<para>At boot,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
reads configuration files from the above directories to configure
- <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
kernel parameters.</para>
</refsect1>
</example>
<example>
- <title>Disable packet filter on bridged packets (method one)</title>
+ <title>Apply settings available only when a certain module is loaded (method one)</title>
<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
</para>
- <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
+ <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
+ RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
</programlisting>
<para><filename>/etc/sysctl.d/bridge.conf</filename>:
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
+
+ <para>This method applies settings when the module is
+ loaded. Please note that, unless the <filename>br_netfilter</filename>
+ module is loaded, bridged packets will not be filtered by
+ Netfilter (starting with kernel 3.18), so simply not loading the
+ module is sufficient to avoid filtering.</para>
</example>
<example>
- <title>Disable packet filter on bridged packets (method two)</title>
+ <title>Apply settings available only when a certain module is loaded (method two)</title>
<para><filename>/etc/modules-load.d/bridge.conf</filename>:
</para>
- <programlisting>bridge</programlisting>
+ <programlisting>br_netfilter</programlisting>
<para><filename>/etc/sysctl.d/bridge.conf</filename>:
</para>
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</programlisting>
+
+ <para>This method forces the module to be always loaded. Please
+ note that, unless the <filename>br_netfilter</filename> module is
+ loaded, bridged packets will not be filtered with Netfilter
+ (starting with kernel 3.18), so simply not loading the module is
+ sufficient to avoid filtering.</para>
</example>
</refsect1>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
projects / thirdparty / systemd.git / blobdiff