Manuál NetBSD
SYSCTL(3) NetBSD Library Functions Manual SYSCTL(3)NAME
sysctl, sysctlbyname, sysctlgetmibinfo, sysctlnametomib — get or set system information
LIBRARY
Standard C Library (libc, −lc)
SYNOPSIS
#include <sys/param.h>
#include <sys/sysctl.h>
int
sysctl(const int *name, u_int namelen, void *oldp, size_t *oldlenp, const void *newp, size_t newlen);
int
sysctlbyname(const char *sname, void *oldp, size_t *oldlenp, void *newp, size_t newlen);
int
sysctlgetmibinfo(const char *sname, int *name, u_int *namelenp, char *cname, size_t *csz, struct sysctlnode **rnode, int v);
int
sysctlnametomib(const char *sname, int *name, size_t *namelenp);
DESCRIPTION
The sysctl function retrieves system information and allows processes with appropriate privileges to set system information. The information available from sysctl consists of integers, strings, and tables. Information may be retrieved and set from the command interface using the sysctl(8) utility.
Unless explicitly noted below, sysctl returns a consistent snapshot of the data requested. Consistency is obtained by locking the destination buffer into memory so that the data may be copied out without blocking. Calls to sysctl are serialized to avoid deadlock.
The state is described using a ‘‘Management Information Base’’ (MIB) style name, listed in name, which is a namelen length array of integers.
The sysctlbyname() function accepts a string representation of a MIB entry and internally maps it to the appropriate numeric MIB representation. Its semantics are otherwise no different from sysctl().
The information is copied into the buffer specified by oldp. The size of the buffer is given by the location specified by oldlenp before the call, and that location gives the amount of data copied after a successful call. If the amount of data available is greater than the size of the buffer supplied, the call supplies as much data as fits in the buffer provided and returns with the error code ENOMEM. If the old value is not desired, oldp and oldlenp should be set to NULL.
The size of the available data can be determined by calling sysctl with a NULL parameter for oldp. The size of the available data will be returned in the location pointed to by oldlenp. For some operations, the amount of space may change often. For these operations, the system attempts to round up so that the returned size is large enough for a call to return the data shortly thereafter.
To set a new value, newp is set to point to a buffer of length newlen from which the requested value is to be taken. If a new value is not to be set, newp should be set to NULL and newlen set to 0.
The sysctlnametomib() function can be used to map the string representation of a MIB entry to the numeric version. The name argument should point to an array of integers large enough to hold the MIB, and namelenp should indicate the number of integer slots available. Following a successful translation, the size_t indicated by namelenp will be changed to show the number of slots consumed.
The sysctlgetmibinfo() function performs name translation similar to sysctlnametomib(), but also canonicalizes the name (or returns the first erroneous token from the string being parsed) into the space indicated by cname and csz. csz should indicate the size of the buffer pointed to by cname and on return, will indicate the size of the returned string including the trailing ‘nul’ character.
The rnode and v arguments to sysctlgetmibinfo() are used to provide a tree for it to parse into, and to get back either a pointer to, or a copy of, the terminal node. If rnode is NULL, sysctlgetmibinfo() uses its own internal tree for parsing, and checks it against the kernel at each call, to make sure that the name-to-number mapping is kept up to date. The v argument is ignored in this case. If rnode is not NULL but the pointer it references is, on a successful return, rnode will be adjusted to point to a copy of the terminal node. The v argument indicates which version of the sysctl node structure the caller wants. The application must later free() this copy. If neither rnode nor the pointer it references are NULL, the pointer is used as the address of a tree over which the parsing is done. In this last case, the tree is not checked against the kernel, no refreshing of the mappings is performed, and the value given by v must agree with the version indicated by the tree. It is recommended that applications always use SYSCTL_VERSION as the value for v, as defined in the include file sys/sysctl.h.
The top level names are defined with a CTL_ prefix in 〈sys/sysctl.h〉, and are as follows. The next and subsequent levels down are found in the include files listed here, and described in separate sections below.
|
Name |
|
|
Next level names |
|
|
Description |
|
|
CTL_KERN |
|
|
sys/sysctl.h |
|
|
High kernel limits |
|
|
CTL_VM |
|
|
uvm/uvm_param.h |
|
|
Virtual memory |
|
|
CTL_VFS |
|
|
sys/mount.h |
|
|
Filesystem |
|
|
CTL_NET |
|
|
sys/socket.h |
|
|
Networking |
|
|
CTL_DEBUG |
|
|
sys/sysctl.h |
|
|
Debugging |
|
|
CTL_HW |
|
|
sys/sysctl.h |
|
|
Generic CPU, I/O |
|
|
CTL_MACHDEP |
|
|
sys/sysctl.h |
|
|
Machine dependent |
|
|
CTL_USER |
|
|
sys/sysctl.h |
|
|
User-level |
|
|
CTL_DDB |
|
|
sys/sysctl.h |
|
|
In-kernel debugger |
|
|
CTL_PROC |
|
|
sys/sysctl.h |
|
|
Per-process |
|
|
CTL_VENDOR |
|
|
? |
|
|
Vendor specific |
|
|
CTL_EMUL |
|
|
sys/sysctl.h |
|
|
Emulation settings |
|
|
CTL_SECURITY |
|
|
sys/sysctl.h |
|
|
Security settings |
For example, the following retrieves the maximum number of processes allowed in the system:
int mib[2], maxproc;
size_t len;
mib[0] = CTL_KERN;
mib[1] = KERN_MAXPROC;
len = sizeof(maxproc);
sysctl(mib, 2, &maxproc, &len, NULL, 0);
To retrieve the standard search path for the system utilities:
int mib[2];
size_t len;
char *p;
mib[0] = CTL_USER;
mib[1] = USER_CS_PATH;
sysctl(mib, 2, NULL, &len, NULL, 0);
p = malloc(len);
sysctl(mib, 2, p, &len, NULL, 0);
CTL_DEBUG
The debugging variables vary from system to system. A debugging variable may be added or deleted without need to recompile sysctl to know about it. Each time it runs, sysctl gets the list of debugging variables from the kernel and displays their current values. The system defines twenty (struct ctldebug) variables named debug0 through debug19. They are declared as separate variables so that they can be individually initialized at the location of their associated variable. The loader prevents multiple use of the same variable by issuing errors if a variable is initialized in more than one place. For example, to export the variable dospecialcheck as a debugging variable, the following declaration would be used:
int dospecialcheck = 1;
struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck
};
Note that the dynamic implementation of sysctl currently in use largely makes this particular sysctl interface obsolete. See sysctl(8) for more information.
CTL_VFS
A distinguished second level name, VFS_GENERIC, is used to get general information about all filesystems. One of its third level identifiers is VFS_MAXTYPENUM that gives the highest valid filesystem type number. Its other third level identifier is VFS_CONF that returns configuration information about the filesystem type given as a fourth level identifier. The remaining second level identifiers are the filesystem type number returned by a statvfs(2) call or from VFS_CONF. The third level identifiers available for each filesystem are given in the header file that defines the mount argument structure for that filesystem.
CTL_HW
The string and integer information available for the CTL_HW level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.
|
Second level name |
|
|
Type |
|
|
Changeable |
|
|
HW_ALIGNBYTES |
|
|
integer |
|
|
no |
|
|
HW_BYTEORDER |
|
|
integer |
|
|
no |
|
|
HW_CNMAGIC |
|
|
string |
|
|
yes |
|
|
HW_DISKNAMES |
|
|
string |
|
|
no |
|
|
HW_DISKSTATS |
|
|
struct |
|
|
no |
|
|
HW_MACHINE |
|
|
string |
|
|
no |
|
|
HW_MACHINE_ARCH |
|
|
string |
|
|
no |
|
|
HW_MODEL |
|
|
string |
|
|
no |
|
|
HW_NCPU |
|
|
integer |
|
|
no |
|
|
HW_PAGESIZE |
|
|
integer |
|
|
no |
|
|
HW_PHYSMEM |
|
|
integer |
|
|
no |
|
|
HW_PHYSMEM64 |
|
|
quad |
|
|
no |
|
|
HW_USERMEM |
|
|
integer |
|
|
no |
|
|
HW_USERMEM64 |
|
|
quad |
|
|
no |
HW_ALIGNBYTES
Alignment constraint for all possible data types. This shows the value ALIGNBYTES in /usr/include/machine/param.h, at the kernel compilation time.
HW_BYTEORDER
The byteorder (4,321, or 1,234).
HW_CNMAGIC
The console magic key sequence.
HW_DISKNAMES
The list of (space separated) disk device and NFS mount names on the system.
HW_IOSTATNAMES
A space separated list of devices that will have I/O statistics collected on them.
HW_IOSTATS
Return statistical information on the NFS mounts, disk and tape devices on the system. An array of struct io_sysctl structures is returned, whose size depends on the current number of such objects in the system. The third level name is the size of the struct io_sysctl. The type of object can be determined by examining the type element of struct io_sysctl. Which can be IOSTAT_DISK (disk drive), IOSTAT_TAPE (tape drive), or IOSTAT_NFS (NFS mount).
HW_MACHINE
The machine class.
HW_MACHINE_ARCH
The machine CPU class.
HW_MODEL
The machine model.
