Appendix: Some Useful SYSCTL MIBs
This appendix is a dictionary of some useful sysctl MIBs. The tools for manipulating MIBs are discussed in Chapter 4. (When a MIB is detailed elsewhere in this book, reference is made to the appropriate chapter.) Your system certainly has many more sysctls than these, but the ones described here are the ones I frequently trip over in day−to−day work.
Warning Thoughtless use of sysctls can easily damage or destroy a working system. For example, if you set a limit on resources below the amount being used, you can crash the system in a fairly spectacular manner. Be sure you understand the implications of what you're doing before setting sysctls.
When writing this appendix, I was tempted to only describe sysctls that are safe for new administrators, but doing so would have limited the utility of this section. Instead, I'm asking you to please take the dangers of sysctl fiddling to heart. If you don't understand what a sysctl does, don't play with it!
For example, some sysctls allow you to adjust vnode operations. Attempts to fine−tune vnodes will most probably harm system performance, but there are situations where you will want to do exactly that. Similarly, don't go rummaging through the virtual memory system unless you understand virtual memory! Search the man pages and mailing list archives for further details on individual sysctls before playing with them.
Note Some sysctls are described as "toggles." In this case, a value of 1 means that the sysctl provides the service described. A setting of 0 means that the service is disabled.
Without further ado, here are the sysctls, each followed by a typical value and an explanation of what it does.
...............................................................................................
kern.maxvnodes: 20973
set at: /boot/loader.conf
...............................................................................................
The maximum number of vnodes (virtual filesystem nodes) the system can have open simultaneously.
...............................................................................................
kern.maxproc: 1044
set at: /boot/loader.conf
...............................................................................................
The maximum number of processes that the system can be running at any one time.
...............................................................................................
kern.maxfiles: 2088
set at: runtime
...............................................................................................
495
The maximum number of files that the system can have open at any one time.
...............................................................................................
kern.argmax: 65536
set at: read−only
...............................................................................................
The maximum number of bytes you can use in an argument to execve(2). Basically, this is the maximum number of characters you can use in a single command line. You might run up against this in some unusual circumstances. If you do, please see xargs(1).
...............................................................................................
kern.securelevel: −1
set at: runtime or /etc/rc.conf
...............................................................................................
The current kernel security level. See Chapter 7.
...............................................................................................
kern.maxfilesperproc: 2088 set at: runtime
The maximum number of files any one process can open.
...............................................................................................
kern.maxprocperuid: 1043
set at: runtime
...............................................................................................
The maximum number of processes one user ID can run.
...............................................................................................
kern.dumpdev: /dev/ad0s1b
set at: /etc/rc.conf
...............................................................................................
The name of the swap device where a kernel panic will be dumped, as set by dumpon(8) during the boot process. The swap partition must be larger than or equal to the system's physical memory. We discuss dumping and panics in some detail in Chapter 20.
...............................................................................................
kern.ipc.somaxconn: 128
set at: runtime
...............................................................................................
496
The maximum number of new connections the system can accept at any one time. The default is 128. If you're running a heavily loaded server, kick this up to 512 or even 1024.
...............................................................................................
kern.ipc.maxsockets: 2088
set at: /boot/loader.conf
...............................................................................................
The total number of sockets available on the system.
...............................................................................................
kern.logsigexit: 1
set at: runtime
...............................................................................................
When a program exits abnormally, it usually sends a signal. When this toggle is set, the name of the program and the exiting signal are logged to /var/log/ messages.
...............................................................................................
kern.init_path: /sbin/init:/sbin/oinit:/sbin/init.bak:/stand/sysinstall
set at: /boot/loader.conf
...............................................................................................
Init(8) is the process that actually starts the system. If you've damaged your system (say, during a source upgrade gone very bad), you can use this sysctl to offer another path to an init program. If you're doing this, however, you're probably in very bad shape.
...............................................................................................
kern.module_path: /;/boot/;/modules/
set at: runtime
...............................................................................................
The path where kldload(8) checks for kernel modules.
...............................................................................................
kern.timecounter.method: 0
set at: runtime
...............................................................................................
FreeBSD has two different methods to determine the time since the system booted. One is extremely accurate, but takes more system resources to use. The other is faster, but not as accurate. The difference between the two is measured in milliseconds, but if you're using an application that requires extremely precise timing, those milliseconds can make a difference. Set this sysctl to 1 to use the slow, hyper−accurate method. The default is good enough for almost all applications.
497
...............................................................................................
kern.coredump: 1
set at: runtime
...............................................................................................
This toggle controls kernel core dumps. When set to 1, the kernel will dump the core on a panic. See Chapter 20 to find out what to do with it.
...............................................................................................
kern.quantum: 100000
set at: runtime
...............................................................................................
The maximum number of microseconds a process can run for if other processes are waiting for CPU time. If you're considering changing this, you are probably doing something wrong.
...............................................................................................
kern.filedelay: 30
set at: runtime
...............................................................................................
Controls how often the system synchronizes file data between the vnode buffer cache and the disk. This one is for experienced systems administrators only!
