SYSCTL.D(5)                        sysctl.d                        SYSCTL.D(5)

NAME

       sysctl.d - Configure kernel parameters at boot

SYNOPSIS

       /etc/sysctl.d/*.conf

       /run/sysctl.d/*.conf

       /usr/lib/sysctl.d/*.conf

       key.name.under.proc.sys = some value
       key/name/under/proc/sys = some value
       key/middle.part.with.dots/foo = 123
       key.middle/part/with/dots.foo = 123
       -key.that.will.not.fail = value
       key.pattern.*.with.glob = whatever
       -key.pattern.excluded.with.glob
       key.pattern.overridden.with.glob = custom

DESCRIPTION

       At boot, systemd-sysctl.service(8) reads configuration files from the
       above directories to configure sysctl(8) kernel parameters.

CONFIGURATION FORMAT

       The configuration files contain a list of variable assignments,
       separated by newlines. Empty lines and lines whose first non-whitespace
       character is "#" or ";" are ignored.

       Note that either "/" or "." may be used as separators within sysctl
       variable names. If the first separator is a slash, remaining slashes
       and dots are left intact. If the first separator is a dot, dots and
       slashes are interchanged. "kernel.domainname=foo" and
       "kernel/domainname=foo" are equivalent and will cause "foo" to be
       written to /proc/sys/kernel/domainname. Either
       "net.ipv4.conf.enp3s0/200.forwarding" or
       "net/ipv4/conf/enp3s0.200/forwarding" may be used to refer to
       /proc/sys/net/ipv4/conf/enp3s0.200/forwarding. A glob(7) pattern may
       be used to write the same value to all matching keys. Keys for which
       an explicit entry exists will be excluded from any glob matching. In
       addition, a key may be explicitly excluded from being set by any
       matching glob patterns by specifying the key name prefixed with a "-"
       character and not followed by "=", see SYNOPSIS.

       Any access permission errors and attempts to write variables not
       present on the local system are logged at debug level and do not cause
       the service to fail. Other types of errors when setting variables are
       logged with higher priority and cause the service to return failure at
       the end (after processing other variables). As an exception, if a
       variable assignment is prefixed with a single "-" character, failure to
       set the variable for any reason will be logged at debug level and will
       not cause the service to fail.

       The settings configured with sysctl.d files will be applied early on
       boot. The network interface-specific options will also be applied
       individually for each network interface as it shows up in the system
       (more specifically, net.ipv4.conf.*, net.ipv6.conf.*, net.ipv4.neigh.*
       and net.ipv6.neigh.*).

       Many sysctl parameters only become available when certain kernel
       modules are loaded. Modules are usually loaded on demand, e.g. when
       certain hardware is plugged in or the network is brought up. This
       means that systemd-sysctl.service(8), which runs during early boot,
       will not configure such parameters if they become available after it
       has run. To set such parameters, it is recommended to add a udev(7)
       rule that sets those parameters when they become available.
       Alternatively, a slightly simpler and less efficient option is to add
       the module to modules-load.d(5), causing it to be loaded statically
       before sysctl settings are applied (see example below).


CONFIGURATION DIRECTORIES AND PRECEDENCE

       Configuration files are read from directories in /etc/, /run/,
       /usr/local/lib/, and /usr/lib/, in order of precedence, as listed in
       the SYNOPSIS section above. Files must have the ".conf" extension.
       Files in /etc/ override files with the same name in /run/,
       /usr/local/lib/, and /usr/lib/. Files in /run/ override files with the
       same name under /usr/.

       All configuration files are sorted by their filename in lexicographic
       order, regardless of which of the directories they reside in. If
       multiple files specify the same option, the entry in the file with the
       lexicographically latest name will take precedence. Thus, the
       configuration in a certain file may either be replaced completely (by
       placing a file with the same name in a directory with higher priority),
       or individual settings might be changed (by specifying additional
       settings in a file with a different name that is ordered later).

       Packages should install their configuration files in /usr/lib/
       (distribution packages) or /usr/local/lib/ (local installs). Files in
       /etc/ are reserved for the local administrator, who may use this logic
       to override the configuration files installed by vendor packages. It is
       recommended to prefix all filenames with a two-digit number and a dash,
       to simplify the ordering of the files.

       If the administrator wants to disable a configuration file supplied by
       the vendor, the recommended way is to place a symlink to /dev/null in
       the configuration directory in /etc/, with the same filename as the
       vendor configuration file. If the vendor configuration file is included
       in the initrd image, the image has to be regenerated.

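       The directory precedence, lexicographic ordering and /dev/null masking
       described above, modelled in Python as an added example (this is not
       systemd's own implementation). It resolves which files would be read
       from a constructed in-memory directory tree and which assignment wins;
       the function names (effective_files, merge_settings, resolve_sample),
       the tree and the setting values in it are this example's own.

```python
# Added example, not systemd's code: which sysctl.d files are read, in what order,
# and which assignment wins, modelled over a constructed directory tree.
from typing import Dict, List, Optional, Tuple

# Search path as described on this page, highest precedence first.
SYSCTL_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d", "/usr/lib/sysctl.d"]


def effective_files(tree: Dict[str, Dict[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Resolve the files systemd-sysctl would read, in the order it reads them.

    tree maps directory -> {filename: contents}; contents None models a symlink
    to /dev/null, which masks every file of that name in lower-precedence dirs.
    """
    chosen: Dict[str, Tuple[str, Optional[str]]] = {}
    for d in SYSCTL_DIRS:                       # highest precedence first
        for name, contents in tree.get(d, {}).items():
            if name.endswith(".conf"):          # other files are ignored
                chosen.setdefault(name, (d, contents))   # first (highest) dir wins
    ordered = []
    for name in sorted(chosen):                 # lexicographic order, directory ignored
        d, contents = chosen[name]
        if contents is not None:                # drop /dev/null masks
            ordered.append((f"{d}/{name}", contents))
    return ordered


def merge_settings(files: List[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Last assignment wins, so the lexicographically latest file takes precedence.
    Returns key -> (value, path of the file that set it)."""
    settings: Dict[str, Tuple[str, str]] = {}
    for path, contents in files:
        for raw in contents.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;" or "=" not in line:
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = (value, path)
    return settings


# Constructed tree: one vendor file replaced completely by /etc, one masked by a
# /dev/null symlink, and a local file that changes a single setting. The values
# assigned are sample values chosen for this example.
SAMPLE_TREE = {
    "/usr/lib/sysctl.d": {
        "50-default.conf": "net.ipv4.conf.default.rp_filter = 2\nkernel.kptr_restrict = 1\n",
        "60-vendor-tuning.conf": "net.core.somaxconn = 4096\n",
        "README": "not a .conf file, ignored",
    },
    "/run/sysctl.d": {"50-default.conf": "kernel.kptr_restrict = 0\n"},   # shadowed by /etc
    "/etc/sysctl.d": {
        "50-default.conf": "kernel.kptr_restrict = 2\n",     # replaces the vendor file completely
        "60-vendor-tuning.conf": None,                       # symlink to /dev/null
        "99-local.conf": "net.ipv4.conf.default.rp_filter = 1\n",
    },
}


def resolve_sample():
    """Returns (ordered file paths, merged settings) for SAMPLE_TREE."""
    files = effective_files(SAMPLE_TREE)
    return [p for p, _ in files], merge_settings(files)
```

       Note what the vendor's 50-default.conf loses: because /etc/ replaces
       the whole file, its rp_filter line is gone even before 99-local.conf
       is considered, which is why the page recommends a differently named,
       later-sorting file when only individual settings should change.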

EXAMPLES

       Example 1. Set kernel YP domain name

       /etc/sysctl.d/domain-name.conf:

           kernel.domainname=example.com

       Example 2. Apply settings available only when a certain module is
       loaded (method one)

       /etc/udev/rules.d/99-bridge.rules:

           ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
                 RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"

       /etc/sysctl.d/bridge.conf:

           net.bridge.bridge-nf-call-ip6tables = 0
           net.bridge.bridge-nf-call-iptables = 0
           net.bridge.bridge-nf-call-arptables = 0

       This method applies settings when the module is loaded. Please note
       that, unless the br_netfilter module is loaded, bridged packets will
       not be filtered by Netfilter (starting with kernel 3.18), so simply not
       loading the module is sufficient to avoid filtering.

       Example 3. Apply settings available only when a certain module is
       loaded (method two)

       /etc/modules-load.d/bridge.conf:

           br_netfilter

       /etc/sysctl.d/bridge.conf:

           net.bridge.bridge-nf-call-ip6tables = 0
           net.bridge.bridge-nf-call-iptables = 0
           net.bridge.bridge-nf-call-arptables = 0

       This method forces the module to be always loaded. Please note that,
       unless the br_netfilter module is loaded, bridged packets will not be
       filtered with Netfilter (starting with kernel 3.18), so simply not
       loading the module is sufficient to avoid filtering.

       Example 4. Set network routing properties for all interfaces

       /etc/sysctl.d/20-rp_filter.conf:

           net.ipv4.conf.default.rp_filter = 2
           net.ipv4.conf.*.rp_filter = 2
           -net.ipv4.conf.all.rp_filter
           net.ipv4.conf.hub0.rp_filter = 1

       The rp_filter key will be set to "2" for all interfaces, except "hub0".
       We set net.ipv4.conf.default.rp_filter first, so any interfaces which
       are added later will get this value (this also covers any interfaces
       detected while we're running). The glob matches any interfaces which
       were detected earlier. The glob will also match
       net.ipv4.conf.all.rp_filter, which we don't want to set at all, so it
       is explicitly excluded. And "hub0" is excluded from the glob because it
       has an explicit setting.

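       The separator normalization, glob and "-" rules from CONFIGURATION
       FORMAT, together with the rp_filter interplay of Example 4, modelled
       in Python as an added example (this is not systemd's own
       implementation). It applies a constructed sysctl.d file to an
       in-memory dictionary standing in for /proc/sys, so it runs without
       touching the kernel; the function names (normalize_key, glob_match,
       parse_sysctl_conf, write_key, apply_sysctl, run_sample), the sample
       file and the sample /proc/sys contents are this example's own. Two
       assumptions are the example's rather than the page's: glob wildcards
       do not cross "/", as with glob(3) in the shell, and a line with neither
       "=" nor a "-" prefix is treated as a hard parse error.

```python
# Added example, not systemd's code: a model of how one sysctl.d file is interpreted,
# applied to a constructed in-memory stand-in for /proc/sys (helpers and values are mine).
import errno
import fnmatch
import re

def normalize_key(name):
    """First separator "/": keep the name as-is; first separator ".": swap "." and "/"."""
    first = re.search(r"[./]", name)
    if first is None or first.group() == "/":
        return name
    return name.translate(str.maketrans("./", "/."))

def glob_match(pattern, path):
    """glob(3)-style match where wildcards do not cross "/" (this example's assumption)."""
    pp, cc = pattern.split("/"), path.split("/")
    return len(pp) == len(cc) and all(fnmatch.fnmatchcase(c, p) for p, c in zip(pp, cc))

def parse_sysctl_conf(text):
    """Return (key, value, ignore_failure) in file order. value is None for a
    "-key" line without "=", which only excludes that key from glob matches."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        ignore = line.startswith("-")
        line = line[1:].lstrip() if ignore else line
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            entries.append((normalize_key(key), value, ignore))
        elif ignore:
            entries.append((normalize_key(line), None, True))
        else:
            raise ValueError(f"malformed line: {raw!r}")  # assumption: a hard error
    return entries

def write_key(tree, read_only, path, value):
    """Fake /proc/sys write: ENOENT for unknown keys, EACCES for read-only keys,
    EINVAL when a non-integer is written to an integer-valued key."""
    if path not in tree:
        raise FileNotFoundError(errno.ENOENT, "no such key", path)
    if path in read_only:
        raise PermissionError(errno.EACCES, "permission denied", path)
    if isinstance(tree[path], int):
        try:
            value = int(value)
        except ValueError:
            raise OSError(errno.EINVAL, "invalid value", path) from None
    tree[path] = value

def apply_sysctl(entries, tree, read_only=()):
    """Apply entries in order; return the paths whose failure fails the service."""
    explicit = {k for k, _, _ in entries if not any(c in k for c in "*?[")}
    hard_failures = []
    for key, value, ignore in entries:
        if value is None:                        # pure exclusion line, nothing to write
            continue
        if key in explicit:
            targets = [key]
        else:                                    # glob: never touch explicitly listed keys
            targets = [p for p in sorted(tree) if glob_match(key, p) and p not in explicit]
        for path in targets:
            try:
                write_key(tree, read_only, path, value)
            except (FileNotFoundError, PermissionError):
                pass                             # debug-level log only, never a failure
            except OSError:
                if not ignore:
                    hard_failures.append(path)
    return hard_failures

# Constructed sample file; the rp_filter lines mirror Example 4 on this page.
SAMPLE_CONF = """\
kernel.domainname = example.com
net.ipv4.conf.enp3s0/200.forwarding = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter
net.ipv4.conf.hub0.rp_filter = 1
net.ipv4.does_not_exist = 1
kernel.random.boot_id = changed
-net.ipv4.ip_forward = yes
net.ipv4.tcp_syncookies = maybe
"""
# Constructed /proc/sys contents (integers mark integer-valued keys).
SAMPLE_PROC_SYS = {
    "kernel/domainname": "(none)", "kernel/random/boot_id": "constructed-boot-id",
    "net/ipv4/ip_forward": 0, "net/ipv4/tcp_syncookies": 1, "net/ipv4/conf/all/rp_filter": 0,
    "net/ipv4/conf/default/rp_filter": 0, "net/ipv4/conf/eth0/rp_filter": 0,
    "net/ipv4/conf/hub0/rp_filter": 0, "net/ipv4/conf/enp3s0.200/forwarding": 0,
}

def run_sample():
    """Apply SAMPLE_CONF to a fresh copy of the fake tree; returns (tree, hard_failures)."""
    tree = dict(SAMPLE_PROC_SYS)
    failures = apply_sysctl(parse_sysctl_conf(SAMPLE_CONF), tree, read_only={"kernel/random/boot_id"})
    return tree, failures
```

       Running run_sample() shows each rule at once: eth0 receives the glob
       value while "all" (excluded) and "hub0" (explicit) do not; the missing
       key and the read-only key are silently skipped; the invalid ip_forward
       write is tolerated because of its "-" prefix; and only the invalid
       tcp_syncookies write is reported as a failure of the whole run.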

SEE ALSO

       systemd(1), systemd-sysctl.service(8), systemd-delta(1), sysctl(8),
       sysctl.conf(5), modprobe(8)



systemd 249                                                        SYSCTL.D(5)