HW_NCPU
The number of CPUs.
HW_PAGESIZE
The software page size.
HW_PHYSMEM
The bytes of physical memory as a 32-bit integer.
HW_PHYSMEM64
The bytes of physical memory as a 64-bit integer.
HW_USERMEM
The bytes of non-kernel memory as a 32-bit integer.
HW_USERMEM64
The bytes of non-kernel memory as a 64-bit integer.
CTL_KERN
The string and integer information available for the CTL_KERN level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. The types of data currently available are process information, system vnodes, the open file entries, routing table entries, virtual memory statistics, load average history, and clock rate information.
Second level name
Type Changeable
KERN_ARGMAX integer no
KERN_AUTONICETIME integer yes
KERN_AUTONICEVAL integer yes
KERN_BOOTTIME struct timeval no
KERN_BUFQ node not applicable
KERN_CCPU integer no
KERN_CLOCKRATE struct clockinfo no
KERN_CONSDEV integer no
KERN_CP_ID struct no
KERN_CP_TIME uint64_t[] no
KERN_DEFCORENAME string yes
KERN_DOMAINNAME string yes
KERN_DRIVERS struct kinfo_drivers no
KERN_FILE struct file no
KERN_FORKFSLEEP integer yes
KERN_FSCALE integer no
KERN_FSYNC integer no
KERN_HARDCLOCK_TICKS integer no
KERN_HOSTID integer yes
KERN_HOSTNAME string yes
KERN_IOV_MAX integer no
KERN_JOB_CONTROL integer no
KERN_LABELOFFSET integer no
KERN_LABELSECTOR integer no
KERN_LOGIN_NAME_MAX integer no
KERN_LOGSIGEXIT integer yes
KERN_MAPPED_FILES integer no
KERN_MAXFILES integer yes
KERN_MAXPARTITIONS integer no
KERN_MAXPHYS integer no
KERN_MAXPROC integer yes
KERN_MAXPTYS integer yes
KERN_MAXVNODES integer yes
KERN_MBUF node not applicable
KERN_MEMLOCK integer no
KERN_MEMLOCK_RANGE integer no
KERN_MEMORY_PROTECTION integer no
KERN_MONOTONIC_CLOCK integer no
KERN_MSGBUF integer no
KERN_MSGBUFSIZE integer no
KERN_NGROUPS integer no
KERN_NTPTIME struct ntptimeval no
KERN_OSRELEASE string no
KERN_OSREV integer no
KERN_OSTYPE string no
KERN_PIPE node not applicable
KERN_POSIX1 integer no
KERN_POSIX_BARRIERS integer no
KERN_POSIX_READER_WRITER_LOCKS integer no
KERN_POSIX_SEMAPHORES integer no
KERN_POSIX_SPIN_LOCKS integer no
KERN_POSIX_THREADS integer no
KERN_POSIX_TIMERS integer no
KERN_PROC struct kinfo_proc no
KERN_PROC2 struct kinfo_proc2 no
KERN_PROC_ARGS string no
KERN_PROF node not applicable
KERN_RAWPARTITION integer no
KERN_ROOT_DEVICE string no
KERN_ROOT_PARTITION integer no
KERN_RTC_OFFSET integer yes
KERN_SAVED_IDS integer no
KERN_SECURELVL integer raise only
KERN_SYNCHRONIZED_IO integer no
KERN_SYSVIPC_INFO node not applicable
KERN_SYSVMSG integer no
KERN_SYSVSEM integer no
KERN_SYSVSHM integer no
KERN_TIMEX struct no
KERN_TKSTAT node not applicable
KERN_URANDOM integer no
KERN_VERIEXEC node not applicable
KERN_VERSION string no
KERN_VNODE struct vnode no
KERN_ARGMAX
The maximum bytes of argument to execve(2).
KERN_AUTONICETIME
The number of seconds of CPU-time a non-root process may accumulate before having its priority lowered from the default to the value of KERN_AUTONICEVAL. If set to 0, automatic lowering of priority is not performed, and if set to −1 all non-root processes are immediately lowered.
KERN_AUTONICEVAL
The priority assigned for automatically niced processes.
KERN_BOOTTIME
A struct timeval structure is returned. This structure contains the time that the system was booted.
KERN_CCPU
The scheduler exponential decay value.
KERN_CLOCKRATE
A struct clockinfo structure is returned. This structure contains the clock, statistics clock and profiling clock frequencies, the number of micro-seconds per hz tick, and the clock skew rate.
KERN_CONSDEV
Console device.
KERN_CP_ID
Mapping of CPU number to CPU id.
KERN_CP_TIME
Returns an array of CPUSTATES uint64_ts. This array contains the number of clock ticks spent in different CPU states. On multi-processor systems, the sum across all CPUs is returned unless appropriate space is given for one data set for each CPU. Data for a specific CPU can also be obtained by adding the number of the CPU at the end of the MIB, enlarging it by one.
KERN_DEFCORENAME
Default template for the name of core dump files (see also PROC_PID_CORENAME in the per-process variables CTL_PROC, and core(5) for format of this template). The default value is %n.core and can be changed with the kernel configuration option options DEFCORENAME (see options(4) ).
KERN_DOMAINNAME
Get or set the YP domain name.
KERN_DUMP_ON_PANIC
Perform a crash dump on system panic.
KERN_DRIVERS
Return an array of struct kinfo_drivers that contains the name and major device numbers of all the device drivers in the current kernel. The d_name field is always a NUL terminated string. The d_bmajor field will be set to −1 if the driver doesn’t have a block device.
KERN_FILE
Return the entire file table. The returned data consists of a single struct filelist followed by an array of struct file, whose size depends on the current number of such objects in the system.
KERN_FORKFSLEEP
If fork(2) system call fails due to limit on number of processes (either the global maxproc limit or user’s one), wait for this many milliseconds before returning EAGAIN error to process. Useful to keep heavily forking runaway processes in bay. Default zero (no sleep). Maximum is 20 seconds.
KERN_FSCALE
The kernel fixed-point scale factor.
KERN_FSYNC
Return 1 if the POSIX 1003.1b File Synchronization Option is available on this system, otherwise 0.
KERN_HARDCLOCK_TICKS
Returns the number of hardclock(9) ticks.
KERN_HOSTID
Get or set the host id.
KERN_HOSTNAME
Get or set the hostname.
KERN_IOV_MAX
Return the maximum number of iovec structures that a process has available for use with preadv(2), pwritev(2), readv(2), recvmsg(2), sendmsg(2) and writev(2).
KERN_JOB_CONTROL
Return 1 if job control is available on this system, otherwise 0.
KERN_LABELOFFSET
The offset within the sector specified by KERN_LABELSECTOR of the disklabel(5).
KERN_LABELSECTOR
The sector number containing the disklabel(5).
KERN_LOGIN_NAME_MAX
The size of the storage required for a login name, in bytes, including the terminating NUL.
KERN_LOGSIGEXIT
If this flag is non-zero, the kernel will log(9) all process exits due to signals which create a core(5) file, and whether the coredump was created.
KERN_MAPPED_FILES
Returns 1 if the POSIX 1003.1b Memory Mapped Files Option is available on this system, otherwise 0.
KERN_MAXFILES
The maximum number of open files that may be open in the system.
KERN_MAXPARTITIONS
The maximum number of partitions allowed per disk.
KERN_MAXPHYS
Maximum raw I/O transfer size.
KERN_MAXPROC
The maximum number of simultaneous processes the system will allow.
KERN_MAXPTYS
The maximum number of pseudo terminals. This value can be both raised and lowered, though it cannot be set lower than number of currently used ptys. See also pty(4).
KERN_MAXVNODES
The maximum number of vnodes available on the system. This can only be raised.
KERN_MBUF
Return information about the mbuf control variables. the third level names for the mbuf variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value.
Third level name
Type Changeable
MBUF_MBLOWAT integer yes
MBUF_MCLBYTES integer yes
MBUF_MCLLOWAT integer yes
MBUF_MSIZE integer yes
MBUF_NMBCLUSTERS integer yes
The variables are as follows:
MBUF_MBLOWAT
The mbuf low water mark.
MBUF_MCLBYTES
The mbuf cluster size.
MBUF_MCLLOWAT
The mbuf cluster low water mark.
MBUF_MSIZE
The mbuf base size.
MBUF_NMBCLUSTERS
The limit on the number of mbuf clusters. The variable can only be increased, and only increased on machines with direct-mapped pool pages.
KERN_MEMLOCK
Returns 1 if the POSIX 1003.1b Process Memory Locking Option is available on this system, otherwise 0.
KERN_MEMLOCK_RANGE
Returns 1 if the POSIX 1003.1b Range Memory Locking Option is available on this system, otherwise 0.
KERN_MEMORY_PROTECTION
Returns 1 if the POSIX 1003.1b Memory Protection Option is available on this system, otherwise 0.
KERN_MONOTONIC_CLOCK
Returns the standard version the implementation of the POSIX 1003.1b Monotonic Clock Option conforms to, otherwise 0.
KERN_MSGBUF
The kernel message buffer, rotated so that the head of the circular kernel message buffer is returned at the start of the buffer specified by oldp. The returned data may contain NUL bytes.
