Merging upstream version 4.23.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 248 insertions, 17 deletions

diff --git a/upstream/opensuse-tumbleweed/man5/systemd.resource-control.5 b/upstream/opensuse-tumbleweed/man5/systemd.resource-control.5
index 68ae3aaa..fcc40891 100644
--- a/upstream/opensuse-tumbleweed/man5/systemd.resource-control.5
+++ b/upstream/opensuse-tumbleweed/man5/systemd.resource-control.5
@@ -1,5 +1,5 @@
 '\" t
-.TH "SYSTEMD\&.RESOURCE\-CONTROL" "5" "" "systemd 254" "systemd.resource-control"
+.TH "SYSTEMD\&.RESOURCE\-CONTROL" "5" "" "systemd 255" "systemd.resource-control"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -198,6 +198,8 @@ in
 \fBsystemd-system.conf\fR(5)\&.
 .sp
 Under the unified cgroup hierarchy, CPU accounting is available for all units and this setting has no effect\&.
+.sp
+Added in version 208\&.
 .RE
 .PP
 \fICPUWeight=\fR\fI\fIweight\fR\fR, \fIStartupCPUWeight=\fR\fI\fIweight\fR\fR
@@ -253,6 +255,8 @@ controller, the kernel may automatically divide resources based on session\-id g
 \fBsched\fR(7)\&. The effect of this feature is similar to the
 \fBcpu\fR
 controller with no explicit configuration, so users should be careful to not mistake one for the other\&.
+.sp
+Added in version 232\&.
 .RE
 .PP
 \fICPUQuota=\fR
@@ -275,6 +279,8 @@ to an empty value unsets the quota\&.
 Example:
 \fICPUQuota=20%\fR
 ensures that the executed processes will never get more than 20% CPU time on one CPU\&.
+.sp
+Added in version 213\&.
 .RE
 .PP
 \fICPUQuotaPeriodSec=\fR
@@ -301,6 +307,8 @@ and
 Example:
 \fICPUQuotaPeriodSec=10ms\fR
 to request that the CPU quota is measured in periods of 10ms\&.
+.sp
+Added in version 242\&.
 .RE
 .PP
 \fIAllowedCPUs=\fR, \fIStartupAllowedCPUs=\fR
@@ -327,6 +335,8 @@ applies to normal runtime of the system, and if the former is not set also to th
 allows prioritizing specific services at boot\-up and shutdown differently than during normal runtime\&.
 .sp
 This setting is supported only with the unified control group hierarchy\&.
+.sp
+Added in version 244\&.
 .RE
 .SS "Memory Accounting and Control"
 .PP
@@ -340,6 +350,8 @@ Turn on process and kernel memory accounting for this unit\&. Takes a boolean ar
 \fIDefaultMemoryAccounting=\fR
 in
 \fBsystemd-system.conf\fR(5)\&.
+.sp
+Added in version 208\&.
 .RE
 .PP
 \fIMemoryMin=\fR\fI\fIbytes\fR\fR, \fIMemoryLow=\fR\fI\fIbytes\fR\fR, \fIStartupMemoryLow=\fR\fI\fIbytes\fR\fR, \fIDefaultStartupMemoryLow=\fR\fI\fIbytes\fR\fR
@@ -394,6 +406,8 @@ applies to the startup and shutdown phases of the system,
 applies to normal runtime of the system, and if the former is not set also to the startup and shutdown phases\&. Using
 \fIStartupMemoryLow=\fR
 allows prioritizing specific services at boot\-up and shutdown differently than during normal runtime\&.
+.sp
+Added in version 240\&.
 .RE
 .PP
 \fIMemoryHigh=\fR\fI\fIbytes\fR\fR, \fIStartupMemoryHigh=\fR\fI\fIbytes\fR\fR
@@ -420,6 +434,8 @@ applies to the startup and shutdown phases of the system,
 applies to normal runtime of the system, and if the former is not set also to the startup and shutdown phases\&. Using
 \fIStartupMemoryHigh=\fR
 allows prioritizing specific services at boot\-up and shutdown differently than during normal runtime\&.
