Diffstat (limited to 'man/systemd.resource-control.xml')
-rw-r--r-- | man/systemd.resource-control.xml | 29 |
1 files changed, 0 insertions, 29 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index 23b2d0f390..1397b886c5 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -1173,35 +1173,6 @@ DeviceAllow=/dev/loop-control </para> </listitem> </varlistentry> - <varlistentry> - <term><varname>ControlGroupNFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term> - <listitem> - <para>This setting provides a method for integrating dynamic cgroup IDs into firewall rules with - NFT sets. This option expects a whitespace separated list of NFT set definitions. Each definition - consists of a colon-separated tuple of NFT address family (one of <literal>arp</literal>, - <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>, <literal>ip6</literal>, - or <literal>netdev</literal>), table name and set name. The names of tables and sets must conform - to lexical restrictions of NFT table names. When a control group for a unit is realized, the cgroup - ID will be appended to the NFT sets and it will be be removed when the control group is - removed. Failures to manage the sets will be ignored.</para> - - <para>Example: - <programlisting>[Unit] -ControlGroupNFTSet=inet:filter:my_service -</programlisting> - Corresponding NFT rules: - <programlisting>table inet filter { - set my_service { - type cgroupsv2 - } - chain x { - socket cgroupv2 level 2 @my_service accept - drop - } -}</programlisting> - </para> - </listitem> - </varlistentry> </variablelist> </refsect1> |
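Review bot: the whole `<varlistentry>` for ControlGroupNFTSet= (the 29 deleted lines starting at old line 1173) is removed with no replacement text, and this view is limited to man/systemd.resource-control.xml, so it cannot be seen here whether the option's parsing and implementation are removed in the same commit. If the setting is still accepted, it becomes undocumented, including the removed sentence "Failures to manage the sets will be ignored", which is the one behaviour an administrator relying on it for filtering needs to know. If the setting is removed as well, state that in the commit message or release notes: with a rule set like the deleted example, where chain x accepts only on `socket cgroupv2 level 2 @my_service` and then reaches `drop`, a unit whose cgroup ID is no longer added to the set stops matching the accept rule and falls through to the drop.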