git.ipfire.org Git - thirdparty/systemd.git/blame - man/sysctl.d.xml
man: standardize on one-line license header
<?xml version="1.0"?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="sysctl.d"
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>sysctl.d</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>sysctl.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>sysctl.d</refname>
    <refpurpose>Configure kernel parameters at boot</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/sysctl.d/*.conf</filename></para>
    <para><filename>/run/sysctl.d/*.conf</filename></para>
    <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>At boot,
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    reads configuration files from the above directories to configure
    <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    kernel parameters.</para>
  </refsect1>

  <refsect1>
    <title>Configuration Format</title>

    <para>The configuration files contain a list of variable
    assignments, separated by newlines. Empty lines and lines whose
    first non-whitespace character is <literal>#</literal> or
    <literal>;</literal> are ignored.</para>

    <para>Note that either <literal>/</literal> or
    <literal>.</literal> may be used as separators within sysctl
    variable names. If the first separator is a slash, remaining
    slashes and dots are left intact. If the first separator is a dot,
    dots and slashes are interchanged.
    <literal>kernel.domainname=foo</literal> and
    <literal>kernel/domainname=foo</literal> are equivalent and will
    cause <literal>foo</literal> to be written to
    <filename>/proc/sys/kernel/domainname</filename>. Either
    <literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
    <literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used
    to refer to
    <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>.
    </para>

    <para>The settings configured with <filename>sysctl.d</filename>
    files will be applied early on boot. The network
    interface-specific options will also be applied individually for
    each network interface as it shows up in the system. (More
    specifically, <filename>net.ipv4.conf.*</filename>,
    <filename>net.ipv6.conf.*</filename>,
    <filename>net.ipv4.neigh.*</filename> and
    <filename>net.ipv6.neigh.*</filename>).</para>

    <para>Many sysctl parameters only become available when certain
    kernel modules are loaded. Modules are usually loaded on demand,
    e.g. when certain hardware is plugged in or the network is brought up.
    This means that
    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
    which runs during early boot, will not configure such parameters if
    they become available after it has run. To set such parameters, it
    is recommended to add a
    <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    rule to set those parameters when they become available.
    Alternatively, a slightly simpler and less efficient option is to
    add the module to
    <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
    causing it to be loaded statically before sysctl settings are
    applied (see example below).</para>
  </refsect1>

  <xi:include href="standard-conf.xml" xpointer="confd" />

  <refsect1>
    <title>Examples</title>
    <example>
      <title>Set kernel YP domain name</title>
      <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
      </para>

      <programlisting>kernel.domainname=example.com</programlisting>
    </example>

    <example>
      <title>Apply settings available only when a certain module is loaded (method one)</title>
      <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
      </para>

      <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
              RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method applies settings when the module is
      loaded. Please note that, unless the <filename>br_netfilter</filename>
      module is loaded, bridged packets will not be filtered by
      Netfilter (starting with kernel 3.18), so simply not loading the
      module is sufficient to avoid filtering.</para>
    </example>
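    <para>As an added illustration, not part of systemd or of this manual
    page, the following Python models the comment and separator rules
    described under Configuration Format and the
    <literal>--prefix=/net/bridge</literal> filtering used in the udev rule
    above; the prefix handling is a simplified assumption, not
    systemd-sysctl's own implementation.</para>

```python
"""Model of how sysctl.d(5) names map onto /proc/sys paths (added example, not
systemd's own code).  Rules from the man page: empty lines and lines starting
with '#' or ';' are ignored; a name whose first separator is '/' is left intact,
one whose first separator is '.' has dots and slashes interchanged.  `prefix` is
an assumed, simplified model of the --prefix=/net/bridge filter in the udev example.
"""


def normalize_sysctl_name(name):
    """Return the /proc/sys path that a sysctl variable name refers to."""
    name = name.strip()
    first_sep = next((c for c in name if c in "./"), None)
    if first_sep == "/":
        path = name  # first separator is a slash: remaining slashes and dots stay
    else:
        # first separator is a dot (or none): swap dots and slashes, e.g.
        # net.ipv4.conf.enp3s0/200.forwarding -> net/ipv4/conf/enp3s0.200/forwarding
        path = name.translate(str.maketrans("./", "/."))
    return "/proc/sys/" + path.lstrip("/")


def parse_sysctl_d(text, prefix=None):
    """Return {proc_path: value} for one sysctl.d file; later assignments win."""
    wanted = normalize_sysctl_name(prefix) if prefix else None
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # empty line or comment
        if "=" not in line:
            continue  # not an assignment; systemd-sysctl would log an error here
        key, value = (part.strip() for part in line.split("=", 1))
        path = normalize_sysctl_name(key)
        if wanted and path != wanted and not path.startswith(wanted + "/"):
            continue  # outside the requested prefix subtree
        settings[path] = value
    return settings


# Constructed sample: both separator styles, both comment characters, one override.
SAMPLE_CONF = """\
# constructed sample, not a real system file
; both comment characters are accepted
kernel.domainname = example.com
net.bridge.bridge-nf-call-ip6tables = 0
net/bridge/bridge-nf-call-iptables = 0
net.ipv4.conf.enp3s0/200.forwarding = 1
kernel/domainname = override.example
"""
```

Calling <literal>parse_sysctl_d(SAMPLE_CONF, "/net/bridge")</literal> returns only the two <literal>net.bridge.*</literal> entries, which is what the udev rule above relies on to avoid re-applying unrelated settings on every module load.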

    <example>
      <title>Apply settings available only when a certain module is loaded (method two)</title>
      <para><filename>/etc/modules-load.d/bridge.conf</filename>:
      </para>

      <programlisting>br_netfilter</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>

      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>

      <para>This method forces the module to be always loaded. Please
      note that, unless the <filename>br_netfilter</filename> module is
      loaded, bridged packets will not be filtered with Netfilter
      (starting with kernel 3.18), so simply not loading the module is
      sufficient to avoid filtering.</para>
    </example>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>