SYSCTL(2)		  FreeBSD System Calls Manual		     SYSCTL(2)

NAME
     sysctl -- get or set system information

SYNOPSIS
     #include <sys/types.h>
     #include <sys/sysctl.h>

     int
     sysctl(const int *name, u_int namelen, void *oldp,	size_t *oldlenp,
	 void *newp, size_t newlen);

DESCRIPTION
     The sysctl() function retrieves system information	and allows processes
     with appropriate privileges to set	system information.  The information
     available from sysctl() consists of integers, strings, and	tables.	 In-
     formation may be retrieved	and set	using the sysctl(8) utility; the vari-
     able names	used by	this utility are given here in parentheses.

     Unless explicitly noted below, sysctl() returns a consistent snapshot of
     the data requested.  Consistency is obtained by locking the destination
     buffer into memory	so that	the data may be	copied out without blocking.
     Calls to sysctl() are serialized to avoid deadlock.

     The state is described using a "Management	Information Base (MIB)"	style
     name, listed in name, which is a namelen length array of integers.

     The information is	copied into the	buffer specified by oldp.  The size of
     the buffer	is given by the	location specified by oldlenp before the call,
     and that location gives the amount	of data	copied after a successful
     call.  If the amount of data available is greater than the	size of	the
     buffer supplied, the call supplies	as much	data as	fits in	the buffer
     provided and returns with the error code ENOMEM.  If the old value	is not
     desired, oldp and oldlenp should be set to	NULL.

     The size of the available data can	be determined by calling sysctl() with
     a NULL parameter for oldp.	 The size of the available data	will be	re-
     turned in the location pointed to by oldlenp.  For	some operations, the
     amount of space may change	often.	For these operations, the system at-
     tempts to round up	so that	the returned size is large enough for a	call
     to	return the data	shortly	thereafter.

     The terminating NUL character is included in the lengths of string	val-
     ues.

     To	set a new value, newp is set to	point to a buffer of length newlen
     from which	the requested value is to be taken.  If	a new value is not to
     be	set, newp should be set	to NULL	and newlen set to 0.

     The top level names are defined with a CTL_ prefix	in <sys/sysctl.h>, and
     are as follows.  The next and subsequent levels down are found in the in-
     clude files listed	here, and described in separate	sections below.

	   Name		  Next level names	  Description
	   CTL_DDB	  ddb/db_var.h		  Kernel debugger
	   CTL_DEBUG	  sys/sysctl.h		  Debugging
	   CTL_FS	  sys/sysctl.h		  File system
	   CTL_HW	  sys/sysctl.h		  Generic CPU, I/O
	   CTL_KERN	  sys/sysctl.h		  High kernel limits
	   CTL_MACHDEP	  sys/sysctl.h		  Machine dependent
	   CTL_NET	  sys/socket.h		  Networking
	   CTL_VFS	  ufs/ffs/ffs_extern.h	  Virtual file system
	   CTL_VM	  uvm/uvm_param.h	  Virtual memory

     For example, the following	retrieves the maximum number of	processes al-
     lowed in the system:

	   int mib[2], maxproc;
	   size_t len;

	   mib[0] = CTL_KERN;
	   mib[1] = KERN_MAXPROC;
	   len = sizeof(maxproc);
	   if (sysctl(mib, 2, &maxproc,	&len, NULL, 0) == -1)
		   err(1, "sysctl");

   CTL_DDB
     Integer information and settable variables	are available for the CTL_DDB
     level, as described below.	 More information is also available in ddb(4).

	   Second level	name	Type	   Changeable
	   DBCTL_CONSOLE	integer	   yes
	   DBCTL_LOG		integer	   yes
	   DBCTL_MAXLINE	integer	   yes
	   DBCTL_MAXWIDTH	integer	   yes
	   DBCTL_PANIC		integer	   yes
	   DBCTL_RADIX		integer	   yes
	   DBCTL_TABSTOP	integer	   yes
	   DBCTL_TRIGGER	integer	   yes

     DBCTL_CONSOLE (ddb.console)
	     When this variable	is set,	an architecture	dependent magic	key
	     sequence on the console or	a debugger button will permit entry
	     into the kernel debugger.	When running with a securelevel(7)
	     greater than 0, this variable may not be raised.

     DBCTL_LOG (ddb.log)
	     When set, ddb output is also logged in the	kernel message buffer.

     DBCTL_MAXLINE (ddb.max_line)
	     Determines	the number of lines to page in ddb(4).	This variable
	     is	also available as the ddb $lines variable.

     DBCTL_MAXWIDTH (ddb.max_width)
	     Determines	the maximum width of a line in ddb(4).	This variable
	     is	also available as the ddb $maxwidth variable.

     DBCTL_PANIC (ddb.panic)
	     When this variable	is set,	system panics may drop into the	kernel
	     debugger.	When running with a securelevel(7) greater than	0,
	     this variable may not be raised.

     DBCTL_RADIX (ddb.radix)
	     Determines	the default radix or base for non-prefixed numbers en-
	     tered into	ddb(4).	 This variable is also available as the	ddb
	     $radix variable.

     DBCTL_TABSTOP (ddb.tab_stop_width)
	     Width of a	tab stop in ddb(4).  This variable is also available
	     as	the ddb	$tabstops variable.

     DBCTL_TRIGGER (ddb.trigger)
	     When DBCTL_CONSOLE	is set,	writing	to DBCTL_TRIGGER causes	the
	     system to enter ddb(4).  When running with	a securelevel(7)
	     greater than 0, the process writing to this variable must be run-
	     ning on the console in order to enter ddb(4).

   CTL_DEBUG
     The debugging variables vary from system to system.  A debugging variable
     may be added or deleted without need to recompile sysctl()	to know	about
     it.  Each time it runs, sysctl() gets the list of debugging variables
     from the kernel and displays their	current	values.	 The system defines
     twenty struct ctldebug variables named debug0 through debug19.  They are
     declared as separate variables so that they can be	individually initial-
     ized at the location of their associated variable.	 The loader prevents
     multiple use of the same variable by issuing errors if a variable is ini-
     tialized in more than one place.  For example, to export the variable
     dospecialcheck as a debugging variable, the following declaration would
     be	used:

	   int dospecialcheck =	1;
	   struct ctldebug debug5 = { "dospecialcheck",	&dospecialcheck	};

   CTL_FS
     The string	and integer information	available for the CTL_FS level is de-
     tailed below.  The	changeable column shows	whether	a process with appro-
     priate privileges may change the value.

	   Second level	name	Type	   Changeable
	   FS_POSIX_SETUID	integer	   yes

     FS_POSIX_SETUID (fs.posix.setuid)
	     When this variable	is set,	ownership changes on a file will cause
	     the S_ISUID and S_ISGID bits to be	cleared.  When running with a
	     securelevel(7) greater than 0, this variable may not be changed.

   CTL_HW
     The string	and integer information	available for the CTL_HW level is de-
     tailed below.  The	changeable column shows	whether	a process with appro-
     priate privileges may change the value.

	   Second level	name	Type	   Changeable
	   HW_ALLOWPOWERDOWN	integer	   yes
	   HW_BYTEORDER		integer	   no
	   HW_CPUSPEED		integer	   no
	   HW_DISKCOUNT		integer	   no
	   HW_DISKNAMES		string	   no
	   HW_DISKSTATS		struct	   no
	   HW_MACHINE		string	   no
	   HW_MODEL		string	   no
	   HW_NCPU		integer	   no
	   HW_NCPUFOUND		integer	   no
	   HW_NCPUONLINE	integer	   no
	   HW_PAGESIZE		integer	   no
	   HW_PERFPOLICY	string	   yes
	   HW_PHYSMEM		integer	   no
	   HW_PHYSMEM64		int64_t	   no
	   HW_PRODUCT		string	   no
	   HW_SENSORS		node	   not applicable
	   HW_SETPERF		integer	   yes
	   HW_SMT		integer	   yes
	   HW_USERMEM		integer	   no
	   HW_USERMEM64		int64_t	   no
	   HW_UUID		string	   no
	   HW_VENDOR		string	   no
	   HW_VERSION		string	   no

     HW_ALLOWPOWERDOWN (hw.allowpowerdown)
	     Some machines generate an interrupt when the power	button is
	     pressed and a driver can catch that interrupt.  When this vari-
	     able is set, such an event	will cause the system to perform a
	     regular shutdown and power	off the	machine.  When running with a
	     securelevel(7) greater than 0, this variable may not be changed.

     HW_BYTEORDER (hw.byteorder)
	     The byteorder (4321 or 1234).

     HW_CPUSPEED (hw.cpuspeed)
	     The current CPU frequency (in MHz).

     HW_DISKCOUNT (hw.diskcount)
	     The number	of disks currently attached to the system.

     HW_DISKNAMES (hw.disknames)
	     A comma-separated list of disk names.

     HW_DISKSTATS (hw.diskstats)
	     An	array of struct	diskstats structures containing	disk statis-
	     tics.

     HW_MACHINE	(hw.machine)
	     The machine class.

     HW_MODEL (hw.model)
	     The machine model.

     HW_NCPU (hw.ncpu)
	     The number	of CPUs	configured.

     HW_NCPUFOUND (hw.ncpufound)
	     The number	of CPUs	found.

     HW_NCPUONLINE (hw.ncpuonline)
	     The number	of CPUs	online.

     HW_PAGESIZE (hw.pagesize)
	     The software page size.

     HW_PERFPOLICY (hw.perfpolicy)
	     The performance policy for	power management.  Can be one of
	     "manual", "auto", or "high".

     HW_PHYSMEM
	     The total physical	memory,	in bytes.  This	variable is depre-
	     cated; use	HW_PHYSMEM64 instead.

     HW_PHYSMEM64 (hw.physmem)
	     The total physical	memory,	in bytes.

     HW_PRODUCT	(hw.product)
	     The product name of the machine.

     HW_SENSORS	(hw.sensors)
	     Third level comprises an array of struct sensordev	structures
	     containing	information about devices that may attach hardware
	     monitoring	sensors.

	     Third, fourth and fifth levels together comprise an array of
	     struct sensor structures containing snapshot readings of hardware
	     monitoring	sensors.  In such usage, third level indicates the nu-
	     merical representation of the sensor device name to which the
	     sensor is attached	(a device's xname and number are matched with
	     the help of struct	sensordev structure above), fourth level indi-
	     cates sensor type and fifth level is an ordinal sensor number
	     (unique to	the specified sensor type on the specified sensor de-
	     vice).

	     The sensordev and sensor structures and sensor_type enumeration
	     are defined in <sys/sensors.h>.

     HW_SERIALNO (hw.serialno)
	     The serial	number of the machine.

     HW_SETPERF	(hw.setperf)
	     Current CPU performance (percentage).  It is only modifiable if
	     HW_PERFPOLICY is set to "manual".

     HW_SMT (hw.smt)
	     If	set to 1, enable simultaneous multithreading (SMT) on CPUs
	     that support it.  Disabled	by default.

     HW_USERMEM
	     The amount	of available non-kernel	memory in bytes.  This vari-
	     able is deprecated; use HW_USERMEM64 instead.

     HW_USERMEM64 (hw.usermem)
	     The amount	of available non-kernel	memory in bytes.

     HW_UUID (hw.uuid)
	     The universal unique identification number	assigned to the	ma-
	     chine.

     HW_VENDOR (hw.vendor)
	     The vendor	name for this machine.

     HW_VERSION	(hw.version)
	     The version or revision of	this machine.

   CTL_KERN
     The string	and integer information	available for the CTL_KERN level is
     detailed below.  The changeable column shows whether a process with ap-
     propriate privileges may change the value.	 The types of data currently
     available are process information,	system vnodes, the open	file entries,
     routing table entries, virtual memory statistics, load average history,
     and clock rate information.

	   Second level	name		Type			Changeable
	   KERN_ALLOWDT			integer			yes
	   KERN_ALLOWKMEM		integer			yes
	   KERN_ARGMAX			integer			no
	   KERN_AUDIO			node			yes
	   KERN_BOOTTIME		struct timeval		no
	   KERN_CACHEPCT		integer			yes
	   KERN_CCPU			integer			no
	   KERN_CLOCKRATE		struct clockinfo	no
	   KERN_CONSDEV			dev_t			no
	   KERN_CPTIME			long[CPUSTATES]		no
	   KERN_CPTIME2			u_int64_t[CPUSTATES]	no
	   KERN_CPUSTATS		struct cpustats		no
	   KERN_DOMAINNAME		string			yes
	   KERN_FILE			struct kinfo_file	no
	   KERN_FORKSTAT		struct forkstat		no
	   KERN_FSCALE			integer			no
	   KERN_FSYNC			integer			no
	   KERN_GLOBAL_PTRACE		integer			yes
	   KERN_HOSTID			integer			yes
	   KERN_HOSTNAME		string			yes
	   KERN_INTRCNT			node			not applicable
	   KERN_JOB_CONTROL		integer			no
	   KERN_MALLOCSTATS		node			no
	   KERN_MAXCLUSTERS		integer			yes
	   KERN_MAXFILES		integer			yes
	   KERN_MAXLOCKSPERUID		integer			yes
	   KERN_MAXPARTITIONS		integer			no
	   KERN_MAXPROC			integer			yes
	   KERN_MAXTHREAD		integer			yes
	   KERN_MAXVNODES		integer			yes
	   KERN_MBSTAT			struct mbstat		no
	   KERN_MSGBUF			char[]			no
	   KERN_MSGBUFSIZE		integer			no
	   KERN_NCHSTATS		struct nchstats		no
	   KERN_NFILES			integer			no
	   KERN_NGROUPS			integer			no
	   KERN_NOSUIDCOREDUMP		integer			yes
	   KERN_NPROCS			integer			no
	   KERN_NSELCOLL		integer			no
	   KERN_NTHREADS		integer			no
	   KERN_NUMVNODES		integer			no
	   KERN_OSRELEASE		string			no
	   KERN_OSREV			integer			no
	   KERN_OSTYPE			string			no
	   KERN_OSVERSION		string			no
	   KERN_PFSTATUS		struct pf_status	no
	   KERN_POOL_DEBUG		integer			yes
	   KERN_POSIX1			integer			no
	   KERN_PROC			struct kinfo_proc	no
	   KERN_PROC_ARGS		node			not applicable
	   KERN_PROC_CWD		string			not applicable
	   KERN_PROC_NOBROADCASTKILL	node			not applicable
	   KERN_PROC_VMMAP		struct kinfo_vmentry	no
	   KERN_PROF			node			not applicable
	   KERN_RAWPARTITION		integer			no
	   KERN_SAVED_IDS		integer			no
	   KERN_SECURELVL		integer			raise only
	   KERN_SEMINFO			node			not applicable
	   KERN_SHMINFO			node			not applicable
	   KERN_SOMAXCONN		integer			yes
	   KERN_SOMINCONN		integer			yes
	   KERN_SPLASSERT		int			yes
	   KERN_STACKGAPRANDOM		integer			yes
	   KERN_SYSVIPC_INFO		node			not applicable
	   KERN_SYSVMSG			integer			no
	   KERN_SYSVSEM			integer			no
	   KERN_SYSVSHM			integer			no
	   KERN_TIMECOUNTER		node			not applicable
	   KERN_TTY			node			not applicable
	   KERN_TTYCOUNT		integer			no
	   KERN_UTC_OFFSET		integer			yes
	   KERN_VERSION			string			no
	   KERN_VIDEO			node			yes
	   KERN_WATCHDOG		node			not applicable
	   KERN_WITNESS			node			not applicable
	   KERN_WXABORT			integer			yes

     KERN_ALLOWDT (kern.allowdt)
	     Allow userland processes access to	/dev/dt.  When running with a
	     securelevel(7) greater than 0, this variable may not be changed.

     KERN_ALLOWKMEM (kern.allowkmem)
	     Allow userland processes access to	/dev/mem and /dev/kmem.	 When
	     running with a securelevel(7) greater than	0, this	variable may
	     not be changed.

     KERN_ARGMAX (kern.argmax)
	     The maximum number	of bytes allowed among the arguments to
	     execve(2).

     KERN_AUDIO	(kern.audio)
	     Control device-independent	aspects	of the audio(4)	subsystem.
	     Currently,	there is one subnode:

		   Third level name	Type	   Changeable
		   KERN_AUDIO_RECORD	integer	   yes

	     Its meaning is as follows:

	     KERN_AUDIO_RECORD (kern.audio.record)
		     If	set to the default value of 0, recording is muted by
		     default for all audio devices.  Otherwise,	audio record-
		     ing is enabled by default.	 For individual	devices, this
		     setting can be overridden with the	mixerctl(8)
		     record.enable variable.

     KERN_BOOTTIME (kern.boottime)
	     A struct timeval structure	is returned.  This structure contains
	     the time that the system was booted.

     KERN_CACHEPCT (kern.bufcachepercent)
	     The maximum percentage of DMA-reachable physical memory the buf-
	     fer cache may use.

     KERN_CCPU (kern.ccpu)
	     The scheduler exponential decay value.

     KERN_CLOCKRATE (kern.clockrate)
	     A struct clockinfo	structure is returned.	This structure con-
	     tains the hard clock, statistics clock and	profiling clock	fre-
	     quencies, and the number of microseconds per hard clock tick.

     KERN_CONSDEV (kern.consdev)
	     The console device.

     KERN_CPTIME (kern.cp_time)
	     An	array of longs of size CPUSTATES is returned, containing sta-
	     tistics about the number of ticks spent by	the system in inter-
	     rupt processing, user processes (nice(1) or normal), system pro-
	     cessing, lock spinning, or	idling.

     KERN_CPTIME2 (kern.cp_time2)
	     Similar to	KERN_CPTIME, but obtains information from only the
	     single CPU	specified by the third level name given.

     KERN_CPUSTATS
	     A struct cpustats structure is returned.  This structure contains
	     the array described in KERN_CPTIME2 and a bit mask	indicating the
	     status of the CPU specified by the	third level name.

     KERN_DOMAINNAME (kern.domainname)
	     Get or set	the YP domain name.

     KERN_FILE (kern.file)
	     Return the	entire file table, or a	subset of it.  An array	of
	     struct kinfo_file structures is returned, whose size depends on
	     the current number	of selected files in the system.  The third
	     and fourth	level names are	as follows:

		   Third level name    Fourth level is:
		   KERN_FILE_BYFILE    A file type
		   KERN_FILE_BYPID     A process ID
		   KERN_FILE_BYUID     A user ID

	     The fifth level name is the size of the struct kinfo_file and the
	     sixth level name is the number of structures to return.

     KERN_FORKSTAT (kern.forkstat)
	     A struct forkstat structure is returned.  This structure contains
	     information about the number of fork(2), vfork(2),	and __tfork(3)
	     system calls as well as kernel thread creations since system
	     startup, and the number of	pages of virtual memory	involved in
	     each.

     KERN_FSCALE (kern.fscale)
	     The kernel	fixed-point scale factor.

     KERN_FSYNC	(kern.fsync)
	     Return 1 if the File Synchronisation Option is available on this
	     system, otherwise 0.

     KERN_GLOBAL_PTRACE	(kern.global_ptrace)
	     When set to 1, permit ptrace(2) to	attach to any process with the
	     appropriate privileges.  When set to 0, processes may only	attach
	     to	their own descendants.

     KERN_HOSTID (kern.hostid)
	     Get or set	the host ID.

     KERN_HOSTNAME (kern.hostname)
	     Get or set	the hostname.

     KERN_JOB_CONTROL (kern.job_control)
	     Return 1 if job control is	available on this system, otherwise 0.

     KERN_MALLOCSTATS (kern.malloc)
	     Return kernel memory bucket statistics.  The third	level names
	     are detailed below.  There	are no changeable values in this
	     branch.

		   Third level name	    Type
		   KERN_MALLOC_BUCKET	    node
		   KERN_MALLOC_BUCKETS	    string
		   KERN_MALLOC_KMEMNAMES    string
		   KERN_MALLOC_KMEMSTATS    node

	     The variables are as follows:

	     KERN_MALLOC_BUCKET.<size> (kern.malloc.bucket)
		     A node containing the statistics for the memory bucket of
		     the specified size	(in decimal notation, the number of
		     bytes per bucket element, e.g., 16, 32, 128).  Each node
		     returns a struct kmembuckets.

		     If	a value	is specified that does not correspond directly
		     to	a bucket size, the statistics for the closest larger
		     bucket size will be returned instead.

		     Note that bucket sizes are	typically powers of 2.

	     KERN_MALLOC_BUCKETS (kern.malloc.buckets)
		     Return a comma-separated list of the bucket sizes used by
		     the kernel.

	     KERN_MALLOC_KMEMNAMES (kern.malloc.kmemnames)
		     Return a comma-separated list of the names	of the kernel
		     malloc(9) types.

	     KERN_MALLOC_KMEMSTATS (kern.malloc.kmemstat)
		     A node containing the statistics for the memory types of
		     the specified name.  Each node returns a struct
		     kmemstats.

     KERN_MAXCLUSTERS (kern.maxclusters)
	     The maximum number	of mbuf(9) clusters that may be	allocated.

     KERN_MAXFILES (kern.maxfiles)
	     The maximum number of files that may be open in the system.

     KERN_MAXLOCKSPERUID (kern.maxlocksperuid)
	     The maximum number	of file	locks per user;	the default is 1024.

     KERN_MAXPARTITIONS	(kern.maxpartitions)
	     The maximum number	of partitions allowed per disk.

     KERN_MAXPROC (kern.maxproc)
	     The maximum number	of simultaneous	processes the system will al-
	     low.

     KERN_MAXTHREAD (kern.maxthread)
	     The maximum number	of simultaneous	threads	the system will	allow.

     KERN_MAXVNODES (kern.maxvnodes)
	     The maximum number	of vnodes available on the system.

     KERN_MBSTAT (kern.mbstat)
	     A struct mbstat structure is returned, containing statistics on
	     mbuf(9) usage.

     KERN_MSGBUF (kern.msgbuf)
	     Returns a buffer containing kernel	log messages; see dmesg(8).

     KERN_MSGBUFSIZE (kern.msgbufsize)
	     The size of the kernel message buffer.

     KERN_NCHSTATS (kern.nchstats)
	     A struct nchstats structure is returned.  This structure contains
	     information about the filename to inode(5)	mapping	cache.

     KERN_NFILES (kern.nfiles)
	     Number of open files.

     KERN_NGROUPS (kern.ngroups)
	     The maximum number	of supplemental	groups.

     KERN_NOSUIDCOREDUMP (kern.nosuidcoredump)
	     Whether a process may dump	core after changing user or group ID:

	     value    condition	   dump	core to
	     0	      euid == 0	   current directory
	     1	      never
	     2	      always	   /var/crash
	     3	      depends	   /var/crash/$programname/

     KERN_NPROCS (kern.nprocs)
	     The number	of entries in the kernel process table.

     KERN_NSELCOLL (kern.nselcoll)
	     Number of select(2) collisions.

     KERN_NTHREADS (kern.nthreads)
	     The number	of entries in the kernel thread	table.

     KERN_NUMVNODES (kern.numvnodes)
	     Number of vnodes in use.

     KERN_OSRELEASE (kern.osrelease)
	     The system	release	string.

     KERN_OSREV	(kern.osrevision)
	     The system	revision number.

     KERN_OSTYPE (kern.ostype)
	     The system	type string.

     KERN_OSVERSION (kern.osversion)
	     The kernel	build version.

     KERN_PFSTATUS
	     The struct	pf_status structure.

     KERN_POOL_DEBUG (kern.pool_debug)
	     Modify the	memory pool debug level.  Valid	values are:

		   0	Disable	pool debugging.
		   1	Enable use after free detection.
		   2	In addition to 1, when calling either malloc(9)	or
			pool_get(9) with flags indicating that sleeping	is al-
			lowed then always yield.  Useful to detect potential
			races.

     KERN_POSIX1 (kern.posix1version)
	     The version of ISO/IEC 9945 (POSIX	1003.1)	with which the system
	     attempts to comply.

     KERN_PROC (kern.proc)
	     Return the	entire process table, or a subset of it.  An array of
	     struct kinfo_proc structures is returned, whose size depends on
	     the current number	of selected processes in the system.  The
	     third and fourth level names are as follows:

		   Third level name	Fourth level is:
		   KERN_PROC_ALL	None
		   KERN_PROC_KTHREAD	A kernel thread
		   KERN_PROC_PID	A process ID
		   KERN_PROC_PGRP	A process group
		   KERN_PROC_RUID	A real user ID
		   KERN_PROC_SESSION	A session PID
		   KERN_PROC_TTY	A tty device
		   KERN_PROC_UID	A user ID

	     The fifth level name is the size of the struct kinfo_proc and the
	     sixth level name is the number of structures to return.

     KERN_PROC_ARGS (kern.procargs)
	     Returns the arguments or environment of a process.	 The third
	     level name	is the PID of the process.  The	fourth level name is
	     one of:

		   KERN_PROC_ARGV
		   KERN_PROC_ENV
		   KERN_PROC_NARGV
		   KERN_PROC_NENV

	     KERN_PROC_NARGV and KERN_PROC_NENV	return the number of elements
	     as	an int in the argv or env array.  KERN_PROC_ARGV returns the
	     argv array	and KERN_PROC_ENV returns the environ array.  The buf-
	     fer pointed to by oldp is filled with an array of char pointers
	     followed by the strings themselves.  The last char	pointer	is a
	     NULL pointer.

     KERN_PROC_CWD (kern.proc_cwd)
	     Return the	current	working	directory of a process.	 The third
	     level name	is the target process ID.  A NUL-terminated string is
	     returned.

     KERN_PROC_NOBROADCASTKILL (kern.proc_nobroadcastkill)
	     When set, a process will no longer	be signaled when sending
	     broadcast signals.	 The third level name is the target process
	     ID.

     KERN_PROC_VMMAP (kern.proc_vmmap)
	     Return the	entire process VM map entries.	An array of struct
	     kinfo_vmentry structures is returned, whose size depends on the
	     current number of VM map entries of the selected process.	Itera-
	     tion is possible by setting the base address in the first element
	     of	struct kinfo_vmentry.

     KERN_PROF (kern.profiling)
	     Return profiling information about	the kernel.  If	the kernel is
	     not compiled for profiling, attempts to retrieve any of the
	     KERN_PROF values will fail	with EOPNOTSUPP.  The third level
	     names for the string and integer profiling	information are	de-
	     tailed below.  The	changeable column shows	whether	a process with
	     appropriate privileges may	change the value.

		   Third level name    Type		   Changeable
		   GPROF_COUNT	       u_short[]	   yes
		   GPROF_FROMS	       u_short[]	   yes
		   GPROF_GMONPARAM     struct gmonparam	   no
		   GPROF_STATE	       integer		   yes
		   GPROF_TOS	       struct tostruct	   yes

	     The variables are as follows:

	     GPROF_COUNT
		     Array of statistical program counter counts.

	     GPROF_FROMS
		     Array indexed by program counter of call-from points.

	     GPROF_GMONPARAM
		     Structure giving the sizes	of the above arrays.

	     GPROF_STATE
		     Returns GMON_PROF_ON or GMON_PROF_OFF to show that	pro-
		     filing is running or stopped.

	     GPROF_TOS
		     Array of struct tostruct describing destination of	calls
		     and their counts.

     KERN_RAWPARTITION (kern.rawpartition)
	     The raw partition of a disk (a == 0).

     KERN_SAVED_IDS (kern.saved_ids)
	     Returns 1 if saved	set-group-ID and saved set-user-ID are avail-
	     able.

     KERN_SECURELVL (kern.securelevel)
	     The system	security level.	 This level may	be raised by processes
	     with appropriate privileges.  It may only be lowered by process
	     1.
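
	     The securelevel(7) locks described above for ddb.console,
	     ddb.panic, fs.posix.setuid, kern.allowdt and kern.allowkmem are
	     shown here as an added example; it is not part of the original
	     manual page.  It classifies each variable from name=value lines
	     such as sysctl(8) prints.  The baseline values, the names
	     audit_knobs and lookup, and the sample input are assumptions made
	     for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum status { UNKNOWN, DRIFT, MUTABLE, LOCKED };

struct knob {
	const char *name;	/* sysctl(8) name as given on the page */
	long want;		/* ASSUMPTION: baseline chosen for this example */
};

/* A subset of the variables that may not be raised or changed at
 * securelevel > 0. */
static const struct knob knobs[] = {
	{ "ddb.console", 0 },
	{ "ddb.panic", 0 },
	{ "fs.posix.setuid", 1 },
	{ "kern.allowdt", 0 },
	{ "kern.allowkmem", 0 },
};
#define NKNOBS (sizeof(knobs) / sizeof(knobs[0]))

/* Find "name=value" at the start of a line; return 1 and store the value. */
static int
lookup(const char *text, const char *name, long *out)
{
	size_t n = strlen(name);
	const char *p = text;
	char *end;

	while (p != NULL && *p != '\0') {
		if (strncmp(p, name, n) == 0 && p[n] == '=') {
			*out = strtol(p + n + 1, &end, 10);
			return end != p + n + 1;	/* need at least a digit */
		}
		p = strchr(p, '\n');
		if (p != NULL)
			p++;
	}
	return 0;
}

/*
 * Classify every knob and return how many are not LOCKED:
 *   UNKNOWN  not present in the input
 *   DRIFT    present but differs from the baseline
 *   MUTABLE  at baseline, but securelevel <= 0 (or unknown), so a
 *            privileged process can still change it
 *   LOCKED   at baseline and securelevel > 0
 */
int
audit_knobs(const char *text, enum status res[])
{
	long level = 0, v;
	int have_level = lookup(text, "kern.securelevel", &level);
	int open = 0;
	size_t i;

	for (i = 0; i < NKNOBS; i++) {
		if (!lookup(text, knobs[i].name, &v))
			res[i] = UNKNOWN;
		else if (v != knobs[i].want)
			res[i] = DRIFT;
		else if (have_level && level > 0)
			res[i] = LOCKED;
		else
			res[i] = MUTABLE;
		if (res[i] != LOCKED)
			open++;
	}
	return open;
}

/* Constructed sample input, not captured from a real system. */
static const char sample_locked[] =
    "kern.securelevel=1\n"
    "ddb.console=0\n"
    "ddb.panic=1\n"
    "fs.posix.setuid=1\n"
    "kern.allowkmem=0\n";
static const char sample_open[] =
    "kern.securelevel=0\n"
    "ddb.console=0\nddb.panic=0\nfs.posix.setuid=1\n"
    "kern.allowdt=0\nkern.allowkmem=0\n";

int
main(void)
{
	static const char *label[] = { "unknown", "drift", "mutable", "locked" };
	enum status res[NKNOBS];
	size_t i;
	int open = audit_knobs(sample_locked, res);

	for (i = 0; i < NKNOBS; i++)
		printf("%-16s %s\n", knobs[i].name, label[res[i]]);
	printf("%d of %zu not locked\n", open, NKNOBS);
	return open != 0;
}
```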

     KERN_SEMINFO (kern.seminfo)
	     Return the	elements of struct seminfo.  If	the kernel is not com-
	     piled with	System V style semaphore support, attempts to retrieve
	     any of the	KERN_SEMINFO values will fail with EOPNOTSUPP.	The
	     third level names for the elements	of struct seminfo are detailed
	     below.  The changeable column shows whether a process with	appro-
	     priate privileges may change the value.

		   Third level name	  Type	     Changeable
		   KERN_SEMINFO_SEMAEM	  integer    no
		   KERN_SEMINFO_SEMMNI	  integer    yes
		   KERN_SEMINFO_SEMMNS	  integer    yes
		   KERN_SEMINFO_SEMMNU	  integer    yes
		   KERN_SEMINFO_SEMMSL	  integer    yes
		   KERN_SEMINFO_SEMOPM	  integer    yes
		   KERN_SEMINFO_SEMUME	  integer    no
		   KERN_SEMINFO_SEMUSZ	  integer    no
		   KERN_SEMINFO_SEMVMX	  integer    no

	     The variables are as follows:

	     KERN_SEMINFO_SEMAEM (kern.seminfo.semaem)
		     The adjust	on exit	maximum	value.

	     KERN_SEMINFO_SEMMNI (kern.seminfo.semmni)
		     The maximum number	of semaphore identifiers allowed.

	     KERN_SEMINFO_SEMMNS (kern.seminfo.semmns)
		     The maximum number	of semaphores allowed in the system.

	     KERN_SEMINFO_SEMMNU (kern.seminfo.semmnu)
		     The maximum number	of semaphore undo structures allowed
		     in	the system.

	     KERN_SEMINFO_SEMMSL (kern.seminfo.semmsl)
		     The maximum number	of semaphores allowed per ID.

	     KERN_SEMINFO_SEMOPM (kern.seminfo.semopm)
		     The maximum number	of operations per semop(2) call.

	     KERN_SEMINFO_SEMUME (kern.seminfo.semume)
		     The maximum number	of undo	entries	per process.

	     KERN_SEMINFO_SEMUSZ (kern.seminfo.semusz)
		     The size (in bytes) of the	undo structure.

	     KERN_SEMINFO_SEMVMX (kern.seminfo.semvmx)
		     The semaphore maximum value.

     KERN_SHMINFO (kern.shminfo)
	     Return the	elements of struct shminfo.  If	the kernel is not com-
	     piled with	System V style shared memory support, attempts to re-
	     trieve any	of the KERN_SHMINFO values will	fail with EOPNOTSUPP.
	     The third level names for the elements of struct shminfo are de-
	     tailed below.  The	changeable column shows	whether	a process with
	     appropriate privileges may	change the value.

		   Third level name	  Type	     Changeable
		   KERN_SHMINFO_SHMALL	  integer    yes
		   KERN_SHMINFO_SHMMAX	  integer    yes
		   KERN_SHMINFO_SHMMIN	  integer    yes
		   KERN_SHMINFO_SHMMNI	  integer    yes
		   KERN_SHMINFO_SHMSEG	  integer    yes

	     The variables are as follows:

	     KERN_SHMINFO_SHMALL (kern.shminfo.shmall)
		     The maximum amount	of total shared	memory allowed in the
		     system (in	pages).

	     KERN_SHMINFO_SHMMAX (kern.shminfo.shmmax)
		     The maximum shared	memory segment size (in	bytes).

	     KERN_SHMINFO_SHMMIN (kern.shminfo.shmmin)
		     The minimum shared	memory segment size (in	bytes).

	     KERN_SHMINFO_SHMMNI (kern.shminfo.shmmni)
		     The maximum number	of shared memory identifiers in	the
		     system.

	     KERN_SHMINFO_SHMSEG (kern.shminfo.shmseg)
		     The maximum number	of shared memory segments per process.

     KERN_SOMAXCONN (kern.somaxconn)
	     Upper bound on the	number of half-open connections	a process can
	     allow to be associated with a socket, using listen(2).  The de-
	     fault value is 128.

     KERN_SOMINCONN (kern.sominconn)
	     Lower bound on the	number of half-open connections	a process can
	     allow to be associated with a socket, using listen(2).  The de-
	     fault value is 80.

     KERN_SPLASSERT (kern.splassert)
	     Modify the	system interrupt priority level.  Valid	values are:

		   0	Disable	error checking.
		   1	Print a	message	if an error is detected.
		   2	Print a	message	if an error is detected, and a stack
			trace if possible.
		   3	The same as 2, but also	drop into the kernel debugger.

	     Any other value causes a system panic on errors.  See
	     splassert(9) for more information.

     KERN_STACKGAPRANDOM (kern.stackgap_random)
	     Sets the range of the random value	added to the stack pointer on
	     each program execution.  The random value is added	to make	buffer
	     overflow exploitation slightly harder.  The bigger	the number,
	     the harder	it is to brute force this added	protection, but	it
	     also means	bigger waste of	memory.

     KERN_SYSVIPC_INFO (kern.sysvipc_info)
	     Return System V style IPC configuration and run-time information.
	     The third level name selects the System V style IPC facility.

		   Third level name	    Type
		   KERN_SYSVIPC_MSG_INFO    struct msg_sysctl_info
		   KERN_SYSVIPC_SEM_INFO    struct sem_sysctl_info
		   KERN_SYSVIPC_SHM_INFO    struct shm_sysctl_info

	     KERN_SYSVIPC_MSG_INFO
		     Return information	on the System V	style message facil-
		     ity.  The msg_sysctl_info structure is defined in
		     <sys/msg.h>.

	     KERN_SYSVIPC_SEM_INFO
		     Return information	on the System V	style semaphore	facil-
		     ity.  The sem_sysctl_info structure is defined in
		     <sys/sem.h>.

	     KERN_SYSVIPC_SHM_INFO
		     Return information	on the System V	style shared memory
		     facility.	The shm_sysctl_info structure is defined in
		     <sys/shm.h>.

     KERN_SYSVMSG (kern.sysvmsg)
	     Returns 1 if System V style message queue functionality is	avail-
	     able on this system, otherwise 0.

     KERN_SYSVSEM (kern.sysvsem)
	     Returns 1 if System V style semaphore functionality is available
	     on	this system, otherwise 0.

     KERN_SYSVSHM (kern.sysvshm)
	     Returns 1 if System V style shared	memory functionality is	avail-
	     able on this system, otherwise 0.

     KERN_TIMECOUNTER (kern.timecounter)
	     Return statistics information about the kernel time counter.  The
	     third level names are detailed below.  The changeable
	     column shows whether a process with appropriate privileges	may
	     change the	value.

		   Third level name			Type	   Changeable
		   KERN_TIMECOUNTER_CHOICE		string	   no
		   KERN_TIMECOUNTER_HARDWARE		string	   yes
		   KERN_TIMECOUNTER_TICK		integer	   no
		   KERN_TIMECOUNTER_TIMESTEPWARNINGS	integer	   yes

	     The variables are as follows:

	     KERN_TIMECOUNTER_CHOICE (kern.timecounter.choice)
		     Get the list of kernel time counter sources and their
		     claimed quality (higher is	better).

	     KERN_TIMECOUNTER_HARDWARE (kern.timecounter.hardware)
		     Get or set	the kernel time	counter	source by name.

	     KERN_TIMECOUNTER_TICK (kern.timecounter.tick)
		     Get the number of times we	have reset the kernel time
		     counter information.

	     KERN_TIMECOUNTER_TIMESTEPWARNINGS
		     (kern.timecounter.timestepwarnings)
		     Get or set	a flag to log a	message	when the kernel	time
		     is	stepped.

     KERN_TTY (kern.tty)
	     Return statistics information about tty input/output.  The	third
	     level names are detailed below.  The changeable column
	     shows whether a process with appropriate privileges may change
	     the value.

		   Third level name    Type	      Changeable
		   KERN_TTY_INFO       struct itty    no
		   KERN_TTY_TKCANCC    int64_t	      no
		   KERN_TTY_TKNIN      int64_t	      no
		   KERN_TTY_TKNOUT     int64_t	      no
		   KERN_TTY_TKRAWCC    int64_t	      no

	     The variables are as follows:

	     KERN_TTY_INFO (kern.tty.ttyinfo)
		     Returns an	array of struct	itty structures	containing tty
		     statistics.

	     KERN_TTY_TKCANCC (kern.tty.tk_cancc)
		     Returns the number	of input characters in canonical mode.

	     KERN_TTY_TKNIN (kern.tty.tk_nin)
		     Returns the number	of input characters from a tty(4).

	     KERN_TTY_TKNOUT (kern.tty.tk_nout)
		     Returns the number	of output characters on	a tty(4).

	     KERN_TTY_TKRAWCC (kern.tty.tk_rawcc)
		     Returns the number	of input characters in raw mode.

     KERN_TTYCOUNT (kern.ttycount)
	     Number of available tty(4)	devices.

     KERN_UTC_OFFSET (kern.utc_offset)
	     The real-time clock's (RTC) offset	from Coordinated Universal
	     Time (UTC)	expressed as minutes East of UTC+0.  When set, time
	     read from the RTC is adjusted to remove the offset	and time writ-
	     ten to the	RTC is adjusted	to reapply it.	This may simplify
	     multibooting with an operating system that	does not run the RTC
	     in	UTC mode.  When	running	with a securelevel(7) greater than 0,
	     this variable may not be changed.

     KERN_VERSION (kern.version)
	     The system	version	string.

     KERN_VIDEO	(kern.video)
	     Control device-independent	aspects	of the video(4)	subsystem.
	     Currently,	there is one subnode:

		   Third level name	Type	   Changeable
		   KERN_VIDEO_RECORD	integer	   yes

	     Its meaning is as follows:

	     KERN_VIDEO_RECORD (kern.video.record)
		     If	set to the default value of 0, recording is blanked
		     for all video devices.  If	the value is non-zero, video
		     recording is enabled.

     KERN_WATCHDOG (kern.watchdog)
	     Return information	on hardware watchdog timers.  If the kernel
	     does not support a	hardware watchdog timer, attempts to retrieve
	     or	set any	of the KERN_WATCHDOG values will fail with EOPNOTSUPP.

		   Third level name	   Type	      Changeable
		   KERN_WATCHDOG_AUTO	   integer    yes
		   KERN_WATCHDOG_PERIOD	   integer    yes

	     The variables are as follows:

	     KERN_WATCHDOG_AUTO	(kern.watchdog.auto)
		     If	set to 1, the kernel refreshes the watchdog timer pe-
		     riodically.  If set to 0, a userland process must ensure
		     that the watchdog timer gets refreshed by setting the
		     KERN_WATCHDOG_PERIOD variable.

	     KERN_WATCHDOG_PERIOD (kern.watchdog.period)
		     The period	of the watchdog	timer in seconds.  Set to 0 to
		     disable the watchdog timer.

     KERN_WITNESS (kern.witness)
	     Control settings of witness(4).

		   Third level name	     Type	Changeable
		   KERN_WITNESS_LOCKTRACE    integer	yes
		   KERN_WITNESS_WATCH	     integer	yes

	     The variables are as follows:

	     KERN_WITNESS_LOCKTRACE (kern.witness.locktrace)
		     When set, witness(4) saves	a stack	trace on each lock ac-
		     quisition.	 The stack traces of acquired locks can	be
		     viewed using ddb(4).

	     KERN_WITNESS_WATCH	(kern.witness.watch)
		     Control how witness(4) behaves on error.  Valid values
		     are:

			   -1	Disable	witness(4) completely.	System reboot
				is needed to re-enable it.
			   0	Disable	lock order checking.
			   1	Print a	message	if an error is detected.
			   2	Print a	message	if an error is detected, and a
				stack trace if possible.
			   3	The same as 2, but also	drop into the kernel
				debugger.

     KERN_WXABORT (kern.wxabort)
	     Generate an abort,	rather than returning an error,	on W^X viola-
	     tion.

   CTL_MACHDEP
     The set of	variables defined is architecture dependent.  Most architec-
     tures define at least the following variables.

	   Second level	name	Type	 Changeable
	   CPU_CONSDEV		dev_t	 no

     Consult the example file /etc/examples/sysctl.conf	for a non-exhaustive
     list of machdep variables.

   CTL_NET
     The string	and integer information	available for the CTL_NET level	is de-
     tailed below.  The	changeable column shows	whether	a process with appro-
     priate privileges may change the value.

	   Second level	name	Type		    Changeable
	   PF_ROUTE		routing	messages    no
	   PF_INET		IPv4 values	    yes
	   PF_INET6		IPv6 values	    yes
	   PF_KEY		key management	    no
	   PF_MPLS		MPLS values	    yes
	   PF_PIPEX		PIPEX values	    yes

     PF_ROUTE
	     Return the	entire routing table or	a subset of it.	 The data is
	     returned as a sequence of routing messages	(see route(4) for the
	     header file, format, and meaning).	 The length of each message is
	     contained in the message header.

	     The third level name is a protocol	number,	which is currently al-
	     ways 0.  The fourth level name is an address family, which	may be
	     set to 0 to select	all address families.  The fifth and sixth
	     level names are as	follows:

		   Fifth level name    Sixth level is:
		   NET_RT_DUMP	       priority
		   NET_RT_FLAGS	       rtflags
		   NET_RT_IFLIST       None
		   NET_RT_IFNAMES      None
		   NET_RT_STATS	       None
		   NET_RT_TABLE	       rtableid

	     NET_RT_DUMP
		     If	set to 0, show all routes.  If set to any number, show
		     all routes	with that number priority.  If set to a	nega-
		     tive number, show routes that do not have the positive
		     priority value.

	     An	optional seventh level name can	be provided to select the
	     routing table on which to run the operation.  If not provided,
	     the table with ID 0 is used.

     PF_INET
	     Get or set	various	global information about IPv4 (Internet
	     Protocol version 4).  The third level name	is the protocol.  The
	     fourth level name is the variable name.  The currently defined
	     protocols and names are:

	       Protocol name	Variable name		Type	     Changeable
	       ah		enable			integer	     yes
	       bpf		bufsize			integer	     yes
	       bpf		maxbufsize		integer	     yes
	       carp		allow			integer	     yes
	       carp		log			integer	     yes
	       carp		preempt			integer	     yes
	       divert		recvspace		integer	     yes
	       divert		sendspace		integer	     yes
	       esp		enable			integer	     yes
	       esp		udpencap		integer	     yes
	       esp		udpencap_port		integer	     yes
	       etherip		allow			integer	     yes
	       gre		allow			integer	     yes
	       gre		wccp			integer	     yes
	       icmp		bmcastecho		integer	     yes
	       icmp		errppslimit		integer	     yes
	       icmp		maskrepl		integer	     yes
	       icmp		rediraccept		integer	     yes
	       icmp		redirtimeout		integer	     yes
	       icmp		stats			structure    no
	       icmp		tstamprepl		integer	     yes
	       ip		arpqueued		integer	     no
	       ip		arpdown			integer	     yes
	       ip		arptimeout		integer	     yes
	       ip		arpq			node	     N/A
	       ip		directed-broadcast	integer	     yes
	       ip		encdebug		integer	     yes
	       ip		forwarding		integer	     yes
	       ip		ipsec-allocs		integer	     yes
	       ip		ipsec-auth-alg		string	     yes
	       ip		ipsec-bytes		integer	     yes
	       ip		ipsec-comp-alg		string	     yes
	       ip		ipsec-enc-alg		string	     yes
	       ip		ipsec-expire-acquire	integer	     yes
	       ip		ipsec-firstuse		integer	     yes
	       ip		ipsec-invalid-life	integer	     yes
	       ip		ipsec-pfs		integer	     yes
	       ip		ipsec-soft-allocs	integer	     yes
	       ip		ipsec-soft-bytes	integer	     yes
	       ip		ipsec-soft-firstuse	integer	     yes
	       ip		ipsec-soft-timeout	integer	     yes
	       ip		ipsec-timeout		integer	     yes
	       ip		maxqueue		integer	     yes
	       ip		mforwarding		integer	     yes
	       ip		mtudisc			integer	     yes
	       ip		mtudisctimeout		integer	     yes
	       ip		multipath		integer	     yes
	       ip		portfirst		integer	     yes
	       ip		porthifirst		integer	     yes
	       ip		porthilast		integer	     yes
	       ip		portlast		integer	     yes
	       ip		redirect		integer	     yes
	       ip		sourceroute		integer	     yes
	       ip		stats			structure    no
	       ip		ttl			integer	     yes
	       ipcomp		enable			integer	     yes
	       ipip		allow			integer	     yes
	       tcp		ackonpush		integer	     yes
	       tcp		always_keepalive	integer	     yes
	       tcp		baddynamic		array	     yes
	       tcp		ecn			integer	     yes
	       tcp		ident			structure    no
	       tcp		keepidle		integer	     yes
	       tcp		keepinittime		integer	     yes
	       tcp		keepintvl		integer	     yes
	       tcp		mssdflt			integer	     yes
	       tcp		reasslimit		integer	     yes
	       tcp		rfc1323			integer	     yes
	       tcp		rfc3390			integer	     yes
	       tcp		rootonly		array	     yes
	       tcp		rstppslimit		integer	     yes
	       tcp		sack			integer	     yes
	       tcp		slowhz			integer	     no
	       tcp		stats			structure    no
	       tcp		synbucketlimit		integer	     yes
	       tcp		syncachelimit		integer	     yes
	       tcp		synhashsize		integer	     yes
	       tcp		synuselimit		integer	     yes
	       udp		baddynamic		array	     yes
	       udp		checksum		integer	     yes
	       udp		recvspace		integer	     yes
	       udp		rootonly		array	     yes
	       udp		sendspace		integer	     yes
	       udp		stats			structure    no

	     The variables are as follows:

	     ah.enable (net.inet.ah.enable)
		     If	set to 1, enable the Authentication Header (AH)	IPsec
		     protocol.	Enabled	by default.  See ipsec(4) for more in-
		     formation.

	     bpf.bufsize (net.bpf.bufsize)
		     The initial size of bpf(4)	buffers.

	     bpf.maxbufsize (net.bpf.maxbufsize)
		     The maximum size a	user may request a bpf(4) buffer to
		     be.

	     carp.allow	(net.inet.carp.allow)
		     If	set to 0, incoming carp(4) packets will	not be pro-
		     cessed.  If set to	any other value, processing will oc-
		     cur.  Enabled by default.

	     carp.log (net.inet.carp.log)
		     Controls the verbosity of carp(4) logging.	 May be	a
		     value between 0 and 7 corresponding with syslog(3)	prior-
		     ities.  The default value is 2.

	     carp.preempt (net.inet.carp.preempt)
		     If	set to 0, carp(4) will not attempt to become master if
		     it	is receiving advertisements from another active	mas-
		     ter.  If set to any other value, carp will	become master
		     of	the virtual host if it believes	it can send advertise-
		     ments more	frequently than	the current master.  Disabled
		     by	default.

	     divert.recvspace (net.inet.divert.recvspace)
		     Returns the default divert	receive	buffer size.

	     divert.sendspace (net.inet.divert.sendspace)
		     Returns the default divert	send buffer size.

	     esp.enable	(net.inet.esp.enable)
		     If	set to 1, enable the Encapsulating Security Payload
		     (ESP) IPsec protocol.  Enabled by default.	 See ipsec(4)
		     for more information.

	     esp.udpencap (net.inet.esp.udpencap)
		     If	set to 1, enable processing of UDP encapsulated	ESP
		     packets.  Enabled by default.

	     esp.udpencap_port (net.inet.esp.udpencap_port)
		     Contains the value	of the UDP port	that triggers decapsu-
		     lation for	incoming UDP encapsulated ESP packets.	The
		     default port is 4500.

	     etherip.allow (net.inet.etherip.allow)
		     If	set to 0, incoming Ethernet-in-IPv4 packets will not
		     be	processed.  If set to any other	value, processing will
		     occur.

	     gre.allow (net.inet.gre.allow)
		     If	set to 0, incoming GRE packets will not	be processed.
		     If	set to any other value,	processing will	occur.

	     gre.wccp (net.inet.gre.wccp)
		     If	set to 0, incoming WCCPv1-style	GRE packets will not
		     be	processed.  If set to any other	value, and gre.allow
		     allows GRE	packet processing, WCCPv1-style	GRE packets
		     will be processed.

	     icmp.bmcastecho (net.inet.icmp.bmcastecho)
		     If	set to 1, respond to ICMP echo requests	destined for
		     broadcast and multicast addresses.	 Note, enabling	this
		     could open	a system to a type of denial of	service	attack
		     called "smurfing",	and is thus not	advised.

	     icmp.errppslimit (net.inet.icmp.errppslimit)
		     This variable specifies the maximum number	of outgoing
		     ICMP error	messages per second.  ICMP error messages ex-
		     ceeding this value	are subject to rate limitation and
		     will not go out from the node.  A negative	value disables
		     rate limitation.

	     icmp.maskrepl (net.inet.icmp.maskrepl)
		     Returns 1 if ICMP network mask requests are to be an-
		     swered.

	     icmp.rediraccept (net.inet.icmp.rediraccept)
		     If	set to non-zero, the host will accept ICMP redirect
		     packets.  Note that routers will never accept ICMP	redi-
		     rect packets, and the variable is meaningful on IP	hosts
		     only.

	     icmp.redirtimeout (net.inet.icmp.redirtimeout)
		     This variable specifies the lifetime of routing entries
		     generated by incoming ICMP	redirects.  The	default	time-
		     out is 10 minutes.

	     icmp.stats (net.inet.icmp.stats)
		     Returns the ICMP statistics in a struct icmpstat.

	     icmp.tstamprepl (net.inet.icmp.tstamprepl)
		     If	set to 1, reply	to ICMP	timestamp requests.  If	set to
		     0,	ignore timestamp requests.

	     ip.arpqueued (net.inet.ip.arpqueued)
		     Number of packets ARP resolution is holding onto until it
		     gets a MAC	address	for an IP.

	     ip.arpdown	(net.inet.ip.arpdown)
		     Lifetime of unresolved ARP	entries, in seconds.

	     ip.arptimeout (net.inet.ip.arptimeout)
		     Lifetime of resolved ARP entries, in seconds.

	     ip.arpq
		     Fifth level comprises an array of struct ifqueue struc-
		     tures containing information about	ARP queue.  The	fifth
		     level names for the elements of struct ifqueue are	de-
		     tailed below.

			   Fifth level name    Type	  Changeable
			   IFQCTL_DROPS	       integer	  no
			   IFQCTL_LEN	       integer	  no
			   IFQCTL_MAXLEN       integer	  yes

		     The variables are as follows:

		     IFQCTL_DROPS (net.inet.ip.arpq.drops)
			     Returns the number of packets dropped.
		     IFQCTL_LEN	(net.inet.ip.arpq.len)
			     Returns the current queue length.
		     IFQCTL_MAXLEN (net.inet.ip.arpq.maxlen)
			     Get or set the maximum queue length.

	     ip.directed-broadcast (net.inet.ip.directed-broadcast)
		     Returns 1 if directed broadcast behavior is enabled for
		     the host.

	     ip.encdebug (net.inet.ip.encdebug)
		     Returns 1 when error message reporting is enabled for the
		     host.  If the kernel has been compiled with the ENCDEBUG
		     option, then debugging information	will also be reported
		     when this variable	is set.

	     ip.forwarding (net.inet.ip.forwarding)
		     If	set to 0, IP forwarding	is disabled.  The IP stack
		     also requires the destination IP address of incoming
		     packets to	match the IP address of	the network interface
		     the packet	is bound to.  If set to	1, IP forwarding is
		     enabled for the host, indicating the host is acting as a
		     router.  If set to	2, IP forwarding is restricted to
		     traffic that has been IPsec encapsulated or decapsulated
		     by the host.  Enabling packet forwarding (a value of 1
		     or 2) relaxes the requirement on incoming packets: the
		     destination address need only match any IP address
		     bound to the host.  The default value is 0.

	     ip.ipsec-allocs (net.inet.ip.ipsec-allocs)
		     The number	of IPsec flows that can	use a security associ-
		     ation before it expires.  If set to less than or equal to
		     zero, the security	association will not expire because of
		     this counter.  The	default	value is 0.

	     ip.ipsec-auth-alg (net.inet.ip.ipsec-auth-alg)
		     This is the default authentication	algorithm the kernel
		     will instruct key management daemons to negotiate when
		     establishing security associations	on behalf of the ker-
		     nel.  Such	security associations can occur	as a result of
		     a process having requested	some security level through
		     setsockopt(2), or as a result of dynamic VPN entries.
		     Supported values are hmac-md5, hmac-sha1, and hmac-
		     ripemd160.	 If set	to any other value, it is left to the
		     key management daemons to select an authentication	algo-
		     rithm for the security association.  The default value is
		     hmac-sha1.

	     ip.ipsec-bytes (net.inet.ip.ipsec-bytes)
		     The number	of bytes that will be processed	by a security
		     association before	it expires.  If	set to less than or
		     equal to zero, the	security association will not expire
		     because of	this counter.  The default value is 0.

	     ip.ipsec-comp-alg (net.inet.ip.ipsec-comp-alg)
		     The compression algorithm to use with an IP Compression
		     Association (IPCA).  Possible values are "deflate"	and
		     "lzs".  Note that lzs is only available with hifn(4).
		     See ipsecctl(8) for more information.

	     ip.ipsec-enc-alg (net.inet.ip.ipsec-enc-alg)
		     This is the default encryption algorithm the kernel will
		     instruct key management daemons to	negotiate when estab-
		     lishing security associations on behalf of	the kernel.
		     Such security associations	can occur as a result of a
		     process having requested some security level through
		     setsockopt(2), or as a result of dynamic VPN entries.
		     Supported values are aes, des, 3des, blowfish and
		     cast128.  If set to any other value, it is	left to	the
		     key management daemons to select an encryption algorithm
		     for the security association.  The	default	value is aes.

	     ip.ipsec-expire-acquire (net.inet.ip.ipsec-expire-acquire)
		     How long the kernel should	allow key management to	dynam-
		     ically acquire security associations before re-sending a
		     request.  The default value is 30 seconds.

	     ip.ipsec-firstuse (net.inet.ip.ipsec-firstuse)
		     The number	of seconds after a security association	is
		     first used	before it expires.  If set to less than	or
		     equal to zero, the	security association will not expire
		     because of	this timer.  The default value is 7200 sec-
		     onds.

	     ip.ipsec-invalid-life (net.inet.ip.ipsec-invalid-life)
		     The lifetime of embryonic Security	Associations (SAs that
		     key management daemons have reserved but not fully	estab-
		     lished yet) in seconds.  If set to	less than or equal to
		     zero, embryonic SAs will not expire.  The default value
		     is	60.

	     ip.ipsec-pfs (net.inet.ip.ipsec-pfs)
		     If	set to any non-zero value, the kernel will ask the key
		     management	daemons	to use Perfect Forward Secrecy when
		     establishing IPsec	Security Associations.	Perfect	For-
		     ward Secrecy makes	IPsec Security Associations crypto-
		     graphically distinct from each other, such	that breaking
		     the key for one such SA does not compromise any others.
		     Requiring PFS for every security association signifi-
		     cantly increases the computational	load of	isakmpd(8) ex-
		     changes.  The default value is 1.

	     ip.ipsec-soft-allocs (net.inet.ip.ipsec-soft-allocs)
		     The number	of IPsec flows that can	use a security associ-
		     ation before a message is sent by the kernel to key man-
		     agement for renegotiation of the security association.
		     If	set to less than or equal to zero, no message is sent
		     to	key management.	 The default value is 0.

	     ip.ipsec-soft-bytes (net.inet.ip.ipsec-soft-bytes)
		     The number	of bytes that will be processed	by a security
		     association before	a message is sent by the kernel	to key
		     management	for renegotiation of the security association.
		     If	set to less than or equal to zero, no message is sent
		     to	key management.	 The default value is 0.

	     ip.ipsec-soft-firstuse (net.inet.ip.ipsec-soft-firstuse)
		     The number	of seconds after a security association	is
		     first used	before a message is sent by the	kernel to key
		     management	for renegotiation of the security association.
		     If	set to less than or equal to zero, no message is sent
		     to	key management.	 The default value is 3600 seconds.

	     ip.ipsec-soft-timeout (net.inet.ip.ipsec-soft-timeout)
		     The number	of seconds after a security association	is es-
		     tablished before a	message	is sent	by the kernel to key
		     management	for renegotiation of the security association.
		     If	set to less than or equal to zero, no message is sent
		     to	key management.	 The default value is 80000 seconds.

	     ip.ipsec-timeout (net.inet.ip.ipsec-timeout)
		     The number	of seconds after a security association	is es-
		     tablished before it will expire.  If set to less than or
		     equal to zero, the	security association will not expire
		     because of	this timer.  The default value is 86400	sec-
		     onds.

	     ip.maxqueue (net.inet.ip.maxqueue)
		     Fragment flood protection.	 Sets the maximum number of
		     unassembled IP fragments in the fragment queue.

	     ip.mforwarding (net.inet.ip.mforwarding)
		     If	set to 1, then multicast forwarding is enabled for the
		     host.  The	default	is 0.

	     ip.mtudisc	(net.inet.ip.mtudisc)
		     Returns 1 if Path MTU Discovery is	enabled.

	     ip.mtudisctimeout (net.inet.ip.mtudisctimeout)
		     Number of seconds in which	a route	added by the Path MTU
		     Discovery engine will time	out.  When the route times
		     out, the Path MTU Discovery engine	will attempt to	probe
		     a larger path MTU.

	     ip.multipath (net.inet.ip.multipath)
		     This variable enables multipath routing for IPv4 ad-
		     dresses.  If set to 0, only the first route selected will
		     be	used for a given destination regardless	of how many
		     routes exist in the routing table.

	     ip.portfirst (net.inet.ip.portfirst)
		     Minimum registered	port number for	TCP/UDP	port alloca-
		     tion.  Registered ports can be used by ordinary user pro-
		     cesses or programs	executed by ordinary users.  Cannot be
		     less than 1024 or greater than 49151.  Must be less than
		     ip.portlast.

	     ip.porthifirst (net.inet.ip.porthifirst)
		     Minimum dynamic/private port number for TCP/UDP port al-
		     location.	Dynamic/private	ports can be used by ordinary
		     user processes or programs	executed by ordinary users.
		     Cannot be less than 49152 or greater than 65535.  Must be
		     less than ip.porthilast.

	     ip.porthilast (net.inet.ip.porthilast)
		     Maximum dynamic/private port number for TCP/UDP port al-
		     location.	Dynamic/private	ports can be used by ordinary
		     user processes or programs	executed by ordinary users.
		     Cannot be less than 49152 or greater than 65535.  Must be
		     greater than ip.porthifirst.

	     ip.portlast (net.inet.ip.portlast)
		     Maximum registered	port number for	TCP/UDP	port alloca-
		     tion.  Registered ports can be used by ordinary user pro-
		     cesses or programs	executed by ordinary users.  Cannot be
		     less than 1024 or greater than 49151.  Must be greater
		     than ip.portfirst.

	     ip.redirect (net.inet.ip.redirect)
		     Returns 1 when ICMP redirects may be sent by the host.
		     This option is ignored unless the host is routing IP
		     packets, and should normally be enabled on	all systems.

	     ip.sourceroute (net.inet.ip.sourceroute)
		     Returns 1 when forwarding of source-routed	packets	is en-
		     abled for the host.  When running with a securelevel(7)
		     greater than 0, this variable may not be changed.

	     ip.stats (net.inet.ip.stats)
		     Returns the IP statistics in a struct ipstat.

	     ip.ttl (net.inet.ip.ttl)
		     The maximum time-to-live (hop count) value	for an IP
		     packet sourced by the system.  This value applies to nor-
		     mal transport protocols, not to ICMP.

	     ipcomp.enable (net.inet.ipcomp.enable)
		     Enable the	IPComp protocol.  See ipcomp(4)	for more in-
		     formation.

	     ipip.allow	(net.inet.ipip.allow)
		     If	set to 0, incoming IP-in-IP packets will not be	pro-
		     cessed.  If set to	any other value, processing will oc-
		     cur; furthermore, if set to 2, no checks for spoofing of
		     loopback addresses	will be	done.  This is useful only for
		     debugging purposes, and should never be used in produc-
		     tion systems.

	     tcp.ackonpush (net.inet.tcp.ackonpush)
		     Returns 1 if TCP segments with the	TH_PUSH	flag set are
		     being acknowledged	immediately, otherwise 0.

	     tcp.baddynamic (net.inet.tcp.baddynamic)
		     An	array of in_port_t is returned specifying the bitmask
		     of	TCP ports between 512 and 1023 inclusive that should
		     not be allocated dynamically by the kernel	(i.e., they
		     must be bound specifically	by port	number).

	     tcp.ecn (net.inet.tcp.ecn)
		     Returns 1 if Explicit Congestion Notifications for	TCP
		     are enabled.

	     tcp.ident (net.inet.tcp.ident)
		     A struct tcp_ident_mapping	specifying a local and foreign
		     endpoint of a TCP socket is filled	in with	the effective
		     and real UIDs of the process that owns the	socket.	 If no
		     such socket exists, then the effective and	real UID val-
		     ues are both set to -1.

	     tcp.keepidle (net.inet.tcp.keepidle)
		     If	the socket option SO_KEEPALIVE has been	set on a
		     socket, then this value specifies how much	time a connec-
		     tion needs	to be idle before keepalives are sent.	See
		     also tcp.slowhz.

	     tcp.keepinittime (net.inet.tcp.keepinittime)
		     Time to keep alive	the initial SYN	packet of a TCP	hand-
		     shake.

	     tcp.keepintvl (net.inet.tcp.keepintvl)
		     Time after	a keepalive probe is sent until, in the	ab-
		     sence of any response, another probe is sent.  See	also
		     tcp.slowhz.

	     tcp.always_keepalive (net.inet.tcp.always_keepalive)
		     Act as if the option SO_KEEPALIVE was set on all TCP
		     sockets.

	     tcp.mssdflt (net.inet.tcp.mssdflt)
		     The maximum segment size that is used as default for non-
		     local connections.	 The default value is 512.

	     tcp.reasslimit (net.inet.tcp.reasslimit)
		     The maximum number	of out-of-order	TCP segments the sys-
		     tem will store for	reassembly.

	     tcp.rfc1323 (net.inet.tcp.rfc1323)
		     Returns 1 if RFC 1323 extensions to TCP are enabled.

	     tcp.rfc3390 (net.inet.tcp.rfc3390)
		     Returns 1 if the TCP Initial Window is increased to 4 *
		     MSS or 4380 bytes,	as specified in	RFC 3390.  Returns 2
		     if	the TCP	Initial	Window is increased to 10 * MSS	or
		     14600 bytes, as specified in RFC 6928.

	     tcp.rootonly (net.inet.tcp.rootonly)
		     An	array of in_port_t is returned specifying the bitmask
		     of	TCP ports that can only	be bound by processes with
		     root euid.	 When running with a securelevel(7) greater
		     than 0, this variable may not be changed.

	     tcp.rstppslimit (net.inet.tcp.rstppslimit)
		     This variable specifies the maximum number	of outgoing
		     TCP RST packets per second.  TCP RST packets exceeding
		     this value	are subject to rate limitation and will	not go
		     out from the node.	 A negative value disables rate	limi-
		     tation.

	     tcp.sack (net.inet.tcp.sack)
		     Returns 1 if RFC 2018 Selective Acknowledgements are en-
		     abled.

	     tcp.slowhz	(net.inet.tcp.slowhz)
		     The units for tcp.keepidle	and tcp.keepintvl; those vari-
		     ables are in ticks	of a clock that	ticks tcp.slowhz times
		     per second.  (That	is, their values must be divided by
		     the tcp.slowhz value to get times in seconds.)

	     tcp.stats (net.inet.tcp.stats)
		     Returns the TCP statistics	in a struct tcpstat.

	     tcp.synbucketlimit	(net.inet.tcp.synbucketlimit)
		     The maximum number	of entries allowed per hash bucket in
		     the TCP SYN cache.

	     tcp.syncachelimit (net.inet.tcp.syncachelimit)
		     The maximum number	of entries allowed in the TCP SYN
		     cache.

	     tcp.synhashsize (net.inet.tcp.synhashsize)
		     The number	of buckets in the TCP SYN cache	hash array.
		     After the value is	set, the actual	size changes when the
		     alternative SYN cache becomes empty and both SYN caches
		     are swapped.

	     tcp.synuselimit (net.inet.tcp.synuselimit)
		     The minimum number	of times the hash function for the TCP
		     SYN cache is used before it is reseeded.

	     udp.baddynamic (net.inet.udp.baddynamic)
		     Analogous to tcp.baddynamic but for UDP sockets.

	     udp.checksum (net.inet.udp.checksum)
		     Returns 1 when UDP	checksums are being computed and
		     checked.  Disabling UDP checksums is strongly discour-
		     aged.

	     udp.recvspace (net.inet.udp.recvspace)
		     Returns the default UDP receive buffer size.

	     udp.rootonly (net.inet.udp.rootonly)
		     Analogous to tcp.rootonly but for UDP sockets.

	     udp.sendspace (net.inet.udp.sendspace)
		     Returns the default UDP send buffer size.

	     udp.stats (net.inet.udp.stats)
		     Returns the UDP statistics	in a struct udpstat.
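
     The following is an added example, not part of the original manual
     page.  It audits settings against the cautions and limits stated in
     the PF_INET descriptions above.  It assumes input in name=value form,
     as used by a sysctl.conf file; the function, flag and sample names are
     hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* One bit per finding so a caller can test for a specific problem. */
enum {
	F_BMCASTECHO = 1 << 0,	/* icmp.bmcastecho=1: "smurfing" exposure */
	F_IPIP_SPOOF = 1 << 1,	/* ipip.allow=2: loopback spoof checks off */
	F_UDP_CKSUM  = 1 << 2,	/* udp.checksum=0: strongly discouraged */
	F_ICMP_NOLIM = 1 << 3,	/* icmp.errppslimit<0: rate limit disabled */
	F_RST_NOLIM  = 1 << 4,	/* tcp.rstppslimit<0: rate limit disabled */
	F_PORT_RANGE = 1 << 5	/* port bounds outside the documented limits */
};

enum { BMCASTECHO, IPIP_ALLOW, UDP_CHECKSUM, ICMP_ERRPPS, TCP_RSTPPS,
    PORTFIRST, PORTLAST, PORTHIFIRST, PORTHILAST, NVARS };

static const char *const names[NVARS] = {
	"net.inet.icmp.bmcastecho", "net.inet.ipip.allow",
	"net.inet.udp.checksum", "net.inet.icmp.errppslimit",
	"net.inet.tcp.rstppslimit", "net.inet.ip.portfirst",
	"net.inet.ip.portlast", "net.inet.ip.porthifirst",
	"net.inet.ip.porthilast"
};

#define UNSEEN LONG_MIN		/* variable did not appear in the input */

/* Nonzero if a bound is outside [min,max] or the pair is not ordered. */
static int
bad_range(long lo, long hi, long min, long max)
{
	if (lo != UNSEEN && (lo < min || lo > max))
		return 1;
	if (hi != UNSEEN && (hi < min || hi > max))
		return 1;
	return lo != UNSEEN && hi != UNSEEN && lo >= hi;
}

/* Audit "name=value" text and return the OR of all F_* findings. */
unsigned
audit_text(const char *text)
{
	long val[NVARS], v;
	char line[256], name[128];
	unsigned f = 0;
	size_t i, n, c;

	for (i = 0; i < NVARS; i++)
		val[i] = UNSEEN;
	while (*text != '\0') {
		n = strcspn(text, "\n");
		c = n < sizeof(line) - 1 ? n : sizeof(line) - 1;
		memcpy(line, text, c);
		line[c] = '\0';
		text += n;
		if (*text == '\n')
			text++;
		/* Comments, blanks and string values fail to parse: skip. */
		if (sscanf(line, " %127[^=# \t] = %ld", name, &v) != 2)
			continue;
		for (i = 0; i < NVARS; i++)
			if (strcmp(name, names[i]) == 0)
				val[i] = v;	/* a later line overrides */
	}
	if (val[BMCASTECHO] == 1)
		f |= F_BMCASTECHO;
	if (val[IPIP_ALLOW] == 2)
		f |= F_IPIP_SPOOF;
	if (val[UDP_CHECKSUM] == 0)
		f |= F_UDP_CKSUM;
	if (val[ICMP_ERRPPS] != UNSEEN && val[ICMP_ERRPPS] < 0)
		f |= F_ICMP_NOLIM;
	if (val[TCP_RSTPPS] != UNSEEN && val[TCP_RSTPPS] < 0)
		f |= F_RST_NOLIM;
	if (bad_range(val[PORTFIRST], val[PORTLAST], 1024, 49151) ||
	    bad_range(val[PORTHIFIRST], val[PORTHILAST], 49152, 65535))
		f |= F_PORT_RANGE;
	return f;
}

/* Constructed sample input, not taken from a real host. */
static const char sample[] =
	"# constructed example\n"
	"net.inet.ip.forwarding=1\n"
	"net.inet.icmp.bmcastecho=1\n"
	"net.inet.ipip.allow=2\n"
	"net.inet.ip.ipsec-enc-alg=aes\n"
	"net.inet.tcp.rstppslimit=-1\n"
	"net.inet.ip.portfirst=1024\n"
	"net.inet.ip.portlast=60000\n";

int
main(void)
{
	unsigned f = audit_text(sample);

	if (f & F_BMCASTECHO) puts("icmp.bmcastecho: replies to broadcast echo");
	if (f & F_IPIP_SPOOF) puts("ipip.allow: loopback spoof checks disabled");
	if (f & F_UDP_CKSUM)  puts("udp.checksum: checksums disabled");
	if (f & F_ICMP_NOLIM) puts("icmp.errppslimit: rate limit disabled");
	if (f & F_RST_NOLIM)  puts("tcp.rstppslimit: rate limit disabled");
	if (f & F_PORT_RANGE) puts("ip.port*: range outside documented bounds");
	return f != 0;
}
```

     The exit status is non-zero when any finding is raised, so the check
     can gate a configuration change before it is applied.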

     PF_INET6
	     Get or set	various	global information about IPv6 (Internet
	     Protocol version 6).  The third level name	is the protocol.  The
	     fourth level name is the variable name.  The currently defined
	     protocols and names are:

		   Protocol name    Variable name	 Type	    Changeable
		   icmp6	    errppslimit		 integer    yes
		   icmp6	    mtudisc_hiwat	 integer    yes
		   icmp6	    mtudisc_lowat	 integer    yes
		   icmp6	    nd6_debug		 integer    yes
		   icmp6	    nd6_delay		 integer    yes
		   icmp6	    nd6_maxnudhint	 integer    yes
		   icmp6	    nd6_mmaxtries	 integer    yes
		   icmp6	    nd6_umaxtries	 integer    yes
		   icmp6	    redirtimeout	 integer    yes
		   ip6		    auto_flowlabel	 integer    yes
		   ip6		    dad_count		 integer    yes
		   ip6		    dad_pending		 integer    yes
		   ip6		    defmcasthlim	 integer    yes
		   ip6		    forwarding		 integer    yes
		   ip6		    hdrnestlimit	 integer    yes
		   ip6		    hlim		 integer    yes
		   ip6		    log_interval	 integer    yes
		   ip6		    maxdynroutes	 integer    yes
		   ip6		    maxfragpackets	 integer    yes
		   ip6		    maxfrags		 integer    yes
		   ip6		    mforwarding		 integer    yes
		   ip6		    mtudisctimeout	 integer    yes
		   ip6		    multicast_mtudisc	 integer    yes
		   ip6		    multipath		 integer    yes
		   ip6		    neighborgcthresh	 integer    yes
		   ip6		    redirect		 integer    yes
		   ip6		    soiikey		 uint8_t[IP6_SOIIKEY_LEN]  yes
		   ip6		    use_deprecated	 integer    yes

	     The variables are as follows:

	     icmp6.errppslimit (net.inet6.icmp6.errppslimit)
		     This variable specifies the maximum number	of outgoing
		     ICMPv6 error messages per second.	ICMPv6 error messages
		     exceeding this value are subject to rate limitation and
		     will not go out from the node.  A negative	value will
		     disable the rate limitation.

	     icmp6.mtudisc_hiwat (net.inet6.icmp6.mtudisc_hiwat)
	     icmp6.mtudisc_lowat (net.inet6.icmp6.mtudisc_lowat)
		     These variables define the	maximum	number of routing ta-
		     ble entries created due to	path MTU discovery (preventing
		     denial-of-service attacks with ICMPv6 too big messages).
		     After IPv6	path MTU discovery happens, path MTU informa-
		     tion is kept in the routing table.	 If the	number of
		     routing table entries exceeds this	value, the kernel will
		     not attempt to keep the path MTU information.
		     icmp6.mtudisc_hiwat is used when we have verified ICMPv6
		     too big messages.	icmp6.mtudisc_lowat is used when we
		     have unverified ICMPv6 too	big messages.  Verification is
		     performed by using	address/port pairs kept	in connected
		     PCBs.  A negative value disables the upper	limit.

	     icmp6.nd6_debug (net.inet6.icmp6.nd6_debug)
		     If	set to non-zero, IPv6 neighbor discovery will generate
		     debugging messages.  The debug output is useful for diag-
		     nosing IPv6 interoperability issues.  The flag must be
		     set to 0 for normal operation.

	     icmp6.nd6_delay (net.inet6.icmp6.nd6_delay)
		     This variable specifies the DELAY_FIRST_PROBE_TIME	timing
		     constant in IPv6 neighbor discovery specification (RFC
		     4861), in seconds.

	     icmp6.nd6_maxnudhint (net.inet6.icmp6.nd6_maxnudhint)
		     IPv6 neighbor discovery permits upper layer protocols to
		     supply reachability hints,	to avoid unnecessary neighbor
		     discovery exchanges.  This	variable defines the number of
		     consecutive hints the neighbor discovery layer will take.
		     For example, by setting the variable to 3,	neighbor dis-
		     covery will take a	maximum	of 3 consecutive hints.	 After
		     receiving 3 hints,	the neighbor discovery layer will in-
		     stead perform the normal neighbor discovery process.

	     icmp6.nd6_mmaxtries (net.inet6.icmp6.nd6_mmaxtries)
		     This variable specifies the MAX_MULTICAST_SOLICIT con-
		     stant in IPv6 neighbor discovery specification (RFC
		     4861).

	     icmp6.nd6_umaxtries (net.inet6.icmp6.nd6_umaxtries)
		     This variable specifies the MAX_UNICAST_SOLICIT constant
		     in	IPv6 neighbor discovery	specification (RFC 4861).

	     icmp6.redirtimeout	(net.inet6.icmp6.redirtimeout)
		     The variable specifies the	lifetime of routing entries
		     generated by incoming ICMPv6 redirects.

	     ip6.auto_flowlabel	(net.inet6.ip6.auto_flowlabel)
		     On	connected transport protocol packets, fill the IPv6
		     flowlabel field to	help intermediate routers identify
		     packet flows.

	     ip6.dad_count (net.inet6.ip6.dad_count)
		     This variable configures the number of IPv6 DAD
		     (duplicate address detection) probe packets.  These
		     packets are generated when IPv6 interfaces are first
		     brought up.

	     ip6.dad_pending (net.inet6.ip6.dad_pending)
		     This variable displays the number of IPv6 DAD (duplicate
		     address detection) operations still pending completion.
		     It is used to make sure that DAD is completed before
		     netstart(8) is executed.

	     ip6.defmcasthlim (net.inet6.ip6.defmcasthlim)
		     The default hop limit value for an	IPv6 multicast packet
		     sourced by	the node.  This	value applies to all the
		     transport protocols on top	of IPv6.  Methods for overrid-
		     ing this value are	documented in ip6(4).

	     ip6.forwarding (net.inet6.ip6.forwarding)
		     Returns 1 when IPv6 forwarding is enabled for the node,
		     meaning that the node is acting as	a router.  Returns 0
		     when IPv6 forwarding is disabled for the node, meaning
		     that the node is acting as	a host.	 Note that IPv6	de-
		     fines node	behavior for the "router" and "host" cases
		     quite differently,	and changing this variable during op-
		     eration may cause serious trouble.	 Hence,	this variable
		     should only be set	at bootstrap time.  As with IPv4, if
		     forwarding	is disabled then the destination address of
		     incoming packets must match the IP	address	bound to the
		     interface.	 If forwarding is enabled, the check is	re-
		     laxed so that the destination IP address of incoming
		     packets must match	just any address bound to the host.

	     ip6.hdrnestlimit (net.inet6.ip6.hdrnestlimit)
		     The number	of IPv6	extension headers permitted on incom-
		     ing IPv6 packets.	If set to 0, the node will accept as
		     many extension headers as possible.

	     ip6.hlim (net.inet6.ip6.hlim)
		     The default hop limit value for an	IPv6 unicast packet
		     sourced by	the node.  This	value applies to all the
		     transport protocols on top	of IPv6.  Methods for overrid-
		     ing this value are	documented in ip6(4).

	     ip6.log_interval (net.inet6.ip6.log_interval)
		     This variable permits adjusting the amount of logs gener-
		     ated by the IPv6 packet forwarding engine.  The value is
		     the interval, in seconds, which must elapse between log
		     outputs.

	     ip6.maxdynroutes (net.inet6.ip6.maxdynroutes)
		     Maximum number of routes created by redirect.  Set	to
		     negative to disable.  The default value is	4096.

	     ip6.maxfragpackets	(net.inet6.ip6.maxfragpackets)
		     The maximum number	of fragmented packets the node will
		     accept.  0	means that the node will not accept any	frag-
		     mented packets.  -1 means that the	node will accept as
		     many fragmented packets as	it receives.  The flag is pro-
		     vided basically for avoiding possible DoS attacks.

	     ip6.maxfrags (net.inet6.ip6.maxfrags)
		     The maximum number	of fragments the node will accept.  0
		     means that	the node will not accept any fragments.	 -1
		     means that	the node will accept as	many fragments as it
		     receives.	The flag is provided basically for avoiding
		     possible DoS attacks.

	     ip6.mforwarding (net.inet6.ip6.mforwarding)
		     If	set to 1, then multicast forwarding is enabled for the
		     host.  The	default	is 0.

	     ip6.multicast_mtudisc (net.inet6.ip6.multicast_mtudisc)
		     This variable controls generation of ICMPv6 Too Big mes-
		     sages when	the machine is performing as an	IPv6 multicast
		     router.  If set to	1, an ICMPv6 Too Big message will be
		     generated for multicast packets which were	too big	to be
		     forwarded.	 If set	to 0, the ICMPv6 Too Big message will
		     be	suppressed.

	     ip6.multipath (net.inet6.ip6.multipath)
		     This variable enables multipath routing for IPv6 ad-
		     dresses.  If set to 0, only the first route selected will
		     be	used for a given destination regardless	of how many
		     routes exist in the routing table.

	     ip6.mtudisctimeout	(net.inet6.ip6.mtudisctimeout)
		     Number of seconds in which	a route	added by the Path MTU
		     Discovery engine will time	out.  When the route times
		     out, the Path MTU Discovery engine	will attempt to	probe
		     a larger path MTU.

	     ip6.neighborgcthresh (net.inet6.ip6.neighborgcthresh)
		     Maximum number of entries in neighbor cache.  Set to neg-
		     ative to disable.	The default value is 2048.

	     ip6.redirect (net.inet6.ip6.redirect)
		     Returns 1 when ICMPv6 redirects may be sent by the	node.
		     This option is ignored unless the node is routing IP
		     packets, and should normally be enabled on	all systems.

	     ip6.soiikey (net.inet6.ip6.soiikey)
		     This variable configures the secret key for the RFC 7217
		     algorithm to calculate a persistent Semantically Opaque
		     Interface Identifier (SOII) for IPv6 Stateless Address
		     Autoconfiguration (SLAAC) addresses.  It must be
		     IP6_SOIIKEY_LEN bytes long.

	     ip6.use_deprecated	(net.inet6.ip6.use_deprecated)
		     This variable controls the use of deprecated addresses,
		     as specified in RFC 4862, section 5.5.4.

	     We	reuse net.inet.tcp and net.inet.udp for	TCP/UDP	over IPv6.
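
	     Several of the IPv6 limits above are switched off by a negative
	     value (or -1), which removes the bound the page ties to
	     denial-of-service resistance.  The C program below is an added
	     example, not part of the original manual page: on OpenBSD it
	     reads those variables with sysctl() and counts the ones left
	     unlimited.  Elsewhere it uses constructed sample values; the
	     names struct knob, classify() and audit() are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#if defined(__OpenBSD__)
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <netinet/in.h>
#include <netinet/icmp6.h>
#define MIB(proto, var) { CTL_NET, PF_INET6, (proto), (var) }
#else	/* no OpenBSD MIB available: audit() uses the constructed samples */
#define MIB(proto, var) { 0, 0, 0, 0 }
#endif

enum rule { FRAG_LIMIT, NEG_DISABLES };
enum verdict { BOUNDED, UNLIMITED, DROPS_ALL };

struct knob {
	const char *name;	/* sysctl(8) name as given in the page */
	int mib[4];		/* net, PF_INET6, protocol, variable */
	enum rule rule;
	int sample;		/* constructed value, used off OpenBSD */
};

static const struct knob knobs[] = {
	{ "net.inet6.ip6.maxfragpackets", MIB(IPPROTO_IPV6, IPV6CTL_MAXFRAGPACKETS), FRAG_LIMIT, 200 },
	{ "net.inet6.ip6.maxfrags", MIB(IPPROTO_IPV6, IPV6CTL_MAXFRAGS), FRAG_LIMIT, -1 },
	{ "net.inet6.ip6.maxdynroutes", MIB(IPPROTO_IPV6, IPV6CTL_MAXDYNROUTES), NEG_DISABLES, 4096 },
	{ "net.inet6.ip6.neighborgcthresh", MIB(IPPROTO_IPV6, IPV6CTL_NEIGHBORGCTHRESH), NEG_DISABLES, 2048 },
	{ "net.inet6.icmp6.errppslimit", MIB(IPPROTO_ICMPV6, ICMPV6CTL_ERRPPSLIMIT), NEG_DISABLES, -1 },
	{ "net.inet6.icmp6.mtudisc_hiwat", MIB(IPPROTO_ICMPV6, ICMPV6CTL_MTUDISC_HIWAT), NEG_DISABLES, 1280 },
	{ "net.inet6.icmp6.mtudisc_lowat", MIB(IPPROTO_ICMPV6, ICMPV6CTL_MTUDISC_LOWAT), NEG_DISABLES, 256 },
};

/* Apply the semantics the page documents for each kind of limit. */
enum verdict classify(enum rule r, int v)
{
	if (r == FRAG_LIMIT) {	/* the page gives meaning only to -1 and 0 */
		if (v == -1)
			return UNLIMITED;
		return v == 0 ? DROPS_ALL : BOUNDED;
	}
	return v < 0 ? UNLIMITED : BOUNDED;	/* negative disables the limit */
}

static int read_knob(const struct knob *k, int *out)
{
#if defined(__OpenBSD__)
	size_t len = sizeof(*out);
	if (sysctl(k->mib, 4, out, &len, NULL, 0) == -1)
		return -1;	/* errno set, e.g. ENOENT or EOPNOTSUPP */
	return len == sizeof(*out) ? 0 : -1;
#else
	*out = k->sample;
	return 0;
#endif
}

/* Print one line per variable; return how many have no upper bound. */
int audit(void)
{
	static const char *const label[] = { "bounded", "UNLIMITED", "drops all" };
	int v, unlimited = 0;

	for (size_t i = 0; i < sizeof(knobs) / sizeof(knobs[0]); i++) {
		if (read_knob(&knobs[i], &v) == -1) {
			printf("%-32s unreadable: %s\n", knobs[i].name, strerror(errno));
			continue;
		}
		enum verdict d = classify(knobs[i].rule, v);
		printf("%-32s %6d  %s\n", knobs[i].name, v, label[d]);
		unlimited += (d == UNLIMITED);
	}
	return unlimited;
}

int main(void) { return audit() > 0; }
```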

     PF_KEY  Return ipsec(4) database dumps.  The second level name is
	     PF_KEY_V2.	 The third level name selects the database as follows:

		   NET_KEY_SADB_DUMP  Security Association database (SADB).
		   NET_KEY_SPD_DUMP   IPsec flow database (SPD).

     PF_MPLS
	     Get or set	global information about MPLS (Multiprotocol Label
	     Switching).

		   Third level name	  Type	     Changeable
		   MPLSCTL_DEFTTL	  integer    yes
		   MPLSCTL_MAPTTL_IP	  integer    yes
		   MPLSCTL_MAPTTL_IP6	  integer    yes

	     MPLSCTL_DEFTTL (net.mpls.ttl)
		     Set or get	the default TTL	value which is used for	MPLS
		     (Shim) Header.  The default is 255.

	     MPLSCTL_MAPTTL_IP (net.mpls.mapttl_ip)
		     If	set to 1 the TTL field is synchronized between the IP
		     header and	the MPLS label stack.  If set to 0 the IP
		     header TTL	is not modified	while passing through MPLS and
		     the MPLS label stack is initialized with the
		     MPLSCTL_DEFTTL.  The default is 1.

	     MPLSCTL_MAPTTL_IP6	(net.mpls.mapttl_ip6)
		     If	set to 1 the TTL field is synchronized between the
		     IPv6 header and the MPLS label stack.  If set to 0	the
		     IPv6 header TTL is	not modified while passing through
		     MPLS and the MPLS label stack is initialized with the
		     MPLSCTL_DEFTTL.  The default is 0.

     PF_PIPEX (net.pipex)
	     Get or set	global information about PIPEX.

	     The currently defined variable names are:

		   Third level name    Type	  Changeable
		   PIPEXCTL_ENABLE     integer	  yes

	     PIPEXCTL_ENABLE
		     If	set to 1, enable PIPEX processing.  The	default	is 0.

   CTL_VFS
     The string	and integer information	available for the CTL_VFS level	is de-
     tailed below.  The	changeable column shows	whether	a process with appro-
     priate privileges may change the value.

	   Second level	name	Type		    Changeable
	   VFS_GENERIC		VFS generic info    no
	   filesystem #		filesystem info	    no

     VFS_GENERIC
	     This second level identifier requests generic information about
	     the VFS layer.  Within it,	the following third level identifiers
	     exist:

		   Third level name    Type		 Changeable
		   VFS_CONF	       struct vfsconf	 no
		   VFS_MAXTYPENUM      int		 no

     filesystem	#
	     After finding the filesystem dependent vfc_typenum	using
	     VFS_GENERIC with VFS_CONF,	it is possible to access filesystem
	     dependent information.

	     Some filesystems may contain settings.

	     FFS

			Third level name	  Type	     Changeable
			FFS_DIRHASH_DIRSIZE	  integer    yes
			FFS_DIRHASH_MAXMEM	  integer    yes
			FFS_DIRHASH_MEM		  integer    no
			FFS_MAX_SOFTDEPS	  integer    yes
			FFS_SD_BLK_LIMIT_HIT	  integer    yes
			FFS_SD_BLK_LIMIT_PUSH	  integer    yes
			FFS_SD_DIR_ENTRY	  integer    yes
			FFS_SD_DIRECT_BLK_PTRS	  integer    yes
			FFS_SD_INDIR_BLK_PTRS	  integer    yes
			FFS_SD_INO_LIMIT_HIT	  integer    yes
			FFS_SD_INO_LIMIT_PUSH	  integer    yes
			FFS_SD_INODE_BITMAP	  integer    yes
			FFS_SD_SYNC_LIMIT_HIT	  integer    yes
			FFS_SD_TICKDELAY	  integer    yes
			FFS_SD_WORKLIST_PUSH	  integer    yes

		  FFS_DIRHASH_DIRSIZE (vfs.ffs.dirhash_dirsize)
			  The minimum size of a	directory, in bytes, before it
			  is considered	for hashing.

		  FFS_DIRHASH_MAXMEM (vfs.ffs.dirhash_maxmem)
			  The maximum amount of	memory,	in bytes, to be	used
			  for storing directory	hashes.

		  FFS_DIRHASH_MEM (vfs.ffs.dirhash_mem)
			  The amount of	memory currently used by all directory
			  hashes.

		  FFS_MAX_SOFTDEPS (vfs.ffs.max_softdeps)
			  Maximum structures before slowdowns.

		  FFS_SD_BLK_LIMIT_HIT (vfs.ffs.sd_blk_limit_hit)
			  Number of times block	slowdown imposed.

		  FFS_SD_BLK_LIMIT_PUSH	(vfs.ffs.sd_blk_limit_push)
			  Number of times block	limit neared.

		  FFS_SD_DIR_ENTRY (vfs.ffs.sd_dir_entry)
			  Bufs redirtied as dir	entry cannot write.

		  FFS_SD_DIRECT_BLK_PTRS (vfs.ffs.sd_direct_blk_ptrs)
			  Bufs redirtied as direct ptrs	not written.

		  FFS_SD_INDIR_BLK_PTRS	(vfs.ffs.sd_indir_blk_ptrs)
			  Bufs redirtied as indirect ptrs not written.

		  FFS_SD_INO_LIMIT_HIT (vfs.ffs.sd_ino_limit_hit)
			  Number of times inode	limit imposed.

		  FFS_SD_INO_LIMIT_PUSH	(vfs.ffs.sd_ino_limit_push)
			  Number of times inode	limit neared.

		  FFS_SD_INODE_BITMAP (vfs.ffs.sd_inode_bitmap)
			  Bufs redirtied as inode bitmap not written.

		  FFS_SD_SYNC_LIMIT_HIT	(vfs.ffs.sd_sync_limit_hit)
			  Number of synchronous	slowdowns imposed.

		  FFS_SD_TICKDELAY (vfs.ffs.sd_tickdelay)
			  Ticks	to pause during	slowdown.

		  FFS_SD_WORKLIST_PUSH (vfs.ffs.sd_worklist_push)
			  Number of worklist cleanups.

	     NFS

			Third level name    Type	       Changeable
			NFS_NFSSTATS	    struct nfsstats    yes
			NFS_NIOTHREADS	    int		       yes

		  NFS_NIOTHREADS (vfs.nfs.iothreads)
			  The number of	I/O kernel threads for NFS clients.
			  The default is 4; the	maximum	is 20.

	     FUSE

			Third level name       Type    Changeable
			FUSEFS_INFBUFS	       int     no
			FUSEFS_OPENDEVS	       int     no
			FUSEFS_POOL_NBPAGES    int     no
			FUSEFS_WAITFBUFS       int     no

		  FUSEFS_INFBUFS (vfs.fuse.fusefs_fbufs_in)
			  The number of	inbound	fusebufs.

		  FUSEFS_OPENDEVS (vfs.fuse.fusefs_open_devices)
			  The number of	FUSE devices opened.

		  FUSEFS_POOL_NBPAGES (vfs.fuse.fusefs_pool_pages)
			  The number of	pages used for fusebuf memory.

		  FUSEFS_WAITFBUFS (vfs.fuse.fusefs_fbufs_wait)
			  The number of	fusebufs waiting for a response.

   CTL_VM
     The string	and integer information	available for the CTL_VM level is de-
     tailed below.  The	changeable column shows	whether	a process with appro-
     priate privileges may change the value.

	   Second level	name	Type		       Changeable
	   VM_ANONMIN		integer		       yes
	   VM_LOADAVG		struct loadavg	       no
	   VM_MALLOC_CONF	string		       yes
	   VM_MAXSLP		integer		       no
	   VM_METER		struct vmtotal	       no
	   VM_NKMEMPAGES	integer		       no
	   VM_PSSTRINGS		struct psstrings       no
	   VM_SWAPENCRYPT	swap encrypt values    yes
	   VM_USPACE		integer		       no
	   VM_UVMEXP		struct uvmexp	       no
	   VM_VNODEMIN		integer		       yes
	   VM_VTEXTMIN		integer		       yes

     VM_ANONMIN	(vm.anonmin)
	     Percentage	of physical memory available for pages which contain
	     anonymous mapping.

     VM_LOADAVG	(vm.loadavg)
	     Return the	load average history.  The returned data consists of a
	     struct loadavg.

     VM_MALLOC_CONF (vm.malloc_conf)
	     String of option flags for	the malloc(3) family of	functions
	     which will	be applied to all programs starting in the future.
	     The string	contains a maximum of 15 characters.

     VM_MAXSLP (vm.maxslp)
	     The time for a process to be blocked before being swappable, in
	     seconds.

     VM_METER (vm.vmmeter)
	     Return the	system wide virtual memory statistics.	The returned
	     data consists of a	struct vmtotal.

     VM_NKMEMPAGES (vm.nkmempages)
	     Number of pages in	kmem_map.

     VM_PSSTRINGS (vm.psstrings)
	     Returns the address of the	process	struct ps_strings.  The	ps(1)
	     program uses it to	locate the argument and	environment strings.

     VM_SWAPENCRYPT
	     Contains statistics about swap encryption.	 The string and	inte-
	     ger information available for the third level is detailed below.

		   Third level name    Type	  Changeable
		   SWPENC_CREATED      integer	  no
		   SWPENC_DELETED      integer	  no
		   SWPENC_ENABLE       integer	  yes

	     SWPENC_CREATED (vm.swapencrypt.keyscreated)
		     The number	of encryption keys that	have been randomly
		     created.  The swap	partition is divided into sections of
		     normally 512KB.  Each section has its own encryption key.

	     SWPENC_DELETED (vm.swapencrypt.keysdeleted)
		     The number	of encryption keys that	have been deleted,
		     thus effectively erasing the data that has	been encrypted
		     with them.	 Encryption keys are deleted when their	refer-
		     ence counter reaches zero.

	     SWPENC_ENABLE (vm.swapencrypt.enable)
		     Set to 1 to enable	swap encryption	for all	processes.  A
		     0 disables	swap encryption.  Pages	still on swap receive
		     a grandfather clause.  Turning this option	on does	not
		     affect legacy swap	data already on	the disk, but all
		     newly written data	will be	encrypted.  When swap encryp-
		     tion is turned on,	automatic crash(8) dumps are disabled.

     VM_USPACE (vm.uspace)
	     The number	of bytes allocated for each kernel stack.

     VM_UVMEXP (vm.uvmexp)
	     Contains statistics about the UVM memory management system.

     VM_VNODEMIN (vm.vnodemin)
	     Percentage	of physical memory available for pages which contain
	     cached file data.

     VM_VTEXTMIN (vm.vtextmin)
	     Percentage	of physical memory available for pages which contain
	     cached executable data.

RETURN VALUES
     If	the call to sysctl() is	unsuccessful, -1 is returned and errno is set
     appropriately.

FILES
     <sys/sysctl.h>	       top level identifiers and second	level kernel
			       and hardware identifiers
     <sys/socket.h>	       second level network identifiers
     <sys/gmon.h>	       third level profiling identifiers
     <uvm/uvm_param.h>	       second level virtual memory identifiers
     <uvm/uvm_swap_encrypt.h>  third level virtual memory identifiers
     <net/if.h>		       packet input/output queue identifiers
     <net/pipex.h>	       third level PIPEX identifiers
     <netinet/in.h>	       third and fourth	level IPv4/v6 identifiers
     <netinet/ip_divert.h>     fourth level divert identifiers
     <netinet/icmp_var.h>      fourth level ICMP identifiers
     <netinet/icmp6.h>	       fourth level ICMPv6 identifiers
     <netinet/tcp_var.h>       fourth level TCP	identifiers
     <netinet/udp_var.h>       fourth level UDP	identifiers
     <ddb/db_var.h>	       second level ddb	identifiers
     <sys/mount.h>	       second level vfs	identifiers
     <miscfs/fuse/fusefs.h>    third level fusefs identifiers
     <nfs/nfs.h>	       third level NFS identifiers
     <ufs/ffs/ffs_extern.h>    third level FFS identifiers
     <machine/cpu.h>	       second level CPU	identifiers

ERRORS
     The following errors may be reported:

     [EFAULT]		The buffer name, oldp, newp, or	length pointer oldlenp
			contains an invalid address.

     [EINVAL]		The length of the name array (namelen) is less than
			two or greater than CTL_MAXNAME.

     [EINVAL]		A non-null newp	pointer	is given and its specified
			length in newlen is too	large or too small.

     [ENOMEM]		The length pointed to by oldlenp is too	short to hold
			the requested value.

     [ENOENT]		The mib	specified does not exist, or exceeds the range
			that is	possible.

     [ENXIO]		If the mib is a	sparsely populated array, this error
			may be returned	instead.

     [ENOTDIR]		The name array specifies an intermediate rather	than
			terminal name.

     [EOPNOTSUPP]	The name array specifies a value that is unknown.

     [EPERM]		An attempt is made to set a read-only value.

     [EPERM]		A process without appropriate privileges attempts to
			set a value.

     [EPERM]		An attempt to change a value protected by the current
			kernel security	level is made.

     [ESRCH]		No process could be found which	corresponds to the
			given process ID.

SEE ALSO
     pathconf(2), sysconf(3), ddb(4), sysctl.conf(5), securelevel(7),
     sysctl(8)

HISTORY
     The sysctl() function first appeared in 4.4BSD.

FreeBSD	13.0		       January 13, 2021			  FreeBSD 13.0
