authorYu Watanabe <watanabe.yu+github@gmail.com>2022-06-14 15:06:27 +0900
committerYu Watanabe <watanabe.yu+github@gmail.com>2022-06-22 22:23:58 +0900
commitb48ed70c79c6482e1f39b77d16e62043ff5042a5 (patch)
tree58245c4075beb60a8558020b647dc67134beb68e /man
parent127b26f3d8b589907ed75a34d34ab330995778f9 (diff)
Revert NFTSet feature
This reverts PR #22587 and its follow-up commit. More specifically, 2299b1cae32c1fb8911da0ce26efced68032f4f8 (partially), e176f855278d5098d3fecc5aa24ba702147d42e0, ceb46a31a01b3d3d1d6095d857e29ea214a2776b, and 51bb9076ab8c050bebb64db5035852385accda35. The PR was merged without final approval, and has several issues: - OSS-Fuzz reported issues in the conf parser, - It makes synchronous netlink calls, which it should not, especially in PID 1, - The importance of NFTSet for CGroup and DynamicUser may be questionable; at least, there was no justification that PID 1 should support it, - For networkd, it should be implemented with a Request object, - There is no test for the feature. Fixes #23711. Fixes #23717. Fixes #23719. Fixes #23720. Fixes #23721. Fixes #23759.
Diffstat (limited to 'man')
-rw-r--r--man/org.freedesktop.systemd1.xml60
-rw-r--r--man/systemd.exec.xml34
-rw-r--r--man/systemd.network.xml64
-rw-r--r--man/systemd.resource-control.xml29
4 files changed, 0 insertions, 187 deletions
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index b9b5768bf0..7974833554 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -2599,8 +2599,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@@ -2785,8 +2783,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) DynamicUserNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@@ -3174,8 +3170,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@@ -3334,8 +3328,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property DynamicUser is not documented!-->
- <!--property DynamicUserNFTSet is not documented!-->
-
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@@ -3758,8 +3750,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@@ -3944,8 +3934,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
- <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@@ -4499,8 +4487,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@@ -4685,8 +4671,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) DynamicUserNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@@ -5098,8 +5082,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@@ -5258,8 +5240,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property DynamicUser is not documented!-->
- <!--property DynamicUserNFTSet is not documented!-->
-
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@@ -5676,8 +5656,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@@ -5862,8 +5840,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
- <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@@ -6306,8 +6282,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@@ -6492,8 +6466,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) DynamicUserNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@@ -6833,8 +6805,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@@ -6993,8 +6963,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property DynamicUser is not documented!-->
- <!--property DynamicUserNFTSet is not documented!-->
-
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@@ -7329,8 +7297,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@@ -7515,8 +7481,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
- <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@@ -8086,8 +8050,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly as Environment = ['...', ...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sb) EnvironmentFiles = [...];
@@ -8272,8 +8234,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b DynamicUser = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) DynamicUserNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b RemoveIPC = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(say) SetCredential = [...];
@@ -8599,8 +8559,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property EnvironmentFiles is not documented!-->
<!--property PassEnvironment is not documented!-->
@@ -8759,8 +8717,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property DynamicUser is not documented!-->
- <!--property DynamicUserNFTSet is not documented!-->
-
<!--property RemoveIPC is not documented!-->
<!--property SetCredential is not documented!-->
@@ -9081,8 +9037,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="Environment"/>
<variablelist class="dbus-property" generated="True" extra-ref="EnvironmentFiles"/>
@@ -9267,8 +9221,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="DynamicUser"/>
- <variablelist class="dbus-property" generated="True" extra-ref="DynamicUserNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="RemoveIPC"/>
<variablelist class="dbus-property" generated="True" extra-ref="SetCredential"/>
@@ -9696,8 +9648,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
readonly a(iiqq) SocketBindDeny = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
};
interface org.freedesktop.DBus.Peer { ... };
interface org.freedesktop.DBus.Introspectable { ... };
@@ -9850,8 +9800,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--Autogenerated cross-references for systemd.directives, do not edit-->
<variablelist class="dbus-interface" generated="True" extra-ref="org.freedesktop.systemd1.Unit"/>
@@ -10010,8 +9958,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<!--End of Autogenerated section-->
<refsect2>
@@ -10192,8 +10138,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
readonly (bas) RestrictNetworkInterfaces = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
- readonly a(iss) ControlGroupNFTSet = [...];
- @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KillMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly i KillSignal = ...;
@@ -10363,8 +10307,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<!--property RestrictNetworkInterfaces is not documented!-->
- <!--property ControlGroupNFTSet is not documented!-->
-
<!--property KillMode is not documented!-->
<!--property KillSignal is not documented!-->
@@ -10551,8 +10493,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
<variablelist class="dbus-property" generated="True" extra-ref="RestrictNetworkInterfaces"/>
- <variablelist class="dbus-property" generated="True" extra-ref="ControlGroupNFTSet"/>