+.sp
+Added in version 231\&.
 .RE
 .PP
 \fIMemoryMax=\fR\fI\fIbytes\fR\fR, \fIStartupMemoryMax=\fR\fI\fIbytes\fR\fR
@@ -449,6 +465,8 @@ applies to the startup and shutdown phases of the system,
 applies to normal runtime of the system, and if the former is not set also to the startup and shutdown phases\&. Using
 \fIStartupMemoryMax=\fR
 allows prioritizing specific services at boot\-up and shutdown differently than during normal runtime\&.
+.sp
+Added in version 231\&.
 .RE
 .PP
 \fIMemorySwapMax=\fR\fI\fIbytes\fR\fR, \fIStartupMemorySwapMax=\fR\fI\fIbytes\fR\fR
@@ -472,6 +490,8 @@ applies to the startup and shutdown phases of the system,
 applies to normal runtime of the system, and if the former is not set also to the startup and shutdown phases\&. Using
 \fIStartupMemorySwapMax=\fR
 allows prioritizing specific services at boot\-up and shutdown differently than during normal runtime\&.
+.sp
+Added in version 232\&.
 .RE
 .PP
 \fIMemoryZSwapMax=\fR\fI\fIbytes\fR\fR, \fIStartupMemoryZSwapMax=\fR\fI\fIbytes\fR\fR
@@ -497,6 +517,8 @@ applies to the startup and shutdown phases of the system,
 applies to normal runtime of the system, and if the former is not set also to the startup and shutdown phases\&. Using
 \fIStartupMemoryZSwapMax=\fR
 allows prioritizing specific services at boot\-up and shutdown differently than during normal runtime\&.
+.sp
+Added in version 253\&.
 .RE
 .PP
 \fIAllowedMemoryNodes=\fR, \fIStartupAllowedMemoryNodes=\fR
@@ -523,6 +545,8 @@ applies to normal runtime of the system, and if the former is not set also to th
 allows prioritizing specific services at boot\-up and shutdown differently than during normal runtime\&.
 .sp
 This setting is supported only with the unified control group hierarchy\&.
+.sp
+Added in version 244\&.
 .RE
 .SS "Process Accounting and Control"
 .PP
@@ -536,6 +560,8 @@ Turn on task accounting for this unit\&. Takes a boolean argument\&. If enabled,
 \fIDefaultTasksAccounting=\fR
 in
 \fBsystemd-system.conf\fR(5)\&.
+.sp
+Added in version 227\&.
 .RE
 .PP
 \fITasksMax=\fR\fI\fIN\fR\fR
@@ -555,6 +581,8 @@ The system default for this setting may be controlled with
 \fIDefaultTasksMax=\fR
 in
 \fBsystemd-system.conf\fR(5)\&.
+.sp
+Added in version 227\&.
 .RE
 .SS "IO Accounting and Control"
 .PP
@@ -568,6 +596,8 @@ Turn on Block I/O accounting for this unit, if the unified control group hierarc
 \fIDefaultIOAccounting=\fR
 in
 \fBsystemd-system.conf\fR(5)\&.
+.sp
+Added in version 230\&.
 .RE
 .PP
 \fIIOWeight=\fR\fI\fIweight\fR\fR, \fIStartupIOWeight=\fR\fI\fIweight\fR\fR
@@ -586,6 +616,8 @@ While
 applies to the startup and shutdown phases of the system,
 \fIIOWeight=\fR
 applies to the later runtime of the system, and if the former is not set also to the startup and shutdown phases\&. This allows prioritizing specific services at boot\-up and shutdown differently than during runtime\&.
+.sp
+Added in version 230\&.
 .RE
 .PP
 \fIIODeviceWeight=\fR\fI\fIdevice\fR\fR\fI \fR\fI\fIweight\fR\fR
@@ -601,6 +633,8 @@ control group attribute, which defaults to 100\&. Use this option multiple times
 \m[blue]\fBIO Interface Files\fR\m[]\&\s-2\u[8]\d\s+2\&.
