Topi Miettinen c0548df0a2 core: firewall integration with ControlGroupNFTSet=
New directive `ControlGroupNFTSet=` provides a way to integrate services
into firewall rules by way of NFT sets.

Example:

```
table inet filter {
...
        set timesyncd {
                type cgroupsv2
        }

        chain ntp_output {
                socket cgroupv2 != @timesyncd counter drop
                accept
        }
...
}
```

/etc/systemd/system/systemd-timesyncd.service.d/override.conf
```
[Service]
ControlGroupNFTSet=inet:filter:timesyncd
```

```
$ sudo nft list set inet filter timesyncd
table inet filter {
        set timesyncd {
                type cgroupsv2
                elements = { "system.slice/systemd-timesyncd.service" }
        }
}
```
2022-06-08 16:12:25 +00:00

[Slice]
AllowedCPUs=
AllowedMemoryNodes=
BPFProgram=
BlockIOAccounting=
BlockIODeviceWeight=
BlockIOReadBandwidth=
BlockIOWeight=
BlockIOWriteBandwidth=
ControlGroupNFTSet=
CPUAccounting=
CPUQuota=
CPUQuotaPeriodSec=
CPUShares=
CPUWeight=
DefaultMemoryLow=
DefaultMemoryMin=
Delegate=
DeviceAllow=
DevicePolicy=
DisableControllers=
IOAccounting=
IODeviceLatencyTargetSec=
IODeviceWeight=
IOReadBandwidthMax=
IOReadIOPSMax=
IOWeight=
IOWriteBandwidthMax=
IOWriteIOPSMax=
IPAccounting=
IPAddressAllow=
IPAddressDeny=
IPEgressFilterPath=
IPIngressFilterPath=
ManagedOOMMemoryPressure=
ManagedOOMMemoryPressureLimit=
ManagedOOMPreference=
ManagedOOMSwap=
MemoryAccounting=
MemoryHigh=
MemoryLimit=
MemoryLow=
MemoryMax=
MemoryMin=
MemorySwapMax=
NetClass=
RestrictNetworkInterfaces=
Slice=
SocketBindAllow=
SocketBindDeny=
StartupAllowedCPUs=
StartupAllowedMemoryNodes=
StartupBlockIOWeight=
StartupCPUShares=
StartupCPUWeight=
StartupIOWeight=
TasksAccounting=
TasksMax=
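Review bot: The new `ControlGroupNFTSet=` seed on line 57 carries no value, so the fuzzer starts from an empty string and has to discover the `family:table:set` shape on its own. Every other directive in this file is listed bare as well, so the entry follows the file's convention; if the corpus has a companion file with populated values, a well-formed sample such as the `inet:filter:timesyncd` example from the commit message would give the value parser (family, table and set tokens and their separators) a more useful starting point. Whether the harness mutates values or only the directive names is not visible here.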