sysctl.d.xml revision d4873485cf4fb223598f3b2fcf81e22cc8bb9456
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering<!--*-nxml-*-->
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering This file is part of systemd.
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering Copyright 2011 Lennart Poettering
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering systemd is free software; you can redistribute it and/or modify it
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering under the terms of the GNU Lesser General Public License as published by
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering the Free Software Foundation; either version 2.1 of the License, or
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering (at your option) any later version.
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering systemd is distributed in the hope that it will be useful, but
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering WITHOUT ANY WARRANTY; without even the implied warranty of
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering Lesser General Public License for more details.
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering You should have received a copy of the GNU Lesser General Public License
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering along with systemd; If not, see <http://www.gnu.org/licenses/>.
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering <refentryinfo>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering </authorgroup>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering </refentryinfo>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <refpurpose>Configure kernel parameters at boot</refpurpose>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <refsynopsisdiv>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para><filename>/etc/sysctl.d/*.conf</filename></para>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para><filename>/run/sysctl.d/*.conf</filename></para>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering </refsynopsisdiv>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para>At boot,
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering reads configuration files from the above directories
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
af9792ac7f39354f80e9006c42c2400c5e41c447Lennart Poettering kernel parameters.</para>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para>The configuration files contain a list of
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering variable assignments, separated by newlines. Empty
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering lines and lines whose first non-whitespace character
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering is <literal>#</literal> or <literal>;</literal> are
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering ignored.</para>
2d62c530d2b4c2730abff715b7342f1402114513Lennart Poettering <para>Each configuration file shall be named in the
6a79c58603ea816a1b4fa1520397b4e138bc1ca0Lennart Poettering style of <filename><replaceable>program</replaceable>.conf</filename>.
6a79c58603ea816a1b4fa1520397b4e138bc1ca0Lennart Poettering Files in <filename>/etc/</filename> override files
2d62c530d2b4c2730abff715b7342f1402114513Lennart Poettering with the same name in <filename>/usr/lib/</filename>
2d62c530d2b4c2730abff715b7342f1402114513Lennart Poettering <filename>/run/</filename> override files with the same
2d62c530d2b4c2730abff715b7342f1402114513Lennart Poettering name in <filename>/usr/lib/</filename>. Packages
6a79c58603ea816a1b4fa1520397b4e138bc1ca0Lennart Poettering should install their configuration files in
6a79c58603ea816a1b4fa1520397b4e138bc1ca0Lennart Poettering <filename>/etc/</filename> are reserved for the local
7e9110a29d90041b0364cb93a84aec9dd72363b6Lennart Poettering administrator, who may use this logic to override the
6a79c58603ea816a1b4fa1520397b4e138bc1ca0Lennart Poettering configuration files installed by vendor packages. All
6a79c58603ea816a1b4fa1520397b4e138bc1ca0Lennart Poettering configuration files are sorted by their filename in
2d62c530d2b4c2730abff715b7342f1402114513Lennart Poettering lexicographic order, regardless of which of the
2d62c530d2b4c2730abff715b7342f1402114513Lennart Poettering directories they reside in. If multiple files specify the
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering same variable name, the entry in the file with the
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering lexicographically latest name will be applied. It is
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering recommended to prefix all filenames with a two-digit
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering number and a dash, to simplify the ordering of the
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering <para>Note that either <literal>/</literal> or
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering <literal>.</literal> may be used as separators within
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering sysctl variable names. If the first separator is a
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering slash, remaining slashes and dots are left intact. If
ed4ba7e4f652150310d062ffbdfefb4521ce1054Lennart Poettering the first separator is a dot, dots and slashes are
ed4ba7e4f652150310d062ffbdfefb4521ce1054Lennart Poettering interchanged. <literal>kernel.domainname=foo</literal>
ed4ba7e4f652150310d062ffbdfefb4521ce1054Lennart Poettering and <literal>kernel/domainname=foo</literal> are
ed4ba7e4f652150310d062ffbdfefb4521ce1054Lennart Poettering equivalent and will cause <literal>foo</literal> to
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering <filename>/proc/sys/kernel/domainname</filename>.
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering <literal>net.ipv4.conf.enp3s0/200.forwarding</literal>
dc3a1b76a6a6f9dfe9b451f534587251b50a0685Lennart Poettering <literal>net/ipv4/conf/enp3s0.200/forwarding</literal>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek may be used to refer to
dc3a1b76a6a6f9dfe9b451f534587251b50a0685Lennart Poettering <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek <para>If the administrator wants to disable a
dc3a1b76a6a6f9dfe9b451f534587251b50a0685Lennart Poettering configuration file supplied by the vendor, the
7801356442578ff6e1c65844eb9e65c819af4660Zbigniew Jędrzejewski-Szmek recommended way is to place a symlink to
af9792ac7f39354f80e9006c42c2400c5e41c447Lennart Poettering <filename>/etc/sysctl.d/</filename> bearing the
dc3a1b76a6a6f9dfe9b451f534587251b50a0685Lennart Poettering same filename.</para>
dc3a1b76a6a6f9dfe9b451f534587251b50a0685Lennart Poettering <para>The settings configured with
dc3a1b76a6a6f9dfe9b451f534587251b50a0685Lennart Poettering <filename>sysctl.d</filename> files will be applied
dc3a1b76a6a6f9dfe9b451f534587251b50a0685Lennart Poettering early on boot. The network interface-specific options
dc3a1b76a6a6f9dfe9b451f534587251b50a0685Lennart Poettering will also be applied individually for each network
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering interface as it shows up in the system. (More
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <filename>net.ipv4.neigh.*</filename> and <filename>net.ipv6.neigh.*</filename>).</para>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para>Many sysctl parameters only become available
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering when certain kernel modules are loaded. Modules are
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering usually loaded on demand, e.g. when certain hardware
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering is plugged in or network brought up. This means that
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> which runs
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering during early boot will not configure such parameters
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering if they become available after it has run. To
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering set such parameters, it is recommended to add
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering an <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rule to set those parameters when they become
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering available. Alternatively, a slightly simpler and
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering less efficient option is to add the module to
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, causing it to be loaded statically
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering before sysctl settings are applied (see
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering example below).</para>
85a428c69465b047731b6abb5005f01824f1444eLennart Poettering <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <programlisting>kernel.domainname=example.com</programlisting>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <title>Disable packet filter on bridged packets (method one)</title>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
cc3773810855956bad92337cee8fa193584ab62eLennart Poettering <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering</programlisting>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para><filename>/etc/sysctl.d/bridge.conf</filename>:
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering</programlisting>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <title>Disable packet filter on bridged packets (method two)</title>
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para><filename>/etc/modules-load.d/bridge.conf</filename>:
23406ce58aa7142e8df3c5c9e5ac34a01e90e3e0Lennart Poettering <para><filename>/etc/sysctl.d/bridge.conf</filename>:
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,