 .sp
 The specified device node should reference a block device that has an I/O scheduler associated, i\&.e\&. should not refer to partition or loopback block devices, but to the originating, physical device\&. When a path to a regular file or directory is specified it is attempted to discover the correct originating device backing the file system of the specified path\&. This works correctly only for simpler cases, where the file system is directly placed on a partition or physical block device, or where simple 1:1 encryption using dm\-crypt/LUKS is used\&. This discovery does not cover complex storage and in particular RAID and volume management storage devices\&.
+.sp
+Added in version 230\&.
 .RE
 .PP
 \fIIOReadBandwidthMax=\fR\fI\fIdevice\fR\fR\fI \fR\fI\fIbytes\fR\fR, \fIIOWriteBandwidthMax=\fR\fI\fIdevice\fR\fR\fI \fR\fI\fIbytes\fR\fR
@@ -617,6 +651,8 @@ control group attributes\&. Use this option multiple times to set bandwidth limi
 Similar restrictions on block device discovery as for
 \fIIODeviceWeight=\fR
 apply, see above\&.
+.sp
+Added in version 230\&.
 .RE
 .PP
 \fIIOReadIOPSMax=\fR\fI\fIdevice\fR\fR\fI \fR\fI\fIIOPS\fR\fR, \fIIOWriteIOPSMax=\fR\fI\fIdevice\fR\fR\fI \fR\fI\fIIOPS\fR\fR
@@ -633,6 +669,8 @@ control group attributes\&. Use this option multiple times to set IOPS limits fo
 Similar restrictions on block device discovery as for
 \fIIODeviceWeight=\fR
 apply, see above\&.
+.sp
+Added in version 230\&.
 .RE
 .PP
 \fIIODeviceLatencyTargetSec=\fR\fI\fIdevice\fR\fR\fI \fR\fI\fItarget\fR\fR
@@ -654,6 +692,8 @@ These settings are supported only if the unified control group hierarchy is used
 Similar restrictions on block device discovery as for
 \fIIODeviceWeight=\fR
 apply, see above\&.
+.sp
+Added in version 240\&.
 .RE
 .SS "Network Accounting and Control"
 .PP
@@ -667,6 +707,10 @@ The system default for this setting may be controlled with
 \fIDefaultIPAccounting=\fR
 in
 \fBsystemd-system.conf\fR(5)\&.
+.sp
+Note that this functionality is currently only available for system services, not for per\-user services\&.
+.sp
+Added in version 235\&.
 .RE
 .PP
 \fIIPAddressAllow=\fR\fI\fIADDRESS[/PREFIXLENGTH]\&...\fR\fR, \fIIPAddressDeny=\fR\fI\fIADDRESS[/PREFIXLENGTH]\&...\fR\fR
@@ -791,13 +835,15 @@ Note that these settings might not be supported on some systems (for example if
 This option cannot be bypassed by prefixing
 "+"
 to the executable path in the service unit, as it applies to the whole control group\&.
+.sp
+Added in version 235\&.
 .RE
 .PP
 \fISocketBindAllow=\fR\fI\fIbind\-rule\fR\fR, \fISocketBindDeny=\fR\fI\fIbind\-rule\fR\fR
 .RS 4
-Allow or deny binding a socket address to a socket by matching it with the
-\fIbind\-rule\fR
-and applying a corresponding action if there is a match\&.
+Configures restrictions on the ability of unit processes to invoke
+\fBbind\fR(2)
+on a socket\&. Both allow and deny rules may defined that restrict which addresses a socket may be bound to\&.
 .sp
 \fIbind\-rule\fR
 describes socket properties such as
@@ -926,6 +972,11 @@ and
 \fBcgroup/bind6\fR
 cgroup\-bpf hooks\&.
 .sp
+Note that these settings apply to any
+\fBbind\fR(2)
+system call invocation by the unit processes, regardless in which network namespace they are placed\&. Or in other words: changing the network namespace is not a suitable mechanism for escaping these restrictions on
+\fBbind()\fR\&.