KERN_MSGBUFSIZE
The maximum number of characters that the kernel message buffer can hold.
KERN_NGROUPS
The maximum number of supplemental groups.
KERN_NTPTIME
A struct ntptimeval structure is returned. This structure contains data used by the ntpd(8) program.
KERN_OSRELEASE
The system release string.
KERN_OSREV
The system revision string.
KERN_OSTYPE
The system type string.
KERN_PIPE
Pipe settings. The third level names for the integer pipe settings is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.
Third level name
Type Changeable
KERN_PIPE_KVASIZ integer yes
KERN_PIPE_MAXBIGPIPES integeryes
KERN_PIPE_MAXKVASZ integer yes
KERN_PIPE_LIMITKVA integer yes
KERN_PIPE_NBIGPIPES integer yes
The variables are as follows:
KERN_PIPE_KVASIZ
Amount of kernel memory consumed by pipe buffers.
KERN_PIPE_MAXBIGPIPES
Maximum number of "big" pipes.
KERN_PIPE_MAXKVASZ
Maximum amount of kernel memory to be used for pipes.
KERN_PIPE_LIMITKVA
Limit for direct transfers via page loan.
KERN_PIPE_NBIGPIPES
Number of "big" pipes.
KERN_POSIX1
The version of ISO/IEC 9945 (POSIX 1003.1) with which the system attempts to comply.
KERN_POSIX_BARRIERS
The version of IEEE Std 1003.1 (‘‘POSIX.1’’) and its Barriers option to which the system attempts to conform, otherwise 0.
KERN_POSIX_READER_WRITER_LOCKS
The version of IEEE Std 1003.1 (‘‘POSIX.1’’) and its Read-Write Locks option to which the system attempts to conform, otherwise 0.
KERN_POSIX_SEMAPHORES
The version of IEEE Std 1003.1 (‘‘POSIX.1’’) and its Semaphores option to which the system attempts to conform, otherwise 0.
KERN_POSIX_SPIN_LOCKS
The version of IEEE Std 1003.1 (‘‘POSIX.1’’) and its Spin Locks option to which the system attempts to conform, otherwise 0.
KERN_POSIX_THREADS
The version of IEEE Std 1003.1 (‘‘POSIX.1’’) and its Threads option to which the system attempts to conform, otherwise 0.
KERN_POSIX_TIMERS
The version of IEEE Std 1003.1 (‘‘POSIX.1’’) and its Timers option to which the system attempts to conform, otherwise 0.
KERN_PROC
Return the entire process table, or a subset of it. An array of struct kinfo_proc structures is returned, whose size depends on the current number of such objects in the system. The third and fourth level names are as follows:
Third level name
Fourth level is:
KERN_PROC_ALL None
KERN_PROC_GID A group ID
KERN_PROC_PID A process ID
KERN_PROC_PGRP A process group
KERN_PROC_RGID A real group ID
KERN_PROC_RUID A real user ID
KERN_PROC_SESSION A session ID
KERN_PROC_TTY A tty device
KERN_PROC_UID A user ID
KERN_PROC2
As for KERN_PROC, but an array of struct kinfo_proc2 structures are returned. The fifth level name is the size of the struct kinfo_proc2 and the sixth level name is the number of structures to return.
KERN_PROC_ARGS
Return the argv or environment strings (or the number thereof) of a process. Multiple strings are returned separated by NUL characters. The third level name is the process ID. The fourth level name is as follows:
KERN_PROC_ARGV The argv
strings
KERN_PROC_ENV The environ strings
KERN_PROC_NARGV The number of argv strings
KERN_PROC_NENV The number of environ strings
KERN_PROF
Return profiling information about the kernel. If the kernel is not compiled for profiling, attempts to retrieve any of the KERN_PROF values will fail with EOPNOTSUPP. The third level names for the string and integer profiling information is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.
Third level name
Type Changeable
GPROF_COUNT u_short[] yes
GPROF_FROMS u_short[] yes
GPROF_GMONPARAM struct gmonparam no
GPROF_STATE integer yes
GPROF_TOS struct tostruct yes
The variables are as follows:
GPROF_COUNT
Array of statistical program counter counts.
GPROF_FROMS
Array indexed by program counter of call-from points.
GPROF_GMONPARAM
Structure giving the sizes of the above arrays.
GPROF_STATE
Profiling state. If set to GMON_PROF_ON, starts profiling. If set to GMON_PROF_OFF, stops profiling.
GPROF_TOS
Array of struct tostruct describing destination of calls and their counts.
KERN_RAWPARTITION
The raw partition of a disk (a == 0).
KERN_ROOT_DEVICE
The name of the root device (e.g., ‘‘wd0’’).
KERN_ROOT_PARTITION
The root partition on the root device (a == 0).
KERN_RTC_OFFSET
Return the offset of real time clock from UTC in minutes.
KERN_SAVED_IDS
Returns 1 if saved set-group and saved set-user ID is available.
KERN_SBMAX
Maximum socket buffer size.
KERN_SECURELVL
The system security level. This level may be raised by processes with appropriate privilege. It may only be lowered by process 1.
KERN_SOMAXKVA
Maximum amount of kernel memory to be used for socket buffers.
KERN_SYNCHRONIZED_IO
Returns 1 if the POSIX 1003.1b Synchronized I/O Option is available on this system, otherwise 0.
KERN_SYSVIPC_INFO
Return System V style IPC configuration and run-time information. The third level name selects the System V style IPC facility.
Third level name
Type
KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info
KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info
KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info
KERN_SYSVIPC_MSG_INFO
Return information on the System V style message facility. The msg_sysctl_info structure is defined in 〈sys/msg.h〉.
KERN_SYSVIPC_SEM_INFO
Return information on the System V style semaphore facility. The sem_sysctl_info structure is defined in 〈sys/sem.h〉.
KERN_SYSVIPC_SHM_INFO
Return information on the System V style shared memory facility. The shm_sysctl_info structure is defined in 〈sys/shm.h〉.
KERN_SYSVMSG
Returns 1 if System V style message queue functionality is available on this system, otherwise 0.
KERN_SYSVSEM
Returns 1 if System V style semaphore functionality is available on this system, otherwise 0.
KERN_SYSVSHM
Returns 1 if System V style share memory functionality is available on this system, otherwise 0.
KERN_TIMEX
Not available.
KERN_TKSTAT
Return information about the number of characters sent and received on ttys. The third level names for the tty statistic variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value.
Third level name
Type Changeable
KERN_TKSTAT_CANCC quad no
KERN_TKSTAT_NIN quad no
KERN_TKSTAT_NOUT quad no
KERN_TKSTAT_RAWCC quad no
The variables are as follows:
KERN_TKSTAT_CANCC
The number of canonical input characters.
KERN_TKSTAT_NIN
The total number of input characters.
KERN_TKSTAT_NOUT
The total number of output characters.
KERN_TKSTAT_RAWCC
The number of raw input characters.
KERN_URND
Random integer value.
KERN_VERIEXEC
Tunings for Verixec. Third level names for the Veriexec variables are detailed below. The changeable column shows whether a process with appropriate privilege may change the value or only raise it. Only the superuser can modify these variables.
Third level name
Type Changeable
VERIEXEC_ALGORITHMS string no
VERIEXEC_COUNT node not applicable
VERIEXEC_STRICT integer raise only
VERIEXEC_VERBOSE integer yes
The variables are as follows:
VERIEXEC_ALGORITHMS
Returns a string with the supported algorithms in Veriexec.
VERIEXEC_COUNT
Sub-nodes are added to this node as new mounts are monitored by Veriexec. Each mount will be under its own tableN node. Under each node there will be three variables, indicating the mount point, the file-system type, and the number of entries.
VERIEXEC_STRICT
Controls the strict level of Veriexec. The strict level defines how Veriexec will treat various situations.
In strict level 0, the system is in learning mode and will only warn about fingerprint mismatches, as well as allow removal of fingerprinted files. It is the only level where fingerprints can be loaded.
In strict level 1, the system is in IDS mode. It will deny access to files with mismatched fingerprints. Write access to monitored files will be permitted, but once modified, further access to them will be denied. Monitored files cannot be removed. If a disk will be opened for raw writing, Veriexec will invalidate all fingerprints on that disk, if it is monitored.
In strict level 2, the system is in IPS mode. It has all effects of strict level 1, plus it will deny write access to monitored files and enforce access type (direct, indirect, file). Execution of non-monitored files is denied. Opening of raw disks for writing will be denied if the disk is monitored. Attempts to write to kernel memory, either via /dev/mem or /dev/kmem, will be denied to protect Veriexec’s internal data-structures.
Strict level 3 operates as lockdown mode. It will have all effects of strict level 2, but it will also prevent access to non-monitored files. Furthermore, it will prevent addition of new files to the system, and allow writing only to files opened before the strict level was raised. All attempts to open a disk for raw writing will be denied.
VERIEXEC_VERBOSE
Controls the verbosity level of Veriexec. If 0, only the minimal indication required will be given about what’s happening - fingerprint mismatches, removal of entries from the tables, modification of a fingerprinted file. If 1, more messages will be printed (ie., when a file with a valid fingerprint is accessed). Verbose level 2 is debug mode.
KERN_VERSION
The system version string.
