diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index b8843f1ea0b..2ed8c38f37c 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1100,7 +1100,29 @@ BindReadOnlyPaths=/var/lib/systemd
Note that the implementation of this setting might be impossible (for example if network namespaces are
not available), and the unit should be written in a way that does not solely rely on this setting for
- security.
+ security.
+
+ When this option is used on a socket unit any sockets bound on behalf of this unit will be
+ bound within a private network namespace. This may be combined with
+ JoinsNamespaceOf= to listen on sockets inside of network namespaces of other
+ services.
+
+
+
+ NetworkNamespacePath=
+
+ Takes an absolute file system path refererring to a Linux network namespace
+ pseudo-file (i.e. a file like /proc/$PID/ns/net or a bind mount or symlink to
+ one). When set the invoked processes are added to the network namespace referenced by that path. The
+ path has to point to a valid namespace file at the moment the processes are forked off. If this
+ option is used PrivateNetwork= has no effect. If this option is used together with
+ JoinsNamespaceOf= then it only has an effect if this unit is started before any of
+ the listed units that have PrivateNetwork= or
+ NetworkNamespacePath= configured, as otherwise the network namespace of those
+ units is reused.
+
+ When this option is used on a socket unit any sockets bound on behalf of this unit will be
+ bound within the specified network namespace.
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 82c63e1609d..14418c359f4 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -728,23 +728,18 @@
JoinsNamespaceOf=
- For units that start processes (such as
- service units), lists one or more other units whose network
- and/or temporary file namespace to join. This only applies to
- unit types which support the
- PrivateNetwork= and
+ For units that start processes (such as service units), lists one or more other units
+ whose network and/or temporary file namespace to join. This only applies to unit types which support
+ the PrivateNetwork=, NetworkNamespacePath= and
PrivateTmp= directives (see
- systemd.exec5
- for details). If a unit that has this setting set is started,
- its processes will see the same /tmp,
- /var/tmp and network namespace as one
- listed unit that is started. If multiple listed units are
- already started, it is not defined which namespace is joined.
- Note that this setting only has an effect if
- PrivateNetwork= and/or
- PrivateTmp= is enabled for both the unit
- that joins the namespace and the unit whose namespace is
- joined.
+ systemd.exec5 for
+ details). If a unit that has this setting set is started, its processes will see the same
+ /tmp, /var/tmp and network namespace as one listed unit
+ that is started. If multiple listed units are already started, it is not defined which namespace is
+ joined. Note that this setting only has an effect if
+ PrivateNetwork=/NetworkNamespacePath= and/or
+ PrivateTmp= is enabled for both the unit that joins the namespace and the unit
+ whose namespace is joined.