<p>In CentOS 7, I was setting some kernel tuning parameters in /etc/sysctl.d conf files. <code>net.ipv4.conf.default.rp_filter = 0</code> is demonstrated below</p>
<p>Initially I had set a parameter in 2-test-profile.conf , however I discovered that the setting was being overridden somewhere. </p>
<pre><code>[root@linuxsvr sysctl.d]# grep -R rp_filter *
2-test-profile1.conf:net.ipv4.conf.default.rp_filter = 0
[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1
</code></pre>
<p>Even after rebooting it was still not applying the value.</p>
<p>As it turns out, other parameters are set via scripts in /usr/lib/sysctl.d/*.conf<br>
The priority is determined by the prefix number, regardless of where the script is located.</p>
<pre><code>[root@linuxsvr sysctl.d]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
* Applying /etc/sysctl.d/2-test-profile1.conf ...
net.ipv4.conf.default.rp_filter = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/ipv6.conf ...
* Applying /etc/sysctl.conf ...
</code></pre>
<p>This demonstrates that despite applying my parameter early on, a system-wide default is applied in /usr/lib/sysctl.d/50-default.conf. This file is shipped with Linux (included in systemd package). It seems perplexing that the base system defaults would be applied with a priority of 50, as this effectively limits customisations to a priority between 51 and 99. Yes, it is 'possible' to change the priority of the 50-default file, however this is not recommended as you will need to remember to change this everywhere in your environment.</p>
<p>To further demonstrate, if I apply just the <code>2-test-profile1.conf</code> config, it works file</p>
<pre><code>[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1
[root@linuxsvr sysctl.d]# sysctl -p 2-test-profile1.conf
net.ipv4.conf.default.rp_filter = 0
[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 0
</code></pre>
<p>Instead, if I change the priority to 52, it now works with an ordinary sysctl run</p>
<pre><code>[root@linuxsvr sysctl.d]# ll
total 12
-rw-r--r-- 1 root root 270 Aug 16 14:59 2-test-profile1.conf
lrwxrwxrwx. 1 root root 14 Aug 13 03:28 99-sysctl.conf -> ../sysctl.conf
-rw-r--r--. 1 root root 89 Aug 13 03:30 ipv6.conf
[root@linuxsvr sysctl.d]# mv 2-test-profile1.conf 52-test-profile1.conf
[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1
[root@linuxsvr sysctl.d]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/52-test-profile1.conf ...
net.ipv4.conf.default.rp_filter = 0
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/ipv6.conf ...
* Applying /etc/sysctl.conf ...
[root@linuxsvr sysctl.d]# sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 0