KERN_VNODE
Return the entire vnode table. Note, the vnode table is not necessarily a consistent snapshot of the system. The returned data consists of an array whose size depends on the current number of such objects in the system. Each element of the array contains the kernel address of a vnode struct vnode * followed by the vnode itself struct vnode.
kern.coredump.setid
Settings related to set-id processes coredumps. By default, set-id processes do not dump core in situations where other processes would. The settings in this node allows an administrator to change this behavior.
kern.coredump.setid.dump
If non-zero, set-id processes will dump core.
kern.coredump.setid.group
The group-id for the set-id processes’ coredump.
kern.coredump.setid.mode
The mode for the set-id processes’ coredump. See chmod(1).
kern.coredump.setid.owner
The user-id that will be used as the owner of the set-id processes’ coredump.
kern.coredump.setid.path
The path to which set-id processes’ coredumps will be saved to. Same syntax as kern.defcorename.
CTL_MACHDEP
The set of variables defined is architecture dependent. Most architectures define at least the following variables.
Second level name
Type Changeable
CPU_CONSDEV dev_t no
CTL_NET
The string and integer information available for the CTL_NET level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. The second and third levels are typically the protocol family and protocol number, though this is not always the case.
Second level name
Type Changeable
PF_ROUTE routing messages no
PF_INET IPv4 values yes
PF_INET6 IPv6 values yes
PF_KEY IPsec key management valuesyes
PF_ROUTE
Return the entire routing table or a subset of it. The data is returned as a sequence of routing messages (see route(4) for the header file, format and meaning). The length of each message is contained in the message header.
The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. The fifth and sixth level names are as follows:
Fifth level name
Sixth level is:
NET_RT_FLAGS rtflags
NET_RT_DUMP None
NET_RT_IFLIST None
PF_INET
Get or set various global information about the IPv4 (Internet Protocol version 4). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:
Protocol name
Variable name Type Changeable
arp down integer yes
arp keep integer yes
arp prune integer yes
arp refresh integer yes
carp allow integer yes
carp preempt integer yes
carp log integer yes
carp arpbalance integer yes
icmp errppslimit integer yes
icmp maskrepl integer yes
icmp rediraccept integer yes
icmp redirtimeout integer yes
ip allowsrcrt integer yes
ip anonportmax integer yes
ip anonportmin integer yes
ip checkinterface integer yes
ip directed-broadcast integer yes
ip do_loopback_cksum integer yes
ip forwarding integer yes
ip forwsrcrt integer yes
ip gifttl integer yes
ip grettl integer yes
ip hostzerobroadcast integer yes
ip lowportmin integer yes
ip lowportmax integer yes
ip maxflows integer yes
ip maxfragpackets integer yes
ip mtudisc integer yes
ip mtudisctimeout integer yes
ip random_id integer yes
ip redirect integer yes
ip subnetsarelocal integer yes
ip ttl integer yes
tcp rfc1323 integer yes
tcp sendspace integer yes
tcp recvspace integer yes
tcp mssdflt integer yes
tcp syn_cache_limit integer yes
tcp syn_bucket_limit integer yes
tcp syn_cache_interval integer yes
tcp init_win integer yes
tcp init_win_local integer yes
tcp mss_ifmtu integer yes
tcp win_scale integer yes
tcp timestamps integer yes
tcp compat_42 integer yes
tcp cwm integer yes
tcp cwm_burstsize integer yes
tcp ack_on_push integer yes
tcp keepidle integer yes
tcp keepintvl integer yes
tcp keepcnt integer yes
tcp slowhz integer no
tcp log_refused integer yes
tcp rstppslimit integer yes
tcp ident struct no
tcp sack.enable integer yes
tcp sack.globalholes integer no
tcp sack.globalmaxholes integeryes
tcp sack.maxholes integer yes
tcp ecn.enable integer yes
tcp ecn.maxretries integer yes
tcp congctl.selected string yes
tcp congctl.available string yes
udp checksum integer yes
udp do_loopback_cksum integer yes
udp recvspace integer yes
udp sendspace integer yes
The variables are as follows:
arp.down
Failed ARP entry lifetime.
arp.keep
Valid ARP entry lifetime.
arp.prune
ARP cache pruning interval.
arp.refresh
ARP entry refresh interval.
carp.allow
If set to 0, incoming carp(4) packets will not be processed. If set to any other value, processing will occur. Enabled by default.
carp.arpbalance
If set to any value other than 0, the ARP balancing functionality of carp(4) is enabled. When ARP requests are received for an IP address which is part of any virtual host, carp will hash the source IP in the ARP request to select one of the virtual hosts from the set of all the virtual hosts which have that IP address. The master of that host will respond with the correct virtual MAC address. Disabled by default.
carp.log
If set to any value other than 0, carp(4) will log errors. Disabled by default.
carp.preempt
If set to 0, carp(4) will not attempt to become master if it is receiving advertisements from another active master. If set to any other value, carp will become master of the virtual host if it believes it can send advertisements more frequently than the current master. Disabled by default.
ip.allowsrcrt
If set to 1, the host accepts source routed packets.
ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535, and must be greater than ip.anonportmin.
ip.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535.
ip.checkinterface
If set to non-zero, the host will reject packets addressed to it that arrive on an interface not bound to that address. Currently, this must be disabled if ipnat is used to translate the destination address to another local interface, or if addresses are added to the loopback interface instead of the interface where the packets for those packets are received.
ip.directed-broadcast
If set to 1, enables directed broadcast behavior for the host.
ip.do_loopback_cksum
Perform IP checksum on loopback.
ip.forwarding
If set to 1, enables IP forwarding for the host, meaning that the host is acting as a router.
ip.forwsrcrt
If set to 1, enables forwarding of source-routed packets for the host. This value may only be changed if the kernel security level is less than 1.
ip.gifttl
The maximum time-to-live (hop count) value for an IPv4 packet generated by gif(4) tunnel interface.
ip.grettl
The maximum time-to-live (hop count) value for an IPv4 packet generated by gre(4) tunnel interface.
ip.hostzerobroadcast
All zeroes address is broadcast address.
ip.lowportmax
The highest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be greater than ip.lowportmin.
ip.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be smaller than ip.lowportmax.
ip.maxflows
IP Fast Forwarding is enabled by default. If set to 0, IP Fast Forwarding is disabled. ip.maxflows controls the maximum amount of flows which can be created. The default value is 256.
ip.maxfragpackets
The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. −1 means that the node will accept as many fragmented packets as it receives. The flag is provided basically for avoiding possible DoS attacks.
ip.mtudisc
If set to 1, enables Path MTU Discovery (RFC 1191). When Path MTU Discovery is enabled, the transmitted TCP segment size will be determined by the advertised maximum segment size (MSS) from the remote end, as constrained by the path MTU. If MTU Discovery is disabled, the transmitted segment size will never be greater than tcp.mssdflt (the local maximum segment size).
ip.mtudisctimeout
The number of seconds in which a route added by the Path MTU Discovery engine will time out. When the route times out, the Path MTU Discovery engine will attempt to probe a larger path MTU.
ip.random_id
Assign random ip_id values.
ip.redirect
If set to 1, ICMP redirects may be sent by the host. This option is ignored unless the host is routing IP packets, and should normally be enabled on all systems.
ip.subnetsarelocal
If set to 1, subnets are to be considered local addresses.
ip.ttl
The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to normal transport protocols, not to ICMP.
icmp.errppslimit
The variable specifies the maximum number of outgoing ICMP error messages, per second. ICMP error messages that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limitation.
icmp.maskrepl
If set to 1, ICMP network mask requests are to be answered.
icmp.rediraccept
If set to non-zero, the host will accept ICMP redirect packets. Note that routers will never accept ICMP redirect packets, and the variable is meaningful on IP hosts only.
icmp.redirtimeout
The variable specifies lifetime of routing entries generated by incoming ICMP redirect. This defaults to 600 seconds.
icmp.returndatabytes
Number of bytes to return in an ICMP error message.
tcp.ack_on_push
If set to 1, TCP is to immediately transmit an ACK upon reception of a packet with PUSH set. This can avoid losing a round trip time in some rare situations, but has the caveat of potentially defeating TCP’s delayed ACK algorithm. Use of this option is generally not recommended, but the variable exists in case your configuration really needs it.
tcp.compat_42
If set to 1, enables work-arounds for bugs in the 4.2BSD TCP implementation. Use of this option is not recommended, although it may be required in order to communicate with extremely old TCP implementations.
tcp.cwm
If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window Monitoring algorithm. This algorithm prevents line-rate bursts of packets that could otherwise occur when data begins flowing on an idle TCP connection. These line-rate bursts can contribute to network and router congestion. This can be particularly useful on World Wide Web servers which support HTTP/1.1, which has lingering connections.
tcp.cwm_burstsize
The Congestion Window Monitoring allowed burst size, in terms of packet count.
tcp.delack_ticks
Number of ticks to delay sending an ACK.
tcp.do_loopback_cksum
Perform TCP checksum on loopback.
tcp.init_win
A value indicating the TCP initial congestion window. If this value is 0, an auto-tuning algorithm designed to use an initial window of approximately 4K bytes is in use. Otherwise, this value indicates a fixed number of packets.
tcp.init_win_local
Like tcp.init_win, but used when communicating with hosts on a local network.
