SYSCTL.D(5)                        sysctl.d                        SYSCTL.D(5)

NAME
sysctl.d - Configure kernel parameters at boot

SYNOPSIS
/etc/sysctl.d/*.conf

/run/sysctl.d/*.conf

/usr/lib/sysctl.d/*.conf

key.name.under.proc.sys = some value
key/name/under/proc/sys = some value
key/middle.part.with.dots/foo = 123
key.middle/part/with/dots.foo = 123
-key.that.will.not.fail = value
key.pattern.*.with.glob = whatever
-key.pattern.excluded.with.glob
key.pattern.overridden.with.glob = custom

DESCRIPTION
At boot, systemd-sysctl.service(8) reads configuration files from the
above directories to configure sysctl(8) kernel parameters.

The configuration files contain a list of variable assignments,
separated by newlines. Empty lines and lines whose first non-whitespace
character is "#" or ";" are ignored.

Note that either "/" or "." may be used as separators within sysctl
variable names. If the first separator is a slash, remaining slashes
and dots are left intact. If the first separator is a dot, dots and
slashes are interchanged. "kernel.domainname=foo" and
"kernel/domainname=foo" are equivalent and will cause "foo" to be
written to /proc/sys/kernel/domainname. Either
"net.ipv4.conf.enp3s0/200.forwarding" or
"net/ipv4/conf/enp3s0.200/forwarding" may be used to refer to
/proc/sys/net/ipv4/conf/enp3s0.200/forwarding. A glob(7) pattern
may be used to write the same value to all matching keys. Keys for
which an explicit, non-glob entry exists will be excluded from any glob
matching. In addition, a key may be explicitly excluded from being set
by any matching glob patterns by specifying the key name prefixed with
a "-" character and not followed by "=", see SYNOPSIS.

Any access permission errors and attempts to write variables not
present on the local system are logged, but do not cause the service to
fail. Debug log level is used, which means that the message will not
show up at all by default. Moreover, if a variable assignment is
prefixed with a single "-" character, any failure to set the variable
will be logged at debug level, but will not cause the service to fail.
All other errors when setting variables are logged with higher priority
and cause the service to return failure at the end (other variables are
still processed).

The settings configured with sysctl.d files will be applied early on
boot. The network interface-specific options will also be applied
individually for each network interface as it shows up in the system.
(More specifically, net.ipv4.conf.*, net.ipv6.conf.*, net.ipv4.neigh.*
and net.ipv6.neigh.*).

Many sysctl parameters only become available when certain kernel
modules are loaded. Modules are usually loaded on demand, e.g. when
certain hardware is plugged in or a network interface is brought up.
This means that systemd-sysctl.service(8), which runs during early
boot, will not configure such parameters if they become available after
it has run. To set such parameters, it is recommended to add a udev(7)
rule to set those parameters when they become available. Alternatively,
a slightly simpler and less efficient option is to add the module to
modules-load.d(5), causing it to be loaded statically before sysctl
settings are applied (see example below).

CONFIGURATION DIRECTORIES AND PRECEDENCE
Configuration files are read from directories in /etc/, /run/,
/usr/local/lib/, and /usr/lib/, in order of precedence, as listed in
the SYNOPSIS section above. Files must have the ".conf" extension.
Files in /etc/ override files with the same name in /run/,
/usr/local/lib/, and /usr/lib/. Files in /run/ override files with the
same name under /usr/.

All configuration files are sorted by their filename in lexicographic
order, regardless of which of the directories they reside in. If
multiple files specify the same option, the entry in the file with the
lexicographically latest name will take precedence. Thus, the
configuration in a certain file may either be replaced completely (by
placing a file with the same name in a directory with higher priority),
or individual settings might be changed (by specifying additional
settings in a file with a different name that is ordered later).

Packages should install their configuration files in /usr/lib/
(distribution packages) or /usr/local/lib/ (local installs). Files in
/etc/ are reserved for the local administrator, who may use this logic
to override the configuration files installed by vendor packages. It is
recommended to prefix all filenames with a two-digit number and a dash,
to simplify the ordering of the files.

If the administrator wants to disable a configuration file supplied by
the vendor, the recommended way is to place a symlink to /dev/null in
the configuration directory in /etc/, with the same filename as the
vendor configuration file. If the vendor configuration file is included
in the initrd image, the image has to be regenerated.

EXAMPLES
Example 1. Set kernel YP domain name

/etc/sysctl.d/domain-name.conf:

kernel.domainname=example.com

Example 2. Apply settings available only when a certain module is loaded
(method one)

/etc/udev/rules.d/99-bridge.rules:

ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"

/etc/sysctl.d/bridge.conf:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

This method applies settings when the module is loaded. Please note
that, unless the br_netfilter module is loaded, bridged packets will
not be filtered by Netfilter (starting with kernel 3.18), so simply not
loading the module is sufficient to avoid filtering.

Example 3. Apply settings available only when a certain module is loaded
(method two)

/etc/modules-load.d/bridge.conf:

br_netfilter

/etc/sysctl.d/bridge.conf:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

This method forces the module to be always loaded. Please note that,
unless the br_netfilter module is loaded, bridged packets will not be
filtered with Netfilter (starting with kernel 3.18), so simply not
loading the module is sufficient to avoid filtering.

Example 4. Set network routing properties for all interfaces

/etc/systemd/20-rp_filter.conf:

net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
net.ipv4.conf.hub0.rp_filter = 1

The rp_filter key will be set to "2" for all interfaces, except "hub0".
We set net.ipv4.conf.default.rp_filter first, so any interfaces which
are added later will get this value (this also covers any interfaces
detected while we're running). The glob matches any interfaces which
were detected earlier. The glob will also match
net.ipv4.conf.all.rp_filter, which we don't want to set at all, so it
is explicitly excluded. And "hub0" is excluded from the glob because it
has an explicit setting.

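The following dry-run resolver is an added example and is not part of
systemd or of this manual page. It models, in one place, the three sets
of rules above: the key spelling and "-" prefix handling from
DESCRIPTION, the same-name override and lexicographic ordering from
CONFIGURATION DIRECTORIES AND PRECEDENCE, and the rule from Example 4
that explicit keys and bare "-key" lines are never touched by a glob.
The file contents and the list of /proc/sys entries are constructed
fixtures; the Example 4 file is placed in /etc/sysctl.d/, the directory
the SYNOPSIS lists, so that the resolver finds it. Bracket expressions
in globs are not modelled, and a real run would log, rather than apply,
explicit keys that are absent from /proc/sys.

```python
"""Dry-run resolver for the sysctl.d(5) rules above (added example, not
systemd code): key spelling and "-" prefixes, same-name override plus
lexicographic ordering, and explicit keys winning over globs. All file
contents and /proc/sys entries below are constructed fixtures."""
import re

# Directories in order of precedence, highest first (from the man page).
SEARCH_DIRS = ["/etc/sysctl.d", "/run/sysctl.d",
               "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d"]

def key_to_path(key):
    """First separator "." -> dots and slashes interchanged; "/" -> kept."""
    first = re.search(r"[./]", key)
    if first and first.group() == ".":
        key = key.translate(str.maketrans("./", "/."))
    return "/proc/sys/" + key

def parse_line(line):
    """None for blank/comment lines, else {path, value, ignore_failure};
    value is None for a bare "-key" (exclude the key from globs)."""
    line = line.strip()
    if not line or line[0] in "#;":
        return None
    ignore = line.startswith("-")
    if ignore:
        line = line[1:].strip()
    key, sep, value = (s.strip() for s in line.partition("="))
    return {"path": key_to_path(key), "value": value if sep else None,
            "ignore_failure": ignore}

def glob_match(pattern, path):
    """glob(7)-style "*" and "?" that do not cross "/" (no bracket expressions)."""
    rx = "".join("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, path) is not None

def select_files(files):
    """files: {directory: {basename: text}}. A basename in a higher-precedence
    directory hides the same name lower down; survivors sort by basename."""
    chosen = {}
    for directory in SEARCH_DIRS:
        for name, text in files.get(directory, {}).items():
            if name.endswith(".conf"):
                chosen.setdefault(name, text)
    return [chosen[name] for name in sorted(chosen)]

def resolve(files, existing):
    """{path: value} that would be written, given the paths present under
    /proc/sys. Later lines win; explicit or "-key" entries beat globs."""
    explicit, excluded, globs = {}, set(), []
    for text in select_files(files):
        for line in text.splitlines():
            entry = parse_line(line)
            if entry is None:
                continue
            path, value = entry["path"], entry["value"]
            if value is None:                      # bare "-key"
                excluded.add(path)
                explicit.pop(path, None)
            elif "*" in path or "?" in path:       # glob pattern
                globs.append((path, value))
            else:                                  # explicit key
                explicit[path] = value
                excluded.discard(path)
    result = {}
    for pattern, value in globs:  # globs first, so explicit keys win below
        for path in existing:
            if (glob_match(pattern, path) and path not in explicit
                    and path not in excluded):
                result[path] = value
    result.update(explicit)  # a real run only logs keys absent from /proc/sys
    return result

# Constructed fixture: a vendor file hidden by an /etc/ file of the same name,
# the rp_filter file from Example 4 placed in /etc/sysctl.d/, and a later
# local file overriding one of its settings with the slash spelling.
SAMPLE_FILES = {
    "/usr/lib/sysctl.d": {"50-default.conf": "kernel.domainname = vendor.example\n"
                                             "net.ipv4.conf.all.accept_redirects = 1\n"},
    "/etc/sysctl.d": {
        "50-default.conf": "kernel.domainname = example.com\n",
        "20-rp_filter.conf": "net.ipv4.conf.default.rp_filter = 2\n"
                             "net.ipv4.conf.*.rp_filter = 2\n"
                             "-net.ipv4.conf.all.rp_filter\n"
                             "net.ipv4.conf.hub0.rp_filter = 1\n",
        "99-local.conf": "; ordered last, so it wins for hub0\n"
                         "net/ipv4/conf/hub0/rp_filter = 0\n",
    },
}
SAMPLE_EXISTING = ["/proc/sys/kernel/domainname",
                   "/proc/sys/net/ipv4/conf/default/rp_filter",
                   "/proc/sys/net/ipv4/conf/all/rp_filter",
                   "/proc/sys/net/ipv4/conf/eth0/rp_filter",
                   "/proc/sys/net/ipv4/conf/hub0/rp_filter"]

if __name__ == "__main__":
    for path, value in sorted(resolve(SAMPLE_FILES, SAMPLE_EXISTING).items()):
        print(f"{path} = {value}")
```

Running it prints the four writes that would happen: the vendor
accept_redirects line never appears because the whole vendor file is
hidden by the /etc/ file of the same name, "all" is skipped because of
the bare "-" line, "eth0" gets "2" from the glob, and "hub0" ends up at
"0" because 99-local.conf sorts after 20-rp_filter.conf. To audit a real
host, read the directories from SEARCH_DIRS into the same
{directory: {basename: text}} shape and take the existing paths from an
os.walk over /proc/sys.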
SEE ALSO
systemd(1), systemd-sysctl.service(8), systemd-delta(1), sysctl(8),
sysctl.conf(5), modprobe(8)

systemd 245                                                      SYSCTL.D(5)