# SPDX-License-Identifier: LGPL-2.1-or-later # # This file is part of systemd. # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. [Unit] Description=Network Configuration Documentation=man:systemd-networkd.service(8) Documentation=man:org.freedesktop.network1(5) ConditionCapability=CAP_NET_ADMIN DefaultDependencies=no # systemd-udevd.service can be dropped once tuntap is moved to netlink After=systemd-networkd.socket systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service Before=network.target multi-user.target shutdown.target initrd-switch-root.target Conflicts=shutdown.target initrd-switch-root.target Wants=systemd-networkd.socket network.target systemd-networkd-persistent-storage.service [Service] AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_BPF CAP_SYS_ADMIN BusName=org.freedesktop.network1 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_BPF CAP_SYS_ADMIN DeviceAllow=char-* rw ExecStart={{LIBEXECDIR}}/systemd-networkd FileDescriptorStoreMax=512 ImportCredential=network.wireguard.* LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes ProtectProc=invisible ProtectClock=yes ProtectControlGroups=yes ProtectHome=yes ProtectKernelLogs=yes ProtectKernelModules=yes ProtectSystem=strict Restart=on-failure RestartKillSignal=SIGUSR2 RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET RestrictNamespaces=yes RestrictRealtime=yes RestrictSUIDSGID=yes RuntimeDirectory=systemd/netif RuntimeDirectoryPreserve=yes SystemCallArchitectures=native SystemCallErrorNumber=EPERM SystemCallFilter=@system-service bpf Type=notify-reload User=systemd-network {{SERVICE_WATCHDOG}} [Install] WantedBy=multi-user.target Also=systemd-networkd.socket Alias=dbus-org.freedesktop.network1.service # The output from this generator is used by udevd and networkd. Enable it by # default when enabling systemd-networkd.service. Also=systemd-network-generator.service # We want to enable systemd-networkd-wait-online.service whenever this service # is enabled. systemd-networkd-wait-online.service has # WantedBy=network-online.target, so enabling it only has an effect if # network-online.target itself is enabled or pulled in by some other unit. Also=systemd-networkd-wait-online.service