+.sp
 Examples:
 .sp
 .if n \{\
@@ -975,6 +1026,8 @@ SocketBindDeny=any
 This option cannot be bypassed by prefixing
 "+"
 to the executable path in the service unit, as it applies to the whole control group\&.
+.sp
+Added in version 249\&.
 .RE
 .PP
 \fIRestrictNetworkInterfaces=\fR
@@ -1035,6 +1088,122 @@ Programs in the unit will be only able to use the eth2 network interface\&.
 This option cannot be bypassed by prefixing
 "+"
 to the executable path in the service unit, as it applies to the whole control group\&.
+.sp
+Added in version 250\&.
+.RE
+.PP
+\fINFTSet=\fR\fIfamily\fR:\fItable\fR:\fIset\fR
+.RS 4
+This setting provides a method for integrating dynamic cgroup, user and group IDs into firewall rules with
+\m[blue]\fBNFT\fR\m[]\&\s-2\u[9]\d\s+2
+sets\&. The benefit of using this setting is to be able to use the IDs as selectors in firewall rules easily and this in turn allows more fine grained filtering\&. NFT rules for cgroup matching use numeric cgroup IDs, which change every time a service is restarted, making them hard to use in systemd environment otherwise\&. Dynamic and random IDs used by
+\fIDynamicUser=\fR
+can be also integrated with this setting\&.
+.sp
+This option expects a whitespace separated list of NFT set definitions\&. Each definition consists of a colon\-separated tuple of source type (one of
+"cgroup",
+"user"
+or
+"group"), NFT address family (one of
+"arp",
+"bridge",
+"inet",
+"ip",
+"ip6", or
+"netdev"), table name and set name\&. The names of tables and sets must conform to lexical restrictions of NFT table names\&. The type of the element used in the NFT filter must match the type implied by the directive ("cgroup",
+"user"
+or
+"group") as shown in the table below\&. When a control group or a unit is realized, the corresponding ID will be appended to the NFT sets and it will be be removed when the control group or unit is removed\&.
+\fBsystemd\fR
+only inserts elements to (or removes from) the sets, so the related NFT rules, tables and sets must be prepared elsewhere in advance\&. Failures to manage the sets will be ignored\&.
+.sp
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.br
+.B Table\ \&2.\ \&Defined \fIsource type\fR values
+.TS
+allbox tab(:);
+lB lB lB.
+T{
+Source type
+T}:T{
+Description
+T}:T{
+Corresponding NFT type name
+T}
+.T&
+l l l
+l l l
+l l l.
+T{
+"cgroup"
+T}:T{
+control group ID
+T}:T{
+"cgroupsv2"
+T}
+T{
+"user"
+T}:T{
+user ID
+T}:T{
+"meta skuid"
+T}
+T{
+"group"
+T}:T{
+group ID
+T}:T{
+"meta skgid"
+T}
+.TE
+.sp 1
+If the firewall rules are reinstalled so that the contents of NFT sets are destroyed, command
+\fBsystemctl daemon\-reload\fR
+can be used to refill the sets\&.
+.sp
+Example:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+[Unit]
+NFTSet=cgroup:inet:filter:my_service user:inet:filter:serviceuser
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Corresponding NFT rules:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+table inet filter {
+        set my_service {
+                type cgroupsv2
+        }
+        set serviceuser {
+                typeof meta skuid
+        }
+        chain x {
+                socket cgroupv2 level 2 @my_service accept
+                drop
+        }
+        chain y {
+                meta skuid @serviceuser accept
+                drop
+        }
+}
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+Added in version 255\&.
 .RE
 .SS "BPF Programs"
 .PP
@@ -1071,6 +1240,8 @@ Note that for socket\-activated services, the IP filter programs configured on t
 .sp
 Note that these settings might not be supported on some systems (for example if eBPF control group support is not enabled in the underlying kernel or container manager)\&. These settings will fail the service in that case\&. If compatibility with such systems is desired it is hence recommended to attach your filter manually (requires
 \fIDelegate=\fR\fByes\fR) instead of using this setting\&.