tcp.keepcnt
Number of keepalive probes sent before declaring a connection dead. If set to zero, there is no limit; keepalives will be sent until some kind of response is received from the peer.
tcp.keepidle
Time a connection must be idle before keepalives are sent (if keepalives are enabled for the connection). See also tcp.slowhz.
tcp.keepintvl
Time after a keepalive probe is sent until, in the absence of any response, another probe is sent. See also tcp.slowhz.
tcp.log_refused
If set to 1, refused TCP connections to the host will be logged.
tcp.mss_ifmtu
If set to 1, TCP calculates the outgoing maximum segment size based on the MTU of the appropriate interface. If set to 0, it is calculated based on the greater of the MTU of the interface, and the largest (non-loopback) interface MTU on the system.
tcp.mssdflt
The default maximum segment size both advertised to the peer and to use when either the peer does not advertise a maximum segment size to us during connection setup or Path MTU Discovery (ip.mtudisc) is disabled. Do not change this value unless you really know what you are doing.
tcp.newreno
If set to 1, enables the use of J. Hoe’s NewReno congestion control algorithm. This algorithm improves the start-up behavior of TCP connections.
tcp.recvspace
The default TCP receive buffer size.
tcp.rfc1323
If set to 1, enables RFC 1323 extensions to TCP.
tcp.rstppslimit
The variable specifies the maximum number of outgoing TCP RST packets, per second. TCP RST packet that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limitation.
tcp.sack.enable
If set to 1, enables RFC 2018 Selective ACKnowledgement.
tcp.sack.globalholes
Global number of TCP SACK holes.
tcp.sack.globalmaxholes
Global maximum number of TCP SACK holes.
tcp.sack.maxholes
Maximum number of TCP SACK holes allowed per connection.
tcp.ecn.enable
If set to 1, enables RFC 3168 Explicit Congestion Notification.
tcp.ecn.maxretries
Number of times to retry sending the ECN-setup packet.
tcp.sendspace
The default TCP send buffer size.
tcp.slowhz
The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks of a clock that ticks tcp.slowhz times per second. (That is, their values must be divided by the tcp.slowhz value to get times in seconds.)
tcp.syn_bucket_limit
The maximum number of entries allowed per hash bucket in the TCP compressed state engine.
tcp.syn_cache_limit
The maximum number of entries allowed in the TCP compressed state engine.
tcp.timestamps
If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options, used for measuring TCP round trip times, are enabled.
tcp.win_scale
If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options, for increasing the TCP window size, are enabled.
tcp.congctl.available
The available TCP congestion control algorithms.
tcp.congctl.selected
The currently selected TCP congestion control algorithm.
udp.checksum
If set to 1, UDP checksums are being computed. Received non-zero UDP checksums are always checked. Disabling UDP checksums is strongly discouraged.
udp.sendspace
The default UDP send buffer size.
udp.recvspace
The default UDP receive buffer size.
For variables net.*.ipsec, please refer to ipsec(4).
PF_INET6
Get or set various global information about the IPv6 (Internet Protocol version 6). The third level name is the protocol. The fourth level name is the variable name. The currently defined protocols and names are:
Protocol name
Variable name Type Changeable
icmp6 errppslimit integer yes
icmp6 mtudisc_hiwat integer yes
icmp6 mtudisc_lowat integer yes
icmp6 nd6_debug integer yes
icmp6 nd6_delay integer yes
icmp6 nd6_maxnudhint integer yes
icmp6 nd6_mmaxtries integer yes
icmp6 nd6_prune integer yes
icmp6 nd6_umaxtries integer yes
icmp6 nd6_useloopback integer yes
icmp6 nodeinfo integer yes
icmp6 rediraccept integer yes
icmp6 redirtimeout integer yes
ip6 accept_rtadv integer yes
ip6 anonportmax integer yes
ip6 anonportmin integer yes
ip6 auto_flowlabel integer yes
ip6 dad_count integer yes
ip6 defmcasthlim integer yes
ip6 forwarding integer yes
ip6 gifhlim integer yes
ip6 hlim integer yes
ip6 hdrnestlimit integer yes
ip6 kame_version string no
ip6 keepfaith integer yes
ip6 log_interval integer yes
ip6 lowportmax integer yes
ip6 lowportmin integer yes
ip6 maxfragpackets integer yes
ip6 maxfrags integer yes
ip6 redirect integer yes
ip6 rr_prune integer yes
ip6 use_deprecated integer yes
ip6 v6only integer yes
udp6 do_loopback_cksum integer yes
udp6 recvspace integer yes
udp6 sendspace integer yes
The variables are as follows:
ip6.accept_rtadv
If set to non-zero, the node will accept ICMPv6 router advertisement packets and autoconfigures address prefixes and default routers. The node must be a host (not a router) for the option to be meaningful.
ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535, and must be greater than ip6.anonportmin.
ip6.anonportmin
The lowest port number to use for TCP and UDP ephemeral port allocation. This cannot be set to less than 1024 or greater than 65535.
ip6.auto_flowlabel
On connected transport protocol packets, fill IPv6 flowlabel field to help intermediate routers to identify packet flows.
ip6.dad_count
The variable configures number of IPv6 DAD (duplicated address detection) probe packets. The packets will be generated when IPv6 interface addresses are configured.
ip6.defmcasthlim
The default hop limit value for an IPv6 multicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. There are APIs to override the value, as documented in ip6(4).
ip6.forwarding
If set to 1, enables IPv6 forwarding for the node, meaning that the node is acting as a router. If set to 0, disables IPv6 forwarding for the node, meaning that the node is acting as a host. IPv6 specification defines node behavior for ‘‘router’’ case and ‘‘host’’ case quite differently, and changing this variable during operation may cause serious trouble. It is recommended to configure the variable at bootstrap time, and bootstrap time only.
ip6.gifhlim
The maximum hop limit value for an IPv6 packet generated by gif(4) tunnel interface.
ip6.hdrnestlimit
The number of IPv6 extension headers permitted on incoming IPv6 packets. If set to 0, the node will accept as many extension headers as possible.
ip6.hlim
The default hop limit value for an IPv6 unicast packet sourced by the node. This value applies to all the transport protocols on top of IPv6. There are APIs to override the value, as documented in ip6(4).
ip6.kame_version
The string identifies the version of KAME IPv6 stack implemented in the kernel.
ip6.keepfaith
If set to non-zero, it enables ‘‘FAITH’’ TCP relay IPv6-to-IPv4 translator code in the kernel. Refer faith(4) and faithd(8) for detail.
ip6.log_interval
The variable controls amount of logs generated by IPv6 packet forwarding engine, by setting interval between log output (in seconds).
ip6.lowportmax
The highest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be greater than ip6.lowportmin.
ip6.lowportmin
The lowest port number to use for TCP and UDP reserved port allocation. This cannot be set to less than 0 or greater than 1024, and must be smaller than ip6.lowportmax.
ip6.maxfragpackets
The maximum number of fragmented packets the node will accept. 0 means that the node will not accept any fragmented packets. −1 means that the node will accept as many fragmented packets as it receives. The flag is provided basically for avoiding possible DoS attacks.
ip6.maxfrags
The maximum number of fragments the node will accept. 0 means that the node will not accept any fragments. −1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks.
ip6.redirect
If set to 1, ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets, and should normally be enabled on all systems.
ip6.rr_prune
The variable specifies interval between IPv6 router renumbering prefix babysitting, in seconds.
ip6.use_deprecated
The variable controls use of deprecated address, specified in RFC 2462 5.5.4.
ip6.v6only
The variable specifies initial value for IPV6_V6ONLY socket option for AF_INET6 socket. Please refer to ip6(4) for detail.
icmp6.errppslimit
The variable specifies the maximum number of outgoing ICMPv6 error messages, per second. ICMPv6 error messages that exceeded the value are subject to rate limitation and will not go out from the node. Negative value disables rate limitation.
icmp6.mtudisc_hiwat
icmp6.mtudisc_lowat
The variables define the maximum number of routing table entries, created due to path MTU discovery (prevents denial-of-service attacks with ICMPv6 too big messages). When IPv6 path MTU discovery happens, we keep path MTU information into the routing table. If the number of routing table entries exceed the value, the kernel will not attempt to keep the path MTU information. icmp6.mtudisc_hiwat is used when we have verified ICMPv6 too big messages. icmp6.mtudisc_lowat is used when we have unverified ICMPv6 too big messages. Verification is performed by using address/port pairs kept in connected pcbs. Negative value disables the upper limit.
icmp6.nd6_debug
If set to non-zero, kernel IPv6 neighbor discovery code will generate debugging messages. The debug outputs are useful to diagnose IPv6 interoperability issues. The flag must be set to 0 for normal operation.
icmp6.nd6_delay
The variable specifies DELAY_FIRST_PROBE_TIME timing constant in IPv6 neighbor discovery specification (RFC 2461), in seconds.
icmp6.nd6_maxnudhint
IPv6 neighbor discovery permits upper layer protocols to supply reachability hints, to avoid unnecessary neighbor discovery exchanges. The variable defines the number of consecutive hints the neighbor discovery layer will take. For example, by setting the variable to 3, neighbor discovery layer will take 3 consecutive hints in maximum. After receiving 3 hints, neighbor discovery layer will perform normal neighbor discovery process.
icmp6.nd6_mmaxtries
The variable specifies MAX_MULTICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_prune
The variable specifies interval between IPv6 neighbor cache babysitting, in seconds.
icmp6.nd6_umaxtries
The variable specifies MAX_UNICAST_SOLICIT constant in IPv6 neighbor discovery specification (RFC 2461).
icmp6.nd6_useloopback
If set to non-zero, kernel IPv6 stack will use loopback interface for local traffic.
icmp6.nodeinfo
The variable enables responses to ICMPv6 node information queries. If you set the variable to 0, responses will not be generated for ICMPv6 node information queries. Since node information queries can have a security impact, it is possible to fine tune which responses should be answered. Two separate bits can be set.
