]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.socket.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
core: Record ExecMainStartTimestamp before forking
[thirdparty/systemd.git] / man / systemd.socket.xml
CommitLineData
514094f9 1<?xml version='1.0'?>
3a54a157 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
eea10b26 3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
db9ecf05 4<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
1f812fea 5
d8e1613e 6<refentry id="systemd.socket" xmlns:xi="http://www.w3.org/2001/XInclude">
798d3a52
ZJS		 7 <refentryinfo>
8 <title>systemd.socket</title>
9 <productname>systemd</productname>
798d3a52
ZJS		 10 </refentryinfo>
11
12 <refmeta>
13 <refentrytitle>systemd.socket</refentrytitle>
14 <manvolnum>5</manvolnum>
15 </refmeta>
16
17 <refnamediv>
18 <refname>systemd.socket</refname>
19 <refpurpose>Socket unit configuration</refpurpose>
20 </refnamediv>
21
22 <refsynopsisdiv>
23 <para><filename><replaceable>socket</replaceable>.socket</filename></para>
24 </refsynopsisdiv>
25
26 <refsect1>
27 <title>Description</title>
28
29 <para>A unit configuration file whose name ends in
30 <literal>.socket</literal> encodes information about an IPC or
31 network socket or a file system FIFO controlled and supervised by
32 systemd, for socket-based activation.</para>
33
34 <para>This man page lists the configuration options specific to
35 this unit type. See
36 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
37 for the common options of all unit configuration files. The common
bdac5608
ZJS		 38 configuration items are configured in the generic [Unit] and
39 [Install] sections. The socket specific configuration options are
40 configured in the [Socket] section.</para>
798d3a52
ZJS		 41
42 <para>Additional options are listed in
43 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
44 which define the execution environment the
45 <option>ExecStartPre=</option>, <option>ExecStartPost=</option>,
46 <option>ExecStopPre=</option> and <option>ExecStopPost=</option>
47 commands are executed in, and in
48 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
49 which define the way the processes are terminated, and in
50 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
51 which configure resource control settings for the processes of the
52 socket.</para>
53
847af199 54 <para>For each socket unit, a matching service unit must exist,
798d3a52
ZJS		 55 describing the service to start on incoming traffic on the socket
56 (see
57 <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
847af199 58 for more information about .service units). The name of the
798d3a52
ZJS		 59 .service unit is by default the same as the name of the .socket
60 unit, but can be altered with the <option>Service=</option> option
61 described below. Depending on the setting of the
62 <option>Accept=</option> option described below, this .service
63 unit must either be named like the .socket unit, but with the
64 suffix replaced, unless overridden with <option>Service=</option>;
65 or it must be a template unit named the same way. Example: a
66 socket file <filename>foo.socket</filename> needs a matching
67 service <filename>foo.service</filename> if
964c4eda 68 <option>Accept=no</option> is set. If
847af199 69 <option>Accept=yes</option> is set, a service template
798d3a52
ZJS		 70 <filename>foo@.service</filename> must exist from which services
71 are instantiated for each incoming connection.</para>
72
45f09f93 73 <para>No implicit <varname>WantedBy=</varname> or
798d3a52
ZJS		 74 <varname>RequiredBy=</varname> dependency from the socket to the
75 service is added. This means that the service may be started
76 without the socket, in which case it must be able to open sockets
77 by itself. To prevent this, an explicit
78 <varname>Requires=</varname> dependency may be added.</para>
79
80 <para>Socket units may be used to implement on-demand starting of
81 services, as well as parallelized starting of services. See the
82 blog stories linked at the end for an introduction.</para>
83
df2f5817
LP		 84 <para>Note that the daemon software configured for socket activation with socket units needs to be able
85 to accept sockets from systemd, either via systemd's native socket passing interface (see
86 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
87 details about the precise protocol used and the order in which the file descriptors are passed) or via
88 traditional <citerefentry
89 project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>-style
90 socket passing (i.e. sockets passed in via standard input and output, using
91 <varname>StandardInput=socket</varname> in the service file).</para>
48e6dd37
LP		 92
93 <para>All network sockets allocated through <filename>.socket</filename> units are allocated in the host's network
94 namespace (see <citerefentry
95 project='man-pages'><refentrytitle>network_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>). This
96 does not mean however that the service activated by a configured socket unit has to be part of the host's network
97 namespace as well. It is supported and even good practice to run services in their own network namespace (for
98 example through <varname>PrivateNetwork=</varname>, see
99 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>), receiving only
100 the sockets configured through socket-activation from the host's namespace. In such a set-up communication within
101 the host's network namespace is only permitted through the activation sockets passed in while all sockets allocated
3d62af7d
YW		 102 from the service code itself will be associated with the service's own namespace, and thus possibly subject to a
