1 files changed, 193 insertions, 0 deletions

diff --git a/man/sysctl.d.xml b/man/sysctl.d.xml
new file mode 100644
index 0000000..4d810e6
--- /dev/null
+++ b/man/sysctl.d.xml
@@ -0,0 +1,193 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+<refentry id="sysctl.d"
+    xmlns:xi="http://www.w3.org/2001/XInclude">
+
+  <refentryinfo>
+    <title>sysctl.d</title>
+    <productname>systemd</productname>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>sysctl.d</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>sysctl.d</refname>
+    <refpurpose>Configure kernel parameters at boot</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <para><filename>/etc/sysctl.d/*.conf</filename></para>
+    <para><filename>/run/sysctl.d/*.conf</filename></para>
+    <para><filename>/usr/lib/sysctl.d/*.conf</filename></para>
+
+    <programlisting>key.name.under.proc.sys = some value
+key/name/under/proc/sys = some value
+key/middle.part.with.dots/foo = 123
+key.middle/part/with/dots.foo = 123
+-key.that.will.not.fail = value
+key.pattern.*.with.glob = whatever
+-key.pattern.excluded.with.glob
+key.pattern.overridden.with.glob = custom
+</programlisting>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>At boot,
+    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    reads configuration files from the above directories to configure
+    <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    kernel parameters.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Configuration Format</title>
+
+    <para>The configuration files contain a list of variable
+    assignments, separated by newlines. Empty lines and lines whose
+    first non-whitespace character is <literal>#</literal> or
+    <literal>;</literal> are ignored.</para>
+
+    <para>Note that either <literal>/</literal> or <literal>.</literal> may be used as separators within
+    sysctl variable names. If the first separator is a slash, remaining slashes and dots are left intact. If
+    the first separator is a dot, dots and slashes are interchanged.
+    <literal>kernel.domainname=foo</literal> and <literal>kernel/domainname=foo</literal> are equivalent and
+    will cause <literal>foo</literal> to be written to
+    <filename>/proc/sys/kernel/domainname</filename>. Either
+    <literal>net.ipv4.conf.enp3s0/200.forwarding</literal> or
+    <literal>net/ipv4/conf/enp3s0.200/forwarding</literal> may be used to refer to
+    <filename>/proc/sys/net/ipv4/conf/enp3s0.200/forwarding</filename>. A glob
+    <citerefentry project='man-pages'><refentrytitle>glob</refentrytitle><manvolnum>7</manvolnum></citerefentry> pattern may be
+    used to write the same value to all matching keys. Keys for which an explicit pattern exists will be
+    excluded from any glob matching. In addition, a key may be explicitly excluded from being set by any
+    matching glob patterns by specifying the key name prefixed with a <literal>-</literal> character and not
+    followed by <literal>=</literal>, see SYNOPSIS.</para>
+
+    <para>Any access permission errors and attempts to write variables not present on the local system are
+    logged at debug level and do not cause the service to fail. Other types of errors when setting variables
+    are logged with higher priority and cause the service to return failure at the end (after processing
+    other variables). As an exception, if a variable assignment is prefixed with a single
+    <literal>-</literal> character, failure to set the variable for any reason will be logged at debug level
+    and will not cause the service to fail.</para>
+
+    <para>The settings configured with <filename>sysctl.d</filename> files will be applied early on boot. The
+    network interface-specific options will also be applied individually for each network interface as it
+    shows up in the system. (More specifically, <filename>net.ipv4.conf.*</filename>,
+    <filename>net.ipv6.conf.*</filename>, <filename>net.ipv4.neigh.*</filename> and
+    <filename>net.ipv6.neigh.*</filename>).</para>
+
+    <para>Many sysctl parameters only become available when certain
+    kernel modules are loaded. Modules are usually loaded on demand,
+    e.g. when certain hardware is plugged in or network brought up.
+    This means that
+    <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    which runs during early boot will not configure such parameters if
+    they become available after it has run. To set such parameters, it
+    is recommended to add an
+    <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+    rule to set those parameters when they become available.
+    Alternatively, a slightly simpler and less efficient option is to
+    add the module to
+    <citerefentry><refentrytitle>modules-load.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+    causing it to be loaded statically before sysctl settings are
+    applied (see example below).</para>
+  </refsect1>
+
+  <xi:include href="standard-conf.xml" xpointer="confd" />
+
+  <refsect1>
+    <title>Examples</title>
+    <example>
+      <title>Set kernel YP domain name</title>
+      <para><filename>/etc/sysctl.d/domain-name.conf</filename>:
+      </para>
+
+      <programlisting>kernel.domainname=example.com</programlisting>
+    </example>
+
+    <example>
+      <title>Apply settings available only when a certain module is loaded (method one)</title>
+      <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
+      </para>
+
+      <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
+      RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
+</programlisting>
+
+      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
+      </para>
+
+      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
+</programlisting>
+
+      <para>This method applies settings when the module is
+      loaded. Please note that, unless the <filename>br_netfilter</filename>
+      module is loaded, bridged packets will not be filtered by
+      Netfilter (starting with kernel 3.18), so simply not loading the
+      module is sufficient to avoid filtering.</para>
+    </example>
+
+    <example>
+      <title>Apply settings available only when a certain module is loaded (method two)</title>
+      <para><filename>/etc/modules-load.d/bridge.conf</filename>:
+      </para>
+
+      <programlisting>br_netfilter</programlisting>
+
+      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
+      </para>
+
+      <programlisting>net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
+</programlisting>
+
+      <para>This method forces the module to be always loaded. Please
+      note that, unless the <filename>br_netfilter</filename> module is
+      loaded, bridged packets will not be filtered with Netfilter
+      (starting with kernel 3.18), so simply not loading the module is
+      sufficient to avoid filtering.</para>
+    </example>
+
+    <example>
+      <title>Set network routing properties for all interfaces</title>
+      <para><filename>/etc/sysctl.d/20-rp_filter.conf</filename>:</para>
+
+      <programlisting>net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.*.rp_filter = 2
+-net.ipv4.conf.all.rp_filter
+net.ipv4.conf.hub0.rp_filter = 1
+</programlisting>
+
+      <para>The <option>rp_filter</option> key will be set to "2" for all interfaces, except "hub0". We set
+      <filename>net.ipv4.conf.default.rp_filter</filename> first, so any interfaces which are added
+      <emphasis>later</emphasis> will get this value (this also covers any interfaces detected while we're
+      running). The glob matches any interfaces which were detected <emphasis>earlier</emphasis>. The glob
+      will also match <filename>net.ipv4.conf.all.rp_filter</filename>, which we don't want to set at all, so
+      it is explicitly excluded. And "hub0" is excluded from the glob because it has an explicit setting.
+      </para>
+    </example>
+
+  </refsect1>
+
+  <refsect1>
+    <title>See Also</title>
+    <para>
+      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>systemd-sysctl.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>systemd-delta</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+      <citerefentry project='man-pages'><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+      <citerefentry project='man-pages'><refentrytitle>sysctl.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+      <citerefentry project='man-pages'><refentrytitle>modprobe</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    </para>
+  </refsect1>
+
+</refentry>