git.ipfire.org Git - thirdparty/systemd.git/commit
core: add user and group to NFTSet=
author Topi Miettinen <toiwoton@gmail.com>
Sun, 22 May 2022 12:17:24 +0000 (15:17 +0300)
committer Topi Miettinen <topimiettinen@users.noreply.github.com>
Wed, 27 Sep 2023 18:10:11 +0000 (18:10 +0000)
commit 3bb48b19bd0beeaca11712ae4c75d3d8964936af
tree 82f17547afc7bc452b04d2bad89afd2106c3c4ff
parent dc7d69b3c1eb4aa78a5ba2791c6e146a365c4092

The benefit of using this setting is that user and group IDs, especially dynamic and random
IDs used by DynamicUser=, can be used in firewall configuration easily.

Example:

```
[Service]
NFTSet=user:inet:filter:serviceuser
```

Corresponding NFT rules:

```
table inet filter {
        set serviceuser {
                typeof meta skuid
        }
        chain service_output {
                meta skuid @serviceuser accept
                drop
        }
}
```

```
$ cat /etc/systemd/system/dunft.service
[Service]
DynamicUser=yes
NFTSet=user:inet:filter:serviceuser
ExecStart=/bin/sleep 1000

[Install]
WantedBy=multi-user.target
$ sudo nft list set inet filter serviceuser
table inet filter {
        set serviceuser {
                typeof meta skuid
                elements = { 64864 }
        }
}
$ ps -n --format user,group,pid,command -p `systemctl show dunft.service -P MainPID`
    USER    GROUP     PID COMMAND
   64864    64864   55158 /bin/sleep 1000
```
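The commit message above shows the `source:family:table:set` form of `NFTSet=` and the resulting `elements = { 64864 }` in the nft set. The following is an added example, not systemd's implementation (which is C, in `src/shared/firewall-util-nft.c`) and not part of the commit: a small Python parser for `NFTSet=` entries that validates the four fields, pulls them from a `[Service]` section, and renders the `nft add element` / `nft delete element` commands that correspond to adding or removing a service's UID or GID. The source keywords (`cgroup`, `ipv4`, `ipv6`, `user`, `group`) and nft families are taken from systemd.resource-control(5) as this example understands them; the uid 64864 and the `dunft.service` text are the sample values from the commit message, reused here as constructed input; the identifier regex for nft table/set names is this example's own assumption.

```python
"""Parse systemd NFTSet= entries and render matching nft element commands.

Added example; not systemd's own code. Sources and families follow
systemd.resource-control(5) as understood by the author of this example.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# NFTSet= sources. "user" and "group" are the two added by this commit; the
# others (cgroup ID and the service's IPv4/IPv6 addresses) pre-existed.
SOURCES = {"cgroup", "ipv4", "ipv6", "user", "group"}
FAMILIES = {"arp", "bridge", "inet", "ip", "ip6", "netdev"}
# Assumed shape of an nft table/set identifier (this example's choice).
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass(frozen=True)
class NFTSetEntry:
    source: str
    family: str
    table: str
    set_name: str


def parse_nftset(value: str) -> list[NFTSetEntry]:
    """Parse one NFTSet= value: whitespace-separated source:family:table:set.

    Malformed entries raise ValueError so a typo fails loudly instead of
    silently leaving the firewall set empty."""
    entries = []
    for token in shlex.split(value):
        parts = token.split(":")
        if len(parts) != 4:
            raise ValueError(f"expected source:family:table:set, got {token!r}")
        source, family, table, set_name = parts
        if source not in SOURCES:
            raise ValueError(f"unknown source {source!r} in {token!r}")
        if family not in FAMILIES:
            raise ValueError(f"unknown family {family!r} in {token!r}")
        for ident in (table, set_name):
            if not IDENT.match(ident):
                raise ValueError(f"invalid nft identifier {ident!r} in {token!r}")
        entries.append(NFTSetEntry(source, family, table, set_name))
    return entries


def nftset_from_unit(unit_text: str) -> list[NFTSetEntry]:
    """Collect NFTSet= entries from the [Service] section of a unit file.

    Like other systemd list settings, an empty NFTSet= resets the list."""
    section = None
    entries: list[NFTSetEntry] = []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "NFTSet":
            continue
        value = value.strip()
        entries = [] if value == "" else entries + parse_nftset(value)
    return entries


def nft_element_commands(entries, uid: int, gid: int, add: bool = True) -> list[str]:
    """Render the nft commands for the user/group entries only.

    cgroup/ipv4/ipv6 entries would need the cgroup ID and the service's
    addresses, which this example does not model, so they are skipped."""
    verb = "add" if add else "delete"
    cmds = []
    for e in entries:
        if e.source == "user":
            elem = uid
        elif e.source == "group":
            elem = gid
        else:
            continue
        cmds.append(f"nft {verb} element {e.family} {e.table} {e.set_name} {{ {elem} }}")
    return cmds


# Constructed sample: the unit from the commit message.
SAMPLE_UNIT = """[Service]
DynamicUser=yes
NFTSet=user:inet:filter:serviceuser
ExecStart=/bin/sleep 1000

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    # 64864 is the dynamic uid/gid shown in the commit message.
    for cmd in nft_element_commands(nftset_from_unit(SAMPLE_UNIT), 64864, 64864):
        print(cmd)
```

The add/delete pairing mirrors the lifecycle the setting implies: the element is only meaningful while the dynamic UID is allocated, so whatever manages the set must remove it again when the service stops, otherwise a later DynamicUser= allocation of the same ID would inherit the firewall exception.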
man/systemd.resource-control.xml
src/core/dbus-cgroup.c
src/core/unit.c
src/shared/bus-unit-util.c
src/shared/firewall-util-nft.c
src/shared/firewall-util.h