From b48ed70c79c6482e1f39b77d16e62043ff5042a5 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Tue, 14 Jun 2022 15:06:27 +0900
Subject: Revert NFTSet feature

This reverts PR #22587 and its follow-up commit. More specifically,
2299b1cae32c1fb8911da0ce26efced68032f4f8 (partially),
e176f855278d5098d3fecc5aa24ba702147d42e0,
ceb46a31a01b3d3d1d6095d857e29ea214a2776b, and
51bb9076ab8c050bebb64db5035852385accda35.

The PR was merged without final approval, and has several issues:
- OSS fuzz reported issues in the conf parser,
- It calls a synchronous netlink call; it should not, especially in PID1,
- The importance of NFTSet for CGroup and DynamicUser may be questionable,
  at least, there was no justification PID1 should support it.
- For networkd, it should be implemented with Request object,
- There is no test for the feature.

Fixes #23711.
Fixes #23717.
Fixes #23719.
Fixes #23720.
Fixes #23721.
Fixes #23759.
---
 man/systemd.resource-control.xml | 29 -----------------------------
 1 file changed, 29 deletions(-)

(limited to 'man/systemd.resource-control.xml')

diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 23b2d0f390..1397b886c5 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -1173,35 +1173,6 @@ DeviceAllow=/dev/loop-control - - ControlGroupNFTSet=family:table:set - - This setting provides a method for integrating dynamic cgroup IDs into firewall rules with - NFT sets. This option expects a whitespace separated list of NFT set definitions. Each definition - consists of a colon-separated tuple of NFT address family (one of arp, - bridge, inet, ip, ip6, - or netdev), table name and set name. The names of tables and sets must conform - to lexical restrictions of NFT table names. When a control group for a unit is realized, the cgroup - ID will be appended to the NFT sets and it will be be removed when the control group is - removed. Failures to manage the sets will be ignored. - - Example: - [Unit] -ControlGroupNFTSet=inet:filter:my_service - - Corresponding NFT rules: - table inet filter { - set my_service { - type cgroupsv2 - } - chain x { - socket cgroupv2 level 2 @my_service accept - drop - } -} - - - -- cgit v1.2.1
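Review bot: this view is limited to man/systemd.resource-control.xml, so only the documentation side of the revert is visible here; since the ControlGroupNFTSet= entry is dropped from the man page, please confirm in the companion hunks that the setting is also removed from the unit-file parser and the load-fragment gperf table, so a unit that still carries ControlGroupNFTSet= gets the usual "Unknown key" warning instead of being silently accepted with no effect. The removed text also documented that "Failures to manage the sets will be ignored", i.e. a firewall rule referencing @my_service would silently match nothing if the set update failed; that silent-failure semantic is worth revisiting if the feature is reintroduced via the Request object in networkd as the commit message proposes. The hunk itself is a clean 29-line deletion matching the diffstat, with no stray edits to neighbouring settings.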