SYSCTL.D(5) sysctl.d SYSCTL.D(5)

NAME
sysctl.d - Configure kernel parameters at boot

SYNOPSIS
/etc/sysctl.d/*.conf

/run/sysctl.d/*.conf

/usr/lib/sysctl.d/*.conf

    key.name.under.proc.sys = some value
    key/name/under/proc/sys = some value
    key/middle.part.with.dots/foo = 123
    key.middle/part/with/dots.foo = 123
    -key.that.will.not.fail = value
    key.pattern.*.with.glob = whatever
    -key.pattern.excluded.with.glob
    key.pattern.overridden.with.glob = custom

DESCRIPTION
At boot, systemd-sysctl.service(8) reads configuration files from the
above directories to configure sysctl(8) kernel parameters.

CONFIGURATION FORMAT
The configuration files contain a list of variable assignments,
separated by newlines. Empty lines and lines whose first non-whitespace
character is "#" or ";" are ignored.

Note that either "/" or "." may be used as separators within sysctl
variable names. If the first separator is a slash, remaining slashes
and dots are left intact. If the first separator is a dot, dots and
slashes are interchanged. "kernel.domainname=foo" and
"kernel/domainname=foo" are equivalent and will cause "foo" to be
written to /proc/sys/kernel/domainname. Either
"net.ipv4.conf.enp3s0/200.forwarding" or
"net/ipv4/conf/enp3s0.200/forwarding" may be used to refer to
/proc/sys/net/ipv4/conf/enp3s0.200/forwarding. A glob(7) pattern may
be used to write the same value to all matching keys. Keys for which an
explicit (non-glob) setting exists will be excluded from any glob
matching. In addition, a key may be explicitly excluded from being set
by any matching glob patterns by specifying the key name prefixed with
a "-" character and not followed by "=", see SYNOPSIS.

Any access permission errors and attempts to write variables not
present on the local system are logged at debug level and do not cause
the service to fail. Moreover, if a variable assignment is prefixed
with a single "-" character, failure to set the variable for other
reasons will be logged at debug level and will not cause the service to
fail. In other cases, errors when setting variables are logged with
higher priority and cause the service to return failure at the end
(after processing other variables).

The settings configured with sysctl.d files will be applied early at
boot. The network interface-specific options will also be applied
individually for each network interface as it shows up in the system.
(More specifically, net.ipv4.conf.*, net.ipv6.conf.*, net.ipv4.neigh.*
and net.ipv6.neigh.*).

Many sysctl parameters only become available when certain kernel
modules are loaded. Modules are usually loaded on demand, e.g. when
certain hardware is plugged in or the network is brought up. This means
that systemd-sysctl.service(8), which runs during early boot, will not
configure such parameters if they become available after it has run. To
set such parameters, it is recommended to add a udev(7) rule to set
those parameters when they become available. Alternatively, a slightly
simpler and less efficient option is to add the module to
modules-load.d(5), causing it to be loaded statically before sysctl
settings are applied (see the examples below).

CONFIGURATION DIRECTORIES AND PRECEDENCE
Configuration files are read from directories in /etc/, /run/,
/usr/local/lib/, and /usr/lib/, in order of precedence, as listed in
the SYNOPSIS section above. Files must have the ".conf" extension.
Files in /etc/ override files with the same name in /run/,
/usr/local/lib/, and /usr/lib/. Files in /run/ override files with the
same name under /usr/.

All configuration files are sorted by their filename in lexicographic
order, regardless of which of the directories they reside in. If
multiple files specify the same option, the entry in the file with the
lexicographically latest name will take precedence. Thus, the
configuration in a certain file may either be replaced completely (by
placing a file with the same name in a directory with higher priority),
or individual settings might be changed (by specifying additional
settings in a file with a different name that is ordered later).

Packages should install their configuration files in /usr/lib/
(distribution packages) or /usr/local/lib/ (local installs). Files in
/etc/ are reserved for the local administrator, who may use this logic
to override the configuration files installed by vendor packages. It is
recommended to prefix all filenames with a two-digit number and a dash,
to simplify the ordering of the files.

If the administrator wants to disable a configuration file supplied by
the vendor, the recommended way is to place a symlink to /dev/null in
the configuration directory in /etc/, with the same filename as the
vendor configuration file. If the vendor configuration file is included
in the initrd image, the image has to be regenerated.
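The directory precedence, same-name override, lexicographic ordering and /dev/null masking rules above, as an added Python model that is not systemd's own code (systemd-sysctl is written in C). It runs over a constructed in-memory directory listing instead of the real filesystem, so it can be used offline to reason about which copy of a file wins and which file a given effective value came from; the file names, their contents and the values in them are invented for the example.

```python
import os

# Search directories in the man page's order of precedence (highest first).
SYSCTL_DIRS = (
    "/etc/sysctl.d",
    "/run/sysctl.d",
    "/usr/local/lib/sysctl.d",
    "/usr/lib/sysctl.d",
)

# Constructed directory listing standing in for the real filesystem. A value of
# None models a symlink to /dev/null, the documented way to mask a vendor file.
SAMPLE_TREE = {
    "/usr/lib/sysctl.d": {
        "50-default.conf": "net.ipv4.conf.default.rp_filter = 2\nkernel.sysrq = 16\n",
        "60-vendor.conf": "kernel.sysrq = 1\n",
    },
    "/run/sysctl.d": {
        "50-default.conf": "net.ipv4.conf.default.rp_filter = 1\n",  # same name: beats /usr/lib
        "99-local.conf": "kernel.sysrq = 64\n",                        # same name: loses to /etc
    },
    "/etc/sysctl.d": {
        "60-vendor.conf": None,  # /etc/sysctl.d/60-vendor.conf -> /dev/null
        "99-local.conf": "kernel.sysrq = 0\nnet.ipv4.ip_forward = 0\n",
        "README": "kernel.sysrq = 1\n",  # no .conf suffix: never read
    },
}


def select_conf_files(tree):
    """Pick which copy of each *.conf wins and return [(name, directory, content)]
    in the order the settings are applied: lexicographic by file name, regardless
    of the directory the winning copy lives in."""
    chosen = {}
    for directory in SYSCTL_DIRS:          # highest precedence first ...
        for name, content in tree.get(directory, {}).items():
            if not name.endswith(".conf"):
                continue
            chosen.setdefault(name, (directory, content))   # ... so the first copy seen wins
    return [(name, d, content) for name, (d, content) in sorted(chosen.items())]


def effective_settings(files):
    """Merge the selected files. Later files override earlier ones per key; a
    masked (None) file contributes nothing but still shadows the vendor copy.
    Only plain "key = value" lines are handled here; key normalization, globs
    and the "-" prefix are a separate concern of the configuration format."""
    result = {}
    for name, directory, content in files:
        if content is None:
            continue
        for line in content.splitlines():
            line = line.strip()
            if not line or line[0] in "#;" or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            result[key] = (value, os.path.join(directory, name))
    return result


if __name__ == "__main__":
    files = select_conf_files(SAMPLE_TREE)
    for name, directory, content in files:
        print(f"{name:<18} from {directory}" + ("  (masked)" if content is None else ""))
    for key, (value, source) in sorted(effective_settings(files).items()):
        print(f"{key} = {value}   # {source}")
```

Running it shows 50-default.conf taken from /run/ (so rp_filter ends up 1, not the vendor's 2), 60-vendor.conf masked, and kernel.sysrq decided by the lexicographically last file, /etc/sysctl.d/99-local.conf. Recording the source path next to each value is the part worth keeping in a real audit script: it answers "which file set this" without rerunning the service.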

EXAMPLES
Example 1. Set kernel YP domain name

/etc/sysctl.d/domain-name.conf:

    kernel.domainname=example.com

Example 2. Apply settings available only when a certain module is
loaded (method one)

/etc/udev/rules.d/99-bridge.rules:

    ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
    RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"

/etc/sysctl.d/bridge.conf:

    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0

This method applies settings when the module is loaded. Please note
that, unless the br_netfilter module is loaded, bridged packets will
not be filtered by Netfilter (starting with kernel 3.18), so simply not
loading the module is sufficient to avoid filtering.

Example 3. Apply settings available only when a certain module is
loaded (method two)

/etc/modules-load.d/bridge.conf:

    br_netfilter

/etc/sysctl.d/bridge.conf:

    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0

This method forces the module to be always loaded. Please note that,
unless the br_netfilter module is loaded, bridged packets will not be
filtered by Netfilter (starting with kernel 3.18), so simply not
loading the module is sufficient to avoid filtering.

Example 4. Set network routing properties for all interfaces

/etc/sysctl.d/20-rp_filter.conf:

    net.ipv4.conf.default.rp_filter = 2
    net.ipv4.conf.*.rp_filter = 2
    -net.ipv4.conf.all.rp_filter
    net.ipv4.conf.hub0.rp_filter = 1

The rp_filter key will be set to "2" for all interfaces, except "hub0".
We set net.ipv4.conf.default.rp_filter first, so any interfaces which
are added later will get this value (this also covers any interfaces
detected while we're running). The glob matches any interfaces which
were detected earlier. The glob will also match
net.ipv4.conf.all.rp_filter, which we don't want to set at all, so it
is explicitly excluded. And "hub0" is excluded from the glob because it
has an explicit setting.
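The key normalization, glob matching and "-" prefix rules from CONFIGURATION FORMAT, applied to this example's 20-rp_filter.conf, as an added Python dry-run model that is not systemd's own code (systemd-sysctl is written in C). It assumes a constructed snapshot of the keys present under /proc/sys and approximates glob(7) with fnmatch applied segment by segment, so "*" never crosses a "/"; it writes nothing, it only reports what would be written and which explicit keys are absent on the host. The two extra lines appended after Example 4's content are constructed to show the failure-tolerance prefix and a missing key.

```python
import fnmatch

# Constructed snapshot of the keys that exist under /proc/sys on an imagined
# host (example data, not taken from a real system).
PROC_SYS_SNAPSHOT = frozenset({
    "kernel/domainname",
    "net/ipv4/conf/all/rp_filter",
    "net/ipv4/conf/default/rp_filter",
    "net/ipv4/conf/lo/rp_filter",
    "net/ipv4/conf/eth0/rp_filter",
    "net/ipv4/conf/hub0/rp_filter",
    "net/ipv4/conf/eth0/forwarding",
})

# Example 4 from the man page, plus two constructed lines exercising the "-"
# failure-tolerance prefix and a key that is absent from the snapshot.
RP_FILTER_CONF = """\
# /etc/sysctl.d/20-rp_filter.conf
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
net.ipv4.conf.hub0.rp_filter = 1
; constructed additions
-net.ipv4.conf.enp3s0/200.forwarding = 1
kernel.domainname = example.com
"""


def key_to_path(key):
    """Normalize a sysctl name to its path below /proc/sys: if the first
    separator is "/", the name is taken literally; if it is ".", every "."
    becomes "/" and every "/" becomes "."."""
    key = key.strip()
    for ch in key:
        if ch == "/":
            return key
        if ch == ".":
            return key.translate(str.maketrans("./", "/."))
    return key


def parse_sysctl_conf(text):
    """Turn file text into entries {"path", "value", "tolerate_failure", "exclude"}.
    A leading "-" on an assignment tolerates failure to set the key; a leading
    "-" on a bare key name excludes that key from every glob."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        dashed = line.startswith("-")
        if dashed:
            line = line[1:].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries.append({"path": key_to_path(key), "value": value,
                            "tolerate_failure": dashed, "exclude": False})
        elif dashed:
            entries.append({"path": key_to_path(line), "value": None,
                            "tolerate_failure": False, "exclude": True})
        # A bare key without "-" is not an assignment; this model drops it.
    return entries


def _glob_match(pattern, path):
    """glob(7)-like matching where "*" and "?" never cross a "/"
    (approximation: plain fnmatch per path segment, no "**")."""
    p_parts, k_parts = pattern.split("/"), path.split("/")
    return len(p_parts) == len(k_parts) and all(
        fnmatch.fnmatchcase(k, p) for p, k in zip(p_parts, k_parts))


def resolve(entries, present):
    """Decide what would be written. Returns (writes, missing): writes maps
    path -> value; missing lists explicit keys absent from the host, which
    systemd-sysctl only logs at debug level."""
    explicit, excluded, globs = {}, set(), []
    for e in entries:
        if e["exclude"]:
            excluded.add(e["path"])
        elif any(c in e["path"] for c in "*?["):
            globs.append((e["path"], e["value"]))
        else:
            explicit[e["path"]] = e["value"]          # a later duplicate wins
    writes, missing = {}, []
    for path, value in explicit.items():
        if path in present:
            writes[path] = value
        else:
            missing.append(path)
    for pattern, value in globs:
        for path in sorted(present):
            # keys with an explicit setting, and explicitly excluded keys, are skipped
            if _glob_match(pattern, path) and path not in explicit and path not in excluded:
                writes[path] = value
    return writes, missing


if __name__ == "__main__":
    writes, missing = resolve(parse_sysctl_conf(RP_FILTER_CONF), PROC_SYS_SNAPSHOT)
    for path in sorted(writes):
        print(f"/proc/sys/{path} <- {writes[path]}")
    for path in missing:
        print(f"debug: /proc/sys/{path} does not exist, skipped")
```

On the snapshot above the plan is exactly what the example text promises: lo and eth0 get 2 from the glob, default keeps its explicit 2, hub0 keeps its explicit 1, and all is never touched. The absent enp3s0.200 key lands in the missing list rather than failing anything, matching the debug-level behaviour described in CONFIGURATION FORMAT.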

SEE ALSO
systemd(1), systemd-sysctl.service(8), systemd-delta(1), sysctl(8),
sysctl.conf(5), modprobe(8)

systemd 246 SYSCTL.D(5)