From 9d9fe7bfd869f72e83c6f77e1c2d4bdccda5660b Mon Sep 17 00:00:00 2001
From: nadoo <287492+nadoo@users.noreply.github.com>
Date: Mon, 28 Aug 2017 23:14:52 +0800
Subject: [PATCH] systemd: add CAP_NET_ADMIN capability for ipset

---
 systemd/glider@.service | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/systemd/glider@.service b/systemd/glider@.service
index b634b35..399292a 100644
--- a/systemd/glider@.service
+++ b/systemd/glider@.service
@@ -11,8 +11,10 @@ Restart=always
 ExecStart=/usr/bin/glider -config /etc/glider/%i.conf
 
 # work with systemd v229 or later, so glider can listen on port below 1024 with none-root user
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+# CAP_NET_ADMIN: ipset
+# CAP_NET_BIND_SERVICE: bind ports under 1024
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
 
 [Install]
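Review bot: The new comment `# CAP_NET_ADMIN: ipset` understates what the added capability grants: CAP_NET_ADMIN is not scoped to ipset and also allows changing routes, interfaces and netfilter rules for the host or its network namespace, so this hunk widens the service's privilege well beyond the "bind ports under 1024" case the surrounding comment describes. Because it is listed in AmbientCapabilities as well as the bounding set, the capability is in the process's effective set unconditionally, not merely permitted, even for instances whose config never uses ipset. I would reword the comment to `# CAP_NET_ADMIN: required only for ipset; it also permits changing routes, interfaces and netfilter rules, so remove it from both lines on instances that do not use ipset`. Whether the unit already confines the process otherwise (User=, filesystem or namespace hardening) is outside this hunk, so I cannot tell what compensating controls apply.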