diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index 73b6734ddd..16de3caf5f 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml @@ -1149,7 +1149,7 @@ NFTSet=cgroup:inet:filter:my_service user:inet:filter:serviceuser one more restricted, depending on the use case. Note that these settings might not be supported on some systems (for example if eBPF control group - support is not enabled in the underlying kernel or container manager). These settings will fail the service in + support is not enabled in the underlying kernel or container manager). These settings will have no effect in that case. If compatibility with such systems is desired it is hence recommended to attach your filter manually (requires Delegate=yes) instead of using this setting. diff --git a/src/core/cgroup.c b/src/core/cgroup.c index 6d37c03127..64bbcadd8f 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -2204,12 +2204,6 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { if (set_isempty(pids)) return 0; - /* Load any custom firewall BPF programs here once to test if they are existing and actually loadable. - * Fail here early since later errors in the call chain unit_realize_cgroup to cgroup_context_apply are ignored. */ - r = bpf_firewall_load_custom(u); - if (r < 0) - return r; - r = unit_realize_cgroup(u); if (r < 0) return r; diff --git a/src/core/unit.c b/src/core/unit.c index 147bc8f5f2..a4ddf4d91e 100644 --- a/src/core/unit.c +++ b/src/core/unit.c 
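Review bot: With the `bpf_firewall_load_custom()` pre-check gone from `unit_attach_pids_to_cgroup()`, a custom firewall program that is missing or cannot be loaded no longer stops the unit. The removed comment itself says later errors on the `unit_realize_cgroup()` path are ignored, so the service starts with no filter attached (fail-open); the same removal is made in `unit_prepare_exec()` in src/core/unit.c. If that is the intended trade-off, replace the deleted comment with one such as `/* Custom firewall BPF programs are not pre-loaded here: if loading fails later the unit still starts, unfiltered. */`. The later load failure should also be logged at warning level so operators can detect a service running without its filter; whether it already is cannot be seen from this diff. Both function bodies continue outside their hunks.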
@@ -6005,12 +6005,6 @@ int unit_prepare_exec(Unit *u) {
 assert(u);
- /* Load any custom firewall BPF programs here once to test if they are existing and actually loadable.
- * Fail here early since later errors in the call chain unit_realize_cgroup to cgroup_context_apply are ignored. */
- r = bpf_firewall_load_custom(u);
- if (r < 0)
- return r;
-
 /* Prepares everything so that we can fork of a process for this unit */
 r = unit_realize_cgroup(u);