1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00
Commit Graph

7 Commits

Author SHA1 Message Date
Topi Miettinen
c0548df0a2 core: firewall integration with ControlGroupNFTSet=
New directive `ControlGroupNFTSet=` provides a method for integrating services
into firewall rules with NFT sets.

Example:

```
table inet filter {
...
        set timesyncd {
                type cgroupsv2
        }

        chain ntp_output {
                socket cgroupv2 != @timesyncd counter drop
                accept
        }
...
}
```

/etc/systemd/system/systemd-timesyncd.service.d/override.conf
```
[Service]
ControlGroupNFTSet=inet:filter:timesyncd
```

```
$ sudo nft list set inet filter timesyncd
table inet filter {
        set timesyncd {
                type cgroupsv2
                elements = { "system.slice/systemd-timesyncd.service" }
        }
}
```
2022-06-08 16:12:25 +00:00
Peter Morrow
1b75e5f343 fuzz: list directives in alphabetical order 2021-09-24 14:43:01 +01:00
Peter Morrow
88a56dc8d6 fuzz: add StartupAllowedCPUs and StartupAllowedMemoryNodes to directives
Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
2021-09-15 09:52:12 +01:00
Mauricio Vásquez
4f0c25c794 core: add load fragment implementation for RestrictNetworkInterfaces=
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
2021-08-18 15:55:53 -05:00
Julia Kartseva
7dc1707aab fuzz: add SocketBind{Allow|Deny}= directive 2021-04-26 16:26:28 -07:00
Julia Kartseva
96734772a7 fuzz: add BPFProgram= to directives 2021-04-09 20:28:47 -07:00
Frantisek Sumsal
34fde9f898 test: check if the unit file fuzzer corpora is up to date
This follows a similar pattern we already have in place for
networkd-related directives.
2021-04-05 14:41:05 +01:00