| author | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 15:32:58 -0400 |
|---|---|---|
| committer | Jacob McDonnell <jacob@jacobmcdonnell.com> | 2026-04-25 15:32:58 -0400 |
| commit | 5cb84ec742fd33f78c8022863fadaa8d0d93e176 (patch) | |
| tree | 1a81ca3665e6153923e40db7b0d988f8573ab59c /static/netbsd/man7/sysctl.7 | |
| parent | a59214f344567c037d5776879bcfc5fcc1d4d5f6 (diff) | |
feat: Added NetBSD man pages
Diffstat (limited to 'static/netbsd/man7/sysctl.7')
| -rw-r--r-- | static/netbsd/man7/sysctl.7 | 2920 |
1 files changed, 2920 insertions, 0 deletions
diff --git a/static/netbsd/man7/sysctl.7 b/static/netbsd/man7/sysctl.7 new file mode 100644 index 00000000..ee306b81 --- /dev/null +++ b/static/netbsd/man7/sysctl.7 
@@ -0,0 +1,2920 @@ +.\" $NetBSD: sysctl.7,v 1.171 2026/04/23 13:42:57 wiz Exp $ +.\" +.\" Copyright (c) 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 +.\" +.Dd April 23, 2026 +.Dt SYSCTL 7 +.Os +.Sh NAME +.Nm sysctl +.Nd system information variables +.Sh DESCRIPTION +The +.Xr sysctl 3 +library function and the +.Xr sysctl 8 +utility are used to get and set values of system variables, maintained +by the kernel. +The variables are organized in a tree and identified by a sequence of +numbers, conventionally separated by dots with the topmost identifier +at the left side. +The numbers have corresponding text names. +The +.Xr sysctlnametomib 3 +function or the +.Fl M +argument to the +.Xr sysctl 8 +utility can be used to convert the text representation to the +numeric one. +.Pp +The individual sysctl variables are described below, both the textual +and numeric form where applicable. +The textual names can be used as argument to the +.Xr sysctl 8 +utility and in the file +.Pa /etc/sysctl.conf . +The numeric names are usually defined as preprocessor constants and +are intended for use by programs. +Every such constant expands to one integer, which identifies the +sysctl variable relative to the upper level of the tree. +See the +.Xr sysctl 3 +manual page for programming examples. +.Ss Top level names +The top level names are defined with a +.Va CTL_ +prefix in +.In sys/sysctl.h , +and are as follows. +The next and subsequent levels down are found in the include files +listed here, and described in separate sections below. 
+.Bl -column "security" ".Dv CTL_SECURITY" ".In uvm/uvm_param.h" "High kernel limits" +.It Sy Name Ta Sy Constant Ta Sy Next level names Ta Sy Description +.It kern Ta Dv CTL_KERN Ta In sys/sysctl.h Ta High kernel limits +.It vm Ta Dv CTL_VM Ta In uvm/uvm_param.h Ta Virtual memory +.It vfs Ta Dv CTL_VFS Ta In sys/mount.h Ta Filesystem +.It net Ta Dv CTL_NET Ta In sys/socket.h Ta Networking +.It debug Ta Dv CTL_DEBUG Ta In sys/sysctl.h Ta Debugging +.It hw Ta Dv CTL_HW Ta In sys/sysctl.h Ta Generic CPU, I/O +.It machdep Ta Dv CTL_MACHDEP Ta In sys/sysctl.h Ta Machine dependent +.It user Ta Dv CTL_USER Ta In sys/sysctl.h Ta User-level +.It ddb Ta Dv CTL_DDB Ta In sys/sysctl.h Ta In-kernel debugger +.It proc Ta Dv CTL_PROC Ta In sys/sysctl.h Ta Per-process +.It vendor Ta Dv CTL_VENDOR Ta ? Ta Vendor specific +.It emul Ta Dv CTL_EMUL Ta In sys/sysctl.h Ta Emulation settings +.It security Ta Dv CTL_SECURITY Ta In sys/sysctl.h Ta Security settings +.El +.Ss The debug.* subtree +The debugging variables vary from system to system. +A debugging variable may be added or deleted without need to recompile +.Nm +to know about it. +Each time it runs, +.Nm +gets the list of debugging variables from the kernel and +displays their current values. +The system defines twenty +.Vt ( struct ctldebug ) +variables named +.Dv debug0 +through +.Dv debug19 . +They are declared as separate variables so that they can be +individually initialized at the location of their associated variable. +The loader prevents multiple use of the same variable by issuing errors +if a variable is initialized in more than one place. 
+For example, to export the variable +.Va dospecialcheck +as a debugging variable, the following declaration would be used: +.Pp +.Bd -literal -offset indent -compact +int dospecialcheck = 1; +struct ctldebug debug5 = { "dospecialcheck", &dospecialcheck }; +.Ed +.Pp +Note that the dynamic implementation of +.Nm +currently in use largely makes this particular +.Nm +interface obsolete. +See +.Xr sysctl 8 +.\" and +.\" .Xr sysctl 9 +for more information. +.Ss The vfs.* subtree +A distinguished second level name, +.Li vfs.generic ( Dv VFS_GENERIC ) , +is used to get general information about all file systems. +It has the following third level identifiers: +.Bl -tag -width "123456" +.It Li vfs.generic.maxtypenum ( Dv VFS_MAXTYPENUM ) +The highest valid file system type number. +.It Li vfs.generic.conf ( Dv VFS_CONF ) +Returns configuration information about the file system type given as a fourth +level identifier. +.It Li vfs.generic.usermount ( Dv VFS_USERMOUNT ) +Controls whether users other than the super-user can mount file +systems. +Defaults to +.Li 0 , +so only the super-user can mount file systems. +.Pp +File systems mounted by unprivileged users must be mounted with the +.Li nodev +and +.Li nosuid +.Xr mount 8 +options. +.It Li vfs.generic.magiclinks ( Dv VFS_MAGICLINKS ) +Controls whether expansion of variables is going to be performed on +pathnames or not. +Defaults to +.Li 0 , +no variable expansion. +Variables are of the form +.Li @name +and the variables supported are described in +.Xr symlink 7 +under +.Dq "MAGIC SYMLINKS" . +.El +.Pp +A second level name for controlling the +.Xr wapbl 4 +(Write Ahead Physical Block Logging file system journaling) +capabilities with the following third level identifiers: +.Bl -tag -width "123456" +.It Li vfs.wapbl.flush_disk_cache +Controls whether to attempt to flush the disk cache on each commit. +It defaults to 1 and it should always be on to ensure integrity +of file system metadata in the event of a power loss. 
+For slow disks, turning it off can improve performance. +.It Li vfs.wapbl.verbose_commit +For each transaction log commit, print the number of bytes written +and the time it took to commit as seconds.nanoseconds. +.El +.Pp +The remaining second level identifiers are the file system names, identified +by the type number returned by a +.Xr statvfs 2 +call or from +.Li vfs.generic.conf . +.Pp +The third level identifiers available for each file system +are given in the header file that defines the mount +argument structure for that file system. +.Ss The hw.* subtree +The string and integer information available for the +.Li hw +level is detailed below. +The changeable column shows whether a process with appropriate +privilege may change the value. +.Bl -column "hw.machine_arch" "integer" "Changeable" -offset indent +.It Sy Second level name Ta Sy Type Ta Sy Changeable +.It hw.alignbytes integer no +.It hw.byteorder integer no +.It hw.cnmagic string yes +.It hw.disknames string no +.It hw.diskstats struct no +.It hw.machine string no +.It hw.machine_arch string no +.It hw.model string no +.It hw.ncpu integer no +.It hw.ncpuonline integer no +.It hw.pagesize integer no +.It hw.physmem integer no +.It hw.physmem64 quad no +.It hw.usermem integer no +.It hw.usermem64 quad no +.El +.Bl -tag -width "123456" +.It Li hw.alignbytes ( Dv HW_ALIGNBYTES ) +Alignment constraint for all possible data types. +This shows the value +.Dv ALIGNBYTES +in +.In machine/param.h , +at the kernel compilation time. +.It Li hw.byteorder ( Dv HW_BYTEORDER ) +The byteorder (4321, or 1234). +.It Li hw.cnmagic ( Dv HW_CNMAGIC ) +The console magic key sequence. +.It Li hw.disknames ( Dv HW_DISKNAMES ) +The list of (space separated) disk device names on the system. +.It Li hw.iostatnames ( Dv HW_IOSTATNAMES ) +A space separated list of devices that will have I/O statistics +collected on them. 
+.It Li hw.iostats ( Dv HW_IOSTATS ) +Return statistical information on the NFS mounts, disk and tape +devices on the system. +An array of +.Vt struct io_sysctl +structures is returned, +whose size depends on the current number of such objects in the system. +The third level name is the size of the +.Vt struct io_sysctl . +The type of object can be determined by examining the +.Va type +element of +.Vt struct io_sysctl . +Which can be +.Dv IOSTAT_DISK +(disk drive), +.Dv IOSTAT_TAPE +(tape drive), or +.Dv IOSTAT_NFS +(NFS mount). +.It Li hw.machine ( Dv HW_MACHINE ) +The machine class. +.It Li hw.machine_arch ( Dv HW_MACHINE_ARCH ) +The machine CPU class. +.It Li hw.model ( Dv HW_MODEL ) +The machine model. +.It Li hw.ncpu ( Dv HW_NCPU ) +The number of CPUs configured. +.It Li hw.ncpuonline ( Dv HW_NCPUONLINE ) +The number of CPUs online. +.It Li hw.pagesize ( Dv HW_PAGESIZE ) +The software page size. +.It Li hw.physmem ( Dv HW_PHYSMEM ) +The bytes of physical memory as a 32-bit integer. +.It Li hw.physmem64 ( Dv HW_PHYSMEM64 ) +The bytes of physical memory as a 64-bit integer. +.It Li hw.usermem ( Dv HW_USERMEM ) +The bytes of non-kernel memory as a 32-bit integer. +.It Li hw.usermem64 ( Dv HW_USERMEM64 ) +The bytes of non-kernel memory as a 64-bit integer. +.El +.Ss The kern.* subtree +This subtree includes data generally related to the kernel. +The string and integer information available for the +.Li kern +level is detailed below. +The changeable column shows whether a process with appropriate +privilege may change the value. 
+.Bl -column "kern.posix_reader_writer_locks" \ +"struct kinfo_drivers" "not applicable" +.It Sy Second level name Ta Sy Type Ta Sy Changeable +.It kern.aio_listio_max integer yes +.It kern.aio_max integer yes +.It kern.arandom integer no +.It kern.argmax integer no +.It kern.boothowto integer no +.It kern.boottime struct timespec no +.It kern.buildinfo string no +.\".It kern.bufq node not applicable +.It kern.ccpu integer no +.It kern.clockrate struct clockinfo no +.It kern.consdev integer no +.It kern.coredump node not applicable +.It kern.cp_id struct no +.It kern.cp_time uint64_t[\|] no +.It kern.cryptodevallowsoft integer yes +.It kern.defcorename string yes +.It kern.detachall integer yes +.It kern.domainname string yes +.It kern.drivers struct kinfo_drivers no +.It kern.dump_on_panic integer yes +.It kern.expose_address integer yes +.It kern.file struct file no +.It kern.forkfsleep integer yes +.It kern.fscale integer no +.It kern.fsync integer no +.It kern.hardclock_ticks integer no +.It kern.heartbeat.max_period integer yes +.It kern.hostid integer yes +.It kern.hostname string yes +.It kern.iov_max integer no +.It kern.ipc node not applicable +.It kern.job_control integer no +.It kern.labeloffset integer no +.It kern.labelsector integer no +.It kern.login_name_max integer no +.It kern.logsigexit integer yes +.It kern.lwp struct kinfo_lwp yes +.It kern.mapped_files integer no +.It kern.maxfiles integer yes +.It kern.maxlwp integer yes +.It kern.maxpartitions integer no +.It kern.maxphys integer no +.It kern.maxproc integer yes +.It kern.maxptys integer yes +.It kern.maxvnodes integer yes +.It kern.messages integer yes +.It kern.mbuf node not applicable +.It kern.memlock integer no +.It kern.memlock_range integer no +.It kern.memory_protection integer no +.It kern.module node not applicable +.It kern.monotonic_clock integer no +.It kern.mqueue node not applicable +.It kern.msgbuf integer no +.It kern.msgbufsize integer no +.It kern.ngroups integer no 
+.\".It kern.no_sa_support integer yes +.It kern.ntptime struct ntptimeval no +.It kern.osrelease string no +.It kern.osrevision integer no +.It kern.ostype string no +.\".It kern.panic_now integer yes +.It kern.pipe node not applicable +.It kern.pool struct pool_sysctl no +.\" .It kern.posix node not applicable +.It kern.posix1version integer no +.It kern.posix_aio integer no +.It kern.posix_barriers integer no +.It kern.posix_reader_writer_locks integer no +.\".It kern.posix_sched integer yes +.It kern.posix_semaphores integer no +.It kern.posix_spin_locks integer no +.It kern.posix_threads integer no +.It kern.posix_timers integer no +.It kern.proc struct kinfo_proc no +.It kern.proc2 struct kinfo_proc2 no +.It kern.proc_args string no +.It kern.profiling node not applicable +.\".It kern.pset node not applicable +.It kern.rawpartition integer no +.It kern.root_device string no +.It kern.root_partition integer no +.It kern.rtc_offset integer yes +.It kern.saved_ids integer no +.It kern.sbmax integer yes +.It kern.sched node not applicable +.It kern.securelevel integer raise only +.It kern.sofixedbuf boolean yes +.It kern.somaxkva integer yes +.It kern.sooptions integer yes +.It kern.synchronized_io integer no +.It kern.timecounter node not applicable +.It kern.timex struct no +.It kern.tkstat node not applicable +.It kern.tty node not applicable +.It kern.urandom integer no +.It kern.usercrypto integer yes +.It kern.userasymcrypto integer yes +.It kern.veriexec node not applicable +.It kern.version string no +.It kern.vnode struct vnode no +.El +.Bl -tag -width "123456" +.It Li kern.aio_listio_max +The maximum number of asynchronous I/O operations in a single list +I/O call. +Like with all variables related to +.Xr aio 3 , +the variable may be created and removed dynamically +upon loading or unloading the corresponding kernel module. +.It Li kern.aio_max +The maximum number of asynchronous I/O operations. 
+.It Li kern.arandom ( Dv KERN_ARND ) +Returns independent uniformly distributed bytes at random each time, as +many as requested up to 256, derived from the system entropy pool; see +.Xr rnd 4 . +.Pp +Reading +.Li kern.arandom +is equivalent to reading up to 256 bytes at a time from +.Pa /dev/urandom : +reading +.Li kern.arandom +never blocks, and once the system entropy pool has full entropy, output +subsequently read from +.Li kern.arandom +is fit for use as cryptographic key material. +For example, the +.Xr arc4random 3 +library routine uses +.Li kern.arandom +internally to seed a cryptographic pseudorandom number generator. +.It Li kern.argmax ( Dv KERN_ARGMAX ) +The maximum bytes of argument to +.Xr execve 2 . +.It Li kern.boothowto +Flags passed from the boot loader; see +.Xr reboot 2 +for the meanings of the flags. +.It Li kern.boottime ( Dv KERN_BOOTTIME ) +A +.Vt struct timespec +structure is returned. +This structure contains the time that the system was booted. +That time is defined (for this purpose) to be the time at +which the kernel first started accumulating clock ticks. +.It Li kern.bufq +This variable contains information on the +.Xr bufq 9 +subsystem. +Currently, the only third level name implemented is +.Dv kern.bufq.strategies +which provides a list of buffer queue strategies currently available. +.It Li kern.buildinfo +When the kernel is built, the build environment may optionally provide +arbitrary information to be stored in this variable. +.It Li kern.ccpu ( Dv KERN_CCPU ) +The scheduler exponential decay value. +.It Li kern.clockrate ( Dv KERN_CLOCKRATE ) +A +.Vt struct clockinfo +structure is returned. +This structure contains the clock, statistics clock and profiling clock +frequencies, the number of micro-seconds per hz tick, and the clock +skew rate. +Refer to +.Xr hz 9 +for additional details. +.It Li kern.consdev ( Dv KERN_CONSDEV ) +Console device. +.It Li kern.coredump +Settings related to set-id processes coredumps. 
+By default, set-id processes do not dump core in situations where +other processes would. +The settings in this node allows an administrator to change this +behavior. +.Pp +The third level name is +.Dv kern.coredump.setid +and fourth level variables are described below. +.Bl -column "kern.coredump.setid.group" "integer" "Changeable" -offset indent +.It Sy Fourth level name Ta Sy Type Ta Sy Changeable +.It kern.coredump.setid.dump integer yes +.It kern.coredump.setid.group integer yes +.It kern.coredump.setid.mode integer yes +.It kern.coredump.setid.owner integer yes +.It kern.coredump.setid.path string yes +.El +.Bl -tag -width "123456" +.It Li kern.coredump.setid.dump +If non-zero, set-id processes will dump core. +.It Li kern.coredump.setid.group +The group-id for the set-id processes' coredump. +.It Li kern.coredump.setid.mode +The mode for the set-id processes' coredump. +See +.Xr chmod 1 . +.It Li kern.coredump.setid.owner +The user-id that will be used as the owner of the set-id processes' +coredump. +.It Li kern.coredump.setid.path +The path to which set-id processes' coredumps will be saved to. +Same syntax as kern.defcorename. +.El +.It Li kern.cp_id ( Dv KERN_CP_ID ) +Mapping of CPU number to CPU id. +.It Li kern.cp_time ( Dv KERN_CP_TIME ) +Returns an array of +.Dv CPUSTATES +.Vt uint64_t Ns s . +This array contains the +number of clock ticks spent in different CPU states. +On multi-processor systems, the sum across all CPUs is returned unless +appropriate space is given for one data set for each CPU. +Data for a specific CPU can also be obtained by adding the number of the +CPU at the end of the MIB, enlarging it by one. +.It Li kern.cryptodevallowsoft +This variable controls userland access to hardware versus software transforms +in the +.Xr crypto 4 +system. +The available values are as follows: +.Bl -tag -width XX0 -offset indent +.It Dv < 0 +Always force userlevel requests to use software transforms. 
+.It Dv = 0 +If present, use hardware and grant userlevel requests for +non-accelerated transforms (handling the latter in software). +.It Dv > 0 +Allow user requests only for transforms which are hardware-accelerated. +.El +.It Li kern.defcorename ( Dv KERN_DEFCORENAME ) +Default template for the name of core dump files (see also +.Li proc.pid.corename +in the per-process variables +.Li proc.* , +and +.Xr core 5 +for format of this template). +The default value is +.Pa %n.core +and can be changed with the kernel configuration option +.Cd options DEFCORENAME +(see +.Xr options 4 +). +.It Li kern.detachall +Detach all devices at shutdown. +.It Li kern.domainname ( Dv KERN_DOMAINNAME ) +Get or set the YP domain name. +.It Li kern.drivers ( Dv KERN_DRIVERS ) +Return an array of +.Vt struct kinfo_drivers +that contains the name and major device numbers of all the device drivers +in the current kernel. +The +.Va d_name +field is always a NUL terminated string. +The +.Va d_bmajor +field will be set to \-1 if the driver doesn't have a block device. +.It Li kern.expose_address +Expose kernel addresses in +.Xr sysctl 3 +calls used by +.Xr fstat 1 +and +.Xr sockstat 1 . +If it is set to +.Dv 0 +access is not allowed. +If it is set to +.Dv 1 +then only processes that have opened +.Pa /dev/kmem +can have access. +If it is set to +.Dv 2 +every process is allowed. +Defaults to +.Dv 0 +for +.Dv KASLR +kernels +and +.Dv 1 +otherwise. +Allowing general access renders KASLR ineffective; allowing only kmem +accessing programs weakens KASLR if those programs can be subverted +to leak the addresses. +.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC ) +Perform a crash dump on system +.Xr panic 9 . +.It Li kern.file ( Dv KERN_FILE ) +Return the entire file table. +The returned data consists of a single +.Vt struct filelist +followed by an array of +.Vt struct file , +whose size depends on the current number of such objects in the system. 
+.It Li kern.forkfsleep ( Dv KERN_FORKFSLEEP ) +If +.Xr fork 2 +system call fails due to limit on number of processes (either +the global maxproc limit or user's one), wait for this many +milliseconds before returning +.Er EAGAIN +error to process. +Useful to keep heavily forking runaway processes in bay. +Default zero (no sleep). +Maximum is 20 seconds. +.It Li kern.fscale ( Dv KERN_FSCALE ) +The kernel fixed-point scale factor. +.It Li kern.fsync ( Dv KERN_FSYNC ) +Return 1 if the +.St -p1003.1b-93 +File Synchronization Option is available +on this system, +otherwise\ 0. +.It Li kern.hardclock_ticks ( Dv KERN_HARDCLOCK_TICKS ) +Returns the number of +.Xr hardclock 9 +ticks. +.It Li kern.heartbeat.max_period +Time in seconds since the last +.Cd options HEARTBEAT +progress check has passed before it will trigger a panic. +See +.Xr options 4 . +.It Li kern.hist +This variable contains kernel history data if the kernel was +configured for any of the options +.Dv UVMHIST , +.Dv USB_DEBUG , +.Dv BIOHIST , +or +.Dv SCDEBUG . +(See +.Xr options 4 +for more details.) +The third-level names correspond to each available history table. +The values of the history tables are in an internal format, and can be +decoded by the +.Xr vmstat 1 +utility's +.Fl U +and +.Fl u +options; +the +.Fl l +option can be used to see which tables are available. +.It Li kern.hostid ( Dv KERN_HOSTID ) +Get or set the host identifier. +This is aimed to replace the legacy +.Xr gethostid 3 +and +.Xr sethostid 3 +system calls. +.It Li kern.hostname ( Dv KERN_HOSTNAME ) +Get or set the +.Xr hostname 1 . +.It Li kern.iov_max ( Dv KERN_IOV_MAX ) +Return the maximum number of +.Vt iovec +structures that a process has available for use with +.Xr preadv 2 , +.Xr pwritev 2 , +.Xr readv 2 , +.Xr recvmsg 2 , +.Xr sendmsg 2 +and +.Xr writev 2 . +.It Li kern.ipc ( Dv KERN_SYSVIPC ) +Return information about the SysV IPC parameters. +The third level names for the ipc variables are detailed below. 
+.Bl -column "kern.ipc.shm_use_phys" "integer" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.ipc.sysvmsg integer no +.It kern.ipc.sysvsem integer no +.It kern.ipc.sysvshm integer no +.It kern.ipc.sysvipc_info struct no +.It kern.ipc.shmmax integer yes +.It kern.ipc.shmmni integer yes +.It kern.ipc.shmseg integer yes +.It kern.ipc.shmmaxpgs integer yes +.It kern.ipc.shm_use_phys integer yes +.It kern.ipc.msgmni integer yes +.It kern.ipc.msgseg integer yes +.It kern.ipc.semmni integer yes +.It kern.ipc.semmns integer yes +.It kern.ipc.semmnu integer yes +.El +.Bl -tag -width "123456" +.It Li kern.ipc.sysvmsg ( Dv KERN_SYSVIPC_MSG ) +Returns 1 if System V style message queue functionality is available +on this system, +otherwise\ 0. +.It Li kern.ipc.sysvsem ( Dv KERN_SYSVIPC_SEM ) +Returns 1 if System V style semaphore functionality is available +on this system, +otherwise\ 0. +.It Li kern.ipc.sysvshm ( Dv KERN_SYSVIPC_SHM ) +Returns 1 if System V style share memory functionality is available +on this system, +otherwise\ 0. +.It Li kern.ipc.sysvipc_info ( Dv KERN_SYSVIPC_INFO ) +Return System V style IPC configuration and run-time information. +The fourth level name selects the System V style IPC facility. +.Bl -column "KERN_SYSVIPC_MSG_INFO" "struct shm_sysctl_info" -offset indent +.It Sy Fourth level name Ta Sy Type +.It KERN_SYSVIPC_MSG_INFO struct msg_sysctl_info +.It KERN_SYSVIPC_SEM_INFO struct sem_sysctl_info +.It KERN_SYSVIPC_SHM_INFO struct shm_sysctl_info +.El +.Bl -tag -width "123456" +.It Li KERN_SYSVIPC_MSG_INFO +Return information on the System V style message facility. +The +.Sy msg_sysctl_info +structure is defined in +.In sys/msg.h . +.It Li KERN_SYSVIPC_SEM_INFO +Return information on the System V style semaphore facility. +The +.Sy sem_sysctl_info +structure is defined in +.In sys/sem.h . +.It Li KERN_SYSVIPC_SHM_INFO +Return information on the System V style shared memory facility. 
+The +.Sy shm_sysctl_info +structure is defined in +.In sys/shm.h . +.El +.It Li kern.ipc.shmmax ( Dv KERN_SYSVIPC_SHMMAX ) +Max shared memory segment size in bytes. +.It Li kern.ipc.shmmni ( Dv KERN_SYSVIPC_SHMMNI ) +Max number of shared memory identifiers. +.It Li kern.ipc.shmseg ( Dv KERN_SYSVIPC_SHMSEG ) +Max shared memory segments per process. +.It Li kern.ipc.shmmaxpgs ( Dv KERN_SYSVIPC_SHMMAXPGS ) +Max amount of shared memory in pages. +.It Li kern.ipc.shm_use_phys ( Dv KERN_SYSVIPC_SHMUSEPHYS ) +Locking of shared memory in physical memory. +If 0, memory can be swapped +out, otherwise it will be locked in physical memory. +.It Li kern.ipc.msgmni +Max number of message queue identifiers. +.It Li kern.ipc.msgseg +Max number of number of message segments. +.It Li kern.ipc.semmni +Max number of number of semaphore identifiers. +.It Li kern.ipc.semmns +Max number of number of semaphores in system. +.It Li kern.ipc.semmnu +Max number of undo structures in system. +.El +.It Li kern.job_control ( Dv KERN_JOB_CONTROL ) +Return 1 if job control is available on this system, otherwise\ 0. +.It Li kern.labeloffset ( Dv KERN_LABELOFFSET ) +The offset within the sector specified by +.Dv KERN_LABELSECTOR +of the +.Xr disklabel 5 . +.It Li kern.labelsector ( Dv KERN_LABELSECTOR ) +The sector number containing the +.Xr disklabel 5 . +.It Li kern.login_name_max ( Dv KERN_LOGIN_NAME_MAX ) +The size of the storage required for a login name, in bytes, +including the terminating NUL. +.It Li kern.logsigexit ( Dv KERN_LOGSIGEXIT ) +If this flag is non-zero, the kernel will +.Xr log 9 +all process exits due to signals which create a +.Xr core 5 +file, and whether the coredump was created. +.It Li kern.lwp ( Dv KERN_LWP ) +Returns information about the current light-weight process. +The +.Sy kinfo_lwp +structure is defined in +.In sys/sysctl.h . 
+.It Li kern.mapped_files ( Dv KERN_MAPPED_FILES ) +Returns 1 if the +.St -p1003.1b-93 +Memory Mapped Files Option is available on this system, +otherwise\ 0. +.It Li kern.maxfiles ( Dv KERN_MAXFILES ) +The maximum number of open files that may be open in the system. +This also controls the maximum file locks per unprivileged user +enforced by +.Xr fcntl 2 +and +.Xr flock 2 . +.It Li kern.maxpartitions ( Dv KERN_MAXPARTITIONS ) +The maximum number of partitions allowed per disk. +.It Li kern.maxlwp +The maximum number of Lightweight Processes (threads) the system allows +per uid. +.It Li kern.maxphys ( Dv KERN_MAXPHYS ) +Maximum raw I/O transfer size. +.It Li kern.maxproc ( Dv KERN_MAXPROC ) +The maximum number of simultaneous processes the system will allow. +.It Li kern.maxptys ( Dv KERN_MAXPTYS ) +The maximum number of pseudo terminals. +This value can be both raised and lowered, though it cannot +be set lower than number of currently used ptys. +See also +.Xr pty 4 . +.It Li kern.maxvnodes ( Dv KERN_MAXVNODES ) +The maximum number of vnodes available on the system. +This cannot be lowered below the number of currently active vnodes. +.It Li kern.mbuf ( Dv KERN_MBUF ) +Return information about the mbuf control variables. +Mbufs are data structures which store network packets and other data +structures in the networking code, see +.Xr mbuf 9 . +The third level names for the mbuf variables are detailed below. +The changeable column shows whether a process with appropriate +privilege may change the value. +.Bl -column "kern.mbuf.nmbclusters_limit" "integer" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.\" XXX Changeable? really? 
+.It kern.mbuf.mblowat integer yes +.It kern.mbuf.mclbytes integer yes +.It kern.mbuf.mcllowat integer yes +.It kern.mbuf.msize integer yes +.It kern.mbuf.nmbclusters integer yes +.It kern.mbuf.nmbclusters_limit integer no +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.mbuf.mblowat ( Dv MBUF_MBLOWAT ) +The mbuf low water mark. +.It Li kern.mbuf.mclbytes ( Dv MBUF_MCLBYTES ) +The mbuf cluster size. +.It Li kern.mbuf.mcllowat ( Dv MBUF_MCLLOWAT ) +The mbuf cluster low water mark. +.It Li kern.mbuf.msize ( Dv MBUF_MSIZE ) +The mbuf base size. +.It Li kern.mbuf.nmbclusters ( Dv MBUF_NMBCLUSTERS ) +The limit on the number of mbuf clusters. +The variable can only be increased, and only increased on machines with +direct-mapped pool pages. +.It Li kern.mbuf.nmbclusters_limit ( Dv MBUF_NMBCLUSTERS_LIMIT ) +The limit of nmbclusters. +.El +.It Li kern.memlock ( Dv KERN_MEMLOCK ) +Returns 1 if the +.St -p1003.1b-93 +Process Memory Locking Option is available on this system, +otherwise\ 0. +.It Li kern.memlock_range ( Dv KERN_MEMLOCK_RANGE ) +Returns 1 if the +.St -p1003.1b-93 +Range Memory Locking Option is available on this system, +otherwise\ 0. +.It Li kern.memory_protection ( Dv KERN_MEMORY_PROTECTION ) +Returns 1 if the +.St -p1003.1b-93 +Memory Protection Option is available on this system, +otherwise\ 0. +.It Li kern.messages +Kernel console message verbosity. +See +.Aq Pa sys/reboot.h +.Bl -column "verbosity" "setting" -offset indent +.It Sy Value Ta Sy Verbosity Ta Sy sys/reboot.h equivalent +.It 0 Ta Silent Ta Sy AB_SILENT +.It 1 Ta Quiet Ta Sy AB_QUIET +.It 2 Ta Normal Ta Sy AB_NORMAL +.It 3 Ta Verbose Ta Sy AB_VERBOSE +.It 4 Ta Debug Ta Sy AB_DEBUG +.El +.It Li kern.module +Settings related to kernel modules. +The third level names for the settings are described below. 
+.Bl -column "kern.module.autounload_unsafe" "integer" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.module.autoload integer yes +.It kern.module.autounload_unsafe integer yes +.It kern.module.autotime integer yes +.It kern.module.verbose boolean yes +.El +.Pp +The variables are as follows: +.Bl -tag -width 6n +.It Li kern.module.autoload +A boolean that controls whether kernel modules are loaded automatically. +See +.Xr module 7 +for details. +.It Li kern.module.autounload_unsafe +A boolean that controls whether the kernel will autounload modules that +were automatically loaded and have not been audited for autounload. +.Pp +By default, only modules that have been audited will be autounloaded, +and only if they were autoloaded to begin with. +.It Li kern.module.autotime +An integer that controls the delay before an attempt is made to +automatically unload a module that was auto-loaded. +Setting this value to zero disables the auto-unload function. +.It Li kern.module.verbose +A boolean that enables or disables verbose +debug messages related to kernel modules. +.El +.It Li kern.monotonic_clock ( Dv KERN_MONOTONIC_CLOCK ) +Returns the standard version the implementation of the +.St -p1003.1b-93 +Monotonic Clock Option conforms to, +otherwise\ 0. +.It Li kern.mqueue +Settings related to POSIX message queues; see +.Xr mqueue 3 . +This node is created dynamically when +the corresponding kernel module is loaded. +The third level names for the settings are described below. 
+.Bl -column "kern.mqueue.mq_max_msgsize" "integer" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.mqueue.mq_open_max integer yes +.It kern.mqueue.mq_prio_max integer yes +.It kern.mqueue.mq_max_msgsize integer yes +.It kern.mqueue.mq_def_maxmsg integer yes +.It kern.mqueue.mq_max_maxmsg integer yes +.El +.Pp +The variables are: +.Bl -tag -width "123456" +.It Li kern.mqueue.mq_open_max +The maximum number of message queue descriptors any single process can open. +.It Li kern.mqueue.mq_prio_max +The maximum priority of a message. +.It Li kern.mqueue.mq_max_msgsize +The maximum size of a message in a message queue. +.It Li kern.mqueue.mq_def_maxmsg +The default maximum message count. +.It Li kern.mqueue.mq_max_maxmsg +The maximum number of messages in a message queue. +.El +.It Li kern.msgbuf ( Dv KERN_MSGBUF ) +The kernel message buffer, rotated so that the head of the circular kernel +message buffer is at the start of the returned data. +The returned data may contain NUL bytes. +.It Li kern.msgbufsize ( Dv KERN_MSGBUFSIZE ) +The maximum number of characters that the kernel message buffer can hold. +.It Li kern.ngroups ( Dv KERN_NGROUPS ) +The maximum number of supplemental groups. +.\" .It Li kern.no_sa_support +.\" XXX: Undocumented. +.It Li kern.ntptime ( Dv KERN_NTPTIME ) +A +.Vt struct ntptimeval +structure is returned. +This structure contains data used by the +.Xr ntpd 8 +program. +.It Li kern.osrelease ( Dv KERN_OSRELEASE ) +The system release string. +.It Li kern.osrevision ( Dv KERN_OSREV ) +The system revision, expressed as an integer. +.It Li kern.ostype ( Dv KERN_OSTYPE ) +The system type string. +.\".It Li kern.panic_now +.\" XXX: Undocumented. +.It Li kern.pipe ( Dv KERN_PIPE ) +Pipe settings. +The third level names for the integer pipe settings is detailed below. +The changeable column shows whether a process with appropriate +privilege may change the value. 
+.Bl -column "kern.pipe.maxbigpipes" "integer" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.pipe.kvasiz integer yes +.It kern.pipe.maxbigpipes integer yes +.It kern.pipe.maxkvasz integer yes +.It kern.pipe.limitkva integer yes +.It kern.pipe.nbigpipes integer yes +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.pipe.kvasiz ( Dv KERN_PIPE_KVASIZ ) +Amount of kernel memory consumed by pipe buffers. +.It Li kern.pipe.maxbigpipes ( Dv KERN_PIPE_MAXBIGPIPES ) +Maximum number of +.Dq big +pipes. +.It Li kern.pipe.maxkvasz ( Dv KERN_PIPE_MAXKVASZ ) +Maximum amount of kernel memory to be used for pipes. +.It Li kern.pipe.limitkva ( Dv KERN_PIPE_LIMITKVA ) +Limit for direct transfers via page loan. +.It Li kern.pipe.nbigpipes ( Dv KERN_PIPE_NBIGPIPES ) +Number of +.Dq big +pipes. +.El +.It Li kern.pool +Provides statistics about the +.Xr pool 9 +and +.Xr pool_cache 9 +subsystems. +.\" XXX: Undocumented .It Li kern.posix ( ? ) +.\" This is a node in which the only variable is semmax. +.It Li kern.posix1version ( Dv KERN_POSIX1 ) +The version of ISO/IEC 9945 +.Pq St -p1003.1 +with which the system attempts to comply. +.It Li kern.posix_aio +The version of +.St -p1003.1 +and its Asynchronous I/O option to which the system attempts to conform. +.It Li kern.posix_barriers ( Dv KERN_POSIX_BARRIERS ) +The version of +.St -p1003.1 +and its +Barriers +option to which the system attempts to conform, +otherwise\ 0. +.It Li kern.posix_reader_writer_locks ( Dv KERN_POSIX_READER_WRITER_LOCKS ) +The version of +.St -p1003.1 +and its +Read-Write Locks +option to which the system attempts to conform, +otherwise\ 0. +.\".It Li kern.posix_sched +.\" XXX: Undocumented. +.It Li kern.posix_semaphores ( Dv KERN_POSIX_SEMAPHORES ) +The version of +.St -p1003.1 +and its +Semaphores +option to which the system attempts to conform, +otherwise\ 0. 
+.It Li kern.posix_spin_locks ( Dv KERN_POSIX_SPIN_LOCKS ) +The version of +.St -p1003.1 +and its +Spin Locks +option to which the system attempts to conform, +otherwise\ 0. +.It Li kern.posix_threads ( Dv KERN_POSIX_THREADS ) +The version of +.St -p1003.1 +and its +Threads +option to which the system attempts to conform, +otherwise\ 0. +.It Li kern.posix_timers ( Dv KERN_POSIX_TIMERS ) +The version of +.St -p1003.1 +and its +Timers +option to which the system attempts to conform, +otherwise\ 0. +.It Li kern.proc ( Dv KERN_PROC ) +Return the entire process table, or a subset of it. +An array of +.Vt struct kinfo_proc +structures is returned, +whose size depends on the current number of such objects in the system. +The third and fourth level numeric names are as follows: +.Bl -column "KERN_PROC_SESSION" "Fourth level is:" -offset indent +.It Sy Third level name Ta Sy Fourth level is : +.It KERN_PROC_ALL None +.It KERN_PROC_GID A group ID +.It KERN_PROC_PID A process ID +.It KERN_PROC_PGRP A process group +.It KERN_PROC_RGID A real group ID +.It KERN_PROC_RUID A real user ID +.It KERN_PROC_SESSION A session ID +.It KERN_PROC_TTY A tty device +.It KERN_PROC_UID A user ID +.El +.It Li kern.proc2 ( Dv KERN_PROC2 ) +As for +.Dv KERN_PROC , +but an array of +.Vt struct kinfo_proc2 +structures are returned. +The fifth level name is the size of the +.Vt struct kinfo_proc2 +and the sixth level name is the number of structures to return. +.It Li kern.proc_args ( Dv KERN_PROC_ARGS ) +Return the argv or environment strings (or the number thereof) +of a process. +Multiple strings are returned separated by NUL characters. +The third level name is the process ID. 
+The fourth level name is as follows: +.Bl -column "KERN_PROG_PATHNAME" "The full pathname of the executable" -offset indent +.It Dv KERN_PROC_ARGV The argv strings +.It Dv KERN_PROC_ENV The environ strings +.It Dv KERN_PROC_NARGV The number of argv strings +.It Dv KERN_PROC_NENV The number of environ strings +.It Dv KERN_PROC_PATHNAME The full pathname of the executable +.It Dv KERN_PROC_CWD The current working directory +.El +.It Li kern.profiling ( Dv KERN_PROF ) +Return profiling information about the kernel. +If the kernel is not compiled for profiling, +attempts to retrieve any of the +.Dv KERN_PROF +values will fail with +.Er EOPNOTSUPP . +The third level names for the string and integer profiling information +is detailed below. +The changeable column shows whether a process with appropriate +privilege may change the value. +.Bl -column "kern.profiling.gmonparam" "struct gmonparam" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.profiling.count u_short[\|] yes +.It kern.profiling.froms u_short[\|] yes +.It kern.profiling.gmonparam struct gmonparam no +.It kern.profiling.state integer yes +.It kern.profiling.tos struct tostruct yes +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.profiling.count ( Dv GPROF_COUNT ) +Array of statistical program counter counts. +.It Li kern.profiling.froms ( Dv GPROF_FROMS ) +Array indexed by program counter of call-from points. +.It Li kern.profiling.gmonparams ( Dv GPROF_GMONPARAM ) +Structure giving the sizes of the above arrays. +.It Li kern.profiling.state ( Dv GPROF_STATE ) +Profiling state. +If set to +.Dv GMON_PROF_ON , +starts profiling. +If set to +.Dv GMON_PROF_OFF , +stops profiling. +.It Li kern.profiling.tos ( Dv GPROF_TOS ) +Array of +.Vt struct tostruct +describing destination of calls and their counts. +.El +.\" .It Li kern.pset +.\" XXX: Undocumented. 
+.It Li kern.rawpartition ( Dv KERN_RAWPARTITION ) +The raw partition of a disk (a == 0). +.It Li kern.root_device ( Dv KERN_ROOT_DEVICE ) +The name of the root device (e.g., +.Dq wd0 ) . +.It Li kern.root_partition ( Dv KERN_ROOT_PARTITION ) +The root partition on the root device (a == 0). +.It Li kern.rtc_offset ( Dv KERN_RTC_OFFSET ) +Return the offset of real time clock from UTC in minutes. +.It Li kern.saved_ids ( Dv KERN_SAVED_IDS ) +Returns 1 if saved set-group and saved set-user ID is available. +.It Li kern.sbmax ( Dv KERN_SBMAX ) +Maximum socket buffer size in bytes. +.It Li kern.securelevel ( Dv KERN_SECURELVL ) +See +.Xr secmodel_securelevel 9 . +.It Li kern.sched ( dynamic ) +Influence the scheduling of LWPs, their prioritisation and how they are +distributed on and moved between CPUs. +.Bl -column "kern.sched.balance_period" "integer" "Changeable" -offset indent +.It Sy Third level name Sy Type Sy Changeable +.It kern.sched.cacheht_time integer yes +.It kern.sched.balance_period integer yes +.It kern.sched.average_weight integer yes +.It kern.sched.min_catch integer yes +.It kern.sched.timesoftints integer yes +.It kern.sched.kpreempt_pri integer yes +.It kern.sched.upreempt_pri integer yes +.It kern.sched.maxts integer yes +.It kern.sched.mints integer yes +.It kern.sched.name string no +.It kern.sched.rtts integer no +.It kern.sched.pri_min integer no +.It kern.sched.pri_max integer no +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.sched.cacheht_time ( dynamic ) +Cache hotness time in which a LWP is kept on one particular CPU +and not moved to another CPU. +This reduces the overhead of flushing and reloading caches. +Defaults to 3ms. +Needs to be given in +.Dq hz +units, see +.Xr mstohz 9 . +.It Li kern.sched.balance_period ( dynamic ) +Interval at which the CPU queues are checked for re-balancing. +Defaults to 300ms. +Needs to be given in +.Dq hz +units, see +.Xr mstohz 9 . 
+.It Li kern.sched.average_weight ( dynamic ) +Can be used to influence how likely LWPs are to be migrated from +one CPU's queue of LWPs that are ready to run to a different, idle CPU. +The value gives the percentage for weighting the average count of +migratable threads from the past against the current number of +migratable threads. +A small value gives more weight to the past, a larger values more weight +on the current situation. +Defaults to 50 and must be between 0 and 100. +.It Li kern.sched.min_catch ( dynamic ) +Minimum count of migratable (runnable) threads for catching (stealing) +from another CPU. +Defaults to 1 but can be increased to decrease chance of thread +migration between CPUs. +.It Li kern.sched.timesoftints ( dynamic ) +Enable tracking of CPU time for soft interrupts +as part of a LWP's real execution time. +Set to a non-zero value to enable, +and see +.Xr ps 1 +for printing CPU times. +.It Li kern.sched.kpreempt_pri ( dynamic ) +Minimum priority to trigger kernel preemption. +.It Li kern.sched.upreempt_pri ( dynamic ) +Minimum priority to trigger user preemption. +.It Li kern.sched.maxts ( dynamic ) +Scheduler specific maximal time quantum (in milliseconds). +Must be set to a value larger than +.Dq mints +and between 10 and +.Dq hz +as given by the +.Dv kern.clockrate +sysctl. +Provided by the M2 scheduler. +.It Li kern.sched.mints ( dynamic ) +Scheduler specific minimal time quantum (in milliseconds). +Must be set to a value smaller than +.Dq maxts +and between 1 and +.Dq hz +as given by the +.Dq kern.clockrate +sysctl. +Provided by the M2 scheduler. +.It Li kern.sched.name ( dynamic ) +Scheduler name. +Provided both by the M2 and the 4BSD scheduler. +.It Li kern.sched.rtts ( dynamic ) +Fixed scheduler specific round-robin time quantum in milliseconds. +Provided both by the M2 and the 4BSD scheduler. +.It Li kern.sched.pri_min ( dynamic ) +Minimal POSIX real-time priority. +See +.Xr sched 3 . 
+.It Li kern.sched.pri_max ( dynamic ) +Maximal POSIX real-time priority. +See +.Xr sched 3 . +.El +.It Li kern.sofixedbuf ( Dv KERN_SOFIXEDBUF ) +Prevent socket buffer autoscaling when a size is set with +.Dv SO_SNDBUF +or +.Dv SO_RCVBUF . +.It Li kern.somaxkva ( Dv KERN_SOMAXKVA ) +Maximum amount of kernel memory to be used for socket buffers in bytes. +.It Li kern.sooptions +Set the default socket option flags for +.Xr socket 2 +creation. +See +.Xr setsockopt 2 +for a list of supported flags. +.It Li kern.synchronized_io ( Dv KERN_SYNCHRONIZED_IO ) +Returns 1 if the +.St -p1003.1b-93 +Synchronized I/O Option is available on this system, +otherwise\ 0. +.It Li kern.timecounter ( dynamic ) +Display and control the timecounter source of the system. +.Bl -column "kern.timecounter.timestepwarnings" "integer" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.timecounter.choice string no +.It kern.timecounter.hardware string yes +.It kern.timecounter.timestepwarnings integer yes +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.timecounter.choice ( dynamic ) +The list of available timecounters with their quality and frequency. +.It Li kern.timecounter.hardware ( dynamic ) +The currently selected timecounter source. +.It Li kern.timecounter.timestepwarnings ( dynamic ) +If non-zero display a message each time the time is stepped. +.El +.It Li kern.timex ( Dv KERN_TIMEX ) +Not available. +.It Li kern.tkstat ( Dv KERN_TKSTAT ) +Return information about the number of characters sent and received +on ttys. +The third level names for the tty statistic variables are detailed below. +The changeable column shows whether a process +with appropriate privilege may change the value. 
+.Bl -column "kern.tkstat.cancc" "quad" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.tkstat.cancc quad no +.It kern.tkstat.nin quad no +.It kern.tkstat.nout quad no +.It kern.tkstat.rawcc quad no +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.tkstat.cancc ( Dv KERN_TKSTAT_CANCC ) +The number of canonical input characters. +.It Li kern.tkstat.nin ( Dv KERN_TKSTAT_NIN ) +The total number of input characters. +.It Li kern.tkstat.nout ( Dv KERN_TKSTAT_NOUT ) +The total number of output characters. +.It Li kern.tkstat.rawcc ( Dv KERN_TKSTAT_RAWCC ) +The number of raw input characters. +.El +.It Li kern.tty +The third level names for the tty setup variables are detailed below. +The changeable column shows whether a process +with appropriate privilege may change the value. +.Bl -column "kern.tty.qsize" "int" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.tty.qsize int yes +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li kern.tty.qsize +Control/display the size of the default input and output queues selected +during tty creation. +Is converted to a power of two and its range is between +.Dv 1024 +and +.Dv 65536 . +.El +.It Li kern.uidinfo +Resource usage for the current user. +.Bl -column "kern.uidinfo.proccnt" "integer" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.uidinfo.proccnt integer no +.It kern.uidinfo.lwpcnt integer no +.It kern.uidinfo.lockcnt integer no +.It kern.uidinfo.semcnt integer no +.It kern.uidinfo.sbsize integer no +.El +.Bl -tag -width "123456" +.It Li kern.uidinfo.proccnt +Returns the number of active processes for the current user. +.It Li kern.uidinfo.lwpcnt +Returns the number of active threads for the current user; the first thread +of each process is not counted. +.It Li kern.uidinfo.lockcnt +Number of locks held by the current user. 
+.It Li kern.uidinfo.semcnt +Number of semaphores held by the current user. +.It Li kern.uidinfo.sbsize +Number of bytes in socket buffers allocated to the current user. +.El +.It Li kern.urandom ( Dv KERN_URND ) +Random integer value. +.It Li kern.usercrypto +When enabled, allows userland to +.Xr open 2 +the +.Pa /dev/crypto +special device, used by the +.Xr crypto 4 +system. +.It Li kern.userasymcrypto +Enables or disables the use of software asymmetric crypto support in the +.Xr crypto 4 +system. +.It Li kern.veriexec +Runtime information for +.Xr veriexec 8 . +.Bl -column "kern.veriexec.algorithms" "integer" "Changeable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It kern.veriexec.algorithms string no +.It kern.veriexec.count node not applicable +.It kern.veriexec.strict integer yes +.It kern.veriexec.verbose integer yes +.El +.Bl -tag -width "123456" +.It Li kern.veriexec.algorithms +Returns a string with the supported algorithms in Veriexec. +.It Li kern.veriexec.count +Sub-nodes are added to this node as new mounts are monitored by Veriexec. +Each mount will be under its own +.No tableN +node. +Under each node there will be three variables, indicating the mount +point, the file system type, and the number of entries. +.It Li kern.veriexec.strict +Controls the strict level of Veriexec. +See +.Xr security 7 +for more information on each level's implications. +.It Li kern.veriexec.verbose +Controls the verbosity level of Veriexec. +If 0, only the minimal +indication required will be given about what's happening - fingerprint +mismatches, removal of entries from the tables, modification of a +fingerprinted file. +If 1, more messages will be printed (ie., when a file with a valid +fingerprint is accessed). +Verbose level 2 is debug mode. +.El +.It Li kern.version ( Dv KERN_VERSION ) +The system version string. +.It Li kern.vnode ( Dv KERN_VNODE ) +Return the entire vnode table. 
+Note, the vnode table is not necessarily a consistent snapshot of +the system. +The returned data consists of an array whose size depends on the +current number of such objects in the system. +Each element of the array contains the kernel address of a vnode +.Vt struct vnode * +followed by the vnode itself +.Vt struct vnode . +.El +.Ss The machdep.* subtree +The set of variables defined is architecture dependent. +Most architectures define at least the following variables. +.Bl -column "machdep.booted_kernel" "Type" "Changeable" -offset indent +.It Sy Second level name Ta Sy Type Ta Sy Changeable +.It Li machdep.booted_kernel string no +.El +.\" XXX: Document the above. +.Ss The net.* subtree +The string and integer information available for the +.Li net +level is detailed below. +The changeable column shows whether a process with appropriate +privilege may change the value. +The second and third levels are typically the protocol family and +protocol number, though this is not always the case. +.Bl -column "Second level name" "IPsec key management values" "Changeable" -offset indent +.It Sy Second level name Ta Sy Type Ta Sy Changeable +.It net.route routing messages no +.It net.inet IPv4 values yes +.It net.inet6 IPv6 values yes +.It net.key IPsec key management values yes +.El +.Bl -tag -width "123456" +.It Li net.route ( Dv PF_ROUTE ) +.\" XXX really? +Return the entire routing table or a subset of it. +The data is returned as a sequence of routing messages (see +.Xr route 4 +for the header file, format and meaning). +The length of each message is contained in the message header. +.Pp +The third level name is a protocol number, which is currently always\ 0. +The fourth level name is an address family, which may be set to 0 to +select all address families. 
+The fifth and sixth level names are as follows: +.Bl -column "Fifth level name" "Sixth level is:" -offset indent +.It Sy Fifth level name Ta Sy Sixth level is : +.It NET_RT_FLAGS rtflags +.It NET_RT_DUMP None +.It NET_RT_IFLIST None +.El +.It Li net.inet ( Dv PF_INET ) +Get or set various global information about the IPv4 +.Pq Internet Protocol version 4 . +The third level name is the protocol. +The fourth level name is the variable name. +The currently defined protocols and names are: +.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent +.It Sy Protocol Variable Ta Sy Type Ta Sy Changeable +.It arp nd_delay integer yes +.It arp nd_bmaxtries integer yes +.It arp nd_umaxtries integer yes +.It arp nd_basereachable integer yes +.It arp nd_retrans integer yes +.It arp nd_nud integer yes +.It arp nd_maxnudhint integer yes +.It arp log_movements integer yes +.It arp log_permanent_modify integer yes +.It arp log_unknown_network integer yes +.It arp log_wrong_iface integer yes +.It carp allow integer yes +.It carp preempt integer yes +.It carp log integer yes +.It carp arpbalance integer yes +.It icmp errppslimit integer yes +.It icmp maskrepl integer yes +.It icmp rediraccept integer yes +.It icmp redirtimeout integer yes +.It icmp bmcastecho integer yes +.It icmp dynamic_rt_msg boolean yes +.It ip allowsrcrt integer yes +.It ip anonportalgo.selected string yes +.It ip anonportalgo.available string yes +.It ip anonportalgo.reserve struct yes +.It ip anonportmax integer yes +.It ip anonportmin integer yes +.It ip checkinterface integer yes +.It ip dad_count integer yes +.It ip directed-broadcast integer yes +.It ip do_loopback_cksum integer yes +.It ip forwarding integer yes +.It ip forwsrcrt integer yes +.It ip gifttl integer yes +.It ip grettl integer yes +.It ip hashsize integer yes +.It ip hostzerobroadcast integer yes +.It ip lowportmin integer yes +.It ip lowportmax integer yes +.It ip maxflows integer yes +.It ip maxfragpackets 
integer yes +.It ip mtudisc integer yes +.It ip mtudisctimeout integer yes +.It ip random_id integer yes +.It ip redirect integer yes +.It ip subnetsarelocal integer yes +.It ip ttl integer yes +.It tcp rfc1323 integer yes +.It tcp sendspace integer yes +.It tcp recvspace integer yes +.It tcp mssdflt integer yes +.It tcp syn_cache_limit integer yes +.It tcp syn_bucket_limit integer yes +.It tcp syn_cache_interval integer yes +.It tcp init_win integer yes +.It tcp init_win_local integer yes +.It tcp mss_ifmtu integer yes +.It tcp win_scale integer yes +.It tcp timestamps integer yes +.It tcp cwm integer yes +.It tcp cwm_burstsize integer yes +.It tcp ack_on_push integer yes +.It tcp keepidle integer yes +.It tcp keepintvl integer yes +.It tcp keepcnt integer yes +.It tcp slowhz integer no +.It tcp keepinit integer yes +.It tcp log_refused integer yes +.It tcp rstppslimit integer yes +.It tcp ident struct no +.It tcp drop struct no +.It tcp sack.enable integer yes +.It tcp sack.globalholes integer no +.It tcp sack.globalmaxholes integer yes +.It tcp sack.maxholes integer yes +.It tcp ecn.enable integer yes +.It tcp ecn.maxretries integer yes +.It tcp congctl.selected string yes +.It tcp congctl.available string yes +.It tcp abc.enable integer yes +.It tcp abc.aggressive integer yes +.It udp checksum integer yes +.It udp do_loopback_cksum integer yes +.It udp recvspace integer yes +.It udp sendspace integer yes +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li arp.nd_delay +The delay in seconds before sending the first probe, +after it has been decided that the entry is stale. +.It Li arp.nd_bmaxtries +The maximum number of broadcasts send to discover the hardware address +claiming an IP address. +.It Li arp.nd_umaxtries +The maximum number of unicasts send to the hardware address to ensure +it still claims an IP address. 
+.It Li arp.nd_basereachable +The number of milliseconds the ARP entry is considered reachable before +probing reachability. +.It Li arp.nd_retrans +The number of milliseconds between ARP probes. +.It Li arp.nd_nud +If set to non-zero, perform Neighbor Unreachability Detection. +.It Li arp.nd_maxnudhint +Neighbor discovery permits upper layer protocols to supply reachability +hints, to avoid unnecessary neighbor discovery exchanges. +The variable defines the number of consecutive hints the neighbor discovery +layer will take. +For example, by setting the variable to 3, neighbor discovery layer +will take 3 consecutive hints in maximum. +After receiving 3 hints, neighbor discovery layer will perform +normal neighbor discovery process. +.It Li carp.allow +If set to 0, incoming +.Xr carp 4 +packets will not be processed. +If set to any other value, processing will occur. +Enabled by default. +.It Li carp.arpbalance +If set to any value other than 0, the ARP balancing functionality of +.Xr carp 4 +is enabled. +When ARP requests are received for an IP address which is part of any virtual +host, carp will hash the source IP in the ARP request to select one of the +virtual hosts from the set of all the virtual hosts which have that IP address. +The master of that host will respond with the correct virtual MAC address. +Disabled by default. +.It Li carp.log +If set to any value other than 0, +.Xr carp 4 +will log errors. +Disabled by default. +.It Li carp.preempt +If set to 0, +.Xr carp 4 +will not attempt to become master if it is receiving advertisements from +another active master. +If set to any other value, carp will become master of the virtual host if it +believes it can send advertisements more frequently than the current master. +Disabled by default. +.It Li ip.allowsrcrt +If set to 1, the host accepts source routed packets. +.It Li ip.anonportalgo.available +The available RFC 6056 port randomization algorithms. 
+.It Li ip.anonportalgo.reserve +A bitmask of ports that will not be used during anonymous or privileged +port selection. +.It Li ip.anonportalgo.selected +The currently selected RFC 6056 port randomization algorithm; see +.Xr rfc6056 7 +for details. +.It Li ip.anonportmax +The highest port number to use for TCP and UDP ephemeral port allocation. +This cannot be set to less than 1024 or greater than 65535, and must +be greater than +.Li ip.anonportmin . +.It Li ip.anonportmin +The lowest port number to use for TCP and UDP ephemeral port allocation. +This cannot be set to less than 1024 or greater than 65535. +.It Li ip.checkinterface +If set to non-zero, the host will reject packets addressed to it +that arrive on an interface not bound to that address. +Currently, this must be disabled if NAT is used to translate the +destination address to another local interface, or if addresses +are added to the loopback interface instead of the interface where +the packets for those packets are received. +.It Li ip.dad_count +The number of +.Xr arp 4 +probes sent for Address Conflict Detection. +Set to 0 to disable this. +.It Li ip.directed-broadcast +If set to 1, enables directed broadcast behavior for the host. +.It Li ip.do_loopback_cksum +Perform IP checksum on loopback. +.It Li ip.forwarding +If set to 1, enables IP forwarding for the host, +meaning that the host is acting as a router. +.It Li ip.forwsrcrt +If set to 1, enables forwarding of source-routed packets for the host. +This value may only be changed if the kernel security level is less than 1. +.It Li ip.gifttl +The maximum time-to-live (hop count) value for an IPv4 packet generated by +.Xr gif 4 +tunnel interface. +.It Li ip.grettl +The maximum time-to-live (hop count) value for an IPv4 packet generated by +.Xr gre 4 +tunnel interface. +.It Li ip.hashsize +The size of IPv4 Fast Forward hash table. +This value must be a power of 2 (64, 256...). +A larger hash table size results in fewer collisions. 
+Also see +.Li ip.maxflows . +.It Li ip.hostzerobroadcast +All zeroes address is broadcast address. +.It Li ip.lowportmax +The highest port number to use for TCP and UDP reserved port allocation. +This cannot be set to less than 0 or greater than 1024, and must +be greater than +.Li ip.lowportmin . +.It Li ip.lowportmin +The lowest port number to use for TCP and UDP reserved port allocation. +This cannot be set to less than 0 or greater than 1024, and must +be smaller than +.Li ip.lowportmax . +.It Li ip.maxflows +IPv4 Fast Forwarding is enabled by default. +If set to 0, IPv4 Fast Forwarding is disabled. +.Li ip.maxflows +controls the maximum amount of flows which can be created. +The default value is 256. +.It Li ip.maxfragpackets +The maximum number of fragmented packets the node will accept. +0 means that the node will not accept any fragmented packets. +\-1 means that the node will accept as many fragmented packets as it receives. +The flag is provided basically for avoiding possible DoS attacks. +.It Li ip.mtudisc +If set to 1, enables Path MTU Discovery (RFC 1191). +When Path MTU Discovery is enabled, the transmitted TCP segment +size will be determined by the advertised maximum segment size +(MSS) from the remote end, as constrained by the path MTU. +If MTU Discovery is disabled, the transmitted segment size will +never be greater than +.Li tcp.mssdflt +(the local maximum segment size). +.It Li ip.mtudisctimeout +The number of seconds in which a route added by the Path MTU +Discovery engine will time out. +When the route times out, the Path +MTU Discovery engine will attempt to probe a larger path MTU. +.It Li ip.random_id +Assign random ip_id values. +.It Li ip.redirect +If set to 1, ICMP redirects may be sent by the host. +This option is ignored unless the host is routing IP packets, +and should normally be enabled on all systems. +.It Li ip.subnetsarelocal +If set to 1, subnets are to be considered local addresses. 
+.It Li ip.ttl +The maximum time-to-live (hop count) value for an IP packet sourced by +the system. +This value applies to normal transport protocols, not to ICMP. +.It Li icmp.errppslimit +The variable specifies the maximum number of outgoing ICMP error messages, +per second. +ICMP error messages that exceeded the value are subject to rate limitation +and will not go out from the node. +Negative value disables rate limitation. +.It Li icmp.maskrepl +If set to 1, ICMP network mask requests are to be answered. +.It Li icmp.rediraccept +If set to non-zero, the host will accept ICMP redirect packets. +Note that routers will never accept ICMP redirect packets, +and the variable is meaningful on IP hosts only. +.It Li icmp.redirtimeout +The variable specifies lifetime of routing entries generated by incoming +ICMP redirect. +This defaults to 600 seconds. +.It Li icmp.returndatabytes +Number of bytes to return in an ICMP error message. +.It Li icmp.bmcastecho +If set to 1, enables responding to ICMP echo or timestamp request to the +broadcast address. +.It Li icmp.dynamic_rt_msg +A boolean that the kernel sends routing message for RTM_DYNAMIC or not. +If set to true, sends such routing message. +.It Li tcp.ack_on_push +If set to 1, TCP is to immediately transmit an ACK upon reception of +a packet with PUSH set. +This can avoid losing a round trip time in some rare situations, +but has the caveat of potentially defeating TCP's delayed ACK algorithm. +Use of this option is generally not recommended, but +the variable exists in case your configuration really needs it. +.It Li tcp.cwm +If set to 1, enables use of the Hughes/Touch/Heidemann Congestion Window +Monitoring algorithm. +This algorithm prevents line-rate bursts of packets that could +otherwise occur when data begins flowing on an idle TCP connection. +These line-rate bursts can contribute to network and router congestion. 
+This can be particularly useful on World Wide Web servers +which support HTTP/1.1, which has lingering connections. +.It Li tcp.cwm_burstsize +The Congestion Window Monitoring allowed burst size, in terms +of packet count. +.It Li tcp.delack_ticks +Number of ticks to delay sending an ACK. +.It Li tcp.do_loopback_cksum +Perform TCP checksum on loopback. +.It Li tcp.init_win +A value indicating the TCP initial congestion window. +The valid range +is 0 to 10 (maximum specified by RFC6928), +with a default of 4 (approximately 4K per RFC3390). +.It Li tcp.init_win_local +Like +.Li tcp.init_win , +but used when communicating with hosts on a local network. +.It Li tcp.keepcnt +Number of keepalive probes sent before declaring a connection dead. +If set to zero, there is no limit; +keepalives will be sent until some kind of +response is received from the peer. +.It Li tcp.keepidle +Time a connection must be idle before keepalives are sent (if keepalives +are enabled for the connection). +See also tcp.slowhz. +.It Li tcp.keepintvl +Time after a keepalive probe is sent until, in the absence of any response, +another probe is sent. +See also tcp.slowhz. +.It Li tcp.log_refused +If set to 1, refused TCP connections to the host will be logged. +.It Li tcp.keepinit +Timeout in seconds during connection establishment. +.It Li tcp.mss_ifmtu +If set to 1, TCP calculates the outgoing maximum segment size based on +the MTU of the appropriate interface. +If set to 0, it is calculated based on the greater of the MTU of the +interface, and the largest (non-loopback) interface MTU on the system. +.It Li tcp.mssdflt +The default maximum segment size both advertised to the peer +and to use when either the peer does not advertise a maximum segment size to +us during connection setup or Path MTU Discovery +.Li ( ip.mtudisc ) +is disabled. +Do not change this value unless you really know what you are doing. +.It Li tcp.recvspace +The default TCP receive buffer size. 
+.It Li tcp.rfc1323 +If set to 1, enables RFC 1323 extensions to TCP. +.It Li tcp.rstppslimit +The variable specifies the maximum number of outgoing TCP RST packets, +per second. +TCP RST packet that exceeded the value are subject to rate limitation +and will not go out from the node. +Negative value disables rate limitation. +.It Li tcp.ident +Return the user ID of a connected socket pair. +(RFC1413 Identification Protocol lookups.) +.It Li tcp.drop +Drop a TCP socket pair connection. +.It Li tcp.sack.enable +If set to 1, enables RFC 2018 Selective ACKnowledgement. +.It Li tcp.sack.globalholes +Global number of TCP SACK holes. +.It Li tcp.sack.globalmaxholes +Global maximum number of TCP SACK holes. +.It Li tcp.sack.maxholes +Maximum number of TCP SACK holes allowed per connection. +.It Li tcp.ecn.enable +If set to 1, enables RFC 3168 Explicit Congestion Notification. +.It Li tcp.ecn.maxretries +Number of times to retry sending the ECN-setup packet. +.It Li tcp.sendspace +The default TCP send buffer size. +.It Li tcp.slowhz +The units for tcp.keepidle and tcp.keepintvl; those variables are in ticks +of a clock that ticks tcp.slowhz times per second. +(That is, their values +must be divided by the tcp.slowhz value to get times in seconds.) +.It Li tcp.syn_bucket_limit +The maximum number of entries allowed per hash bucket in the TCP +compressed state engine. +.It Li tcp.syn_cache_limit +The maximum number of entries allowed in the TCP compressed state +engine. +.It Li tcp.timestamps +If rfc1323 is enabled, a value of 1 indicates RFC 1323 time stamp options, +used for measuring TCP round trip times, are enabled. +.It Li tcp.win_scale +If rfc1323 is enabled, a value of 1 indicates RFC 1323 window scale options, +for increasing the TCP window size, are enabled. +.It Li tcp.congctl.available +The available TCP congestion control algorithms. +.It Li tcp.congctl.selected +The currently selected TCP congestion control algorithm. 
+.It Li tcp.abc.enable +If set to 1, use RFC 3465 Appropriate Byte Counting (ABC). +If set to 0, use traditional Packet Counting. +.It Li tcp.abc.aggressive +Choose the L parameter found in RFC 3465. +L is the maximum cwnd increase for an ack during slow start. +If set to 1, use L=2*SMSS. +If set to 0, use L=1*SMSS. +It has no effect unless tcp.abc.enable is set to 1. +.It Li udp.checksum +If set to 1, UDP checksums are being computed. +Received non-zero UDP checksums are always checked. +Disabling UDP checksums is strongly discouraged. +.It Li udp.recvspace +The default UDP receive buffer size. +.It Li udp.sendspace +The default UDP send buffer size. +.El +.Pp +For variables net.*.ipsec, please refer to +.Xr ipsec 4 . +.It Li net.inet6 ( Dv PF_INET6 ) +Get or set various global information about the IPv6 +.Pq Internet Protocol version 6 . +The third level name is the protocol. +The fourth level name is the variable name. +The currently defined protocols and names are: +.Bl -column "Protocol" "anonportalgo.available" "integer" "Changeable" -offset indent +.It Sy Protocol Variable Ta Sy Type Ta Sy Changeable +.It icmp6 errppslimit integer yes +.It icmp6 mtudisc_hiwat integer yes +.It icmp6 mtudisc_lowat integer yes +.It icmp6 nd6_debug integer yes +.It icmp6 nd6_delay integer yes +.It icmp6 nd6_maxnudhint integer yes +.It icmp6 nd6_mmaxtries integer yes +.It icmp6 nd6_gctimer integer yes +.It icmp6 nd6_prune integer yes +.It icmp6 nd6_umaxtries integer yes +.It icmp6 nd6_useloopback integer yes +.It icmp6 nodeinfo integer yes +.It icmp6 rediraccept integer yes +.It icmp6 redirtimeout integer yes +.It icmp6 reflect_pmtu boolean yes +.It icmp6 dynamic_rt_msg boolean yes +.It ip6 accept_rtadv integer yes +.It ip6 addctlpolicy struct in6_addrpolicy no +.It ip6 anonportalgo.selected string yes +.It ip6 anonportalgo.available string yes +.It ip6 anonportalgo.reserve struct yes +.It ip6 anonportmax integer yes +.It ip6 anonportmin integer yes +.It ip6 auto_flowlabel 
integer yes +.It ip6 dad_count integer yes +.It ip6 defmcasthlim integer yes +.It ip6 forwarding integer yes +.It ip6 gifhlim integer yes +.It ip6 hashsize integer yes +.It ip6 hlim integer yes +.It ip6 hdrnestlimit integer yes +.It ip6 kame_version string no +.It ip6 keepfaith integer yes +.It ip6 log_interval integer yes +.It ip6 lowportmax integer yes +.It ip6 lowportmin integer yes +.It ip6 maxdynroutes integer yes +.It ip6 maxifprefixes integer yes +.It ip6 maxifdefrouters integer yes +.It ip6 maxflows integer yes +.It ip6 maxfragpackets integer yes +.It ip6 maxfrags integer yes +.It ip6 neighborgcthresh integer yes +.It ip6 param_rt_msg integer yes +.It ip6 redirect integer yes +.It ip6 rr_prune integer yes +.It ip6 use_deprecated integer yes +.It ip6 v6only integer yes +.It udp6 do_loopback_cksum integer yes +.It udp6 recvspace integer yes +.It udp6 sendspace integer yes +.El +.Pp +The variables are as follows: +.Bl -tag -width "123456" +.It Li ip6.accept_rtadv +If set to non-zero, the node will accept ICMPv6 router advertisement packets +and autoconfigures address prefixes and default routers. +The node must be a host +.Pq not a router +for the option to be meaningful. +.It Li ip6.anonportalgo.available +The available RFC 6056 port randomization algorithms. +.It Li ip6.anonportalgo.reserve +A bitmask of ports that will not be used during anonymous or privileged +port selection. +.It Li ip6.anonportalgo.selected +The currently selected RFC 6056 port randomization algorithm; see +.Xr rfc6056 7 +for details. +.It Li ip6.anonportmax +The highest port number to use for TCP and UDP ephemeral port allocation. +This cannot be set to less than 1024 or greater than 65535, and must +be greater than +.Li ip6.anonportmin . +.It Li ip6.anonportmin +The lowest port number to use for TCP and UDP ephemeral port allocation. +This cannot be set to less than 1024 or greater than 65535. 
+.It Li ip6.auto_flowlabel +On connected transport protocol packets, +fill IPv6 flowlabel field to help intermediate routers to identify packet flows. +.It Li ip6.dad_count +The variable configures number of IPv6 DAD +.Pq duplicated address detection +probe packets. +The packets will be generated when IPv6 interface addresses are configured. +.It Li ip6.defmcasthlim +The default hop limit value for an IPv6 multicast packet sourced by the node. +This value applies to all the transport protocols on top of IPv6. +There are APIs to override the value, as documented in +.Xr ip6 4 . +.It Li ip6.forwarding +If set to 1, enables IPv6 forwarding for the node, +meaning that the node is acting as a router. +If set to 0, disables IPv6 forwarding for the node, +meaning that the node is acting as a host. +IPv6 specification defines node behavior for +.Dq router +case and +.Dq host +case quite differently, and changing this variable during operation +may cause serious trouble. +It is recommended to configure the variable at bootstrap time, +and bootstrap time only. +.It Li ip6.gifhlim +The maximum hop limit value for an IPv6 packet generated by +.Xr gif 4 +tunnel interface. +.It Li ip6.hdrnestlimit +The number of IPv6 extension headers permitted on incoming IPv6 packets. +If set to 0, the node will accept as many extension headers as possible. +.It Li ip6.hashsize +The size of IPv6 Fast Forward hash table. +This value must be a power of 2 (64, 256, ...). +A larger hash table size results in fewer collisions. +Also see +.Li ip6.maxflows . +.It Li ip6.hlim +The default hop limit value for an IPv6 unicast packet sourced by the node. +This value applies to all the transport protocols on top of IPv6. +There are APIs to override the value, as documented in +.Xr ip6 4 . +.It Li ip6.kame_version +The string identifies the version of KAME IPv6 stack implemented in the kernel. 
+.It Li ip6.keepfaith +If set to non-zero, it enables +.Dq FAITH +TCP relay IPv6-to-IPv4 translator code in the kernel. +Refer +.Xr faith 4 +and +.Xr faithd 8 +for detail. +.It Li ip6.log_interval +The variable controls amount of logs generated by IPv6 packet +forwarding engine, by setting interval between log output +.Pq in seconds . +.It Li ip6.lowportmax +The highest port number to use for TCP and UDP reserved port allocation. +This cannot be set to less than 0 or greater than 1024, and must +be greater than +.Li ip6.lowportmin . +.It Li ip6.lowportmin +The lowest port number to use for TCP and UDP reserved port allocation. +This cannot be set to less than 0 or greater than 1024, and must +be smaller than +.Li ip6.lowportmax . +.It Li ip6.maxdynroutes +Maximum number of routes created by redirect. +Set it to negative to disable. +The default value is 4096. +.It Li ip6.maxifprefixes +Maximum number of prefixes created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. +.It Li ip6.maxifdefrouters 16 +Maximum number of default routers created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. +.It Li ip6.maxflows +IPv6 Fast Forwarding is enabled by default. +If set to 0, IPv6 Fast Forwarding is disabled. +.Li ip6.maxflows +controls the maximum amount of flows which can be created. +The default value is 256. +.It Li ip6.maxfragpackets +The maximum number of fragmented packets the node will accept. +0 means that the node will not accept any fragmented packets. +\-1 means that the node will accept as many fragmented packets as it receives. +The flag is provided basically for avoiding possible DoS attacks. +.It Li ip6.maxfrags +The maximum number of fragments the node will accept. +0 means that the node will not accept any fragments. +\-1 means that the node will accept as many fragments as it receives. +The flag is provided basically for avoiding possible DoS attacks. 
+.It Li ip6.neighborgcthresh +Maximum number of entries in neighbor cache per interface. +Set to negative to disable. +The default value is 2048. +.It Li ip6.param_rt_msg +If set to 0, parameter changing routing message is suppressed. +If set to 1, parameter changing routing message is sent by RTM_NEWADDR. +Other values are undefined yet. +.It Li ip6.redirect +If set to 1, ICMPv6 redirects may be sent by the node. +This option is ignored unless the node is routing IP packets, +and should normally be enabled on all systems. +.It Li ip6.rr_prune +The variable specifies interval between IPv6 router renumbering prefix +babysitting, in seconds. +.It Li ip6.use_deprecated +The variable controls use of deprecated address, specified in RFC 2462 5.5.4. +.It Li ip6.v6only +The variable specifies initial value for +.Dv IPV6_V6ONLY +socket option for +.Dv AF_INET6 +socket. +Please refer to +.Xr ip6 4 +for detail. +.It Li icmp6.errppslimit +The variable specifies the maximum number of outgoing ICMPv6 error messages, +per second. +ICMPv6 error messages that exceeded the value are subject to rate limitation +and will not go out from the node. +Negative value disables rate limitation. +.It Li icmp6.mtudisc_hiwat +.It Li icmp6.mtudisc_lowat +The variables define the maximum number of routing table entries, +created due to path MTU discovery +.Pq prevents denial-of-service attacks with ICMPv6 too big messages . +When IPv6 path MTU discovery happens, we keep path MTU information into +the routing table. +If the number of routing table entries exceed the value, +the kernel will not attempt to keep the path MTU information. +.Li icmp6.mtudisc_hiwat +is used when we have verified ICMPv6 too big messages. +.Li icmp6.mtudisc_lowat +is used when we have unverified ICMPv6 too big messages. +Verification is performed by using address/port pairs kept in connected pcbs. +Negative value disables the upper limit. 
+.It Li icmp6.nd6_debug +If set to non-zero, kernel IPv6 neighbor discovery code will generate +debugging messages. +The debug outputs are useful to diagnose IPv6 interoperability issues. +The flag must be set to 0 for normal operation. +.It Li icmp6.nd6_delay +The variable specifies +.Dv DELAY_FIRST_PROBE_TIME +timing constant in IPv6 neighbor discovery specification +.Pq RFC 2461 , +in seconds. +.It Li icmp6.nd6_maxnudhint +Neighbor discovery permits upper layer protocols to supply reachability +hints, to avoid unnecessary neighbor discovery exchanges. +The variable defines the number of consecutive hints the neighbor discovery +layer will take. +For example, by setting the variable to 3, neighbor discovery layer +will take 3 consecutive hints in maximum. +After receiving 3 hints, neighbor discovery layer will perform +normal neighbor discovery process. +.It Li icmp6.nd6_mmaxtries +The variable specifies +.Dv MAX_MULTICAST_SOLICIT +constant in IPv6 neighbor discovery specification +.Pq RFC 2461 . +.It Li icmp6.nd6_gctimer +The duration stale neighbors will be kept for, before being garbage collected, +in seconds. +.It Li icmp6.nd6_prune +The variable specifies interval between IPv6 neighbor cache babysitting, +in seconds. +.It Li icmp6.nd6_umaxtries +The variable specifies +.Dv MAX_UNICAST_SOLICIT +constant in IPv6 neighbor discovery specification +.Pq RFC 2461 . +.It Li icmp6.nd6_useloopback +If set to non-zero, kernel IPv6 stack will use loopback interface for +local traffic. +.It Li icmp6.nodeinfo +The variable enables responses to ICMPv6 node information queries. +If you set the variable to 0, responses will not be generated for +ICMPv6 node information queries. +Since node information queries can have a security impact, it is +possible to fine tune which responses should be answered. +Two separate bits can be set. +.Bl -tag -width "12345" +.It 1 +Respond to ICMPv6 FQDN queries, e.g. +.Li ping6 -w . +.It 2 +Respond to ICMPv6 node addresses queries, e.g. 
+.Li ping6 -a . +.El +.It Li icmp6.rediraccept +If set to non-zero, the host will accept ICMPv6 redirect packets. +Note that IPv6 routers will never accept ICMPv6 redirect packets, +and the variable is meaningful on IPv6 hosts +.Pq non-router +only. +.It Li icmp6.redirtimeout +The variable specifies lifetime of routing entries generated by incoming +ICMPv6 redirect. +.It Li icmp6.reflect_pmtu +A boolean that icmpv6 reflecting uses path MTU discovery or not. +When not, icmpv6 reflecting uses IPV6_MINMTU. +.It Li icmp6.dynamic_rt_msg +A boolean that the kernel sends routing message for RTM_DYNAMIC or not. +If set to true, sends such routing message. +.It Li udp6.do_loopback_cksum +Perform UDP checksum on loopback. +.It Li udp6.recvspace +Default UDP receive buffer size. +.It Li udp6.sendspace +Default UDP send buffer size. +.El +.Pp +Variables net.inet6.tcp6.* and net.inet6.udp6.* have identical meanings to +net.inet.tcp.* and net.inet.udp.*, respectively. +Please refer to +.Li PF_INET +section above. +For variables net.*.ipsec6, please refer to +.Xr ipsec 4 . +.It Li net.key ( Dv PF_KEY ) +Get or set various global information about the IPsec key management. +The third level name is the variable name. +The currently defined variable and names are: +.Bl -column "blockacq_lifetime" "integer" "Changeable" -offset indent +.It Sy Variable Type Ta Sy Changeable +.It debug integer yes +.It enabled integer yes +.It used integer no +.It spi_try integer yes +.It spi_min_value integer yes +.It spi_max_value integer yes +.It larval_lifetime integer yes +.It blockacq_count integer yes +.It blockacq_lifetime integer yes +.It esp_keymin integer yes +.It esp_auth integer yes +.It ah_keymin integer yes +.It allow_different_idtype boolean yes +.El +The variables are as follows: +.Bl -tag -width "123456" +.It Li debug +Turn on debugging message from within the kernel. +The value is a bitmap, as defined in +.In netipsec/key_debug.h . 
+.It Li enabled +Control processing of IPsec control messages. +.Bl -tag -width indent +.It 0 +Never allow IPsec processing +.It 1 +Allow IPsec processing when SPD policies are present. +.It 2 +Force IPsec processing even when SPD policies are not present. +.El +.It Li used +Based on if IPsec is enabled, and SPD rule existence, show if +IPsec is being used. +Note that currently once IPsec is being used, it cannot be disabled. +.It Li spi_try +The number of times the kernel will try to obtain an unique SPI +when it generates it from random number generator. +.It Li spi_min_value +Minimum SPI value when generating it within the kernel. +.It Li spi_max_value +Maximum SPI value when generating it within the kernel. +.It Li larval_lifetime +Lifetime for LARVAL SAD entries, in seconds. +.It Li blockacq_count +Number of ACQUIRE PF_KEY messages to be blocked after an ACQUIRE message. +It avoids flood of ACQUIRE PF_KEY from being sent from the kernel to the +key management daemon. +.It Li blockacq_lifetime +Lifetime of ACQUIRE PF_KEY message. +.It Li esp_keymin +Minimum ESP key length, in bits. +The value is used when the kernel creates proposal payload +on ACQUIRE PF_KEY message. +.It Li esp_auth +Whether ESP authentication should be used or not. +Non-zero value indicates that ESP authentication should be used. +The value is used when the kernel creates proposal payload +on ACQUIRE PF_KEY message. +.It Li ah_keymin +Minimum AH key length, in bits, +The value is used when the kernel creates proposal payload +on ACQUIRE PF_KEY message. +.It Li allow_different_idtype +A boolean that allow or disallow different identifier types +on IDii and IDir. +Allowing that can improve interconnectivity to some VPN appliances. +.El +.It Li net.local ( Dv PF_LOCAL ) +Get or set various global information about +.Dv AF_LOCAL +type sockets. 
+For some variables, the third level name is the variable name: +.Bl -column "Variable" "integer" "Changeable" -offset indent +.It Sy Variable Type Ta Sy Changeable +.It inflight integer no +.It deferred integer no +.El +The variables are as follows: +.Bl -tag -width "123456" +.It Li inflight +The number of file descriptors currently passed between processes, +.Qq in flight . +.It Li deferred +The number of file descriptors passed between processes that have been +deferred for cleanup by a kernel task. +.El +.Pp +Other variables are specific to a socket type: +.Bl -column "seqpacket" "sendspace" "integer" "Changeable" -offset indent +.It Sy "Socket Type" Sy Variable Type Ta Sy Changeable +.It dgram pcblist struct no +.It dgram recvspace integer yes +.It dgram sendspace integer yes +.It seqpacket pcblist struct no +.It stream pcblist struct no +.It stream recvspace integer yes +.It stream sendspace integer yes +.El +The variables are as follows: +.Bl -tag -width "123456" +.It Li dgram.pcblist +The Protocol Control Block list structure for datagram sockets. +Parsed by +.Xr netstat 1 +or +.Xr sockstat 1 . +.It Li dgram.recvspace +The default datagram receive buffer size. +.It Li dgram.sendspace +The default datagram send buffer size. +.It Li seqpacket.pcblist +The Protocol Control Block list structure for Sequential Packet sockets. +Parsed by +.Xr netstat 1 +or +.Xr sockstat 1 . +.It Li stream.pcblist +The Protocol Control Block list structure for stream sockets. +Parsed by +.Xr netstat 1 +or +.Xr sockstat 1 . +.It Li stream.recvspace +The default stream receive buffer size. +.It Li stream.sendspace +The default stream send buffer size. +.El +.El +.Ss The proc.* subtree +The string and integer information available for the +.Li proc +level is detailed below. +The changeable column shows whether a process with appropriate +privilege may change the value. +These values are per-process, +and as such may change from one process to another. 
+When a process is created, +the default values are inherited from its parent. +When a set-user-ID or set-group-ID binary is executed, the +value of PROC_PID_CORENAME is reset to the system default value. +The second level name is either the magic value PROC_CURPROC, which +points to the current process, or the PID of the target process. +.Bl -column "proc.pid.corename" "string" "not applicable" -offset indent +.It Sy Third level name Ta Sy Type Ta Sy Changeable +.It proc.pid.corename string yes +.It proc.pid.rlimit node not applicable +.It proc.pid.stopfork int yes +.It proc.pid.stopexec int yes +.It proc.pid.stopexit int yes +.It proc.pid.paxflags int no +.El +.Bl -tag -width "123456" +.It Li proc.pid.corename ( Dv PROC_PID_CORENAME ) +The template used for the core dump file name (see +.Xr core 5 +for details). +The base name must either be +.Pa core +or end with the suffix +.Pa .core +(the super-user may set arbitrary names). +By default it points to +.Dv KERN_DEFCORENAME . +.It Li proc.pid.rlimit ( Dv PROC_PID_LIMIT ) +Return resources limits, as defined for the +.Xr getrlimit 2 +and +.Xr setrlimit 2 +system calls. +The fourth level name is one of: +.Bl -tag -width "123456" +.It Li proc.pid.rlimit.cputime ( Dv PROC_PID_LIMIT_CPU ) +The maximum amount of CPU time (in seconds) to be used by each process. +.It Li proc.pid.rlimit.filesize ( Dv PROC_PID_LIMIT_FSIZE ) +The largest size (in bytes) file that may be created. +.It Li proc.pid.rlimit.datasize ( Dv PROC_PID_LIMIT_DATA ) +The maximum size (in bytes) of the data segment for a process; +this defines how far a program may extend its break with the +.Xr sbrk 2 +system call. +.It Li proc.pid.rlimit.stacksize ( Dv PROC_PID_LIMIT_STACK ) +The maximum size (in bytes) of the stack segment for a process; +this defines how far a program's stack segment may be extended. +Stack extension is performed automatically by the system. 
+.It Li proc.pid.rlimit.coredumpsize ( Dv PROC_PID_LIMIT_CORE ) +The largest size (in bytes) +.Pa core +file that may be created. +.It Li proc.pid.rlimit.memoryuse ( Dv PROC_PID_LIMIT_RSS ) +The maximum size (in bytes) to which a process's resident set size may +grow. +This imposes a limit on the amount of physical memory to be given to +a process; if memory is tight, the system will prefer to take memory +from processes that are exceeding their declared resident set size. +.It Li proc.pid.rlimit.memorylocked ( Dv PROC_PID_LIMIT_MEMLOCK ) +The maximum size (in bytes) which a process may lock into memory +using the +.Xr mlock 2 +function. +.It Li proc.pid.rlimit.maxproc ( Dv PROC_PID_LIMIT_NPROC ) +The maximum number of simultaneous processes for this user id. +.It Li proc.pid.rlimit.descriptors ( Dv PROC_PID_LIMIT_NOFILE ) +The maximum number of open files for this process. +.It Li proc.pid.rlimit.sbsize ( Dv PROC_PID_LIMIT_SBSIZE ) +The maximum size (in bytes) of the socket buffers +set by the +.Xr setsockopt 2 +.Dv SO_RCVBUF +and +.Dv SO_SNDBUF +options. +.It Li proc.pid.rlimit.vmemoryuse ( Dv PROC_PID_LIMIT_AS ) +The maximum size (in bytes) which a process can obtain. +.It Li proc.pid.rlimit.maxlwp ( Dv PROC_PID_LIMIT_NTHR ) +The maximum number of threads that cen be created and running at one time in +the process. +The first thread of each process is not counted against this. +.El +.Pp +The fifth level name is one of +.Li soft ( Dv PROC_PID_LIMIT_TYPE_SOFT ) +or +.Li hard ( Dv PROC_PID_LIMIT_TYPE_HARD ) , +to select respectively the soft or hard limit. +Both are of type integer. +.It Li proc.pid.stopfork ( Dv PROC_PID_STOPFORK ) +If non zero, the process' children will be stopped after +.Xr fork 2 +calls. +The children are created in the SSTOP state and are never scheduled +for running before being stopped. +This feature enables attaching to a process with a debugger such as +.Xr gdb 1 +before the process has the opportunity to actually do anything. 
+.Pp +This value is inherited by the process's children, and it also +applies to emulation specific system calls that fork a new process, such as +.Fn sproc +or +.Fn clone . +.It Li proc.pid.stopexec ( Dv PROC_PID_STOPEXEC ) +If non zero, the process will be stopped on the next +.Xr exec 3 +call. +The process created by +.Xr exec 3 +is created in the SSTOP state and is never scheduled for running +before being stopped. +This feature enables attaching to a process with a debugger such as +.Xr gdb 1 +before the process has the opportunity to actually do anything. +.Pp +This value is inherited by the process's children. +.It Li proc.pid.stopexit ( Dv PROC_PID_STOPEXIT ) +If non zero, the process will be stopped when it has cause to exit, +either by way of calling +.Xr exit 3 , +.Xr _exit 2 , +or by the receipt of a specific signal. +The process is stopped before any of its resources or vm space is +released allowing examination of the termination state of the process +before it disappears. +This feature can be used to examine the final conditions of the +process's vmspace via +.Xr pmap 1 +or its resource settings with +.Xr sysctl 8 +before it disappears. +.Pp +This value is also inherited by the process's children. +.It Li proc.pid.paxflags ( Dv PROC_PID_PAXFLAGS ) +This read-only variable returns the current value of the process's pax +flags (see +.Xr paxctl 8 ) . +.El +.Ss The user.* subtree ( Dv CTL_USER ) +The string and integer information available for the +.Li user +level is detailed below. +The changeable column shows whether a process with appropriate +privilege may change the value. 
+.Bl -column "user.coll_weights_max" "integer" "Changeable" -offset indent +.It Sy Second level name Ta Sy Type Ta Sy Changeable +.It user.atexit_max integer no +.It user.bc_base_max integer no +.It user.bc_dim_max integer no +.It user.bc_scale_max integer no +.It user.bc_string_max integer no +.It user.coll_weights_max integer no +.It user.cs_path string no +.It user.expr_nest_max integer no +.It user.line_max integer no +.It user.posix2_c_bind integer no +.It user.posix2_c_dev integer no +.It user.posix2_char_term integer no +.It user.posix2_fort_dev integer no +.It user.posix2_fort_run integer no +.It user.posix2_localedef integer no +.It user.posix2_sw_dev integer no +.It user.posix2_upe integer no +.It user.posix2_version integer no +.It user.re_dup_max integer no +.It user.stream_max integer no +.It user.stream_max integer no +.It user.tzname_max integer no +.El +.Bl -tag -width "123456" +.It Li user.atexit_max ( Dv USER_ATEXIT_MAX ) +The maximum number of functions that may be registered with +.Xr atexit 3 . +.It Li user.bc_base_max ( Dv USER_BC_BASE_MAX ) +The maximum ibase/obase values in the +.Xr bc 1 +utility. +.It Li user.bc_dim_max ( Dv USER_BC_DIM_MAX ) +The maximum array size in the +.Xr bc 1 +utility. +.It Li user.bc_scale_max ( Dv USER_BC_SCALE_MAX ) +The maximum scale value in the +.Xr bc 1 +utility. +.It Li user.bc_string_max ( Dv USER_BC_STRING_MAX ) +The maximum string length in the +.Xr bc 1 +utility. +.It Li user.coll_weights_max ( Dv USER_COLL_WEIGHTS_MAX ) +The maximum number of weights that can be assigned to any entry of +the LC_COLLATE order keyword in the locale definition file. +.It Li user.cs_path ( USER_CS_PATH ) +Return a value for the +.Ev PATH +environment variable that finds all the standard utilities. +.It Li user.expr_nest_max ( Dv USER_EXPR_NEST_MAX ) +The maximum number of expressions that can be nested within +parenthesis by the +.Xr expr 1 +utility. 
+.It Li user.line_max ( Dv USER_LINE_MAX ) +The maximum length in bytes of a text-processing utility's input +line. +.It Li user.posix2_char_term ( Dv USER_POSIX2_CHAR_TERM ) +Return 1 if the system supports at least one terminal type capable of +all operations described in +.St -p1003.2 , +otherwise\ 0. +.It Li user.posix2_c_bind ( Dv USER_POSIX2_C_BIND ) +Return 1 if the system's C-language development facilities support the +C-Language Bindings Option, otherwise\ 0. +.It Li user.posix2_c_dev ( Dv USER_POSIX2_C_DEV ) +Return 1 if the system supports the C-Language Development Utilities Option, +otherwise\ 0. +.It Li user.posix2_fort_dev ( Dv USER_POSIX2_FORT_DEV ) +Return 1 if the system supports the FORTRAN Development Utilities Option, +otherwise\ 0. +.It Li user.posix2_fort_run ( Dv USER_POSIX2_FORT_RUN ) +Return 1 if the system supports the FORTRAN Runtime Utilities Option, +otherwise\ 0. +.It Li user.posix2_localedef ( Dv USER_POSIX2_LOCALEDEF ) +Return 1 if the system supports the creation of locales, otherwise\ 0. +.It Li user.posix2_sw_dev ( Dv USER_POSIX2_SW_DEV ) +Return 1 if the system supports the Software Development Utilities Option, +otherwise\ 0. +.It Li user.posix2_upe ( Dv USER_POSIX2_UPE ) +Return 1 if the system supports the User Portability Utilities Option, +otherwise\ 0. +.It Li user.posix2_version ( Dv USER_POSIX2_VERSION ) +The version of +.St -p1003.2 +with which the system attempts to comply. +.It Li user.re_dup_max ( Dv USER_RE_DUP_MAX ) +The maximum number of repeated occurrences of a regular expression +permitted when using interval notation. +.It Li user.stream_max ( Dv USER_STREAM_MAX ) +The minimum maximum number of streams that a process may have open +at any one time. +.It Li user.tzname_max ( Dv USER_TZNAME_MAX ) +The minimum maximum number of types supported for the name of a +timezone. +.El +.Ss The vm.* subtree ( Dv CTL_VM ) +The string and integer information available for the +.Li vm +level is detailed below. 
+The changeable column shows whether a process with appropriate +privilege may change the value. +.Bl -column "Second level name" "struct uvmexp_sysctl" "Changeable" -offset indent +.It Sy Second level name Ta Sy Type Ta Sy Changeable +.It vm.anonmax int yes +.It vm.anonmin int yes +.It vm.bufcache int yes +.It vm.bufmem int no +.It vm.bufmem_hiwater int yes +.It vm.bufmem_lowater int yes +.It vm.execmax int yes +.It vm.execmin int yes +.It vm.filemax int yes +.It vm.filemin int yes +.It vm.loadavg struct loadavg no +.It vm.maxslp int no +.It vm.nkmempages int no +.It vm.uspace int no +.It vm.uvmexp struct uvmexp no +.It vm.uvmexp2 struct uvmexp_sysctl no +.It vm.vmmeter struct vmtotal no +.It vm.proc.map struct kinfo_vmentry no +.It vm.guard_size unsigned int no +.It vm.thread_guard_size unsigned int yes +.It vm.swap_encrypt bool yes +.El +.Bl -tag -width "123456" +.It Li vm.anonmax ( Dv VM_ANONMAX ) +The percentage of physical memory which will be reclaimed +from other types of memory usage to store anonymous application data. +.It Li vm.anonmin ( Dv VM_ANONMIN ) +The percentage of physical memory which will be always be available for +anonymous application data. +.It Li vm.bufcache ( Dv VM_BUFCACHE ) +The percentage of physical memory which will be available +for the buffer cache. +.It Li vm.bufmem ( Dv VM_BUFMEM ) +The amount of kernel memory that is being used by the buffer cache. +.It Li vm.bufmem_lowater ( Dv VM_BUFMEM_LOWATER ) +The minimum amount of kernel memory to reserve for the +buffer cache. +.It Li vm.bufmem_hiwater ( Dv VM_BUFMEM_HIWATER ) +The maximum amount of kernel memory to be used for the +buffer cache. +.It Li vm.execmax ( Dv VM_EXECMAX ) +The percentage of physical memory which will be reclaimed +from other types of memory usage to store cached executable data. +.It Li vm.execmin ( Dv VM_EXECMIN ) +The percentage of physical memory which will be always be available for +cached executable data. 
+.It Li vm.filemax ( Dv VM_FILEMAX ) +The percentage of physical memory which will be reclaimed +from other types of memory usage to store cached file data. +.It Li vm.filemin ( Dv VM_FILEMIN ) +The percentage of physical memory which will be always be available for +cached file data. +.It Li vm.loadavg ( Dv VM_LOADAVG ) +Return the load average history. +The returned data consists of a +.Vt struct loadavg . +.It Li vm.maxslp ( Dv VM_MAXSLP ) +The value of the maxslp kernel global variable. +.It Li vm.vmmeter ( Dv VM_METER ) +Return system wide virtual memory statistics. +The returned data consists of a +.Vt struct vmtotal . +.It vm.user_va0_disable +A flag which controls whether user processes can map virtual address\ 0. +.It Li vm.proc.map ( Dv VM_PROC ) +The third level is +.Dv VM_PROC_MAP , +the fourth is the pid of the process to display the vm object entries for, and +the fifth is the size of +.Vt struct kinfo_vmentry . +Returns an array of +.Vt struct kinfo_vmentry +objects. +.It Li vm.ubc_direct Bq Sy "EXPERIMENTAL" Ns No , default off +Use direct map for UBC I/O, avoiding need to map and unmap buffer memory. +Speeds up operation for fast I/O devices like NVMe, especially +on multi-CPU systems. +Only available on some architectures. +.It Li vm.uspace ( Dv VM_USPACE ) +The number of bytes allocated for each kernel stack. +.It Li vm.uvmexp ( Dv VM_UVMEXP ) +Return system wide virtual memory statistics. +The returned data consists of a +.Vt struct uvmexp . +.It Li vm.uvmexp2 ( Dv VM_UVMEXP2 ) +Return system wide virtual memory statistics. +The returned data consists of a +.Vt struct uvmexp_sysctl . +.It Li vm.guard_size ( Dv VM_GUARD_SIZE ) +Return system wide guard size for the main thread of a program. +.It Li vm.thread_guard_size ( Dv VM_THREAD_GUARD_SIZE ) +Return system wide default size for the guard area of all other threads +of a program. +.It Li vm.swap_encrypt +If true, encrypt data while swapped out to disk. 
+.Pp +Each swap device maintains an independent AES-256 key, generated when +the first page is swapped to that device. +Each page is swapped independently using AES-CBC, with an +initialization vector chosen by the encryption under the AES-256 key of +the little-endian swap slot number padded to 128 bits with zeros. +(This is essentially the +.Xr cgd 4 +.Sq encblkno1 +method.) +.Pp +Changes to +.Li vm.swap_encrypt +only affect pages of swap newly written out. +To force encrypting or decrypting all existing swap, or to rekey +previously encrypted swap, you can remove the swap devices and re-add +them with +.Xr swapctl 8 , +with the caveat that whatever pages were already written to disk +unencrypted or encrypted with a compromised key may still be written to +disk afterward. +.El +.Ss The ddb.* subtree ( Dv CTL_DDB ) +The information available for the +.Li ddb +level is detailed below. +The changeable column shows whether a process with appropriate +privilege may change the value. +.Bl -column "Second level name" "integer" "Changeable" -offset indent +.It Sy Second level name Ta Sy Type Ta Sy Changeable +.It ddb.commandonenter string yes +.It ddb.dumpstack integer yes +.It ddb.fromconsole integer yes +.It ddb.lines integer yes +.It ddb.maxoff integer yes +.It ddb.maxwidth integer yes +.It ddb.onpanic integer yes +.It ddb.panicstackframes integer yes +.It ddb.radix integer yes +.It ddb.tabstops integer yes +.It ddb.tee_msgbuf integer yes +.El +.Bl -tag -width "123456" +.It Li ddb.commandonenter +If not empty, the string is used as the DDB command to be executed each time +DDB is entered. +.It Li ddb.dumpstack +A value of 1 causes a stack trace to be printed on entering ddb from a panic. +A value of 0 disables this behaviour. +The default value is 1. +.It Li ddb.fromconsole ( Dv DDBCTL_FROMCONSOLE ) +If not zero, DDB may be entered by sending a break on a serial +console or by a special key sequence on a graphics console. 
+.It Li ddb.lines ( Dv DDBCTL_LINES ) +Number of display lines. +.It Li ddb.maxoff ( Dv DDBCTL_MAXOFF ) +The maximum symbol offset. +.It Li ddb.maxwidth ( Dv DDBCTL_MAXWIDTH ) +The maximum output line width. +.It Li ddb.onpanic ( Dv DDBCTL_ONPANIC ) +If greater than zero, DDB will be entered if the kernel panics. +A value of 1 causes the system to enter DDB on panic. +A value of 0 causes the kernel to attempt to print a stack trace, then +reboot, while a value of \-1 means neither a stack trace will be printed +nor DDB entered. +.It Li ddb.panicstackframes +Number of stack frames to display on panic. +Useful to avoid scrolling away the interesting frames on a glass tty. +Default value is +.Dv 65535 +(all frames), useful value around +.Dv 10 . +.It Li ddb.radix ( Dv DDBCTL_RADIX ) +The input and output radix. +.It Li ddb.tabstops ( Dv DDBCTL_TABSTOPS ) +Tab width. +.It Li ddb.tee_msgbuf +If not zero, DDB will output also to the kernel message buffer. +.El +.Pp +Some of these MIB +nodes are also available as variables from within the debugger. +See +.Xr ddb 4 +for more details. +.Ss The security.* subtree ( Dv CTL_SECURITY ) +The +.Li security +level contains various security-related settings for +the system. +The available second level names are: +.Bl -column "Second level name" "integer" "Changeable" -offset indent +.It Sy Second level name Ta Sy Type Ta Sy Changeable +.It Li security.curtain integer yes +.It Li security.models node not applicable +.It Li security.pax node not applicable +.El +.Pp +Available settings are detailed below. +.Bl -tag -width "123456" +.It Li security.curtain +If non-zero, will filter return objects according to the user ID +requesting information about them, preventing users from +accessing any objects they do not own. +.Pp +At the moment, it affects +.Xr ps 1 , +.Xr netstat 1 +(for +.Dv PF_INET , +.Dv PF_INET6 , +and +.Dv PF_UNIX +PCBs), and +.Xr w 1 . +.It Li security.models +.Nx +supports pluggable security models. 
+Every security model used, whether if loaded as a module or built with the system, +is required to add an entry to this node with at least one element, +.Dq name , +indicating the name of the security model. +.Pp +In addition to the name, any settings and other information private to the +security model will be available under this node. +See +.Xr secmodel 9 +for more information. +.It Li security.pax +Settings for PaX \(em exploit mitigation features. +For more information on any of the PaX features, please see +.Xr paxctl 8 +and +.Xr security 7 . +The available third and fourth level names are: +.Bl -column "security.pax.segvguard.suspend_timeout" "integer" "Changeable" \ +-offset 2n +.It Sy Third and fourth level names Ta Sy Type Ta Sy Changeable +.It Li security.pax.aslr.enabled integer yes +.\".It Li security.pax.aslr.exec_len integer yes +.It Li security.pax.aslr.global integer yes +.\".It Li security.pax.aslr.mmap_len integer yes +.\".It Li security.pax.aslr.stack_len integer yes +.It Li security.pax.mprotect.enabled integer yes +.It Li security.pax.mprotect.global integer yes +.It Li security.pax.mprotect.ptrace integer yes +.It Li security.pax.segvguard.enabled integer yes +.It Li security.pax.segvguard.expiry_timeout integer yes +.It Li security.pax.segvguard.global integer yes +.It Li security.pax.segvguard.max_crashes integer yes +.It Li security.pax.segvguard.suspend_timeout integer yes +.El +.Bl -tag -width "123456" +.It Li security.pax.aslr.enabled +Enable PaX ASLR (Address Space Layout Randomization). +.Pp +The value of this +knob must be non-zero for PaX ASLR to be enabled, even if a program is set to +explicit enable. +.\".It Li security.pax.aslr.exec_len +.\" XXX: Undocumented. +.It Li security.pax.aslr.global +Specifies the default global policy for programs without an +explicit enable/disable flag. +.Pp +When non-zero, all programs will get PaX ASLR, except those exempted with +.Xr paxctl 8 . 
+Otherwise, all programs will not get PaX ASLR, except those specifically +marked as such with +.Xr paxctl 8 . +.\".It Li security.pax.aslr.mmap_len +.\" XXX: Undocumented. +.\" .It Li security.pax.aslr.stack_len +.\" XXX: Undocumented. +.It Li security.pax.mprotect.enabled +Enable PaX MPROTECT restrictions. +.Pp +These are +.Xr mprotect 2 +restrictions to better enforce a W^X policy. +The value of this +knob must be non-zero for PaX MPROTECT to be enabled, even if a +program is set to explicit enable. +.It Li security.pax.mprotect.global +Specifies the default global policy for programs without an +explicit enable/disable flag. +.Pp +When non-zero, all programs will get the PaX MPROTECT restrictions, +except those exempted with +.Xr paxctl 8 . +Otherwise, all programs will not get the PaX MPROTECT restrictions, +except those specifically marked as such with +.Xr paxctl 8 . +.It Li security.pax.mprotect.ptrace +This variable allows +.Xr ptrace 2 +to override PaX MPROTECT permissions. +It can have the following values: +.Bl -tag -width XX -compact +.It 0 +Does not let override any permissions. +.It 1 +Disables PaX MPROTECT from processes that start executing while traced (default). +.It 2 +Bypasses PaX MPROTECT for all processes being traced. +.El +.It Li security.pax.segvguard.enabled +Enable PaX Segvguard. +.Pp +PaX Segvguard can detect and prevent certain exploitation attempts, where +an attacker may try for example to brute-force function return addresses +of respawning daemons. +.Pp +.Em Note : +The +.Nx +interface and implementation of the Segvguard is still experimental, and may +change in future releases. +.It Li security.pax.segvguard.expiry_timeout +If the max number was not reached within this timeout (in seconds), the entry +will expire. +.It Li security.pax.segvguard.global +Specifies the default global policy for programs without an +explicit enable/disable flag. 
+.Pp +When non-zero, all programs will get the PaX Segvguard, +except those exempted with +.Xr paxctl 8 . +Otherwise, no program will get the PaX Segvguard restrictions, +except those specifically marked as such with +.Xr paxctl 8 . +.It Li security.pax.segvguard.max_crashes +The maximum number of segfaults a program can receive before suspension. +.It Li security.pax.segvguard.suspend_timeout +Number of seconds to suspend a user from running a faulting program when the +limit was exceeded. +.El +.El +.Ss The vendor.* subtree ( Dv CTL_VENDOR ) +The +.Li vendor +toplevel name is reserved to be used by vendors who wish to +have their own private MIB tree. +Intended use is to store values under +.Dq vendor.<yourname>.* . +.Sh SEE ALSO +.Xr sysctl 3 , +.Xr ipsec 4 , +.Xr tcp 4 , +.Xr security 7 , +.Xr sysctl 8 +.Sh HISTORY +The +.Nm +variables first appeared in +.Bx 4.4 . |
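Review bot: The `vm.user_va0_disable` entry in the vm.* list says only that it is "A flag which controls whether user processes can map virtual address 0", without saying which value forbids the mapping or what the default is, so a reader hardening a host cannot tell from this page how to set it. Suggest stating the meaning of zero and non-zero and the default, as the `security.pax.*` entries do with "When non-zero, ...". The same entry is written `.It vm.user_va0_disable` without `.Li`, unlike its visible neighbours such as `.It Li vm.uspace ( Dv VM_USPACE )`. Smaller wording points in the same hunk: `vm.filemin` reads "will be always be available" (doubled "be"), `security.models` reads "whether if loaded as a module", and value 0 of `security.pax.mprotect.ptrace` reads "Does not let override any permissions." If this file is meant to stay a verbatim copy of the NetBSD page, these are better reported upstream than changed here.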