-
<variablelist class="dbus-property" generated="True" extra-ref="KillMode"/>
<variablelist class="dbus-property" generated="True" extra-ref="KillSignal"/>
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index c2c36d55e4..e92f615994 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -3164,40 +3164,6 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
</refsect1>
<refsect1>
- <title>Firewall Integration</title>
- <variablelist class='unit-directives'>
-
- <varlistentry>
- <term><varname>DynamicUserNFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
- <listitem><para>This setting provides a method for integrating <varname>DynamicUser=</varname>
- configuration into firewall rules with NFT sets. This option expects a whitespace separated list of
- NFT set definitions. Each definition consists of a colon-separated tuple of NFT address family (one
- of <literal>arp</literal>, <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>,
- <literal>ip6</literal>, or <literal>netdev</literal>), table name and set name. The names of tables
- and sets must conform to lexical restrictions of NFT table names. When the unit starts, the user ID
- will be appended to the NFT sets and it will be removed when the unit is stopped. Failures to manage
- the sets will be ignored.</para>
-
- <para>Example:
- <programlisting>[Service]
-DynamicUserNFTSet=inet:filter:u</programlisting>
- Corresponding NFT rules:
- <programlisting>table inet filter {
- set u {
- typeof meta skuid
- }
- chain service_output {
- meta skuid != @u drop
- accept
- }
-}</programlisting>
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1>
<title>System V Compatibility</title>
<variablelist class='unit-directives'>
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index d69e63e6b8..da19d98c46 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -1141,39 +1141,6 @@ NetLabel=system_u:object_r:localnet_peer_t:s0</programlisting>
and the reverse operation when the IPv4 address is deconfigured.</para>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><varname>IPv4NFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
- <term><varname>IPv6NFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
- <listitem>
- <para>These settings provide a method for integrating dynamic network configuration into firewall
- rules with NFT sets. These options expect a whitespace separated list of NFT set definitions. Each
- definition consists of a colon-separated tuple of NFT address family (one of
- <literal>arp</literal>, <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>,
- <literal>ip6</literal>, or <literal>netdev</literal>), table name and set name. The names of tables
- and sets must conform to lexical restrictions of NFT table names. When an interface is configured
- with IP addresses, the addresses and subnetwork masks will be appended to the NFT sets. They will
- be removed when the interface is deconfigured. Failures to manage the sets will be ignored.</para>
-
- <para>Example:
- <programlisting>[Address]
-IPv4NFTSet=netdev:filter:eth_ipv4_address
-IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
- Corresponding NFT rules:
- <programlisting>table netdev filter {
- set eth_ipv4_address {
- type ipv4_addr
- flags interval
- }
- chain eth_ingress {
- type filter hook ingress device "eth0" priority filter; policy drop;
- ip daddr != @eth_ipv4_address drop
- accept
- }
-}</programlisting>
- </para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -2122,14 +2089,6 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
<para>As in [Address] section.</para>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><varname>NFTSet=</varname></term>
- <listitem>
- <para>As in [Address] section. The type in NFT set definition must be
- <literal>ipv4_addr</literal>.</para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -2249,14 +2208,6 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
</listitem>
</varlistentry>
- <varlistentry>
- <term><varname>NFTSet=</varname></term>
- <listitem>
- <para>As in [DHCPv4] section. The type in NFT set definition must be
- <literal>ipv6_addr</literal>.</para>
- </listitem>
- </varlistentry>
-
<!-- How to communicate with the server -->
<varlistentry>
@@ -2360,14 +2311,6 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address</programlisting>
<para>As in [Address] section.</para>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><varname>NFTSet=</varname></term>
- <listitem>
- <para>As in [DHCPv6] section. The type in NFT set definition must be
- <literal>ipv6_addr</literal>.</para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
@@ -2632,13 +2575,6 @@ Token=prefixstable:2002:da8:1::</programlisting></para>
<para>As in [Address] section.</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term><varname>NFTSet=</varname></term>
- <listitem>
- <para>As in [DHCPv6] section. The type in NFT set definition must be
- <literal>ipv6_addr</literal>.</para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 23b2d0f390..1397b886c5 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -1173,35 +1173,6 @@ DeviceAllow=/dev/loop-control
</para>
</listitem>
</varlistentry>
- <varlistentry>
- <term><varname>ControlGroupNFTSet=</varname><replaceable>family</replaceable>:<replaceable>table</replaceable>:<replaceable>set</replaceable></term>
- <listitem>
- <para>This setting provides a method for integrating dynamic cgroup IDs into firewall rules with
- NFT sets. This option expects a whitespace separated list of NFT set definitions. Each definition
- consists of a colon-separated tuple of NFT address family (one of <literal>arp</literal>,
- <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>, <literal>ip6</literal>,
- or <literal>netdev</literal>), table name and set name. The names of tables and sets must conform
- to lexical restrictions of NFT table names. When a control group for a unit is realized, the cgroup
- ID will be appended to the NFT sets and it will be be removed when the control group is
- removed. Failures to manage the sets will be ignored.</para>
-
- <para>Example:
- <programlisting>[Unit]
-ControlGroupNFTSet=inet:filter:my_service
-</programlisting>
- Corresponding NFT rules:
- <programlisting>table inet filter {
- set my_service {
- type cgroupsv2
- }
- chain x {
- socket cgroupv2 level 2 @my_service accept
- drop
- }
-}</programlisting>
- </para>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>