core: firewall integration with DynamicUserNFTSet=

New directive `DynamicUserNFTSet=` provides a method for integrating configuration of dynamic users into firewall rules with NFT sets. Example: ``` table inet filter { set u { typeof meta skuid } chain service_output { meta skuid != @u drop accept } } ``` ``` /etc/systemd/system/dunft.service [Service] DynamicUser=yes DynamicUserNFTSet=inet:filter:u ExecStart=/bin/sleep 1000 [Install] WantedBy=multi-user.target ``` ``` $ sudo nft list set inet filter u table inet filter { set u { typeof meta skuid elements = { 64864 } } } $ ps -n --format user,group,pid,command -p `pgrep sleep` USER GROUP PID COMMAND 64864 64864 55158 /bin/sleep 1000 ```
author: Topi Miettinen <toiwoton@gmail.com> 2022-05-22 15:17:24 +0300
committer: Topi Miettinen <topimiettinen@users.noreply.github.com> 2022-06-08 16:12:25 +0000
commit: 46c3b1ff887e096f89cb1eae9b2567c5dd4272d3 (patch)
tree: f834624ca67c0a8b8dbf586dcbb6b1a3a14045c0 /src/core/load-fragment-gperf.gperf.in
parent: c0548df0a2f78f3422d77c77c2149d8a7f50d8f6 (diff)
download: systemd-46c3b1ff887e096f89cb1eae9b2567c5dd4272d3.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in
index 0db24268d1..facda69d0d 100644
--- a/src/core/load-fragment-gperf.gperf.in
+++ b/src/core/load-fragment-gperf.gperf.in
@@ -32,6 +32,7 @@
 {{type}}.PassEnvironment,                  config_parse_pass_environ,                   0,                                  offsetof({{type}}, exec_context.pass_environment)
 {{type}}.UnsetEnvironment,                 config_parse_unset_environ,                  0,                                  offsetof({{type}}, exec_context.unset_environment)
 {{type}}.DynamicUser,                      config_parse_bool,                           true,                               offsetof({{type}}, exec_context.dynamic_user)
+{{type}}.DynamicUserNFTSet,                config_parse_dynamic_user_nft_set,           0,                                  offsetof({{type}}, exec_context)
 {{type}}.RemoveIPC,                        config_parse_bool,                           0,                                  offsetof({{type}}, exec_context.remove_ipc)
 {{type}}.StandardInput,                    config_parse_exec_input,                     0,                                  offsetof({{type}}, exec_context)
 {{type}}.StandardOutput,                   config_parse_exec_output,                    0,                                  offsetof({{type}}, exec_context)
author	Topi Miettinen <toiwoton@gmail.com>	2022-05-22 15:17:24 +0300
committer	Topi Miettinen <topimiettinen@users.noreply.github.com>	2022-06-08 16:12:25 +0000
commit	46c3b1ff887e096f89cb1eae9b2567c5dd4272d3 (patch)
tree	f834624ca67c0a8b8dbf586dcbb6b1a3a14045c0 /src/core/load-fragment-gperf.gperf.in
parent	c0548df0a2f78f3422d77c77c2149d8a7f50d8f6 (diff)
download	systemd-46c3b1ff887e096f89cb1eae9b2567c5dd4272d3.tar.gz