1
Respond to ICMPv6 FQDN queries, e.g. ping6 -w.
2
Respond to ICMPv6 node addresses queries, e.g. ping6 -a.
icmp6.rediraccept
If set to non-zero, the host will accept ICMPv6 redirect packets. Note that IPv6 routers will never accept ICMPv6 redirect packets, and the variable is meaningful on IPv6 hosts (non-router) only.
icmp6.redirtimeout
The variable specifies lifetime of routing entries generated by incoming ICMPv6 redirect.
udp6.do_loopback_cksum
Perform UDP checksum on loopback.
udp6.recvspace
Default UDP receive buffer size.
udp6.sendspace
Default UDP send buffer size.
We reuse net.*.tcp for TCP over IPv6, and therefore we do not have variables net.*.tcp6. Variables net.inet6.udp6 have identical meaning to net.inet.udp. Please refer to PF_INET section above. For variables net.*.ipsec6, please refer to ipsec(4).
PF_KEY
Get or set various global information about the IPsec key management. The third level name is the variable name. The currently defined variable and names are:
Variable name Type
Changeable
debug integer yes
spi_try integer yes
spi_min_value integer yes
spi_max_value integer yes
larval_lifetime integer yes
blockacq_count integer yes
blockacq_lifetime integer yes
esp_keymin integer yes
esp_auth integer yes
ah_keymin integer yes
The variables are as follows:
debug
Turn on debugging message from within the kernel. The value is a bitmap, as defined in /usr/include/netkey/key_debug.h.
spi_try
The number of times the kernel will try to obtain an unique SPI when it generates it from random number generator.
spi_min_value
Minimum SPI value when generating it within the kernel.
spi_max_value
Maximum SPI value when generating it within the kernel.
larval_lifetime
Lifetime for LARVAL SAD entries, in seconds.
blockacq_count
Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message. It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the key management daemon.
blockacq_lifetime
Lifetime of ACQUIRE PF_KEY message.
esp_keymin
Minimum ESP key length, in bits. The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message.
esp_auth
Whether ESP authentication should be used or not. Non-zero value indicates that ESP authentication should be used. The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message.
ah_keymin
Minimum AH key length, in bits, The value is used when the kernel creates proposal payload on ACQUIRE PF_KEY message.
CTL_PROC
The string and integer information available for the CTL_PROC is detailed below. The changeable column shows whether a process with appropriate privilege may change the value. These values are per-process, and as such may change from one process to another. When a process is created, the default values are inherited from its parent. When a set-user-ID or set-group-ID binary is executed, the value of PROC_PID_CORENAME is reset to the system default value. The second level name is either the magic value PROC_CURPROC, which points to the current process, or the PID of the target process.
Third level name
Type Changeable
PROC_PID_CORENAME string yes
PROC_PID_LIMIT node not applicable
PROC_PID_STOPFORK int yes
PROC_PID_STOPEXEC int yes
PROC_PID_STOPEXIT int yes
PROC_PID_CORENAME
The template used for the core dump file name (see core(5) for details). The base name must either be core or end with the suffix ‘‘.core’’ (the super-user may set arbitrary names). By default it points to KERN_DEFCORENAME.
PROC_PID_LIMIT
Return resources limits, as defined for the getrlimit(2) and setrlimit(2) system calls. The fourth level name is one of:
PROC_PID_LIMIT_CPU
The maximum amount of CPU time (in seconds) to be used by each process.
PROC_PID_LIMIT_FSIZE
The largest size (in bytes) file that may be created.
PROC_PID_LIMIT_DATA
The maximum size (in bytes) of the data segment for a process; this defines how far a program may extend its break with the sbrk(2) system call.
PROC_PID_LIMIT_STACK
The maximum size (in bytes) of the stack segment for a process; this defines how far a program’s stack segment may be extended. Stack extension is performed automatically by the system.
PROC_PID_LIMIT_CORE
The largest size (in bytes) core file that may be created.
PROC_PID_LIMIT_RSS
The maximum size (in bytes) to which a process’s resident set size may grow. This imposes a limit on the amount of physical memory to be given to a process; if memory is tight, the system will prefer to take memory from processes that are exceeding their declared resident set size.
PROC_PID_LIMIT_MEMLOCK
The maximum size (in bytes) which a process may lock into memory using the mlock(2) function.
PROC_PID_LIMIT_NPROC
The maximum number of simultaneous processes for this user id.
PROC_PID_LIMIT_NOFILE
The maximum number of open files for this process.
The fifth level name is one of PROC_PID_LIMIT_TYPE_SOFT or PROC_PID_LIMIT_TYPE_HARD, to select respectively the soft or hard limit. Both are of type integer.
PROC_PID_STOPFORK
If non zero, the process’ children will be stopped after fork(2) calls. The children is created in the SSTOP state and is never scheduled for running before being stopped. This feature helps attaching a process with a debugger such as gdb(1) before it had the opportunity to actually do anything.
This value is inherited by the process’s children, and it also apply to emulation specific system calls that fork a new process, such as sproc() or clone().
PROC_PID_STOPEXEC
If non zero, the process will be stopped on next exec(3) call. The process created by exec(3) is created in the SSTOP state and is never scheduled for running before being stopped. This feature helps attaching a process with a debugger such as gdb(1) before it had the opportunity to actually do anything.
This value is inherited by the process’s children.
PROC_PID_STOPEXIT
If non zero, the process will be stopped on when it has cause to exit, either by way of calling exit(3), _exit(2), or by the receipt of a specific signal. The process is stopped before any of its resources or vm space is released allowing examination of the termination state of a process before it disappears. This feature can be used to examine the final conditions of the process’s vmspace via pmap(1) or its resource settings with sysctl(8) before it disappears.
This value is also inherited by the process’s children.
CTL_USER
The string and integer information available for the CTL_USER level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.
Second level name
Type Changeable
USER_BC_BASE_MAX integer no
USER_BC_DIM_MAX integer no
USER_BC_SCALE_MAX integer no
USER_BC_STRING_MAX integer no
USER_COLL_WEIGHTS_MAX integer no
USER_CS_PATH string no
USER_EXPR_NEST_MAX integer no
USER_LINE_MAX integer no
USER_POSIX2_CHAR_TERM integer no
USER_POSIX2_C_BIND integer no
USER_POSIX2_C_DEV integer no
USER_POSIX2_FORT_DEV integer no
USER_POSIX2_FORT_RUN integer no
USER_POSIX2_LOCALEDEF integer no
USER_POSIX2_SW_DEV integer no
USER_POSIX2_UPE integer no
USER_POSIX2_VERSION integer no
USER_RE_DUP_MAX integer no
USER_STREAM_MAX integer no
USER_TZNAME_MAX integer no
USER_ATEXIT_MAX integer no
USER_BC_BASE_MAX
The maximum ibase/obase values in the bc(1) utility.
USER_BC_DIM_MAX
The maximum array size in the bc(1) utility.
USER_BC_SCALE_MAX
The maximum scale value in the bc(1) utility.
USER_BC_STRING_MAX
The maximum string length in the bc(1) utility.
USER_COLL_WEIGHTS_MAX
The maximum number of weights that can be assigned to any entry of the LC_COLLATE order keyword in the locale definition file.
USER_CS_PATH
Return a value for the PATH environment variable that finds all the standard utilities.
USER_EXPR_NEST_MAX
The maximum number of expressions that can be nested within parenthesis by the expr(1) utility.
USER_LINE_MAX
The maximum length in bytes of a text-processing utility’s input line.
USER_POSIX2_CHAR_TERM
Return 1 if the system supports at least one terminal type capable of all operations described in POSIX 1003.2, otherwise 0.
USER_POSIX2_C_BIND
Return 1 if the system’s C-language development facilities support the C-Language Bindings Option, otherwise 0.
USER_POSIX2_C_DEV
Return 1 if the system supports the C-Language Development Utilities Option, otherwise 0.
USER_POSIX2_FORT_DEV
Return 1 if the system supports the FORTRAN Development Utilities Option, otherwise 0.
USER_POSIX2_FORT_RUN
Return 1 if the system supports the FORTRAN Runtime Utilities Option, otherwise 0.
USER_POSIX2_LOCALEDEF
Return 1 if the system supports the creation of locales, otherwise 0.
USER_POSIX2_SW_DEV
Return 1 if the system supports the Software Development Utilities Option, otherwise 0.
USER_POSIX2_UPE
Return 1 if the system supports the User Portability Utilities Option, otherwise 0.