...............................................................................................
kern.dirdelay: 29
set at: runtime
...............................................................................................
Controls how often the system synchronizes directory data from the vnode buffer cache to the disk. Again, for experienced systems admins only!
...............................................................................................
kern.metadelay: 28
set at: runtime
...............................................................................................
Controls how often the system synchronizes filesystem metadata from the vnode buffer cache and the disk. Again, this is for experienced systems administrators only!
...............................................................................................
vm.v_free_min: 582
set at: runtime
...............................................................................................
498
The minimum number of pages of cache and free memory that must be available before a process waiting on memory will be awakened.
...............................................................................................
vm.v_free_target: 2513
set at: runtime
...............................................................................................
The total number of pages of free and cache memory that the virtual memory manager tries to keep or exceed.
...............................................................................................
vm.v_free_reserved: 185
set at: runtime
...............................................................................................
If the number of pages of free memory falls below this reserved value, running a process will tell the virtual memory manager to start swapping out memory.
...............................................................................................
vm.v_inactive_target: 3769
set at: runtime
...............................................................................................
The number of pages of memory that the virtual memory system will try to free up when it kicks in.
...............................................................................................
vm.v_cache_min: 2513
set at: runtime
...............................................................................................
The minimum desired size of the virtual memory cache queue.
...............................................................................................
vm.v_cache_max: 5026
set at: runtime
...............................................................................................
The maximum desired size of the virtual memory cache queue.
...............................................................................................
vm.swap_enabled: 1
set at: /boot/loader.conf
...............................................................................................
499
This controls the use of swap space. If set to 0, your system will not swap. If your swap disk is damaged, or if you're running −current and someone broke swapping, you might want to try this.
...............................................................................................
vm.swap_idle_enabled: 0 vm.swap_idle_threshold1: 2 vm.swap_idle_threshold2: 10 set at: runtime
If you're constantly swapping on a large system, setting the swap_idle_enabled sysctl tells the virtual memory manager to pull idle processes into virtual memory more quickly than other processes. The threshold sysctls tell the system how many seconds to wait before considering different sorts of processes idle. The defaults are probably fine; just enabling vm.swap_idle_enabled should do the trick. Do not enable this unless you're having heavy virtual memory use!
...............................................................................................
vfs.vmiodirenable: 1
set at: runtime
...............................................................................................
Allows FFS to use the virtual memory system to cache directory lookups, increasing disk performance. Combined with the directory hashing code and soft updates, this increases disk access by as much as 6000 percent.
...............................................................................................
vfs.usermount: 0
set at: runtime
...............................................................................................
If set, users may mount filesystems. This allows people to use floppy disks and CD−ROMs. The user must own the mount point.
...............................................................................................
net.inet.ip.forwarding: 0
set at: runtime
...............................................................................................
Controls the kernel's ability to forward packets. If you have multiple network cards, you might want your FreeBSD system to act as a gateway, router, or firewall. When set, the system will forward packets internally. You can turn forwarding on and off at will.
...............................................................................................
net.inet.ip.redirect: 1
set at: runtime
...............................................................................................
500
Toggles the ability to send ICMP redirect packets if the system is providing routing services. It has no effect if the system is not performing routing.
...............................................................................................
net.inet.ip.ttl: 64
set at: runtime
...............................................................................................
The maximum number of hops any non−ICMP protocol can take across the network.
...............................................................................................
net.inet.ip.sourceroute: 0
set at: runtime
...............................................................................................
Toggles forwarding of source−routed packets.
...............................................................................................
net.inet.ip.accept_sourceroute: 0
set at: runtime
...............................................................................................
If set to 1, the system will accept source−routed packets aimed at it. If you don't know what source−routing is, just accept my word that this is not usually a good idea.
...............................................................................................
net.inet.ip.fastforwarding: 0
set at: runtime
...............................................................................................
If you're providing routing services, this sysctl greatly accelerates packet throughput. It does so by eliminating most of the sanity checks performed on packets and by completely bypassing any packet−filtering rules.
...............................................................................................
net.inet.icmp.drop_redirect: 0
set at: runtime
...............................................................................................
If set to 1, your system will ignore ICMP redirect packets. These are not commonly used on the public Internet, and only rarely used inside private networks.
...............................................................................................
net.inet.icmp.log_redirect: 0
set at: runtime
...............................................................................................
501
In normal circumstances, your system should never see an ICMP redirect. While they have legitimate administrative uses, if they're in use you'll know. Enabling this sysctl makes the system log any ICMP redirects it receives.
...............................................................................................
net.inet.icmp.bmcastecho: 1
set at: runtime
...............................................................................................
When set, the system will respond to ICMP requests to the broadcast address of a network—the highest−numbered address in the block of IP addresses. This is required for standards compliance, but was such a source of trouble that it's disabled by default now.
...............................................................................................
net.inet.tcp.rfc1323: 1
set at: runtime
...............................................................................................
Enables the window−scaling algorithms described in RFC 1323.
...............................................................................................
net.inet.tcp.rfc1644: 0
set at: runtime
...............................................................................................
