'\" t
.TH "SYSCTL\&.D" "5" "" "systemd 252" "sysctl.d"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
sysctl.d \- Configure kernel parameters at boot
.SH "SYNOPSIS"
.PP
/etc/sysctl\&.d/*\&.conf
.PP
/run/sysctl\&.d/*\&.conf
.PP
/usr/lib/sysctl\&.d/*\&.conf
.sp
.nf
key\&.name\&.under\&.proc\&.sys = some value
key/name/under/proc/sys = some value
key/middle\&.part\&.with\&.dots/foo = 123
key\&.middle/part/with/dots\&.foo = 123
\-key\&.that\&.will\&.not\&.fail = value
key\&.pattern\&.*\&.with\&.glob = whatever
\-key\&.pattern\&.excluded\&.with\&.glob
key\&.pattern\&.overridden\&.with\&.glob = custom
.fi
.SH "DESCRIPTION"
.PP
At boot,
\fBsystemd-sysctl.service\fR(8)
reads configuration files from the above directories to configure
\fBsysctl\fR(8)
kernel parameters\&.
.SH "CONFIGURATION FORMAT"
.PP
The configuration files contain a list of variable assignments, separated by newlines\&. Empty lines and lines whose first non\-whitespace character is
"#"
or
";"
are ignored\&.
.PP
Note that either
"/"
or
"\&."
may be used as separators within sysctl variable names\&. If the first separator is a slash, remaining slashes and dots are left intact\&. If the first separator is a dot, dots and slashes are interchanged\&.
"kernel\&.domainname=foo"
and
"kernel/domainname=foo"
are equivalent and will cause
"foo"
to be written to
/proc/sys/kernel/domainname\&. Either
"net\&.ipv4\&.conf\&.enp3s0/200\&.forwarding"
or
"net/ipv4/conf/enp3s0\&.200/forwarding"
may be used to refer to
/proc/sys/net/ipv4/conf/enp3s0\&.200/forwarding\&. A glob
\fBglob\fR(7)
pattern may be used to write the same value to all matching keys\&. Keys for which an explicit pattern exists will be excluded from any glob matching\&. In addition, a key may be explicitly excluded from being set by any matching glob patterns by specifying the key name prefixed with a
"\-"
character and not followed by
"=", see SYNOPSIS\&.
.PP
Any access permission errors and attempts to write variables not present on the local system are logged at debug level and do not cause the service to fail\&. Other types of errors when setting variables are logged with higher priority and cause the service to return failure at the end (after processing other variables)\&. As an exception, if a variable assignment is prefixed with a single
"\-"
character, failure to set the variable for any reason will be logged at debug level and will not cause the service to fail\&.
.PP
The settings configured with
sysctl\&.d
files will be applied early on boot\&. The network interface\-specific options will also be applied individually for each network interface as it shows up in the system\&. (More specifically,
net\&.ipv4\&.conf\&.*,
net\&.ipv6\&.conf\&.*,
net\&.ipv4\&.neigh\&.*
and
net\&.ipv6\&.neigh\&.*)\&.
.PP
Many sysctl parameters only become available when certain kernel modules are loaded\&. Modules are usually loaded on demand, e\&.g\&. when certain hardware is plugged in or network brought up\&. This means that
\fBsystemd-sysctl.service\fR(8)
which runs during early boot will not configure such parameters if they become available after it has run\&. To set such parameters, it is recommended to add an
\fBudev\fR(7)
rule to set those parameters when they become available\&. Alternatively, a slightly simpler and less efficient option is to add the module to
\fBmodules-load.d\fR(5), causing it to be loaded statically before sysctl settings are applied (see example below)\&.
.SH "CONFIGURATION DIRECTORIES AND PRECEDENCE"
.PP
Configuration files are read from directories in
/etc/,
/run/,
/usr/local/lib/, and
/lib/, in order of precedence, as listed in the SYNOPSIS section above\&. Files must have the
"\&.conf"
extension\&. Files in
/etc/
override files with the same name in
/run/,
/usr/local/lib/, and
/lib/\&. Files in
/run/
override files with the same name under
/usr/\&.