+.sp
+Added in version 243\&.
 .RE
 .PP
 \fIBPFProgram=\fR\fI\fItype\fR\fR\fI:\fR\fI\fIprogram\-path\fR\fR
@@ -1078,11 +1249,11 @@ Note that these settings might not be supported on some systems (for example if
 \fIBPFProgram=\fR
 allows attaching custom BPF programs to the cgroup of a unit\&. (This generalizes the functionality exposed via
 \fIIPEgressFilterPath=\fR
-and and
+and
 \fIIPIngressFilterPath=\fR
 for other hooks\&.) Cgroup\-bpf hooks in the form of BPF programs loaded to the BPF filesystem are attached with cgroup\-bpf attach flags determined by the unit\&. For details about attachment types and flags see
-\m[blue]\fBbpf\&.h\fR\m[]\&\s-2\u[9]\d\s+2\&. Also refer to the general
-\m[blue]\fBBPF documentation\fR\m[]\&\s-2\u[10]\d\s+2\&.
+\m[blue]\fBbpf\&.h\fR\m[]\&\s-2\u[10]\d\s+2\&. Also refer to the general
+\m[blue]\fBBPF documentation\fR\m[]\&\s-2\u[11]\d\s+2\&.
 .sp
 The specification of BPF program consists of a pair of BPF program type and program path in the file system, with
 ":"
@@ -1090,7 +1261,8 @@ as the separator:
 \fItype\fR:\fIprogram\-path\fR\&.
 .sp
 The BPF program type is equivalent to the BPF attach type used in
-\fBbpftool\fR\&. It may be one of
+\fBbpftool\fR(8)
+It may be one of
 \fBegress\fR,
 \fBingress\fR,
 \fBsock_create\fR,
@@ -1107,7 +1279,7 @@ The BPF program type is equivalent to the BPF attach type used in
 \fBsysctl\fR,
 \fBrecvmsg4\fR,
 \fBrecvmsg6\fR,
-\fBgetsockopt\fR,
+\fBgetsockopt\fR, or
 \fBsetsockopt\fR\&.
 .sp
 The specified program path must be an absolute path referencing a BPF program inode in the bpffs file system (which generally means it must begin with
@@ -1153,6 +1325,8 @@ BPFProgram=bind6:/sys/fs/bpf/sock\-addr\-hook
 .if n \{\
 .RE
 .\}
+.sp
+Added in version 249\&.
 .RE
 .SS "Device Access"
 .PP
@@ -1226,6 +1400,8 @@ DeviceAllow=/dev/loop\-control
 This option cannot be bypassed by prefixing
 "+"
 to the executable path in the service unit, as it applies to the whole control group\&.
+.sp
+Added in version 208\&.
 .RE
 .PP
 \fIDevicePolicy=auto|closed|strict\fR
@@ -1235,6 +1411,8 @@ Control the policy for allowing device access:
 \fBstrict\fR
 .RS 4
 means to only allow types of access that are explicitly specified\&.
+.sp
+Added in version 208\&.
 .RE
 .PP
 \fBclosed\fR
@@ -1245,6 +1423,8 @@ in addition, allows access to standard pseudo devices including
 /dev/full,
 /dev/random, and
 /dev/urandom\&.
+.sp
+Added in version 208\&.
 .RE
 .PP
 \fBauto\fR
@@ -1252,11 +1432,15 @@ in addition, allows access to standard pseudo devices including
 in addition, allows access to all devices if no explicit
 \fIDeviceAllow=\fR
 is present\&. This is the default\&.
+.sp
+Added in version 208\&.
 .RE
 .sp
 This option cannot be bypassed by prefixing
 "+"
 to the executable path in the service unit, as it applies to the whole control group\&.
+.sp
+Added in version 208\&.
 .RE
 .SS "Control Group Management"
 .PP
@@ -1276,6 +1460,8 @@ Special care should be taken when relying on the default slice assignment in tem
 \fIDefaultDependencies=no\fR
 set, see
 \fBsystemd.service\fR(5), section "Default Dependencies" for details\&.
