The new `ControlGroupNFTSet=` directive adds a unit's control group path to an nftables set, so that firewall rules can match a service's traffic by cgroup instead of by address or port. Example: ``` table inet filter { ... set timesyncd { type cgroupsv2 } chain ntp_output { socket cgroupv2 != @timesyncd counter drop accept } ... } ``` /etc/systemd/system/systemd-timesyncd.service.d/override.conf ``` [Service] ControlGroupNFTSet=inet:filter:timesyncd ``` ``` $ sudo nft list set inet filter timesyncd table inet filter { set timesyncd { type cgroupsv2 elements = { "system.slice/systemd-timesyncd.service" } } } ```
slice
[Slice]
AllowedCPUs=
AllowedMemoryNodes=
BPFProgram=
BlockIOAccounting=
BlockIODeviceWeight=
BlockIOReadBandwidth=
BlockIOWeight=
BlockIOWriteBandwidth=
ControlGroupNFTSet=
CPUAccounting=
CPUQuota=
CPUQuotaPeriodSec=
CPUShares=
CPUWeight=
DefaultMemoryLow=
DefaultMemoryMin=
Delegate=
DeviceAllow=
DevicePolicy=
DisableControllers=
IOAccounting=
IODeviceLatencyTargetSec=
IODeviceWeight=
IOReadBandwidthMax=
IOReadIOPSMax=
IOWeight=
IOWriteBandwidthMax=
IOWriteIOPSMax=
IPAccounting=
IPAddressAllow=
IPAddressDeny=
IPEgressFilterPath=
IPIngressFilterPath=
ManagedOOMMemoryPressure=
ManagedOOMMemoryPressureLimit=
ManagedOOMPreference=
ManagedOOMSwap=
MemoryAccounting=
MemoryHigh=
MemoryLimit=
MemoryLow=
MemoryMax=
MemoryMin=
MemorySwapMax=
NetClass=
RestrictNetworkInterfaces=
Slice=
SocketBindAllow=
SocketBindDeny=
StartupAllowedCPUs=
StartupAllowedMemoryNodes=
StartupBlockIOWeight=
StartupCPUShares=
StartupCPUWeight=
StartupIOWeight=
TasksAccounting=
TasksMax=