sysctl.d.xml revision d3fae78fe86f1dfcdb07fd613ccbb3adf547a617
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
This file is part of systemd.
Copyright 2011 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
<refentryinfo>
</authorgroup>
</refentryinfo>
<refpurpose>Configure kernel parameters at boot</refpurpose>
<refsynopsisdiv>
<para><filename>/etc/sysctl.d/*.conf</filename></para>
<para><filename>/run/sysctl.d/*.conf</filename></para>
<para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
</refsynopsisdiv>
<para>At boot,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
reads configuration files from the above directories
to configure
<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
kernel parameters.</para>
<para>The configuration files contain a list of
variable assignments, separated by newlines. Empty
lines and lines whose first non-whitespace character
is <literal>#</literal> or <literal>;</literal> are
<para>Note that either <literal>/</literal> or
<literal>.</literal> may be used as separators within
sysctl variable names. If the first separator is a
slash, remaining slashes and dots are left intact. If
the first separator is a dot, dots and slashes are
interchanged. <literal>kernel.domainname=foo</literal>
and <literal>kernel/domainname=foo</literal> are
equivalent and will cause <literal>foo</literal> to
be written to
<filename>/proc/sys/kernel/domainname</filename>.
Either <literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
or <literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
may be used to refer to
<filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
<para>The settings configured with
<filename>sysctl.d</filename> files will be applied
early on boot. The network interface-specific options
will also be applied individually for each network
interface as it shows up in the system. (More
specifically, <filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>).</para>
<para>Many sysctl parameters only become available
when certain kernel modules are loaded. Modules are
usually loaded on demand, e.g. when certain hardware
is plugged in or a network interface is brought up. This means that
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, which runs
during early boot, will not configure such parameters
if they become available after it has run. To
set such parameters, it is recommended to add
an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
available. Alternatively, a slightly simpler and
less efficient option is to add the module to
<citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
before sysctl settings are applied (see
example below).</para>
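<para>The separator rule and the "parameter not available yet" problem from the two paragraphs above, as an added example in Python that is not part of systemd or of this manual page: it normalises variable names (first separator <literal>/</literal> keeps the name as written, first separator <literal>.</literal> swaps dots and slashes), skips comment lines, merges drop-ins in the order they are applied, keeps only keys below a prefix in the spirit of the <command>systemd-sysctl --prefix=</command> option used in the udev-rule example, and reports which configured keys are absent from <filename>/proc/sys</filename>, which is what a setting for a not-yet-loaded module looks like after <filename>systemd-sysctl.service</filename> has run. The sample drop-ins and the <filename>/proc/sys</filename> snapshot are constructed for the example, the caller is assumed to pass files already in drop-in order, and the exact prefix matching performed by <command>systemd-sysctl</command> is an assumption, not taken from the page.</para>

```python
"""Added example (not systemd's own code): a sysctl.d reader implementing the
name normalisation rule from sysctl.d(5), prefix filtering in the spirit of the
--prefix= option used in the udev example, and an audit of which settings
actually reached /proc/sys.  All sample data below is constructed."""
import re

PROC_SYS = "/proc/sys"


def normalize_key(name):
    """sysctl.d(5) rule: first separator '/' -> name used as written; first
    separator '.' -> every '.' becomes '/' and every '/' becomes '.', so
    'enp3s0/200' denotes the interface 'enp3s0.200'."""
    name = name.strip().strip("/")
    first = re.search(r"[./]", name)
    if first is None or first.group(0) == "/":
        return name
    return name.translate(str.maketrans("./", "/."))


def parse_sysctl_text(text):
    """One file -> ([(proc_path, value)], [warnings]); skips empty lines and
    lines whose first non-blank character is '#' or ';'."""
    assignments, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            warnings.append("line %d: not an assignment: %r" % (lineno, line))
            continue
        key, value = line.split("=", 1)
        assignments.append(("%s/%s" % (PROC_SYS, normalize_key(key)), value.strip()))
    return assignments, warnings


def load_config(files, prefix=None):
    """Merge (name, text) pairs in application order; a later assignment to
    the same path overrides an earlier one.  With prefix (e.g. '/net/bridge'
    or 'net.bridge') only paths below it are kept; the exact matching done by
    systemd-sysctl --prefix= is an assumption here."""
    allowed = None if prefix is None else "%s/%s" % (PROC_SYS, normalize_key(prefix))
    merged, warnings = {}, []
    for name, text in files:
        assignments, file_warnings = parse_sysctl_text(text)
        warnings.extend("%s: %s" % (name, w) for w in file_warnings)
        for path, value in assignments:
            if allowed and path != allowed and not path.startswith(allowed + "/"):
                continue
            if path in merged and merged[path] != value:
                warnings.append("%s: overrides earlier value of %s" % (name, path))
            merged[path] = value
    return merged, warnings


def audit(config, proc_sys):
    """Compare wanted values with a {path: contents} snapshot of /proc/sys.
    Paths missing from the snapshot are the 'not available yet' case above,
    e.g. net/bridge/* before the bridge module is loaded."""
    report = {"applied": [], "mismatch": [], "missing": []}
    for path, wanted in sorted(config.items()):
        if path not in proc_sys:
            report["missing"].append(path)
        elif proc_sys[path].strip() == wanted:
            report["applied"].append(path)
        else:
            report["mismatch"].append((path, wanted, proc_sys[path].strip()))
    return report


# Constructed sample drop-ins, listed in application order.
SAMPLE_FILES = [
    ("/etc/sysctl.d/domain-name.conf", "kernel.domainname=example.com\n"),
    ("/etc/sysctl.d/bridge.conf",
     "; packet filter off for bridged frames\n"
     "net.bridge.bridge-nf-call-ip6tables = 0\n"
     "net.bridge.bridge-nf-call-iptables = 0\n"
     "net.bridge.bridge-nf-call-arptables = 0\n"
     "net.ipv4.conf.enp3s0/200.forwarding = 1\n"
     "net/ipv4/conf/enp3s0.200/rp_filter = 1\n"
     "kernel.sysrq\n"),
]

# Constructed /proc/sys snapshot, taken before the bridge module was loaded.
SAMPLE_PROC_SYS = {
    "/proc/sys/kernel/domainname": "example.com\n",
    "/proc/sys/net/ipv4/conf/enp3s0.200/forwarding": "1\n",
    "/proc/sys/net/ipv4/conf/enp3s0.200/rp_filter": "2\n",
}

if __name__ == "__main__":
    config, warnings = load_config(SAMPLE_FILES)
    print("\n".join("warning: " + w for w in warnings))
    for category, entries in audit(config, SAMPLE_PROC_SYS).items():
        print(category, entries)
    print("/net/bridge only:", sorted(load_config(SAMPLE_FILES, "/net/bridge")[0]))
```

<para>Run as a script it prints the parse warnings and the audit. A key under <literal>missing</literal> is one to hand to a udev rule or to force via <filename>modules-load.d</filename>, as in the examples below; <literal>mismatch</literal> shows a value something changed after the service ran; the prefix call at the end is the subset the udev rule would apply once the <literal>bridge</literal> module appears.</para>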
<xi:include href="standard-conf.xml" xpointer="confd" />
<title>Set kernel YP domain name</title>
<para><filename>/etc/sysctl.d/domain-name.conf</filename>:
<programlisting>kernel.domainname=example.com</programlisting>
<title>Disable packet filter on bridged packets (method one)</title>
<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>
<para><filename>/etc/sysctl.d/bridge.conf</filename>:
<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
<title>Disable packet filter on bridged packets (method two)</title>
<para><filename>/etc/modules-load.d/bridge.conf</filename>:
<programlisting>bridge</programlisting>
<para><filename>/etc/sysctl.d/bridge.conf</filename>:
<programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>