authorYu Watanabe <watanabe.yu+github@gmail.com>2022-06-22 18:33:19 +0200
committerGitHub <noreply@github.com>2022-06-22 18:33:19 +0200
commit46355675f7e0bfc6890d0401180d73eb4621896d (patch)
tree93806de0d8a5151ed613ee322214feec911431ec /man
parentMerge pull request #23806 from keszybz/udevadm-info-pager (diff)
parentRevert "networkd: NetLabel integration" (diff)
Merge pull request #23774 from yuwata/netlabel-nftset-follow-ups
network, core: revert NFTSet and NetLabel features
Diffstat (limited to 'man')
-rw-r--r--man/org.freedesktop.systemd1.xml60
-rw-r--r--man/systemd.exec.xml34
-rw-r--r--man/systemd.network.xml118
-rw-r--r--man/systemd.resource-control.xml29
4 files changed, 0 insertions, 241 deletions
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index b9b5768bf0..7974833554 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -2599,8 +2599,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@@ -2785,8 +2783,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) DynamicUserNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@@ -3174,8 +3170,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@@ -3334,8 +3328,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property DynamicUser is not documented!-->
- <!--property DynamicUserNFTSet is not documented!-->
-
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@@ -3758,8 +3750,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@@ -3944,8 +3934,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
- <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@@ -4499,8 +4487,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@@ -4685,8 +4671,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) DynamicUserNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@@ -5098,8 +5082,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@@ -5258,8 +5240,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property DynamicUser is not documented!-->
- <!--property DynamicUserNFTSet is not documented!-->
-
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@@ -5676,8 +5656,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@@ -5862,8 +5840,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
- <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@@ -6306,8 +6282,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@@ -6492,8 +6466,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) DynamicUserNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@@ -6833,8 +6805,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@@ -6993,8 +6963,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property DynamicUser is not documented!-->
- <!--property DynamicUserNFTSet is not documented!-->
-
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@@ -7329,8 +7297,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@@ -7515,8 +7481,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
- <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@@ -8086,8 +8050,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@@ -8272,8 +8234,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) DynamicUserNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@@ -8599,8 +8559,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@@ -8759,8 +8717,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property DynamicUser is not documented!-->
- <!--property DynamicUserNFTSet is not documented!-->
-
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@@ -9081,8 +9037,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@@ -9267,8 +9221,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
- <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@@ -9696,8 +9648,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
readonly a(iiqq) SocketBindDeny = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
};
interface org.freedesktop.DBus.Peer { ... };
interface org.freedesktop.DBus.Introspectable { ... };
@@ -9850,8 +9800,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--Autogenerated cross-references for systemd.directives, do not edit-->
<variablelist class="dbus-interface" generated="True" extra-ref="org.freedesktop.systemd1.Unit"/>
@@ -10010,8 +9958,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<!--End of Autogenerated section-->
<refsect2>
@@ -10192,8 +10138,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KillMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly i KillSignal = ...;
@@ -10363,8 +10307,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property KillMode is not documented!-->
<!--property KillSignal is not documented!-->
@@ -10551,8 +10493,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="KillMode"/>
<variablelist class="dbus-property" generated="True" extra-ref="KillSignal"/>
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index c2c36d55e4..e92f615994 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -3164,40 +3164,6 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
</refsect1>
<refsect1>
- <title>Firewall Integration</title>
- <variablelist class='unit-directives'>
-
- <varlistentry>
- <term><varname>DynamicUserNFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
- <listitem><para>This setting provides a method for integrating <varname>DynamicUser=</varname>
- configuration into firewall rules with NFT sets. This option expects a whitespace separated list of
- NFT set definitions. Each definition consists of a colon-separated tuple of NFT address family (one
- of <literal>arp</literal>, <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>,
- <literal>ip6</literal>, or <literal>netdev</literal>), table name and set name. The names of tables
- and sets must conform to lexical restrictions of NFT table names. When the unit starts, the user ID
- will be appended to the NFT sets and it will be removed when the unit is stopped. Failures to manage
- the sets will be ignored.</para>
-
- <para>Example:
- <programlisting>[Service]
-DynamicUserNFTSet=inet:filter:u</programlisting>
- Corresponding NFT rules:
- <programlisting>table inet filter {
- set u {
- typeof meta skuid
- }
- chain service_output {
- meta skuid != @u drop
- accept
- }
-}</programlisting>
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1>
<title>System V Compatibility</title>
<variablelist class='unit-directives'>
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index d69e63e6b8..c2ce1b1d69 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -1109,71 +1109,6 @@ Table=1234</programlisting></para>
Defaults to <literal>no</literal>.</para>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><varname>NetLabel=</varname><replaceable>label</replaceable></term>