USER_POSIX2_VERSION
The version of POSIX 1003.2 with which the system attempts to comply.
USER_RE_DUP_MAX
The maximum number of repeated occurrences of a regular expression permitted when using interval notation.
USER_STREAM_MAX
The minimum maximum number of streams that a process may have open at any one time.
USER_TZNAME_MAX
The minimum maximum number of types supported for the name of a timezone.
USER_ATEXIT_MAX
The maximum number of functions that may be registered with atexit(3).
CTL_VM
The string and integer information available for the CTL_VM level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.
Second level name
Type Changeable
VM_ANONMAX int yes
VM_ANONMIN int yes
VM_BUFCACHE int yes
VM_BUFMEM int no
VM_BUFMEM_HIWATER int yes
VM_BUFMEM_LOWATER int yes
VM_EXECMAX int yes
VM_EXECMIN int yes
VM_FILEMAX int yes
VM_FILEMIN int yes
VM_LOADAVG struct loadavg no
VM_MAXSLP int no
VM_METER struct vmtotal no
VM_NKMEMPAGES int no
VM_USPACE int no
VM_UVMEXP struct uvmexp no
VM_UVMEXP2 struct uvmexp_sysctl no
VM_ANONMAX
The percentage of physical memory which will be reclaimed from other types of memory usage to store anonymous application data.
VM_ANONMIN
The percentage of physical memory which will be always be available for anonymous application data.
VM_BUFCACHE
The percentage of physical memory which will be available for the buffer cache.
VM_BUFMEM
The amount of kernel memory that is being used by the buffer cache.
VM_BUFMEM_LOWATER
The minimum amount of kernel memory to reserve for the buffer cache.
VM_BUFMEM_HIWATER
The maximum amount of kernel memory to be used for the buffer cache.
VM_EXECMAX
The percentage of physical memory which will be reclaimed from other types of memory usage to store cached executable data.
VM_EXECMIN
The percentage of physical memory which will be always be available for cached executable data.
VM_FILEMAX
The percentage of physical memory which will be reclaimed from other types of memory usage to store cached file data.
VM_FILEMIN
The percentage of physical memory which will be always be available for cached file data.
VM_LOADAVG
Return the load average history. The returned data consists of a struct loadavg.
VM_MAXSLP
The value of the maxslp kernel global variable.
VM_METER
Return system wide virtual memory statistics. The returned data consists of a struct vmtotal.
VM_USPACE
The number of bytes allocated for each kernel stack.
VM_UVMEXP
Return system wide virtual memory statistics. The returned data consists of a struct uvmexp.
VM_UVMEXP2
Return system wide virtual memory statistics. The returned data consists of a struct uvmexp_sysctl.
CTL_DDB
The integer information available for the CTL_DDB level is detailed below. The changeable column shows whether a process with appropriate privilege may change the value.
Second level name
Type Changeable
DBCTL_RADIX integer yes
DBCTL_MAXOFF integer yes
DBCTL_LINES integer yes
DBCTL_TABSTOPS integer yes
DBCTL_ONPANIC integer yes
DBCTL_FROMCONSOLE integer yes
DBCTL_RADIX
The input and output radix.
DBCTL_MAXOFF
The maximum symbol offset.
DBCTL_LINES
Number of display lines.
DBCTL_TABSTOPS
Tab width.
DBCTL_ONPANIC
If non-zero, DDB will be entered when the kernel panics.
DBCTL_FROMCONSOLE
If not zero, DDB may be entered by sending a break on a serial console or by a special key sequence on a graphics console.
These MIB nodes are also available as variables from within the DDB. See ddb(4) for more details.
CTL_SECURITY
The security level contains various security-related settings for the system. Available settings are detailed below.
security.curtain
If non-zero, will filter return objects according to the user-id requesting information about them, preventing from users any access to objects they don’t own.
At the moment, it affects ps(1), netstat(1) (for PF_INET, PF_INET6, and PF_UNIX PCBs), and w(1).
security.pax
Settings for PaX -- exploit mitigation features.
security.pax.mprotect.enable
Enable PaX MPROTECT restrictions.
These are mprotect(2) restrictions to better enforce a W^X policy. The value of this knob must be non-zero for PaX MPROTECT to be enabled, even if a process is already marked with P_PAXMPROTECT.
security.pax.mprotect.global
Specifies the default global policy for programs without an explicit enable/disable flag.
When non-zero, all programs will get the PaX MPROTECT restrictions, except those exempted with paxctl(1). Otherwise, all programs will not get the PaX MPROTECT restrictions, except those specifically marked as such with paxctl(1).
CTL_VENDOR
The "vendor" toplevel name is reserved to be used by vendors who wish to have their own private MIB tree. Intended use is to store values under ‘‘vendor.<yourname>.*’’.
DYNAMIC OPERATIONS
Several meta-identifiers are provided to perform operations on the sysctl tree itself, or support alternate means of accessing the data instrumented by the sysctl tree.
Name
Description
CTL_QUERY Retrieve a mapping of names to numbers below a given
node
CTL_CREATE Create a new node
CTL_CREATESYM Create a new node by its kernel symbol
CTL_DESTROY Destroy a node
CTL_DESCRIBE Retrieve node descriptions
The core interface to all of these meta-functions is the structure that the kernel uses to describe the tree internally, as defined in 〈sys/sysctl.h〉 as:
struct sysctlnode {
uint32_t sysctl_flags; /* flags and type */
int32_t sysctl_num; /* mib number */
char sysctl_name[SYSCTL_NAMELEN]; /* node name */
uint32_t sysctl_ver; /* node’s version vs. rest of tree
*/
uint32_t __rsvd;
union {
struct {
uint32_t suc_csize; /* size of child node array */
uint32_t suc_clen; /* number of valid children */
struct sysctlnode* suc_child; /* array of child nodes */
} scu_child;
struct {
void *sud_data; /* pointer to external data */
size_t sud_offset; /* offset to data */
} scu_data;
int32_t scu_alias; /* node this node refers to */
int32_t scu_idata; /* immediate "int" data */
u_quad_t scu_qdata; /* immediate "u_quad_t" data */
} sysctl_un;
size_t _sysctl_size; /* size of instrumented data */
sysctlfn _sysctl_func; /* access helper function */
struct sysctlnode *sysctl_parent; /* parent of this node */
const char *sysctl_desc; /* description of node */
};
#define sysctl_csize
sysctl_un.scu_child.suc_csize
#define sysctl_clen sysctl_un.scu_child.suc_clen
#define sysctl_child sysctl_un.scu_child.suc_child
#define sysctl_data sysctl_un.scu_data.sud_data
#define sysctl_offset sysctl_un.scu_data.sud_offset
#define sysctl_alias sysctl_un.scu_alias
#define sysctl_idata sysctl_un.scu_idata
#define sysctl_qdata sysctl_un.scu_qdata
Querying the tree to discover the name to number mapping permits dynamic discovery of all the data that the tree currently has instrumented. For example, to discover all the nodes below the CTL_VFS node:
struct sysctlnode
query, vfs[128];
int mib[2];
size_t len;
mib[0] = CTL_VFS;
mib[1] = CTL_QUERY;
memset(&query, 0, sizeof(query));
query.sysctl_flags = SYSCTL_VERSION;
len = sizeof(vfs);
sysctl(mib, 2, &vfs[0], &len, &query,
sizeof(query));
Note that a reference to an empty node with sysctl_flags set to SYSCTL_VERSION is passed to sysctl in order to indicate the version that the program is using. All dynamic operations passing nodes into sysctl require that the version be explicitly specified.
Creation and destruction of nodes works by constructing part of a new node description (or a description of the existing node) and invoking CTL_CREATE (or CTL_CREATESYM) or CTL_DESTROY at the parent of the new node, with a pointer to the new node passed via the new and newlen arguments. If valid values for old and oldlenp are passed, a copy of the new node once in the tree will be returned. If the create operation fails because a node with the same name or MIB number exists, a copy of the conflicting node will be returned.
The minimum requirements for creating a node are setting the sysctl_flags to indicate the new node’s type, sysctl_num to either the new node’s number (or CTL_CREATE or CTL_CREATESYM if a dynamically allocated MIB number is acceptable), sysctl_size to the size of the data to be instrumented (which must agree with the given type), and sysctl_name must be set to the new node’s name. Nodes that are not of type ‘‘node’’ must also have some description of the data to be instrumented, which will vary depending on what is to be instrumented.
If existing kernel data is to be covered by this new node, its address should be given in sysctl_data or, if CTL_CREATESYM is used, sysctl_data should be set to a string containing its name from the kernel’s symbol table. If new data is to be instrumented and an initial value is available, the new integer or quad type data should be placed into either sysctl_idata or sysctl_qdata, respectively, along with the SYSCTL_IMMEDIATE flag being set, or sysctl_data should be set to point to a copy of the new data, and the SYSCTL_OWNDATA flag must be set. This latter method is the only way that new string and struct type nodes can be initialized. Invalid kernel addresses are accepted, but any attempt to access those nodes will return an error.
