Is it possible to hide all networks except one from a systemd service?

I have a systemd-networkd network, and I want it to only be accessible from one service, and I want that service to only have access to that network. I tried to read the systemd manpages, and I have found a few options, like BindToDevice, PrivateNetwork=yes and JoinsNamespaceOf=, but none of them seem to do exactly what I need. I’m wondering if it’s possible, or is it just something systemd alone can’t do?

You would need to use the network namespaces – that’s the mechanism that allows isolating the network stacks. I am not sure if it is possible to achieve this entirely using systemd directives. I am running namespaces for different wireguard networks and for all networks there’s usually a helper script that manipulates ip netns when the interface starts (source). I know that wireguard has bits designed specifically for this use case (start wg adapter in main namespace, move it to the namespace but traffic keeps flowing), but other network mechanisms may need some tweaking – e.g. through bridges.

The services that are confined to the namespace use this directive:

systemd.services.<name>.serviceConfig.NetworkNamespacePath = "/run/netns/${wg-namespace-name}";
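As an added example (not code from the original answer), a NixOS module spelling out the two-unit pattern the answer describes: a oneshot unit that creates the namespace and moves the interface into it, and the confined service that joins it through NetworkNamespacePath=. The namespace name, interface name and addresses are hypothetical; the interface is assumed to be a WireGuard device, since those keep working after the move.

```nix
{ config, pkgs, lib, ... }:
let
  netnsName = "wg-isolated";   # hypothetical namespace name
  ifName = "wg0";              # hypothetical WireGuard interface (constructed)
in
{
  # Oneshot unit: create the namespace and move the interface into it.
  # Once moved, the interface disappears from the main namespace, so
  # systemd-networkd no longer manages it; addresses/routes are set here.
  systemd.services."netns-${netnsName}" = {
    description = "Network namespace ${netnsName}";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    path = [ pkgs.iproute2 ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;  # keep "active" so dependents can join it
    };
    script = ''
      # Idempotent: /run/netns/<name> exists once the namespace is created.
      [ -e /run/netns/${netnsName} ] || ip netns add ${netnsName}
      ip link set dev ${ifName} netns ${netnsName}
      ip -n ${netnsName} link set dev lo up
      ip -n ${netnsName} link set dev ${ifName} up
      # Constructed example address and default route inside the namespace.
      ip -n ${netnsName} addr add 10.100.0.2/24 dev ${ifName}
      ip -n ${netnsName} route add default dev ${ifName}
    '';
    preStop = ''
      ip netns delete ${netnsName}
    '';
  };

  # Confined service: it sees only lo and ${ifName}; every other host
  # interface is invisible to it, and nothing else on the host sees ${ifName}.
  systemd.services.my-confined-app = {
    description = "Service confined to ${netnsName}";
    requires = [ "netns-${netnsName}.service" ];
    after = [ "netns-${netnsName}.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      NetworkNamespacePath = "/run/netns/${netnsName}";
      DynamicUser = true;
      # Placeholder workload: logs the interfaces visible from inside the
      # namespace, which is the quickest way to confirm the isolation took.
      ExecStart = "${pkgs.iproute2}/bin/ip -brief link";
    };
  };
}
```

After `nixos-rebuild switch`, `journalctl -u my-confined-app` should list only `lo` and the moved interface, while `ip link` on the host no longer shows it.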