+.sp
+Added in version 208\&.
 .RE
 .PP
 \fIDelegate=\fR
@@ -1307,7 +1493,9 @@ Not all of these controllers are available on all kernels however, and some are
 Note that because of the hierarchical nature of cgroup hierarchy, any controllers that are delegated will be enabled for the parent and sibling units of the unit with delegation\&.
 .sp
 For further details on the delegation model consult
-\m[blue]\fBControl Group APIs and Delegation\fR\m[]\&\s-2\u[11]\d\s+2\&.
+\m[blue]\fBControl Group APIs and Delegation\fR\m[]\&\s-2\u[12]\d\s+2\&.
+.sp
+Added in version 218\&.
 .RE
 .PP
 \fIDelegateSubgroup=\fR
@@ -1322,6 +1510,8 @@ and similar\&. If delegation is enabled, the latter are always placed inside a s
 \&.control\&. The specified subgroup is automatically created (and potentially ownership is passed to the unit\*(Aqs configured user/group) when a process is started in it\&.
 .sp
 This option is useful to avoid manually moving the invoked process into a subgroup after it has been started\&. Since no processes should live in inner nodes of the control group tree it\*(Aqs almost always necessary to run the main ("supervising") process of a unit that has delegation turned on in a subgroup\&.
+.sp
+Added in version 254\&.
 .RE
 .PP
 \fIDisableControllers=\fR
@@ -1347,6 +1537,8 @@ The following controller names may be specified:
 \fBpids\fR,
 \fBbpf\-firewall\fR, and
 \fBbpf\-devices\fR\&.
+.sp
+Added in version 240\&.
 .RE
 .SS "Memory Pressure Control"
 .PP
@@ -1390,6 +1582,8 @@ will not actively use this cgroup\*(Aqs data for monitoring and detection\&. How
 can still be a candidate for
 \fBsystemd\-oomd\fR
 to terminate\&.
+.sp
+Added in version 247\&.
 .RE
 .PP
 \fIManagedOOMMemoryPressureLimit=\fR
@@ -1399,6 +1593,8 @@ Overrides the default memory pressure limit set by
 for this unit (cgroup)\&. Takes a percentage value between 0% and 100%, inclusive\&. This property is ignored unless
 \fIManagedOOMMemoryPressure=\fR\fBkill\fR\&. Defaults to 0%, which means to use the default set by
 \fBoomd.conf\fR(5)\&.
+.sp
+Added in version 247\&.
 .RE
 .PP
 \fIManagedOOMPreference=none|avoid|omit\fR
@@ -1450,6 +1646,8 @@ will rank this unit\*(Aqs cgroup as defined in
 \fBsystemd-oomd.service\fR(8)
 and
 \fBoomd.conf\fR(5)\&.
+.sp
+Added in version 248\&.
 .RE
 .PP
 \fIMemoryPressureWatch=\fR
@@ -1468,7 +1666,7 @@ environment variable to the literal string
 "on"
 tells the service to watch for memory pressure events\&. This enables memory accounting for the service, and ensures the
 memory\&.pressure
-cgroup attribute files is accessible for read and write to the service\*(Aqs user\&. It then sets the
+cgroup attribute file is accessible for reading and writing by the service\*(Aqs user\&. It then sets the
 \fI$MEMORY_PRESSURE_WATCH\fR
 environment variable for processes invoked by the unit to the file system path to this file\&. The threshold information configured with
 \fIMemoryPressureThresholdSec=\fR
@@ -1481,7 +1679,7 @@ value is set the protocol is enabled if memory accounting is anyway enabled for
 the logic is neither enabled, nor disabled and the two environment variables are not set\&.
 .sp
 Note that services are free to use the two environment variables, but it\*(Aqs unproblematic if they ignore them\&. Memory pressure handling must be implemented individually in each service, and usually means different things for different software\&. For further details on memory pressure handling see
-\m[blue]\fBMemory Pressure Handling in systemd\fR\m[]\&\s-2\u[12]\d\s+2\&.
