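#  SPDX-License-Identifier: LGPL-2.1-or-later
#
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# Unit template for systemd-networkd. The {{...}} tokens are build-time
# placeholders and must be substituted before the unit is installed.

[Unit]
Description=Network Configuration
Documentation=man:systemd-networkd.service(8)
# Skipped (condition not met, not a failure) when CAP_NET_ADMIN is absent from
# the service manager's bounding set, e.g. in a container without it.
ConditionCapability=CAP_NET_ADMIN
# No implicit sysinit/basic/shutdown dependencies, so ordering and the
# shutdown conflict are spelled out explicitly below.
DefaultDependencies=no
# systemd-udevd.service can be dropped once tuntap is moved to netlink
After=systemd-networkd.socket systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
Before=network.target multi-user.target shutdown.target
Conflicts=shutdown.target
Wants=systemd-networkd.socket network.target

[Service]
# The daemon runs as the unprivileged User= below. These four capabilities are
# granted as ambient capabilities, and the bounding set is capped to the same
# list so nothing beyond them can be acquired.
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
BusName=org.freedesktop.network1
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
# Setting DeviceAllow= limits device access to the listed nodes plus the
# standard pseudo-devices. "char-*" matches every character device group, so
# in effect block devices are denied.
# NOTE(review): which character devices are actually needed is not visible
# here - confirm before narrowing or copying this wildcard.
DeviceAllow=char-* rw
# "!!" only takes effect on kernels without ambient capability support. There
# the process is started with full privileges and must drop them itself, and
# SystemCallFilter=/CapabilityBoundingSet= are implicitly relaxed to let it.
# Where ambient capabilities are supported, the prefix changes nothing.
ExecStart=!!{{ROOTLIBEXECDIR}}/systemd-networkd
# Non-absolute command: resolved through systemd's compiled-in search path,
# not a caller-controlled $PATH.
ExecReload=networkctl reload
# Pins the personality(2) execution domain.
LockPersonality=yes
# Denies mappings that are both writable and executable.
MemoryDenyWriteExecute=yes
# execve() can never grant more privileges (setuid/setgid bits and file
# capabilities are ignored) for this process and its children.
NoNewPrivileges=yes
# Hides processes owned by other users in this service's view of /proc.
ProtectProc=invisible
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
# NOTE(review): ProtectKernelTunables= is not set, presumably because the
# daemon writes network sysctls - confirm before adding it in a derived unit.
# Whole file system hierarchy is read-only except /dev, /proc and /sys. The
# RuntimeDirectory= below is the writable location this unit declares.
ProtectSystem=strict
Restart=on-failure
# Signal used to stop the daemon when it is being restarted rather than
# stopped. How the daemon handles SIGUSR2 is not shown in this file.
RestartKillSignal=SIGUSR2
RestartSec=0
# Socket address family allow-list; any other family is refused.
# AF_PACKET permits raw link-layer sockets.
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Creates /run/systemd/netif for the service. Preserve=yes keeps its contents
# when the service stops or restarts.
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes
# Only native-ABI system calls. Calls outside the @system-service allow-list
# fail with EPERM instead of terminating the process.
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
Type=notify
User=systemd-network
# Build-time placeholder, presumably expanding to a WatchdogSec= line - TODO
# confirm against the build definitions.
{{SERVICE_WATCHDOG}}

[Install]
WantedBy=multi-user.target
# Also= is a list setting: the repeated assignments in this section accumulate.
Also=systemd-networkd.socket
# Symlink created on enable. Presumably the name the D-Bus activation file for
# org.freedesktop.network1 refers to (that file is not shown here).
Alias=dbus-org.freedesktop.network1.service

# The output from this generator is used by udevd and networkd. Enable it by
# default when enabling systemd-networkd.service.
Also=systemd-network-generator.service

# We want to enable systemd-networkd-wait-online.service whenever this service
# is enabled. systemd-networkd-wait-online.service has
# WantedBy=network-online.target, so enabling it only has an effect if
# network-online.target itself is enabled or pulled in by some other unit.
Also=systemd-networkd-wait-online.service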
68