3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
5 This file is part of systemd.
7 Copyright 2011 Lennart Poettering
9 systemd is free software; you can redistribute it and/or modify it
10 under the terms of the GNU Lesser General Public License as published by
11 the Free Software Foundation; either version 2.1 of the License, or
12 (at your option) any later version.
14 systemd is distributed in the hope that it will be useful, but
15 WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Lesser General Public License for more details.
19 You should have received a copy of the GNU Lesser General Public License
20 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 <refentry id="sysctl.d">
25 <title>sysctl.d</title>
26 <productname>systemd</productname>
30 <contrib>Developer</contrib>
31 <firstname>Lennart</firstname>
32 <surname>Poettering</surname>
33 <email>lennart@poettering.net</email>
39 <refentrytitle>sysctl.d</refentrytitle>
40 <manvolnum>5</manvolnum>
44 <refname>sysctl.d</refname>
45 <refpurpose>Configure kernel parameters at boot</refpurpose>
49 <para><filename>/etc/sysctl.d/*.conf</filename></para>
50 <para><filename>/run/sysctl.d/*.conf</filename></para>
51 <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
55 <title>Description</title>
58 <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
59 reads configuration files from the above directories
61 <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
62 kernel parameters.</para>
66 <title>Configuration Format</title>
68 <para>The configuration files contain a list of
69 variable assignments, separated by newlines. Empty
70 lines and lines whose first non-whitespace character
71 is <literal>#</literal> or <literal>;</literal> are
74 <para>Each configuration file shall be named in the
75 style of <filename><replaceable>program</replaceable>.conf</filename>.
76 Files in <filename>/etc/</filename> override files
77 with the same name in <filename>/usr/lib/</filename>
78 and <filename>/run/</filename>. Files in
79 <filename>/run/</filename> override files with the same
80 name in <filename>/usr/lib/</filename>. Packages
81 should install their configuration files in
82 <filename>/usr/lib/</filename>. Files in
83 <filename>/etc/</filename> are reserved for the local
84 administrator, who may use this logic to override the
85 configuration files installed by vendor packages. All
86 configuration files are sorted by their filename in
87 lexicographic order, regardless of which of the
88 directories they reside in. If multiple files specify the
89 same variable name, the entry in the file with the
90 lexicographically latest name will be applied. It is
91 recommended to prefix all filenames with a two-digit
92 number and a dash, to simplify the ordering of the
95 <para>Note that either <literal>/</literal> or
96 <literal>.</literal> may be used as separators within
97 sysctl variable names. If the first separator is a
98 slash, remaining slashes and dots are left intact. If
99 the first separator is a dot, dots and slashes are
100 interchanged. <literal>kernel.domainname=foo</literal>
101 and <literal>kernel/domainname=foo</literal> are
102 equivalent and will cause <literal>foo</literal> to
104 <filename>/proc/sys/kernel/domainname</filename>.
106 <literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
108 <literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
109 may be used to refer to
110 <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
113 <para>If the administrator wants to disable a
114 configuration file supplied by the vendor, the
115 recommended way is to place a symlink to
116 <filename>/dev/null</filename> in
117 <filename>/etc/sysctl.d/</filename> bearing the
118 same filename.</para>
120 <para>The settings configured with
121 <filename>sysctl.d</filename> files will be applied
122 early on boot. The network interface-specific options
123 will also be applied individually for each network
124 interface as it shows up in the system. (More
126 <filename>net.ipv4.conf.*</filename>,
127 <filename>net.ipv6.conf.*</filename>,
128 <filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>).</para>
130 <para>Many sysctl parameters only become available
131 when certain kernel modules are loaded. Modules are
132 usually loaded on demand, e.g. when certain hardware
133 is plugged in or network brought up. This means that
134 <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> which runs
135 during early boot will not configure such parameters
136 if they become available after it has run. To
137 set such parameters, it is recommended to add
138 an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
139 available. Alternatively, a slightly simpler and
140 less efficient option is to add the module to
141 <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
142 before sysctl settings are applied (see
143 example below).</para>
147 <title>Examples</title>
149 <title>Set kernel YP domain name</title>
150 <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
153 <programlisting>kernel.domainname=example.com</programlisting>
157 <title>Disable packet filter on bridged packets (method one)</title>
158 <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
161 <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
164 <para><filename>/etc/sysctl.d/bridge.conf</filename>:
167 <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
168 net.bridge.bridge-nf-call-iptables = 0
169 net.bridge.bridge-nf-call-arptables = 0
174 <title>Disable packet filter on bridged packets (method two)</title>
175 <para><filename>/etc/modules-load.d/bridge.conf</filename>:
178 <programlisting>bridge</programlisting>
180 <para><filename>/etc/sysctl.d/bridge.conf</filename>:
183 <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
184 net.bridge.bridge-nf-call-iptables = 0
185 net.bridge.bridge-nf-call-arptables = 0
191 <title>See Also</title>
193 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
194 <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
195 <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
196 <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
197 <citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
198 <citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>