From: Mauricio Vásquez <mauricio@kinvolk.io>
Date: Thu, 21 Jan 2021 20:36:13 +0000 (-0500)
Subject: man: add RestrictNetworkInterfaces= documentation
X-Git-Tag: v250-rc1~800^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=795ccb03e05f794467410aa6e825dd5a48d09504;p=thirdparty%2Fsystemd.git

man: add RestrictNetworkInterfaces= documentation

Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
---

diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index f5cbe688ee8..15b7f314a37 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -855,6 +855,52 @@ SocketBindDeny=any
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>RestrictNetworkInterfaces=</varname></term>
+
+        <listitem>
+          <para>Takes a list of space-separated network interface names. This option restricts the network
+          interfaces that processes of this unit can use. By default processes can only use the network interfaces
+          listed (allow-list). If the first character of the rule is <literal>~</literal>, the effect is inverted:
+          the processes can only use network interfaces not listed (deny-list).
+          </para>
+
+          <para>This option can appear multiple times, in which case the network interface names are merged. If the
+          empty string is assigned the set is reset, all prior assigments will have not effect.
+          </para>
+
+          <para>If you specify both types of this option (i.e. allow-listing and deny-listing), the first encountered
+          will take precedence and will dictate the default action (allow vs deny). Then the next occurrences of this
+          option will add or delete the listed network interface names from the set, depending of its type and the
+          default action.
+          </para>
+
+          <para>The loopback interface ("lo") is not treated in any special way, you have to configure it explicitly
+          in the unit file.
+          </para>
+          <para>Example 1: allow-list
+          <programlisting>
+RestrictNetworkInterfaces=eth1
+RestrictNetworkInterfaces=eth2</programlisting>
+          Programs in the unit will be only able to use the eth1 and eth2 network
+          interfaces.
+          </para>
+
+          <para>Example 2: deny-list
+          <programlisting>
+RestrictNetworkInterfaces=~eth1 eth2</programlisting>
+          Programs in the unit will be able to use any network interface but eth1 and eth2.
+          </para>
+
+          <para>Example 3: mixed
+          <programlisting>
+RestrictNetworkInterfaces=eth1 eth2
+RestrictNetworkInterfaces=~eth1</programlisting>
+          Programs in the unit will be only able to use the eth2 network interface.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>DeviceAllow=</varname></term>