1SYSCTL.D(5)                        sysctl.d                        SYSCTL.D(5)
2
3
4

NAME

6       sysctl.d - Configure kernel parameters at boot
7

SYNOPSIS

9       /etc/sysctl.d/*.conf
10
11       /run/sysctl.d/*.conf
12
13       /usr/lib/sysctl.d/*.conf
14
15       key.name.under.proc.sys = some value
16       key/name/under/proc/sys = some value
17       key/middle.part.with.dots/foo = 123
18       key.middle/part/with/dots.foo = 123
19       -key.that.will.not.fail = value
20       key.pattern.*.with.glob = whatever
21       -key.pattern.excluded.with.glob
22       key.pattern.overridden.with.glob = custom
23

DESCRIPTION

25       At boot, systemd-sysctl.service(8) reads configuration files from the
26       above directories to configure sysctl(8) kernel parameters.
27

CONFIGURATION FORMAT

29       The configuration files contain a list of variable assignments,
30       separated by newlines. Empty lines and lines whose first non-whitespace
31       character is "#" or ";" are ignored.
32
33       Note that either "/" or "."  may be used as separators within sysctl
34       variable names. If the first separator is a slash, remaining slashes
35       and dots are left intact. If the first separator is a dot, dots and
36       slashes are interchanged.  "kernel.domainname=foo" and
37       "kernel/domainname=foo" are equivalent and will cause "foo" to be
38       written to /proc/sys/kernel/domainname. Either
39       "net.ipv4.conf.enp3s0/200.forwarding" or
40       "net/ipv4/conf/enp3s0.200/forwarding" may be used to refer to
41       /proc/sys/net/ipv4/conf/enp3s0.200/forwarding. A glob glob(7) pattern
42       may be used to write the same value to all matching keys. Keys for
43       which an explicit pattern exists will be excluded from any glob
44       matching. In addition, a key may be explicitly excluded from being set
45       by any matching glob patterns by specifying the key name prefixed with
46       a "-" character and not followed by "=", see SYNOPSIS.
47
48       Any access permission errors and attempts to write variables not
49       present on the local system are logged at debug level and do not cause
50       the service to fail. Moreover, if a variable assignment is prefixed
51       with a single "-" character, failure to set the variable for other
52       reasons will be logged at debug level and will not cause the service to
53       fail. In other cases, errors when setting variables are logged with
54       higher priority and cause the service to return failure at the end
55       (after processing other variables).
56
57       The settings configured with sysctl.d files will be applied early on
58       boot. The network interface-specific options will also be applied
59       individually for each network interface as it shows up in the system.
60       (More specifically, net.ipv4.conf.*, net.ipv6.conf.*, net.ipv4.neigh.*
61       and net.ipv6.neigh.*).
62
63       Many sysctl parameters only become available when certain kernel
64       modules are loaded. Modules are usually loaded on demand, e.g. when
65       certain hardware is plugged in or network brought up. This means that
66       systemd-sysctl.service(8) which runs during early boot will not
67       configure such parameters if they become available after it has run. To
68       set such parameters, it is recommended to add an udev(7) rule to set
69       those parameters when they become available. Alternatively, a slightly
70       simpler and less efficient option is to add the module to modules-
71       load.d(5), causing it to be loaded statically before sysctl settings
72       are applied (see example below).
73

CONFIGURATION DIRECTORIES AND PRECEDENCE

75       Configuration files are read from directories in /etc/, /run/,
76       /usr/local/lib/, and /usr/lib/, in order of precedence, as listed in
77       the SYNOPSIS section above. Files must have the ".conf" extension.
78       Files in /etc/ override files with the same name in /run/,
79       /usr/local/lib/, and /usr/lib/. Files in /run/ override files with the
80       same name under /usr/.
81
82       All configuration files are sorted by their filename in lexicographic
83       order, regardless of which of the directories they reside in. If
84       multiple files specify the same option, the entry in the file with the
85       lexicographically latest name will take precedence. Thus, the
86       configuration in a certain file may either be replaced completely (by
87       placing a file with the same name in a directory with higher priority),
88       or individual settings might be changed (by specifying additional
89       settings in a file with a different name that is ordered later).
90
91       Packages should install their configuration files in /usr/lib/
92       (distribution packages) or /usr/local/lib/ (local installs). Files in
93       /etc/ are reserved for the local administrator, who may use this logic
94       to override the configuration files installed by vendor packages. It is
95       recommended to prefix all filenames with a two-digit number and a dash,
96       to simplify the ordering of the files.
97
98       If the administrator wants to disable a configuration file supplied by
99       the vendor, the recommended way is to place a symlink to /dev/null in
100       the configuration directory in /etc/, with the same filename as the
101       vendor configuration file. If the vendor configuration file is included
102       in the initrd image, the image has to be regenerated.
103

EXAMPLES

105       Example 1. Set kernel YP domain name
106
107       /etc/sysctl.d/domain-name.conf:
108
109           kernel.domainname=example.com
110
111       Example 2. Apply settings available only when a certain module is
112       loaded (method one)
113
114       /etc/udev/rules.d/99-bridge.rules:
115
116           ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
117                 RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
118
119       /etc/sysctl.d/bridge.conf:
120
121           net.bridge.bridge-nf-call-ip6tables = 0
122           net.bridge.bridge-nf-call-iptables = 0
123           net.bridge.bridge-nf-call-arptables = 0
124
125       This method applies settings when the module is loaded. Please note
126       that, unless the br_netfilter module is loaded, bridged packets will
127       not be filtered by Netfilter (starting with kernel 3.18), so simply not
128       loading the module is sufficient to avoid filtering.
129
130       Example 3. Apply settings available only when a certain module is
131       loaded (method two)
132
133       /etc/modules-load.d/bridge.conf:
134
135           br_netfilter
136
137       /etc/sysctl.d/bridge.conf:
138
139           net.bridge.bridge-nf-call-ip6tables = 0
140           net.bridge.bridge-nf-call-iptables = 0
141           net.bridge.bridge-nf-call-arptables = 0
142
143       This method forces the module to be always loaded. Please note that,
144       unless the br_netfilter module is loaded, bridged packets will not be
145       filtered with Netfilter (starting with kernel 3.18), so simply not
146       loading the module is sufficient to avoid filtering.
147
148       Example 4. Set network routing properties for all interfaces
149
150       /etc/sysctl.d/20-rp_filter.conf:
151
152           net.ipv4.conf.default.rp_filter = 2
153           net.ipv4.conf.*.rp_filter = 2
154           -net.ipv4.conf.all.rp_filter
155           net.ipv4.conf.hub0.rp_filter = 1
156
157       The rp_filter key will be set to "2" for all interfaces, except "hub0".
158       We set net.ipv4.conf.default.rp_filter first, so any interfaces which
159       are added later will get this value (this also covers any interfaces
160       detected while we're running). The glob matches any interfaces which
161       were detected earlier. The glob will also match
162       net.ipv4.conf.all.rp_filter, which we don't want to set at all, so it
163       is explicitly excluded. And "hub0" is excluded from the glob because it
164       has an explicit setting.
165

SEE ALSO

167       systemd(1), systemd-sysctl.service(8), systemd-delta(1), sysctl(8),
168       sysctl.conf(5), modprobe(8)
169
170
171
172systemd 246                                                        SYSCTL.D(5)
Impressum