Enables Transactional TCP, as described in RFC 1644.
...............................................................................................
net.inet.tcp.sendspace: 16384
net.inet.tcp.recvspace: 16384
set at: runtime
...............................................................................................
The number of bits reserved for send and receive buffers. Whenever a connection is opened, the system sets aside a send and a receive buffer for use by that connection. These values both default to 16384, or 16KB. If you have a small number of high−bandwidth connections, you can increase these sysctl values. 32768 is a decent value in this case. Do not alter this sysctl if you have a large number of connections—you'll increase system load dramatically and kill your performance. These values are vital parts of the NMBCLUSTERS kernel memory calculation; if you increase them, you increase the amount of kernel memory set aside for mbufs. Crank these up too high, and you can panic your kernel during boot.
...............................................................................................
net.inet.tcp.log_in_vain: 0
set at: runtime
...............................................................................................
502
Logs attempts to connect to any TCP port where no program is listening.
...............................................................................................
net.inet.tcp.blackhole: 0
set at: runtime
...............................................................................................
By default, TCP/IP returns an error code when you attempt to connect to a closed port. This shows up as a "connection reset by peer" error. If you set this to 1, attempts to connect to a closed TCP port are dropped, but no error is sent. This slows down ports scans, and can add some semblance of security to your system. It is not a replacement for packet filtering, however!
...............................................................................................
net.inet.tcp.delayed_ack: 1
set at: runtime
...............................................................................................
Tells the system to try to include the TCP connection teardown information on a data packet, rather than sending additional packets to signal the end of the connection.
...............................................................................................
net.inet.tcp.path_mtu_discovery: 1
set at: runtime
...............................................................................................
Enables Path MTU discovery.
...............................................................................................
net.inet.tcp.slowstart_flightsize: 1
set at: runtime
...............................................................................................
Specifies the number of packets that can be sent during the slow−start portion of a TCP transaction across a wide area network.
...............................................................................................
net.inet.tcp.local_slowstart_flightsize: 65535
set at: runtime
...............................................................................................
This is the number of packets that can be sent during the slow−start portion of a TCP transaction across a local network.
...............................................................................................
503
net.inet.tcp.newreno: 1 set at: runtime
...............................................................................................
Toggles RFC2582 connection recovery, also known as the TCP NewReno Algorithm.
...............................................................................................
net.inet.tcp.do_tcpdrain: 1
set at: runtime
...............................................................................................
Tells the system to flush packets from the reassembly queue when it is low on mbufs.
...............................................................................................
net.inet.tcp.always_keepalive: 1
set at: runtime
...............................................................................................
If you set this to 1, old dead connections will eventually be found and killed. It increases the amount of network traffic by a smidgeon, but will clean up many situations that come from having a server up for 30 months straight. If set to 0, connections will remain alive even on unreliable connections. This is a trade−off between long−term stability and short−term convenience.
...............................................................................................
net.inet.udp.log_in_vain: 0
set at: runtime
...............................................................................................
Logs attempts to connect to any UDP port where no program is listening.
...............................................................................................
net.inet.udp.blackhole: 0
set at: runtime
...............................................................................................
By default, TCP/IP returns an error code when you attempt to connect to a closed port. This shows up as a "connection reset by peer" error. If you set this to 1, attempts to connect to a closed UDP port are dropped, but no error is sent. This slows down ports scans, and can add some semblance of security to your system. It is not a replacement for packet filtering, however!
...............................................................................................
hw.ata.ata_dma
set at: /boot/loader.conf
...............................................................................................
504
Controls use of DMA in IDE devices. This is the modern standard. Set this to 0 if your hardware uses PIO instead of DMA. (If you have PIO hardware, you probably know it.)
...............................................................................................
hw.ata.wc
set at: /boot/loader.conf
...............................................................................................
Controls the use of write−caching in IDE drives. Setting it to 1 will improve performance at the cost of data integrity in the case of a system crash.
...............................................................................................
hw.ata.tags: 0
set at: /boot/loader.conf
...............................................................................................
Enables tagged queuing. Only certain IBM hard drives support this. If you have it, it will be clearly marked on the packaging.
...............................................................................................
hw.ata.atapi_dma: 0
set at: /boot/loader.conf
...............................................................................................
Controls the use of the DMA access model in ATAPI devices. Check your hardware manual to see if your hardware supports DMA. ATAPI can have problems with DMA, so this defaults to "off". You can try it, but it might very well hang your system.
...............................................................................................
jail.set_hostname_allowed: 1
set at: runtime
...............................................................................................
Controls whether jail owners can change the hostname of their jails. See Chapter 8.
...............................................................................................
jail.socket_unixiproute_only: 1
set at: runtime
...............................................................................................
Controls whether jail owners can use protocols other than TCP/IP. See Chapter 8.
...............................................................................................
jail.sysvipc_allowed: 0
...............................................................................................
505
Controls whether jail owners can use System V IPC calls. See Chapter 8.
...............................................................................................
compat.linux
set at: read−only
...............................................................................................
These sysctls provide information for the Linux compatibility kernel module. See Chapter 11.
506