[systemd.git] / units / systemd-networkd.service.in

#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

[Unit]
Description=Network Configuration
Documentation=man:systemd-networkd.service(8)
Documentation=man:org.freedesktop.network1(5)
ConditionCapability=CAP_NET_ADMIN
DefaultDependencies=no
# systemd-udevd.service can be dropped once tuntap is moved to netlink
After=systemd-networkd.socket systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
Before=network.target multi-user.target shutdown.target initrd-switch-root.target
Conflicts=shutdown.target initrd-switch-root.target
Wants=systemd-networkd.socket network.target

[Service]
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
BusName=org.freedesktop.network1
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
DeviceAllow=char-* rw
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-networkd
ExecReload=networkctl reload
FileDescriptorStoreMax=512
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectSystem=strict
Restart=on-failure
RestartKillSignal=SIGUSR2
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify
User=systemd-network
{{SERVICE_WATCHDOG}}

[Install]
WantedBy=multi-user.target
Also=systemd-networkd.socket
Alias=dbus-org.freedesktop.network1.service

# The output from this generator is used by udevd and networkd. Enable it by
# default when enabling systemd-networkd.service.
Also=systemd-network-generator.service

# We want to enable systemd-networkd-wait-online.service whenever this service
# is enabled. systemd-networkd-wait-online.service has
# WantedBy=network-online.target, so enabling it only has an effect if
# network-online.target itself is enabled or pulled in by some other unit.
Also=systemd-networkd-wait-online.service
Commit	Line	Data
a032b68d	1	# SPDX-License-Identifier: LGPL-2.1-or-later
52ad194e	2	#
60f067b4 JS	3	# This file is part of systemd.
	4	#
	5	# systemd is free software; you can redistribute it and/or modify it
	6	# under the terms of the GNU Lesser General Public License as published by
	7	# the Free Software Foundation; either version 2.1 of the License, or
	8	# (at your option) any later version.
	9
	10	[Unit]
67bbd050	11	Description=Network Configuration
60f067b4	12	Documentation=man:systemd-networkd.service(8)
ecfb185f	13	Documentation=man:org.freedesktop.network1(5)
e842803a	14	ConditionCapability=CAP_NET_ADMIN
60f067b4	15	DefaultDependencies=no
2897b343	16	# systemd-udevd.service can be dropped once tuntap is moved to netlink
a032b68d	17	After=systemd-networkd.socket systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
ecfb185f LB	18	Before=network.target multi-user.target shutdown.target initrd-switch-root.target
ecfb185f LB	19	Conflicts=shutdown.target initrd-switch-root.target
a032b68d	20	Wants=systemd-networkd.socket network.target
60f067b4 JS	21
60f067b4 JS	22	[Service]
f5e65279	23	AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
a032b68d	24	BusName=org.freedesktop.network1
6e866b33	25	CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
f2dec872	26	DeviceAllow=char-* rw
8b3d4ff0	27	ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-networkd
3a6ce677	28	ExecReload=networkctl reload
086111aa	29	FileDescriptorStoreMax=512
6e866b33 MB	30	LockPersonality=yes
	31	MemoryDenyWriteExecute=yes
	32	NoNewPrivileges=yes
a032b68d	33	ProtectProc=invisible
a10f5d05	34	ProtectClock=yes
8a584da2	35	ProtectControlGroups=yes
6e866b33	36	ProtectHome=yes
e1f67bc7	37	ProtectKernelLogs=yes
a032b68d	38	ProtectKernelModules=yes
6e866b33 MB	39	ProtectSystem=strict
6e866b33 MB	40	Restart=on-failure
a032b68d	41	RestartKillSignal=SIGUSR2
6e866b33	42	RestartSec=0
ea0999c9	43	RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
6e866b33 MB	44	RestrictNamespaces=yes
6e866b33 MB	45	RestrictRealtime=yes
bb4f798a	46	RestrictSUIDSGID=yes
f5e65279 MB	47	RuntimeDirectory=systemd/netif
f5e65279 MB	48	RuntimeDirectoryPreserve=yes
6e866b33 MB	49	SystemCallArchitectures=native
	50	SystemCallErrorNumber=EPERM
	51	SystemCallFilter=@system-service
	52	Type=notify
	53	User=systemd-network
8b3d4ff0	54	{{SERVICE_WATCHDOG}}
60f067b4 JS	55
60f067b4 JS	56	[Install]
60f067b4	57	WantedBy=multi-user.target
e735f4d4	58	Also=systemd-networkd.socket
81c58355 MB	59	Alias=dbus-org.freedesktop.network1.service
81c58355 MB	60
ea0999c9 MB	61	# The output from this generator is used by udevd and networkd. Enable it by
	62	# default when enabling systemd-networkd.service.
	63	Also=systemd-network-generator.service
	64
81c58355 MB	65	# We want to enable systemd-networkd-wait-online.service whenever this service
	66	# is enabled. systemd-networkd-wait-online.service has
	67	# WantedBy=network-online.target, so enabling it only has an effect if
	68	# network-online.target itself is enabled or pulled in by some other unit.
	69	Also=systemd-networkd-wait-online.service