mirror of
https://github.com/systemd/systemd.git
synced 2024-11-02 19:21:53 +03:00
Merge pull request #12138 from poettering/doc-ip-allow-src-dst
man: expand IPAddressAllow= docs a bit
commit
fc23e06baa
2
TODO
@ -4,8 +4,6 @@ Bugfixes:
|
|||||||
manager or system manager can be always set. It would be better to reject
|
manager or system manager can be always set. It would be better to reject
|
||||||
them when parsing config.
|
them when parsing config.
|
||||||
|
|
||||||
* Clarify what IPAddress* matches (source, destination, both?)
|
|
||||||
|
|
||||||
External:
|
External:
|
||||||
|
|
||||||
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
|
* Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros.
|
||||||
|
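Review bot: the entry dropped from the Bugfixes list covers IPAddress* as a whole ("source, destination, both?"), while the commit subject names only IPAddressAllow=. Since the item is removed outright rather than narrowed, the subject or body should say that the clarification applies to IPAddressDeny= as well, so that someone searching the log for the deny directive finds this change.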
@ -513,23 +513,27 @@
|
|||||||
<term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term>
|
<term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Turn on address range network traffic filtering for packets sent and received over AF_INET and AF_INET6
|
<para>Turn on address range network traffic filtering for IP packets sent and received over
|
||||||
sockets. Both directives take a space separated list of IPv4 or IPv6 addresses, each optionally suffixed
|
<constant>AF_INET</constant> and <constant>AF_INET6</constant> sockets. Both directives take a
|
||||||
with an address prefix length (separated by a <literal>/</literal> character). If the latter is omitted, the
|
space separated list of IPv4 or IPv6 addresses, each optionally suffixed with an address prefix
|
||||||
address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128 for IPv6).
|
length in bits (separated by a <literal>/</literal> character). If the latter is omitted, the
|
||||||
</para>
|
address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128
|
||||||
|
for IPv6).</para>
|
||||||
|
|
||||||
<para>The access lists configured with this option are applied to all sockets created by processes of this
|
<para>The access lists configured with this option are applied to all sockets created by processes
|
||||||
unit (or in the case of socket units, associated with it). The lists are implicitly combined with any lists
|
of this unit (or in the case of socket units, associated with it). The lists are implicitly
|
||||||
configured for any of the parent slice units this unit might be a member of. By default all access lists are
|
combined with any lists configured for any of the parent slice units this unit might be a member
|
||||||
empty. When configured the lists are enforced as follows:</para>
|
of. By default all access lists are empty. Both ingress and egress traffic is filtered by these
|
||||||
|
settings. In case of ingress traffic the source IP address is checked against these access lists,
|
||||||
|
in case of egress traffic the destination IP address is checked. When configured the lists are
|
||||||
|
enforced as follows:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><para>Access will be granted in case its destination/source address matches any entry in the
|
<listitem><para>Access will be granted in case an IP packet's destination/source address matches
|
||||||
<varname>IPAddressAllow=</varname> setting.</para></listitem>
|
any entry in the <varname>IPAddressAllow=</varname> setting.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>Otherwise, access will be denied in case its destination/source address matches any entry
|
<listitem><para>Otherwise, access will be denied in case its destination/source address matches
|
||||||
in the <varname>IPAddressDeny=</varname> setting.</para></listitem>
|
any entry in the <varname>IPAddressDeny=</varname> setting.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>Otherwise, access will be granted.</para></listitem>
|
<listitem><para>Otherwise, access will be granted.</para></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
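Review bot: the first and second list items still say "destination/source address", which lists the two in the opposite order from the new sentence (ingress checks the source, egress checks the destination) and leaves the reader to map direction to address again. Suggest wording the items by direction, for example "the source address of an ingress packet or the destination address of an egress packet", or referring back to the paragraph above. In the second item, "its" now has its antecedent ("an IP packet's") in a different list item; repeating "the packet's" would read better. It would also help to state explicitly that an address matching both IPAddressAllow= and IPAddressDeny= is granted access, since that follows from the order of the three items but is easy to miss when reading a unit's access lists. Minor: "Both ingress and egress traffic is filtered" should be "are filtered".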