diff options
| author | Topi Miettinen <toiwoton@gmail.com> | 2022-05-22 15:17:24 +0300 |
|---|---|---|
| committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2022-06-08 16:12:25 +0000 |
| commit | 46c3b1ff887e096f89cb1eae9b2567c5dd4272d3 (patch) | |
| tree | f834624ca67c0a8b8dbf586dcbb6b1a3a14045c0 /man/org.freedesktop.systemd1.xml | |
| parent | c0548df0a2f78f3422d77c77c2149d8a7f50d8f6 (diff) | |
| download | systemd-46c3b1ff887e096f89cb1eae9b2567c5dd4272d3.tar.gz | |
core: firewall integration with DynamicUserNFTSet=
New directive `DynamicUserNFTSet=` provides a method for integrating
configuration of dynamic users into firewall rules with NFT sets.
Example:
```
table inet filter {
set u {
typeof meta skuid
}
chain service_output {
meta skuid != @u drop
accept
}
}
```
```
/etc/systemd/system/dunft.service
[Service]
DynamicUser=yes
DynamicUserNFTSet=inet:filter:u
ExecStart=/bin/sleep 1000
[Install]
WantedBy=multi-user.target
```
```
$ sudo nft list set inet filter u
table inet filter {
set u {
typeof meta skuid
elements = { 64864 }
}
}
$ ps -n --format user,group,pid,command -p `pgrep sleep`
USER GROUP PID COMMAND
64864 64864 55158 /bin/sleep 1000
```
Diffstat (limited to 'man/org.freedesktop.systemd1.xml')
| -rw-r--r-- | man/org.freedesktop.systemd1.xml | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml index 6625a74073..b9b5768bf0 100644 --- a/man/org.freedesktop.systemd1.xml +++ b/man/org.freedesktop.systemd1.xml @@ -2785,6 +2785,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b DynamicUser = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly a(iss) DynamicUserNFTSet = [...]; + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b RemoveIPC = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(say) SetCredential = [...]; @@ -3332,6 +3334,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { <!--property DynamicUser is not documented!--> + <!--property DynamicUserNFTSet is not documented!--> + <!--property RemoveIPC is not documented!--> <!--property SetCredential is not documented!--> @@ -3940,6 +3944,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { <variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/> + <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/> + <variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/> <variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/> @@ -4679,6 +4685,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b DynamicUser = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly a(iss) DynamicUserNFTSet = [...]; + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b RemoveIPC = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(say) SetCredential = [...]; @@ -5250,6 +5258,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { <!--property DynamicUser is not documented!--> + <!--property DynamicUserNFTSet is not documented!--> + <!--property RemoveIPC is not documented!--> <!--property SetCredential is not documented!--> @@ -5852,6 +5862,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { <variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/> + <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/> + <variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/> <variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/> @@ -6480,6 +6492,8 @@ node /org/freedesktop/systemd1/unit/home_2emount { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b DynamicUser = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly a(iss) DynamicUserNFTSet = [...]; + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b RemoveIPC = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(say) SetCredential = [...]; @@ -6979,6 +6993,8 @@ node /org/freedesktop/systemd1/unit/home_2emount { <!--property DynamicUser is not documented!--> + <!--property DynamicUserNFTSet is not documented!--> + <!--property RemoveIPC is not documented!--> <!--property SetCredential is not documented!--> @@ -7499,6 +7515,8 @@ node /org/freedesktop/systemd1/unit/home_2emount { <variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/> + <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/> + <variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/> <variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/> @@ -8254,6 +8272,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b DynamicUser = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly a(iss) DynamicUserNFTSet = [...]; + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b RemoveIPC = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(say) SetCredential = [...]; @@ -8739,6 +8759,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { <!--property DynamicUser is not documented!--> + <!--property DynamicUserNFTSet is not documented!--> + <!--property RemoveIPC is not documented!--> <!--property SetCredential is not documented!--> @@ -9245,6 +9267,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { <variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/> + <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/> + <variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/> <variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/> |