mirror of https://github.com/systemd/systemd.git synced 2024-11-02 19:21:53 +03:00

Merge pull request #12138 from poettering/doc-ip-allow-src-dst

man: expand IPAddressAllow= docs a bit
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2019-03-29 16:44:48 +01:00 committed by GitHub
commit fc23e06baa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 15 deletions


@ -4,8 +4,6 @@ Bugfixes:
manager or system manager can be always set. It would be better to reject manager or system manager can be always set. It would be better to reject
them when parsing config. them when parsing config.
* Clarify what IPAddress* matches (source, destination, both?)
External: External:
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
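Review bot: dropping the "Clarify what IPAddress* matches (source, destination, both?)" item is justified only because the man page hunk in this same change answers all three parts of the question (ingress is matched on the source address, egress on the destination address, and both directions are filtered); if that wording were to be reverted or trimmed later, this TODO entry should come back with it. No other change in this hunk.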


@ -513,23 +513,27 @@
<term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term> <term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term>
<listitem> <listitem>
<para>Turn on address range network traffic filtering for packets sent and received over AF_INET and AF_INET6 <para>Turn on address range network traffic filtering for IP packets sent and received over
sockets. Both directives take a space separated list of IPv4 or IPv6 addresses, each optionally suffixed <constant>AF_INET</constant> and <constant>AF_INET6</constant> sockets. Both directives take a
with an address prefix length (separated by a <literal>/</literal> character). If the latter is omitted, the space separated list of IPv4 or IPv6 addresses, each optionally suffixed with an address prefix
address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128 for IPv6). length in bits (separated by a <literal>/</literal> character). If the latter is omitted, the
</para> address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128
for IPv6).</para>
<para>The access lists configured with this option are applied to all sockets created by processes of this <para>The access lists configured with this option are applied to all sockets created by processes
unit (or in the case of socket units, associated with it). The lists are implicitly combined with any lists of this unit (or in the case of socket units, associated with it). The lists are implicitly
configured for any of the parent slice units this unit might be a member of. By default all access lists are combined with any lists configured for any of the parent slice units this unit might be a member
empty. When configured the lists are enforced as follows:</para> of. By default all access lists are empty. Both ingress and egress traffic is filtered by these
settings. In case of ingress traffic the source IP address is checked against these access lists,
in case of egress traffic the destination IP address is checked. When configured the lists are
enforced as follows:</para>
<itemizedlist> <itemizedlist>
<listitem><para>Access will be granted in case its destination/source address matches any entry in the <listitem><para>Access will be granted in case an IP packet's destination/source address matches
<varname>IPAddressAllow=</varname> setting.</para></listitem> any entry in the <varname>IPAddressAllow=</varname> setting.</para></listitem>
<listitem><para>Otherwise, access will be denied in case its destination/source address matches any entry <listitem><para>Otherwise, access will be denied in case its destination/source address matches
in the <varname>IPAddressDeny=</varname> setting.</para></listitem> any entry in the <varname>IPAddressDeny=</varname> setting.</para></listitem>
<listitem><para>Otherwise, access will be granted.</para></listitem> <listitem><para>Otherwise, access will be granted.</para></listitem>
</itemizedlist> </itemizedlist>
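Review bot: the new paragraph now pins down which address is checked (source for ingress, destination for egress), but the two list items that follow still say "destination/source address", which a reader can take to mean that both addresses of a packet are compared against the lists; suggest tying the bullets to the paragraph, e.g. "in case an IP packet's source address (for ingress) or destination address (for egress) matches any entry in the IPAddressAllow= setting", and making the second bullet use the same phrase instead of "its destination/source address" so it does not depend on the first bullet for its antecedent. Minor: "Both ingress and egress traffic is filtered by these settings" reads more naturally as "Ingress and egress traffic are both filtered by these settings". The added "in bits" after "address prefix length" and the <constant> markup for AF_INET/AF_INET6 are good improvements.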