+\m[blue]\fBMemory Pressure Handling in systemd\fR\m[]\&\s-2\u[13]\d\s+2\&.
 .sp
 Services implemented using
 \fBsd-event\fR(3)
@@ -1493,6 +1691,8 @@ If not explicit set, defaults to the
 \fIDefaultMemoryPressureWatch=\fR
 setting in
 \fBsystemd-system.conf\fR(5)\&.
+.sp
+Added in version 254\&.
 .RE
 .PP
 \fIMemoryPressureThresholdSec=\fR
@@ -1508,12 +1708,36 @@ or
 "μs", see
 \fBsystemd.time\fR(7)
 for details on the permitted syntax\&.
+.sp
+Added in version 254\&.
+.RE
+.SS "Coredump Control"
+.PP
+\fICoredumpReceive=\fR
+.RS 4
+Takes a boolean argument\&. This setting is used to enable coredump forwarding for containers that belong to this unit\*(Aqs cgroup\&. Units with
+\fICoredumpReceive=yes\fR
+must also be configured with
+\fIDelegate=yes\fR\&. Defaults to false\&.
+.sp
+When
+\fBsystemd\-coredump\fR
+is handling a coredump for a process from a container, if the container\*(Aqs leader process is a descendant of a cgroup with
+\fICoredumpReceive=yes\fR
+and
+\fIDelegate=yes\fR, then
+\fBsystemd\-coredump\fR
+will attempt to forward the coredump to
+\fBsystemd\-coredump\fR
+within the container\&.
+.sp
+Added in version 255\&.
 .RE
 .SH "HISTORY"
 .PP
 systemd 252
 .RS 4
-Options for controlling the Legacy Control Group Hierarchy (\m[blue]\fBControl Groups version 1\fR\m[]\&\s-2\u[13]\d\s+2) are now fully deprecated:
+Options for controlling the Legacy Control Group Hierarchy (\m[blue]\fBControl Groups version 1\fR\m[]\&\s-2\u[14]\d\s+2) are now fully deprecated:
 \fICPUShares=\fR\fI\fIweight\fR\fR,
 \fIStartupCPUShares=\fR\fI\fIweight\fR\fR,
 \fIMemoryLimit=\fR\fI\fIbytes\fR\fR,
@@ -1523,6 +1747,8 @@ Options for controlling the Legacy Control Group Hierarchy (\m[blue]\fBControl G
 \fIBlockIODeviceWeight=\fR\fI\fIdevice\fR\fR\fI \fR\fI\fIweight\fR\fR,
 \fIBlockIOReadBandwidth=\fR\fI\fIdevice\fR\fR\fI \fR\fI\fIbytes\fR\fR,
 \fIBlockIOWriteBandwidth=\fR\fI\fIdevice\fR\fR\fI \fR\fI\fIbytes\fR\fR\&. Please switch to the unified cgroup hierarchy\&.
+.sp
+Added in version 252\&.
 .RE
 .SH "SEE ALSO"
 .PP
@@ -1582,26 +1808,31 @@ IO Interface Files
 \%https://docs.kernel.org/admin-guide/cgroup-v2.html#io-interface-files
 .RE
 .IP " 9." 4
+NFT
+.RS 4
+\%https://netfilter.org/projects/nftables/index.html
+.RE
+.IP "10." 4
 bpf.h
 .RS 4
 \%https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/include/uapi/linux/bpf.h
 .RE
-.IP "10." 4
+.IP "11." 4
 BPF documentation
 .RS 4
 \%https://docs.kernel.org/bpf/
 .RE
-.IP "11." 4
+.IP "12." 4
 Control Group APIs and Delegation
 .RS 4
 \%https://systemd.io/CGROUP_DELEGATION
 .RE
-.IP "12." 4
+.IP "13." 4
 Memory Pressure Handling in systemd
 .RS 4
 \%https://systemd.io/MEMORY_PRESSURE
 .RE
-.IP "13." 4
+.IP "14." 4
 Control Groups version 1
 .RS 4
 \%https://docs.kernel.org/admin-guide/cgroup-v1/index.html