
Sysctl

From dankwiki

User-supplied sysctls are best provided via files dropped into /etc/sysctl.d (these files must have a .conf extension). Each sysctl has a corresponding entry in /proc/sys, assuming procfs is mounted. With or without a mounted procfs, the sysctl command line tool.

There is a sysctl system call, but it has been deprecated since Linux 2.6.24, and its usage is discouraged. FreeBSD supports the system call. Supported sysctls can be enumerated using sysctl -a.

Some favorite sysctls

  • kernel.dmesg_restrict=0 allows regular users to see dmesg output
  • kernel.nmi_watchdog=0 disables the NMI watchdog, freeing up a performance counter
  • kernel.perf_event_paranoid=-1 allows unprivileged access to performance counters
  • net.ipv4.ip_forward=1 enables IPv4 packet forwarding
  • net.ipv6.conf.all.forwarding=1 enables IPv6 packet forwarding
  • net.netfilter.nf_conntrack_acct=1 turns on packet/byte stats in the conntrack table
  • net.netfilter.nf_conntrack_timestamp=1 turns on timestamps in the conntrack table
  • net.ipv4.tcp_syncookies=1 enables TCP syncookies (see http://lwn.net/Articles/277146/)
  • net.ipv4.conf.default.rp_filter=1, net.ipv4.conf.all.rp_filter=1 enable the reverse path filter
  • net.core.bpf_jit_enable=1 enables eBPF JIT
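
A drop-in under /etc/sysctl.d only states intent; the entry under /proc/sys is what the kernel is actually using. The following added example (not part of the original wiki page) maps each key in a drop-in to its /proc/sys path using the separator rule from sysctl.d(5) and reports any setting that is missing or differs. The ROOT argument, the demo tree and the 99.conf file name are constructed for illustration.

```shell
# Name -> path per sysctl.d(5): if the first separator is '.', dots and
# slashes swap (net.ipv4.conf.eth0/100.rp_filter names interface eth0.100);
# if it is '/', the name is already a path and is left intact.
sysctl_key_to_path() {
    rest=${1#"${1%%[./]*}"}
    case $rest in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "$1" | tr './' '/.' ;;
    esac
}

# audit_sysctl_conf CONF [ROOT]: print OK/DRIFT/MISSING per setting and
# return 1 on any mismatch. ROOT is this example's own hook for testing.
audit_sysctl_conf() {
    root=${2:-/proc/sys}
    # Trim, drop comments (# or ;) and non-assignments, strip the leading '-'
    # (ignore-errors marker), and remove blanks around the first '='.
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^[#;]/d' \
        -e '/=/!d' -e 's/^-//' -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" |
    (
        rc=0
        while IFS='=' read -r key want; do
            path=$root/$(sysctl_key_to_path "$key")
            if [ ! -r "$path" ]; then
                printf 'MISSING %s\n' "$key"; rc=1; continue
            fi
            # procfs separates multi-value entries with tabs; compare on spaces.
            have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
            want=$(printf '%s' "$want" | tr -s '[:space:]' ' ')
            if [ "$have" = "$want" ]; then
                printf 'OK %s=%s\n' "$key" "$have"
            else
                printf 'DRIFT %s want=%s have=%s\n' "$key" "$want" "$have"; rc=1
            fi
        done
        exit "$rc"
    )
}

# Constructed sample: a fake /proc/sys tree plus a drop-in using this page's keys.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/proc/net/ipv4" "$d/proc/kernel"
    echo 1 > "$d/proc/net/ipv4/ip_forward"; echo 1 > "$d/proc/kernel/dmesg_restrict"
    printf '%s\n' '# constructed' 'net.ipv4.ip_forward = 1' \
        'kernel.dmesg_restrict=0' '-net.core.bpf_jit_enable=1' > "$d/99.conf"
    rc=0; audit_sysctl_conf "$d/99.conf" "$d/proc" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || true   # prints one OK, one DRIFT and one MISSING line
```

Against a real system, call audit_sysctl_conf with one file from /etc/sysctl.d and no second argument; a non-zero return means at least one setting is not live.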