- <listitem>
-
- <para>This setting provides a method for integrating dynamic network configuration into Linux
- NetLabel subsystem rules, used by Linux security modules (LSMs) for network access control. The
- option expects a whitespace separated list of NetLabel labels. The labels must conform to lexical
- restrictions of LSM labels. When an interface is configured with IP addresses, the addresses and
- subnetwork masks will be appended to the NetLabel Fallback Peer Labeling rules. They will be
- removed when the interface is deconfigured. Failures to manage the labels will be ignored.</para>
-
- <para>Warning: Once labeling is enabled for network traffic, a lot of LSM access control points in
- Linux networking stack go from dormant to active. It is easy for someone not familiar with the LSM
- per-packet access controls to get into a situation where for example remote connectivity is
- broken. Also note that additional configuration with <citerefentry
- project='man-pages'><refentrytitle>netlabelctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- is needed.</para>
-
- <para>Example:
- <programlisting>[Address]
-NetLabel=system_u:object_r:localnet_peer_t:s0</programlisting>
-
- With the example rules applying for interface <literal>eth0</literal>, when the interface is
- configured with an IPv4 address of 10.0.0.0/8, <command>systemd-networkd</command> performs the
- equivalent of <command>netlabelctl</command> operation
-
- <programlisting>netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0</programlisting>
-
- and the reverse operation when the IPv4 address is deconfigured.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>IPv4NFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
- <term><varname>IPv6NFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
- <listitem>
- <para>These settings provide a method for integrating dynamic network configuration into firewall
- rules with NFT sets. These options expect a whitespace separated list of NFT set definitions. Each
- definition consists of a colon-separated tuple of NFT address family (one of
- <literal>arp</literal>, <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>,
- <literal>ip6</literal>, or <literal>netdev</literal>), table name and set name. The names of tables
- and sets must conform to lexical restrictions of NFT table names. When an interface is configured
- with IP addresses, the addresses and subnetwork masks will be appended to the NFT sets. They will
- be removed when the interface is deconfigured. Failures to manage the sets will be ignored.</para>
-
- <para>Example:
- <programlisting>[Address]
-IPv4NFTSet=netdev:filter:eth_ipv4_address
-IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
- Corresponding NFT rules:
- <programlisting>table netdev filter {
- set eth_ipv4_address {
- type ipv4_addr
- flags interval
- }
- chain eth_ingress {
- type filter hook ingress device "eth0" priority filter; policy drop;
- ip daddr != @eth_ipv4_address drop
- accept
- }
-}</programlisting>
- </para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -2115,21 +2050,6 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
<ulink url="https://tools.ietf.org/html/rfc5227">RFC 5227</ulink>. Defaults to false.</para>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><varname>NetLabel=</varname></term>
- <listitem>
- <para>As in [Address] section.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>NFTSet=</varname></term>
- <listitem>
- <para>As in [Address] section. The type in NFT set definition must be
- <literal>ipv4_addr</literal>.</para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -2243,20 +2163,11 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
<term><varname>UseNTP=</varname></term>
<term><varname>UseHostname=</varname></term>
<term><varname>UseDomains=</varname></term>
- <term><varname>NetLabel=</varname></term>
<listitem>
<para>As in the [DHCPv4] section.</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term><varname>NFTSet=</varname></term>
- <listitem>
- <para>As in [DHCPv4] section. The type in NFT set definition must be
- <literal>ipv6_addr</literal>.</para>
- </listitem>
- </varlistentry>
-
<!-- How to communicate with the server -->
<varlistentry>
@@ -2353,21 +2264,6 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
</para>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><varname>NetLabel=</varname></term>
- <listitem>
- <para>As in [Address] section.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><varname>NFTSet=</varname></term>
- <listitem>
- <para>As in [DHCPv6] section. The type in NFT set definition must be
- <literal>ipv6_addr</literal>.</para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -2625,20 +2521,6 @@ Token=prefixstable:2002:da8:1::</programlisting></para>
specified. Defaults to true.</para>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><varname>NetLabel=</varname></term>
- <listitem>
- <para>As in [Address] section.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><varname>NFTSet=</varname></term>
- <listitem>
- <para>As in [DHCPv6] section. The type in NFT set definition must be
- <literal>ipv6_addr</literal>.</para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 23b2d0f390..1397b886c5 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -1173,35 +1173,6 @@ DeviceAllow=/dev/loop-control
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term><varname>ControlGroupNFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
- <listitem>
- <para>This setting provides a method for integrating dynamic cgroup IDs into firewall rules with
- NFT sets. This option expects a whitespace separated list of NFT set definitions. Each definition
- consists of a colon-separated tuple of NFT address family (one of <literal>arp</literal>,
- <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>, <literal>ip6</literal>,
- or <literal>netdev</literal>), table name and set name. The names of tables and sets must conform
- to lexical restrictions of NFT table names. When a control group for a unit is realized, the cgroup
- ID will be appended to the NFT sets and it will be be removed when the control group is
- removed. Failures to manage the sets will be ignored.</para>
-
- <para>Example:
- <programlisting>[Unit]
-ControlGroupNFTSet=inet:filter:my_service
-</programlisting>
- Corresponding NFT rules:
- <programlisting>table inet filter {
- set my_service {
- type cgroupsv2
- }
- chain x {
- socket cgroupv2 level 2 @my_service accept
- drop
- }
-}</programlisting>
- </para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>