diff options
author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-06-14 15:06:27 +0900 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-06-22 22:23:58 +0900 |
commit | b48ed70c79c6482e1f39b77d16e62043ff5042a5 (patch) | |
tree | 58245c4075beb60a8558020b647dc67134beb68e /man/systemd.resource-control.xml | |
parent | 127b26f3d8b589907ed75a34d34ab330995778f9 (diff) | |
download | systemd-b48ed70c79c6482e1f39b77d16e62043ff5042a5.tar.gz |
Revert NFTSet feature
This reverts PR #22587 and its follow-up commit. More specifically,
2299b1cae32c1fb8911da0ce26efced68032f4f8 (partially),
e176f855278d5098d3fecc5aa24ba702147d42e0,
ceb46a31a01b3d3d1d6095d857e29ea214a2776b, and
51bb9076ab8c050bebb64db5035852385accda35.
The PR was merged without final approval, and has several issues:
- OSS fuzz reported issues in the conf parser,
- It calls synchrnous netlink call, it should not be especially in PID1,
- The importance of NFTSet for CGroup and DynamicUser may be
questionable, at least, there was no justification PID1 should support
it.
- For networkd, it should be implemented with Request object,
- There is no test for the feature.
Fixes #23711.
Fixes #23717.
Fixes #23719.
Fixes #23720.
Fixes #23721.
Fixes #23759.
Diffstat (limited to 'man/systemd.resource-control.xml')
-rw-r--r-- | man/systemd.resource-control.xml | 29 |
1 files changed, 0 insertions, 29 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index 23b2d0f390..1397b886c5 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -1173,35 +1173,6 @@ DeviceAllow=/dev/loop-control </para> </listitem> </varlistentry> - <varlistentry> - <term><varname>ControlGroupNFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term> - <listitem> - <para>This setting provides a method for integrating dynamic cgroup IDs into firewall rules with - NFT sets. This option expects a whitespace separated list of NFT set definitions. Each definition - consists of a colon-separated tuple of NFT address family (one of <literal>arp</literal>, - <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>, <literal>ip6</literal>, - or <literal>netdev</literal>), table name and set name. The names of tables and sets must conform - to lexical restrictions of NFT table names. When a control group for a unit is realized, the cgroup - ID will be appended to the NFT sets and it will be be removed when the control group is - removed. Failures to manage the sets will be ignored.</para> - - <para>Example: - <programlisting>[Unit] -ControlGroupNFTSet=inet:filter:my_service -</programlisting> - Corresponding NFT rules: - <programlisting>table inet filter { - set my_service { - type cgroupsv2 - } - chain x { - socket cgroupv2 level 2 @my_service accept - drop - } -}</programlisting> - </para> - </listitem> - </varlistentry> </variablelist> </refsect1> |