The sysctl_csize, sysctl_clen, sysctl_child, sysctl_parent, and sysctl_alias members are used by the kernel to link the tree together and must be NULL or 0. Nodes created in this manner cannot have helper functions, so sysctl_func must also be NULL. If the sysctl_ver member is non-zero, it must match either the version of the parent or the version at the root of the MIB or an error is returned. This can be used to ensure that nodes are only added or removed from a known state of the tree. Note: It may not be possible to determine the version at the root of the tree.
This example creates a new subtree and adds a node to it that controls the audiodebug kernel variable, thereby making it tunable at at any time, without needing to use ddb(4) or kvm(3) to alter the kernel’s memory directly.
struct sysctlnode
node;
int mib[2];
size_t len;
|
mib[0] = CTL_CREATE; |
/* create at top-level */ |
len = sizeof(node);
memset(&node, 0, len);
node.sysctl_flags =
SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_NODE;
snprintf(node.sysctl_name, sizeof(node.sysctl_name), "local");
|
node.sysctl_num = CTL_CREATE; |
/* request dynamic MIB number */ |
sysctl(&mib[0], 1, &node, &len, &node, len);
|
mib[0] = node.sysctl_num; |
/* use new MIB number */ |
||||
|
mib[1] = CTL_CREATESYM; |
/* create at second level */ |
len = sizeof(node);
memset(&node, 0, len);
node.sysctl_flags =
SYSCTL_VERSION|CTLFLAG_READWRITE|CTLTYPE_INT;
snprintf(node.sysctl_name, sizeof(node.sysctl_name),
"audiodebug");
node.sysctl_num = CTL_CREATE;
node.sysctl_data = "audiodebug"; /* kernel symbol to be used */
sysctl(&mib[0], 2, NULL, NULL, &node, len);
The process for deleting nodes is similar, but less data needs to be supplied. Only the sysctl_num field needs to be filled in; almost all other fields must be left blank. The sysctl_name and/or sysctl_ver fields can be filled in with the name and version of the existing node as additional checks on what will be deleted. If all the given data fail to match any node, nothing will be deleted. If valid values for old and oldlenp are supplied and a node is deleted, a copy of what was in the MIB tree will be returned.
This sample code shows the deletion of the two nodes created in the above example:
int mib[2];
len = sizeof(node);
memset(&node, 0, len);
node.sysctl_flags = SYSCTL_VERSION;
|
mib[0] = 3214; |
/* assumed number for "local" */ |
mib[1] = CTL_DESTROY;
|
node.sysctl_num = 3215; |
/* assumed number for "audiodebug" */ |
sysctl(&mib[0], 2, NULL, NULL, &node, len);
mib[0] = CTL_DESTROY;
|
node.sysctl_num = 3214; |
/* now deleting "local" */ |
sysctl(&mib[0], 1, NULL, NULL, &node, len);
Descriptions of each of the nodes can also be retrieved, if they are available. Descriptions can be retrieved in bulk at each level or on a per-node basis. The layout of the buffer into which the descriptions are returned is a series of variable length structures, each of which describes its own size. The length indicated includes the terminating ‘nul’ character. Nodes that have no description or where the description is not available are indicated by an empty string. The descr_ver will match the sysctl_ver value for a given node, so that descriptions for nodes whose number have been recycled can be detected and ignored or discarded.
struct sysctldesc {
int32_t descr_num; /* mib number of node */
uint32_t descr_ver; /* version of node */
uint32_t descr_len; /* length of description string */
char descr_str[1]; /* not really 1...see above */
};
The NEXT_DESCR() macro can be used to skip to the next description in the retrieved list.
struct sysctlnode
desc;
struct sysctldesc *d;
char buf[1024];
int mib[2];
size_t len;
/* retrieve kern-level
descriptions */
mib[0] = CTL_KERN;
mib[1] = CTL_DESCRIBE;
d = (struct sysctldesc *)&buf[0];
len = sizeof(buf);
sysctl(mib, 2, d, &len, NULL, 0);
while ((caddr_t)d < (caddr_t)&buf[len]) {
|
printf("node %d: %.*s\n", d->descr_num, d->descr_len, |
|
|
d->descr_str); |
|
|
d = NEXT_DESCR(d); |
}
/* retrieve description
for kern.securelevel */
memset(&desc, 0, sizeof(desc));
desc.sysctl_flags = SYSCTL_VERSION;
desc.sysctl_num = KERN_SECURELEVEL;
d = (struct sysctldesc *)&buf[0];
len = sizeof(buf);
sysctl(mib, 2, d, &len, &desc, sizeof(desc));
printf("kern.securelevel: %.*s\n", d->descr_len,
d->descr_str);
Descriptions can also be set as follows, subject to the following rules:
•
The kernel securelevel is at zero or lower
•
The caller has super-user privileges
•
The node does not currently have a description
•
The node is not marked as ‘‘permanent’’
struct sysctlnode
desc;
int mib[2];
/* presuming the given
top-level node was just added... */
mib[0] = 3214; /* mib numbers taken from previous examples */
mib[1] = CTL_DESCRIBE;
memset(&desc, 0, sizeof(desc));
desc.sysctl_flags = SYSCTL_VERSION;
desc.sysctl_num = 3215;
desc.sysctl_desc = "audio debug control knob";
sysctl(mib, 2, NULL, NULL, &desc, sizeof(desc));
Upon successfully setting a description, the new description will be returned in the space indicated by the oldp and oldlenp arguments.
The sysctl_flags field in the struct sysctlnode contains the sysctl version, node type information, and a number of flags. The macros SYSCTL_VERS(), SYSCTL_TYPE(), and SYSCTL_FLAGS() can be used to access the different fields. Valid flags are:
|
Name |
Description |
|
|
CTLFLAG_READONLY |
Node is read-only |
|
|
CTLFLAG_READONLY1 |
Node becomes read-only at securelevel 1 |
|
|
CTLFLAG_READONLY2 |
Node becomes read-only at securelevel 2 |
|
|
CTLFLAG_READWRITE |
Node is writable by the superuser |
|
|
CTLFLAG_ANYWRITE |
Node is writable by anyone |
|
|
CTLFLAG_PRIVATE |
Node is readable only by the superuser |
|
|
CTLFLAG_PERMANENT |
Node cannot be removed (cannot be set by processes) |
|
|
CTLFLAG_OWNDATA |
Node owns data and does not instrument existing data |
|
|
CTLFLAG_IMMEDIATE |
Node contains instrumented data and does not instrument existing data |
|
|
CTLFLAG_HEX |
Node’s contents should be displayed in a hexadecimal form |
|
|
CTLFLAG_ROOT |
Node is the root of a tree (cannot be set at any time) |
|
|
CTLFLAG_ANYNUMBER |
Node matches any MIB number (cannot be set by processes) |
|
|
CTLFLAG_HIDDEN |
Node not displayed by default |
|
|
CTLFLAG_ALIAS |
Node refers to a sibling node (cannot be set by processes) |
|
|
CTLFLAG_OWNDESC |
Node owns its own description string space |
RETURN VALUES
If the call to sysctl is successful, the number of bytes copied out is returned. Otherwise −1 is returned and errno is set appropriately.
FILES
〈sys/sysctl.h〉
definitions for top level identifiers, second level kernel and hardware identifiers, and user level identifiers
〈sys/socket.h〉
definitions for second level network identifiers
〈sys/gmon.h〉
definitions for third level profiling identifiers
〈uvm/uvm_param.h〉
definitions for second level virtual memory identifiers
〈netinet/in.h〉
definitions for third level IPv4/v6 identifiers and fourth level IPv4/v6 identifiers
〈netinet/icmp_var.h〉
definitions for fourth level ICMP identifiers
〈netinet/icmp6.h〉
definitions for fourth level ICMPv6 identifiers
〈netinet/tcp_var.h〉
definitions for fourth level TCP identifiers
〈netinet/udp_var.h〉
definitions for fourth level UDP identifiers
〈netinet6/udp6_var.h〉
definitions for fourth level IPv6 UDP identifiers
〈netinet6/ipsec.h〉
definitions for fourth level IPsec identifiers
〈netkey/key_var.h〉
definitions for third level PF_KEY identifiers
〈machine/cpu.h〉
definitions for second level machdep identifiers
ERRORS
The following errors may be reported:
[EFAULT]
The buffer name, oldp, newp, or length pointer oldlenp contains an invalid address, or the requested value is temporarily unavailable.
[EINVAL]
The name array is zero or greater than CTL_MAXNAME.
[EINVAL]
A non-null newp is given and its specified length in newlen is too large or too small, or the given value is not acceptable for the given node.
[ENOMEM]
The length pointed to by oldlenp is too short to hold the requested value.
[EISDIR]
The name array specifies an intermediate rather than terminal name.
[ENOTDIR]
The name array specifies a node below a node that addresses data.
[ENOENT]
The name array specifies a node that does not exist in the tree.
[ENOENT]
An attempt was made to destroy a node that does not exist, or to create or destroy a node below a node that does not exist.
[ENOTEMPTY]
An attempt was made to destroy a node that still has children.
[EOPNOTSUPP]
The name array specifies a value that is unknown or a meta-operation was attempted that the requested node does not support.
[EPERM]
An attempt is made to set a read-only value.
[EPERM]
A process without appropriate privilege attempts to set a value or to create or destroy a node.
[EPERM]
An attempt to change a value protected by the current kernel security level is made.