author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2015-06-29 20:34:45 -0400 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2015-07-02 09:15:09 -0400 |
commit | 9407bc2d03b6405754807b6f38c8ca95b4fc1f40 (patch) | |
tree | 5178a7bc0935e0e622743b94373911ed1ec2a443 /man/sysctl.d.xml | |
parent | ea539eb65950bea7a9734424e660ef84f6f30e6c (diff) |
man: update sysctl example about netfilter
It turns out that since kernel 3.18 netfilter on bridged packets
is off anyway, so the example should be reworded (and the module
name updated).
Diffstat (limited to 'man/sysctl.d.xml')
-rw-r--r-- | man/sysctl.d.xml | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/man/sysctl.d.xml b/man/sysctl.d.xml index 8a131791a5..e5b2bc0ac9 100644 --- a/man/sysctl.d.xml +++ b/man/sysctl.d.xml @@ -123,11 +123,12 @@ </example> <example> - <title>Disable packet filter on bridged packets (method one)</title> + <title>Apply settings available only when a certain module is loaded (method one)</title> <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>: </para> - <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge" + <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \ + RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge" </programlisting> <para><filename>/etc/sysctl.d/bridge.conf</filename>: @@ -137,14 +138,20 @@ net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 </programlisting> + + <para>This method applies settings when the module is + loaded. Please note that unless the <filename>br_netfilter</filename> + module is loaded, bridged packets will not be filtered by + netfilter (starting with kernel 3.18), so simply not loading the + module is suffient to avoid filtering.</para> </example> <example> - <title>Disable packet filter on bridged packets (method two)</title> + <title>Apply settings available only when a certain module is loaded (method two)</title> <para><filename>/etc/modules-load.d/bridge.conf</filename>: </para> - <programlisting>bridge</programlisting> + <programlisting>br_netfilter</programlisting> <para><filename>/etc/sysctl.d/bridge.conf</filename>: </para> 
@@ -153,6 +160,12 @@ net.bridge.bridge-nf-call-arptables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 </programlisting> + + <para>This method forces the module to be always loaded. Please + note that unless the <filename>br_netfilter</filename> module is + loaded, bridged packets will not be filtered with netfilter + (starting with kernel 3.18), so simply not loading the module is + suffient to avoid filtering.</para> </example> </refsect1> |
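Review bot: The new paragraph in the first hunk (`@@ -123,11 +123,12 @@`) misspells "sufficient" as "suffient" in "simply not loading the module is suffient to avoid filtering"; since this text ships in the man page, please fix it before merging. The rest of the hunk is consistent: the udev rule now matches `KERNEL=="br_netfilter"`, which is the same module name the second example loads, and the wording of the paragraph agrees with the commit message about the kernel 3.18 behaviour.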
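Review bot: The second hunk (`@@ -153,6 +160,12 @@`) repeats the same "suffient" typo in its new paragraph; it should read "sufficient". One more thing worth a sentence here: this method drops the udev trigger used in method one and simply lists `br_netfilter` in `/etc/modules-load.d/bridge.conf`, so the example implicitly relies on the module being loaded before the sysctl.d settings are applied; stating that ordering assumption explicitly would tell readers why no `RUN+=` hook is needed in this variant and when they should prefer method one instead (e.g. when the module is loaded on demand later rather than at boot).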