<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
This file is part of systemd.

Copyright 2011 Lennart Poettering

systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.

systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="sysctl.d">

<title>sysctl.d</title>
<productname>systemd</productname>

<contrib>Developer</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>

<refentrytitle>sysctl.d</refentrytitle>
<manvolnum>5</manvolnum>

<refname>sysctl.d</refname>
<refpurpose>Configure kernel parameters at boot</refpurpose>

<para><filename>/etc/sysctl.d/*.conf</filename></para>
<para><filename>/run/sysctl.d/*.conf</filename></para>
<para><filename>/usr/lib/sysctl.d/*.conf</filename></para>

<title>Description</title>

<para><citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
reads configuration files from the above directories
immediately after boot-up, to configure
<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
kernel parameters.</para>
<title>Configuration Format</title>

<para>The configuration files contain a list of
variable assignments, separated by newlines. Empty
lines and lines whose first non-whitespace character
is <literal>#</literal> or <literal>;</literal> are
ignored.</para>

<para>Each configuration file shall be named in the
style of <filename><replaceable>program</replaceable>.conf</filename>.
Files in <filename>/etc/</filename> override files
with the same name in <filename>/usr/lib/</filename>
and <filename>/run/</filename>. Files in
<filename>/run/</filename> override files with the same
name in <filename>/usr/lib/</filename>. Packages
should install their configuration files in
<filename>/usr/lib/</filename>. Files in
<filename>/etc/</filename> are reserved for the local
administrator, who may use this logic to override the
configuration files installed by vendor packages. All
configuration files are sorted by their filename in
lexicographic order, regardless of which of the
directories they reside in. If multiple files specify the
same variable name, the entry in the file with the
lexicographically latest name will be applied. It is
recommended to prefix all filenames with a two-digit
number and a dash, to simplify the ordering of the
files.</para>
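The precedence rules above, as an added shell example that is not part of systemd or of this manual page: it builds a constructed sysctl.d tree under a scratch directory (a vendor file, an <filename>/etc/</filename> override with the same name, a file in <filename>/run/</filename>, and a vendor file masked by a symlink to <filename>/dev/null</filename>), lists the files that would be applied in order, and resolves the final value of a key. The function names, the sample file names and their contents are assumptions for illustration; it needs only POSIX sh, awk, sort and coreutils.

```shell
#!/bin/sh
# Added example, not systemd's own code: models the sysctl.d merge rules on a
# constructed directory tree so the ordering can be checked without touching
# the real /etc, /run or /usr/lib. Function names and sample contents are
# assumptions for illustration.
set -eu

# Constructed sample tree: a vendor file, an /etc override with the same name,
# a runtime file in /run, and a vendor file masked by a symlink to /dev/null
# (the disabling mechanism the page recommends).
make_sample_tree() {
    root="$1"
    mkdir -p "$root/etc/sysctl.d" "$root/run/sysctl.d" "$root/usr/lib/sysctl.d"
    printf 'net.ipv4.ip_forward = 1\n'          > "$root/usr/lib/sysctl.d/50-vendor.conf"
    printf 'net.ipv4.ip_forward = 0\n'          > "$root/etc/sysctl.d/50-vendor.conf"
    printf 'kernel.domainname = run.example\n'  > "$root/run/sysctl.d/10-runtime.conf"
    printf 'kernel.domainname = etc.example\n'  > "$root/etc/sysctl.d/90-local.conf"
    printf 'fs.protected_symlinks = 0\n'        > "$root/usr/lib/sysctl.d/20-weaken.conf"
    ln -s /dev/null "$root/etc/sysctl.d/20-weaken.conf"
}

# Files that would actually be applied, in application order: for each
# basename keep the copy from the highest-priority directory
# (/etc > /run > /usr/lib), then sort the survivors lexicographically.
effective_files() {
    root="$1"
    for d in etc run usr/lib; do
        case "$d" in etc) rank=0 ;; run) rank=1 ;; *) rank=2 ;; esac
        for f in "$root/$d/sysctl.d"/*.conf; do
            [ -e "$f" ] || continue
            printf '%s %s %s\n' "$(basename "$f")" "$rank" "$f"
        done
    done | sort -k1,1 -k2,2n | awk '!seen[$1]++ { print $3 }'
}

# Final value of KEY: replay the effective files in order and keep the last
# assignment. Comment ('#', ';') and empty lines are skipped; a file masked
# with /dev/null simply reads as empty and so contributes nothing.
effective_value() {
    root="$1"; key="$2"
    effective_files "$root" | while read -r f; do
        awk -v k="$key" -F'=' '
            /^[[:space:]]*([#;]|$)/ { next }
            NF >= 2 {
                n = $1; v = $2
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", n)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                if (n == k) print v
            }' "$f"
    done | tail -n 1
}

# Run with --demo to see which file wins for each constructed key.
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"; make_sample_tree "$tmp"
    effective_files "$tmp"
    for k in net.ipv4.ip_forward kernel.domainname fs.protected_symlinks; do
        printf '%s -> [%s]\n' "$k" "$(effective_value "$tmp" "$k")"
    done
    rm -rf "$tmp"
fi
```

With the constructed tree, <filename>net.ipv4.ip_forward</filename> resolves to <literal>0</literal> (the <filename>/etc/</filename> copy of <filename>50-vendor.conf</filename> replaces the vendor copy), <filename>kernel.domainname</filename> resolves to <literal>etc.example</literal> (<filename>90-local.conf</filename> sorts after <filename>10-runtime.conf</filename>), and <filename>fs.protected_symlinks</filename> has no value at all because the masked <filename>20-weaken.conf</filename> hides the vendor file. The last case is the one worth auditing: a mask in <filename>/etc/</filename> silently removes a vendor setting, so <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry> is the tool to review such overrides.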
<para>Note that either <literal>/</literal> or
<literal>.</literal> may be used as separators within
sysctl variable names. If the first separator is a
slash, remaining slashes and dots are left intact. If
the first separator is a dot, dots and slashes are
interchanged. <literal>kernel.domainname=foo</literal>
and <literal>kernel/domainname=foo</literal> are
equivalent and will cause <literal>foo</literal> to
be written to
<filename>/proc/sys/kernel/domainname</filename>.
Either
<literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
or
<literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
may be used to refer to
<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
</para>
<para>If the administrator wants to disable a
configuration file supplied by the vendor, the
recommended way is to place a symlink to
<filename>/dev/null</filename> in
<filename>/etc/sysctl.d/</filename> bearing the
same filename.</para>

<para>The settings configured with
<filename>sysctl.d</filename> files will be applied
early on boot. The network interface-specific options
will also be applied individually for each network
interface as it shows up in the system. (More
specifically,
<filename>net.ipv4.conf.*</filename>,
<filename>net.ipv6.conf.*</filename>,
<filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>).</para>

<para>Many sysctl parameters only become available
when certain kernel modules are loaded. Modules are
usually loaded on demand, e.g. when certain hardware
is plugged in or the network is brought up. This means that
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, which runs
during early boot, will not configure such parameters
if they only become available after it has run. To
set such parameters, it is recommended to add
an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule that sets them when they become
available. Alternatively, a slightly simpler but
less efficient option is to add the module to
<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
before sysctl settings are applied (see
example below).</para>
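Two points from this section as one added shell example, which is neither systemd's code nor part of this manual page: first, the <literal>/</literal> versus <literal>.</literal> separator rule from the Configuration Format section, implemented as a mapping from a variable name to its <filename>/proc/sys</filename> path; second, a pre-flight check for the module-availability problem just described, listing the keys in a <filename>sysctl.d</filename> file that have no backing <filename>/proc/sys</filename> entry yet and therefore need the udev or modules-load.d approach rather than early-boot application alone. The function names, the optional second argument that redirects the lookup to another tree, and the constructed stand-in for <filename>/proc/sys</filename> are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not systemd's own code. Function names and the constructed
# stand-in for /proc/sys are assumptions for illustration.
set -eu

# Map a sysctl.d variable name to its /proc/sys path using the page's rule:
# if the first separator is '/', the name is taken as-is; if it is '.', every
# '.' becomes '/' and every '/' becomes '.'. PROCSYS defaults to /proc/sys and
# can point at another tree for offline testing.
sysctl_key_to_path() {
    key="$1"; procsys="${2:-/proc/sys}"
    head="${key%%[./]*}"        # text before the first '.' or '/'
    rest="${key#"$head"}"       # from the first separator on ("" if none)
    case "$rest" in
        .*) path="$(printf '%s' "$key" | tr './' '/.')" ;;  # dot first: swap
        *)  path="$key" ;;                                  # slash first, or no separator
    esac
    printf '%s/%s\n' "$procsys" "$path"
}

# Print every key in CONF whose backing file does not exist under PROCSYS.
# At early boot such keys belong to a module that is not loaded yet, so
# systemd-sysctl cannot set them; these are the ones that need a udev rule
# or a modules-load.d entry. Comment ('#', ';') and empty lines are ignored.
missing_params() {
    conf="$1"; procsys="${2:-/proc/sys}"
    awk -F'=' '
        /^[[:space:]]*([#;]|$)/ { next }
        NF >= 2 { k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); print k }
    ' "$conf" |
    while read -r k; do
        [ -e "$(sysctl_key_to_path "$k" "$procsys")" ] || printf '%s\n' "$k"
    done
}

# Constructed stand-in for /proc/sys: kernel and ipv4 entries exist, but
# nothing under net/bridge, as on a system where the bridge module is not loaded.
make_fake_procsys() {
    root="$1"
    mkdir -p "$root/kernel" "$root/net/ipv4/conf/enp3s0.200"
    : > "$root/kernel/domainname"
    : > "$root/net/ipv4/conf/enp3s0.200/forwarding"
}

# Constructed sysctl.d file that mixes both separator styles.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
kernel.domainname = example.com
net/ipv4/conf/enp3s0.200/forwarding = 1
net.bridge.bridge-nf-call-iptables = 0
EOF
}

# Run with --demo to list the keys that would be skipped at early boot.
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"; make_fake_procsys "$tmp"; write_sample_conf "$tmp/bridge.conf"
    echo "keys without a backing /proc/sys entry:"
    missing_params "$tmp/bridge.conf" "$tmp"
    rm -rf "$tmp"
fi
```

Against the constructed tree only <literal>net.bridge.bridge-nf-call-iptables</literal> is reported, which is exactly the case the two examples below handle with a udev rule or a modules-load.d entry. On a real system, running <literal>missing_params /etc/sysctl.d/bridge.conf</literal> after boot gives the same answer for the live <filename>/proc/sys</filename>.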
<title>Examples</title>

<title>Set kernel YP domain name</title>
<para><filename>/etc/sysctl.d/domain-name.conf</filename>:
</para>

<programlisting>kernel.domainname=example.com</programlisting>

<title>Disable packet filter on bridged packets (method one)</title>
<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
</para>

<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

<para><filename>/etc/sysctl.d/bridge.conf</filename>:
</para>

<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

<title>Disable packet filter on bridged packets (method two)</title>
<para><filename>/etc/modules-load.d/bridge.conf</filename>:
</para>

<programlisting>bridge</programlisting>

<para><filename>/etc/sysctl.d/bridge.conf</filename>:
</para>

<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>

</refentry>