<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="sysctl.d"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>sysctl.d</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>sysctl.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>sysctl.d</refname>
    <refpurpose>Configure kernel parameters at boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/sysctl.d/*.conf</filename></para>
    <para><filename>/run/sysctl.d/*.conf</filename></para>
    <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>At boot,
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    reads configuration files from the above directories to configure
    <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    kernel parameters.</para>
  </refsect1>

  <refsect1>
    <title>Configuration Format</title>

    <para>The configuration files contain a list of variable
    assignments, separated by newlines. Empty lines and lines whose
    first non-whitespace character is <literal>#</literal> or
    <literal>;</literal> are ignored.</para>

    <para>Note that either <literal>/</literal> or
    <literal>.</literal> may be used as separators within sysctl
    variable names. If the first separator is a slash, remaining
    slashes and dots are left intact. If the first separator is a dot,
    dots and slashes are interchanged.
    <literal>kernel.domainname=foo</literal> and
    <literal>kernel/domainname=foo</literal> are equivalent and will
    cause <literal>foo</literal> to be written to
    <filename>/proc/sys/kernel/domainname</filename>. Either
    <literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
    <literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used
    to refer to
    <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
    </para>

    <para>The settings configured with <filename>sysctl.d</filename>
    files are applied early during boot. The network
    interface-specific options are additionally applied individually for
    each network interface as it shows up in the system (more
    specifically, <filename>net.ipv4.conf.*</filename>,
    <filename>net.ipv6.conf.*</filename>,
    <filename>net.ipv4.neigh.*</filename> and
    <filename>net.ipv6.neigh.*</filename>).</para>

    <para>Many sysctl parameters only become available when certain
    kernel modules are loaded. Modules are usually loaded on demand,
    e.g. when certain hardware is plugged in or a network interface is brought up.
    This means that
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
    which runs during early boot, will not configure such parameters if
    they become available only after it has run. To set such parameters, it
    is recommended to add a
    <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    rule that sets those parameters when they become available.
    Alternatively, a slightly simpler but less efficient option is to
    add the module to
    <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    causing it to be loaded statically before sysctl settings are
    applied (see the examples below).</para>
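    <para>The following Python is an added illustration, not code from systemd or from this
    man page: it models the parsing rules above (comment and empty lines, the slash/dot
    separator rule, the mapping onto <filename>/proc/sys</filename>), marks the
    per-interface subtrees the page names, and gives a simplified model of the
    <literal>--prefix=</literal> filter used in the udev example later on. The sample
    configuration is constructed from this page's own examples; skipping lines that carry no
    equals sign, and the exact prefix-matching behaviour, are assumptions rather than a
    description of systemd-sysctl's implementation.</para>

    <programlisting>
```python
# Added example (not systemd's own code): a small model of how a sysctl.d
# file is parsed and how variable names map onto /proc/sys paths, following
# the separator rules described in the Configuration Format section.
# Behaviour beyond what the page states (lines without "=", the exact
# semantics of --prefix) is a simplification and is labelled as such.
from dataclasses import dataclass
from typing import List, Optional

PROC_SYS = "/proc/sys"

# Subtrees the page lists as applied again for every network interface that
# appears: net.ipv4.conf.*, net.ipv6.conf.*, net.ipv4.neigh.*, net.ipv6.neigh.*
INTERFACE_SPECIFIC_PREFIXES = (
    "net/ipv4/conf/",
    "net/ipv6/conf/",
    "net/ipv4/neigh/",
    "net/ipv6/neigh/",
)


def normalize_name(name: str) -> str:
    """Apply the separator rule: if the first separator is a slash, the name
    is kept as written; if it is a dot, every dot becomes a slash and every
    slash becomes a dot."""
    first_slash = name.find("/")
    first_dot = name.find(".")
    if first_dot == -1:
        return name                      # no dots: nothing to interchange
    if first_slash != -1 and first_dot > first_slash:
        return name                      # first separator is a slash
    return name.translate(str.maketrans("./", "/."))


@dataclass
class Setting:
    key: str    # normalized, slash-separated, without a leading slash
    value: str

    @property
    def path(self) -> str:
        """The /proc/sys file this assignment would be written to."""
        return PROC_SYS + "/" + self.key

    @property
    def interface_specific(self) -> bool:
        """True for the per-interface subtrees named on the page."""
        return self.key.startswith(INTERFACE_SPECIFIC_PREFIXES)


def parse_sysctl_lines(lines: List[str]) -> List[Setting]:
    """Parse sysctl.d content: one assignment per line; empty lines and lines
    whose first non-whitespace character is '#' or ';' are ignored."""
    settings = []
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            # Not an assignment. Skipped here; assumption: the real tool
            # reports such lines as an error rather than silently dropping them.
            continue
        name, value = line.split("=", 1)
        key = normalize_name(name.strip()).strip("/")
        settings.append(Setting(key=key, value=value.strip()))
    return settings


def select_with_prefix(settings: List[Setting], prefix: Optional[str]) -> List[Setting]:
    """Simplified model of 'systemd-sysctl --prefix=...' as used in the udev
    example: keep only the settings below the given subtree. The prefix may
    use either separator style. This is an assumption, not systemd's code."""
    if prefix is None:
        return list(settings)
    wanted = normalize_name(prefix).strip("/")
    return [s for s in settings if s.key == wanted or s.key.startswith(wanted + "/")]


# Constructed sample combining the assignments used as examples on this page.
SAMPLE_CONF = """\
# constructed sample input
kernel.domainname=example.com
; the page's second comment style
net.ipv4.conf.enp3s0/200.forwarding = 1
net/ipv4/conf/enp3s0.200/forwarding = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
"""

if __name__ == "__main__":
    parsed = parse_sysctl_lines(SAMPLE_CONF.splitlines())
    for s in parsed:
        tag = " (per-interface)" if s.interface_specific else ""
        print(f"{s.path} = {s.value}{tag}")
    for s in select_with_prefix(parsed, "/net/bridge"):
        print("prefix match:", s.key)
```
    </programlisting>

    <para>Running the block shows that the two spellings of the
    <literal>enp3s0.200</literal> forwarding key normalize to the same
    <filename>/proc/sys</filename> path and are flagged as interface-specific, while
    the prefix filter keeps only the three <literal>net.bridge.*</literal> assignments,
    which is what the udev rule in the examples relies on.</para>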
  </refsect1>

  <xi:include href="standard-conf.xml" xpointer="confd" />

  <refsect1>
    <title>Examples</title>
    <example>
      <title>Set kernel YP domain name</title>
      <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
      </para>

      <programlisting>kernel.domainname=example.com</programlisting>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method one)</title>
      <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
      </para>

      <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
                RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method applies the settings when the module is
      loaded. Please note that, unless the <filename>br_netfilter</filename>
      module is loaded, bridged packets will not be filtered by
      Netfilter (starting with kernel 3.18), so simply not loading the
      module is sufficient to avoid filtering.</para>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method two)</title>
      <para><filename>/etc/modules-load.d/bridge.conf</filename>:
      </para>

      <programlisting>br_netfilter</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method forces the module to always be loaded. Please
      note that, unless the <filename>br_netfilter</filename> module is
      loaded, bridged packets will not be filtered by Netfilter
      (starting with kernel 3.18), so simply not loading the module is
      sufficient to avoid filtering.</para>
    </example>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>