LOADAVG)
	     Return the	load average history.  The returned data consists of a
	     struct loadavg.

     vm.maxslp (VM_MAXSLP)
	     The value of the maxslp kernel global variable.

     vm.vmmeter	(VM_METER)
	     Return system wide	virtual	memory statistics.  The	returned data
	     consists of a struct vmtotal.

     vm.user_va0_disable
	     A flag which controls whether user	processes can map virtual ad-
	     dress 0.

     vm.proc.map (VM_PROC)
	     The third level is	the fourth is the pid of the process to	dis-
	     play the vm object	entries	for, and the fifth is the size of
	     struct kinfo_vmentry.  Returns an array of	struct kinfo_vmentry
	     objects.

     vm.uspace (VM_USPACE)
	     The number	of bytes allocated for each kernel stack.

     vm.uvmexp (VM_UVMEXP)
	     Return system wide	virtual	memory statistics.  The	returned data
	     consists of a struct uvmexp.

     vm.uvmexp2	(VM_UVMEXP2)
	     Return system wide	virtual	memory statistics.  The	returned data
	     consists of a struct uvmexp_sysctl.

     vm.guard_size
	     Return system wide	guard size for the main	thread of a program.

     vm.thread_guard_size
	     Return system wide	default	size for the guard area	of all other
	     threads of	a program.

   The ddb.* subtree (CTL_DDB)
     The information available for the ddb level is detailed below.  The
     changeable	column shows whether a process with appropriate	privilege may
     change the	value.

	   Second level	name	Type	   Changeable
	   ddb.commandonenter	string	   yes
	   ddb.fromconsole	integer	   yes
	   ddb.lines		integer	   yes
	   ddb.maxoff		integer	   yes
	   ddb.maxwidth		integer	   yes
	   ddb.onpanic		integer	   yes
	   ddb.radix		integer	   yes
	   ddb.tabstops		integer	   yes
	   ddb.tee_msgbuf	integer	   yes

     ddb.commandonenter
	     If	not empty, the string is used as the DDB command to be exe-
	     cuted each	time DDB is entered.

     ddb.fromconsole (DDBCTL_FROMCONSOLE)
	     If	not zero, DDB may be entered by	sending	a break	on a serial
	     console or	by a special key sequence on a graphics	console.

     ddb.lines (DDBCTL_LINES)
	     Number of display lines.

     ddb.maxoff	(DDBCTL_MAXOFF)
	     The maximum symbol	offset.

     ddb.maxwidth (DDBCTL_MAXWIDTH)
	     The maximum output	line width.

     ddb.onpanic (DDBCTL_ONPANIC)
	     If	greater	than zero, DDB will be entered if the kernel panics.
	     A value of	1 causes the system to enter DDB on panic, while a
	     value of 2	causes the kernel to attempt to	print out a stack
	     trace before entering DDB.	 A value of 0 causes the kernel	to at-
	     tempt to print a stack trace, then	reboot,	while a	value of -1
	     means neither a stack trace will be printed nor DDB entered.

     ddb.radix (DDBCTL_RADIX)
	     The input and output radix.

     ddb.tabstops (DDBCTL_TABSTOPS)
	     Tab width.

     ddb.tee_msgbuf
	     If not zero, DDB will also output to the kernel message buffer.

     Some of these MIB nodes are also available	as variables from within the
     debugger.	See ddb(4) for more details.

   The security.* subtree (CTL_SECURITY)
     The security level	contains various security-related settings for the
     system.  The available second level names are:

	   Second level	name	Type	   Changeable
	   security.curtain	integer	   yes
	   security.models	node	   not applicable
	   security.pax		node	   not applicable

     Available settings	are detailed below.

     security.curtain
	     If	non-zero, will filter return objects according to the user ID
	     requesting	information about them,	preventing users from access-
	     ing any objects they do not own.

	     At	the moment, it affects ps(1), netstat(1) (for PF_INET,
	     PF_INET6, and PF_UNIX PCBs), and w(1).

     security.models
	     NetBSD supports pluggable security	models.	 Every security	model
	     used, whether loaded as a module or built with the system, is
	     required to add an	entry to this node with	at least one element,
	     "name", indicating	the name of the	security model.

	     In	addition to the	name, any settings and other information pri-
	     vate to the security model	will be	available under	this node.
	     See secmodel(9) for more information.

     security.pax
	     Settings for PaX -- exploit mitigation features.  For more	infor-
	     mation on any of the PaX features,	please see paxctl(8) and
	     security(7).  The available third and fourth level	names are:

	       Third and fourth	level names		 Type	    Changeable
	       security.pax.aslr.enabled		 integer    yes
	       security.pax.aslr.global			 integer    yes
	       security.pax.mprotect.enabled		 integer    yes
	       security.pax.mprotect.global		 integer    yes
	       security.pax.mprotect.ptrace		 integer    yes
	       security.pax.segvguard.enabled		 integer    yes
	       security.pax.segvguard.expiry_timeout	 integer    yes
	       security.pax.segvguard.global		 integer    yes
	       security.pax.segvguard.max_crashes	 integer    yes
	       security.pax.segvguard.suspend_timeout	 integer    yes

	     security.pax.aslr.enabled
		     Enable PaX	ASLR (Address Space Layout Randomization).

		     The value of this knob must be non-zero for PaX ASLR to
		     be	enabled, even if a program is set to explicit enable.

	     security.pax.aslr.global
		     Specifies the default global policy for programs without
		     an	explicit enable/disable	flag.

		     When non-zero, all	programs will get PaX ASLR, except
		     those exempted with paxctl(8).  Otherwise,	all programs
		     will not get PaX ASLR, except those specifically marked
		     as	such with paxctl(8).

	     security.pax.mprotect.enabled
		     Enable PaX	MPROTECT restrictions.

		     These are mprotect(2) restrictions	to better enforce a
		     W^X policy.  The value of this knob must be non-zero for
		     PaX MPROTECT to be	enabled, even if a program is set to
		     explicit enable.

	     security.pax.mprotect.global
		     Specifies the default global policy for programs without
		     an	explicit enable/disable	flag.

		     When non-zero, all	programs will get the PaX MPROTECT re-
		     strictions, except	those exempted with paxctl(8).	Other-
		     wise, all programs	will not get the PaX MPROTECT restric-
		     tions, except those specifically marked as	such with
		     paxctl(8).

	     security.pax.mprotect.ptrace
		     This variable allows ptrace(2) to override	PaX MPROTECT
		     permissions.  It can have the following values:
		     0	 Does not allow ptrace(2) to override any permissions.
		     1	 Disables PaX MPROTECT from processes that start exe-
			 cuting	while traced (default).
		     2	 Bypasses PaX MPROTECT for all processes being traced.

	     security.pax.segvguard.enabled
		     Enable PaX	Segvguard.

		     PaX Segvguard can detect and prevent certain exploitation
		     attempts, where an	attacker may try for example to	brute-
		     force function return addresses of	respawning daemons.

		     Note: The NetBSD interface	and implementation of the
		     Segvguard is still	experimental, and may change in	future
		     releases.

	     security.pax.segvguard.expiry_timeout
		     If the maximum number of segfaults
		     (security.pax.segvguard.max_crashes) was not reached
		     within this timeout (in seconds), the entry will expire.

	     security.pax.segvguard.global
		     Specifies the default global policy for programs without
		     an	explicit enable/disable	flag.

		     When non-zero, all	programs will get the PaX Segvguard,
		     except those exempted with	paxctl(8).  Otherwise, no pro-
		     gram will get the PaX Segvguard restrictions, except
		     those specifically	marked as such with paxctl(8).

	     security.pax.segvguard.max_crashes
		     The maximum number	of segfaults a program can receive be-
		     fore suspension.

	     security.pax.segvguard.suspend_timeout
		     Number of seconds to suspend a user from running a	fault-
		     ing program when the limit	was exceeded.
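
How the enabled and global knobs combine with per-program paxctl(8) flags, and how security.pax.mprotect.ptrace interacts with tracing, is easiest to see as a decision function. The following is an added example, not NetBSD code: it models the rules exactly as worded above, and the Mark names, the treatment of a missing knob as 0, the sysctl(8) "name = value" output format and the sample programs are assumptions of this example.

```python
# Added example: models the enabled/global/per-program rules in the text above.
# Mark, the sample knob values and the sample program paths are constructed here.
from enum import Enum


class Mark(Enum):
    NONE = "no explicit flag"
    ENABLE = "explicitly enabled with paxctl(8)"
    DISABLE = "exempted with paxctl(8)"


def parse_sysctl_output(text):
    """Parse 'name = value' lines (assumed sysctl(8) output) into {name: int}."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {name.strip(): int(value) for name, value in pairs}


def feature_applies(knobs, feature, mark):
    """True if security.pax.<feature> takes effect for a program with this mark."""
    base = f"security.pax.{feature}."
    if knobs.get(base + "enabled", 0) == 0:
        return False                    # the knob must be non-zero, even for ENABLE
    if mark is not Mark.NONE:
        return mark is Mark.ENABLE      # an explicit flag overrides the global default
    return knobs.get(base + "global", 0) != 0


def mprotect_enforced(knobs, mark, traced_at_exec=False, traced_now=False):
    """Apply the security.pax.mprotect.ptrace override on top of the policy."""
    if not feature_applies(knobs, "mprotect", mark):
        return False
    mode = knobs.get("security.pax.mprotect.ptrace", 1)  # 1 is the documented default
    if mode == 2 and traced_now:
        return False                    # bypassed for all processes being traced
    if mode == 1 and traced_at_exec:
        return False                    # disabled when execution started under trace
    return True


def unprotected(knobs, programs):
    """Return {program: [features that do not apply]} for the given marks."""
    report = {}
    for path, marks in programs.items():
        missing = [f for f in ("aslr", "mprotect", "segvguard")
                   if not feature_applies(knobs, f, marks.get(f, Mark.NONE))]
        if missing:
            report[path] = missing
    return report


SAMPLE_SYSCTL = """\
security.pax.aslr.enabled = 1
security.pax.aslr.global = 1
security.pax.mprotect.enabled = 1
security.pax.mprotect.global = 0
security.pax.mprotect.ptrace = 1
security.pax.segvguard.enabled = 0
security.pax.segvguard.global = 1
"""

SAMPLE_PROGRAMS = {  # constructed; the paths are placeholders
    "/example/bin/daemon": {"mprotect": Mark.ENABLE, "segvguard": Mark.ENABLE},
    "/example/bin/jit": {"aslr": Mark.DISABLE},
    "/example/bin/tool": {},
}

if __name__ == "__main__":
    knobs = parse_sysctl_output(SAMPLE_SYSCTL)
    for path, missing in unprotected(knobs, SAMPLE_PROGRAMS).items():
        print(f"{path}: no {', '.join(missing)}")
```

In the sample, the daemon's explicit Segvguard enable has no effect because security.pax.segvguard.enabled is 0, which is the case the text calls out for each feature.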

   The vendor.*	subtree	(CTL_VENDOR)
     The vendor	toplevel name is reserved to be	used by	vendors	who wish to
     have their	own private MIB	tree.  Intended	use is to store	values under
     "vendor.<yourname>.*".

SEE ALSO
     sysctl(3),	ipsec(4), tcp(4), security(7), sysctl(8)

HISTORY
     The sysctl	variables first	appeared in 4.4BSD.

BSD			       February	22, 2018			   BSD