.PP
All configuration files are sorted by their filename in lexicographic order, regardless of which of the directories they reside in\&. If multiple files specify the same option, the entry in the file with the lexicographically latest name will take precedence\&. Thus, the configuration in a certain file may either be replaced completely (by placing a file with the same name in a directory with higher priority), or individual settings might be changed (by specifying additional settings in a file with a different name that is ordered later)\&.
.PP
Packages should install their configuration files in
/usr/lib/
(distribution packages) or
/usr/local/lib/
(local installs)\&. Files in
/etc/
are reserved for the local administrator, who may use this logic to override the configuration files installed by vendor packages\&. It is recommended to prefix all filenames with a two\-digit number and a dash, to simplify the ordering of the files\&.
.PP
If the administrator wants to disable a configuration file supplied by the vendor, the recommended way is to place a symlink to
/dev/null
in the configuration directory in
/etc/, with the same filename as the vendor configuration file\&. If the vendor configuration file is included in the initrd image, the image has to be regenerated\&.
.SH "EXAMPLES"
.PP
\fBExample\ \&1.\ \&Set kernel YP domain name\fR
.PP
/etc/sysctl\&.d/domain\-name\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
kernel\&.domainname=example\&.com
.fi
.if n \{\
.RE
.\}
.PP
\fBExample\ \&2.\ \&Apply settings available only when a certain module is loaded (method one)\fR
.PP
/etc/udev/rules\&.d/99\-bridge\&.rules:
.sp
.if n \{\
.RS 4
.\}
.nf
ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \e
      RUN+="/lib/systemd/systemd\-sysctl \-\-prefix=/net/bridge"
.fi
.if n \{\
.RE
.\}
.PP
/etc/sysctl\&.d/bridge\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
net\&.bridge\&.bridge\-nf\-call\-ip6tables = 0
net\&.bridge\&.bridge\-nf\-call\-iptables = 0
net\&.bridge\&.bridge\-nf\-call\-arptables = 0
.fi
.if n \{\
.RE
.\}
.PP
This method applies settings when the module is loaded\&. Please note that, unless the
br_netfilter
module is loaded, bridged packets will not be filtered by Netfilter (starting with kernel 3\&.18), so simply not loading the module is sufficient to avoid filtering\&.
.PP
\fBExample\ \&3.\ \&Apply settings available only when a certain module is loaded (method two)\fR
.PP
/etc/modules\-load\&.d/bridge\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
br_netfilter
.fi
.if n \{\
.RE
.\}
.PP
/etc/sysctl\&.d/bridge\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
net\&.bridge\&.bridge\-nf\-call\-ip6tables = 0
net\&.bridge\&.bridge\-nf\-call\-iptables = 0
net\&.bridge\&.bridge\-nf\-call\-arptables = 0
.fi
.if n \{\
.RE
.\}
.PP
This method forces the module to be always loaded\&. Please note that, unless the
br_netfilter
module is loaded, bridged packets will not be filtered with Netfilter (starting with kernel 3\&.18), so simply not loading the module is sufficient to avoid filtering\&.
.PP
\fBExample\ \&4.\ \&Set network routing properties for all interfaces\fR
.PP
/etc/sysctl\&.d/20\-rp_filter\&.conf:
.sp
.if n \{\
.RS 4
.\}
.nf
net\&.ipv4\&.conf\&.default\&.rp_filter = 2
net\&.ipv4\&.conf\&.*\&.rp_filter = 2
\-net\&.ipv4\&.conf\&.all\&.rp_filter
net\&.ipv4\&.conf\&.hub0\&.rp_filter = 1
.fi
.if n \{\
.RE
.\}
.PP
The
\fBrp_filter\fR
key will be set to "2" for all interfaces, except "hub0"\&. We set
net\&.ipv4\&.conf\&.default\&.rp_filter
first, so any interfaces which are added
\fIlater\fR
will get this value (this also covers any interfaces detected while we\*(Aqre running)\&. The glob matches any interfaces which were detected
\fIearlier\fR\&. The glob will also match
net\&.ipv4\&.conf\&.all\&.rp_filter, which we don\*(Aqt want to set at all, so it is explicitly excluded\&. And "hub0" is excluded from the glob because it has an explicit setting\&.
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1),
\fBsystemd-sysctl.service\fR(8),
\fBsystemd-delta\fR(1),
\fBsysctl\fR(8),
\fBsysctl.conf\fR(5),
\fBmodprobe\fR(8)