103 restrictive configuration.</para>
798d3a52
ZJS		 104 </refsect1>
105
c129bd5d 106 <refsect1>
aed5cb03
ZJS		 107 <title>Automatic Dependencies</title>
108
109 <refsect2>
110 <title>Implicit Dependencies</title>
111
112 <para>The following dependencies are implicitly added:</para>
113
114 <itemizedlist>
115 <listitem><para>Socket units automatically gain a <varname>Before=</varname>
116 dependency on the service units they activate.</para></listitem>
117
e9dd6984
ZJS		 118 <listitem><para>Socket units referring to file system paths (such as <constant>AF_UNIX</constant>
119 sockets or FIFOs) implicitly gain <varname>Requires=</varname> and <varname>After=</varname>
120 dependencies on all mount units necessary to access those paths.</para></listitem>
aed5cb03
ZJS		 121
122 <listitem><para>Socket units using the <varname>BindToDevice=</varname>
123 setting automatically gain a <varname>BindsTo=</varname> and
124 <varname>After=</varname> dependency on the device unit
125 encapsulating the specified network interface.</para></listitem>
126 </itemizedlist>
127
128 <para>Additional implicit dependencies may be added as result of
129 execution and resource control parameters as documented in
130 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
131 and
132 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
133 </refsect2>
134
135 <refsect2>
136 <title>Default Dependencies</title>
137
138 <para>The following dependencies are added unless
139 <varname>DefaultDependencies=no</varname> is set:</para>
140
141 <itemizedlist>
142 <listitem><para>Socket units automatically gain a
143 <varname>Before=</varname> dependency on
144 <filename>sockets.target</filename>.</para></listitem>
145
146 <listitem><para>Socket units automatically gain a pair of
147 <varname>After=</varname> and <varname>Requires=</varname>
148 dependency on <filename>sysinit.target</filename>, and a pair of
149 <varname>Before=</varname> and <varname>Conflicts=</varname>
150 dependencies on <filename>shutdown.target</filename>. These
151 dependencies ensure that the socket unit is started before normal
152 services at boot, and is stopped on shutdown. Only sockets
153 involved with early boot or late system shutdown should disable
154 <varname>DefaultDependencies=</varname> option.</para></listitem>
155 </itemizedlist>
156 </refsect2>
45f09f93
JL		 157 </refsect1>
158
798d3a52
ZJS		 159 <refsect1>
160 <title>Options</title>
161
d8e1613e
ZJS		 162 <para>Socket unit files may include [Unit] and [Install] sections, which are described in
163 <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
164 </para>
165
166 <para>Socket unit files must include a [Socket] section, which carries
798d3a52
ZJS		 167 information about the socket or FIFO it supervises. A number of
168 options that may be used in this section are shared with other
169 unit types. These options are documented in
78a529ca 170 <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
171 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry> and
172 <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
798d3a52
ZJS		 173 The options specific to the [Socket] section of socket units are
174 the following:</para>
175
176 <variablelist class='unit-directives'>
177 <varlistentry>
178 <term><varname>ListenStream=</varname></term>
179 <term><varname>ListenDatagram=</varname></term>
180 <term><varname>ListenSequentialPacket=</varname></term>
181 <listitem><para>Specifies an address to listen on for a stream
182 (<constant>SOCK_STREAM</constant>), datagram
183 (<constant>SOCK_DGRAM</constant>), or sequential packet
184 (<constant>SOCK_SEQPACKET</constant>) socket, respectively.
185 The address can be written in various formats:</para>
186
187 <para>If the address starts with a slash
188 (<literal>/</literal>), it is read as file system socket in
189 the <constant>AF_UNIX</constant> socket family.</para>
190
191 <para>If the address starts with an at symbol
192 (<literal>@</literal>), it is read as abstract namespace
193 socket in the <constant>AF_UNIX</constant> family. The
194 <literal>@</literal> is replaced with a
195 <constant>NUL</constant> character before binding. For
196 details, see
197 <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
198
199 <para>If the address string is a single number, it is read as
200 port number to listen on via IPv6. Depending on the value of
201 <varname>BindIPv6Only=</varname> (see below) this might result
202 in the service being available via both IPv6 and IPv4
203 (default) or just via IPv6.
204 </para>
205
206 <para>If the address string is a string in the format
69e3234d 207 <literal><replaceable>v.w.x.y</replaceable>:<replaceable>z</replaceable></literal>, it is interpreted
a07ab56a 208 as IPv4 address <replaceable>v.w.x.y</replaceable> and port <replaceable>z</replaceable>.</para>
798d3a52 209
a07ab56a
ZJS		 210 <para>If the address string is a string in the format
211 <literal>[<replaceable>x</replaceable>]:<replaceable>y</replaceable></literal>, it is interpreted as
212 IPv6 address <replaceable>x</replaceable> and port <replaceable>y</replaceable>. An optional
69e3234d 213 interface scope (interface name or number) may be specified after a <literal>%</literal> symbol:
a07ab56a
ZJS		 214 <literal>[<replaceable>x</replaceable>]:<replaceable>y</replaceable>%<replaceable>dev</replaceable></literal>.
215 Interface scopes are only useful with link-local addresses, because the kernel ignores them in other
216 cases. Note that if an address is specified as IPv6, it might still make the service available via
217 IPv4 too, depending on the <varname>BindIPv6Only=</varname> setting (see below).</para>
798d3a52 218
359a5bcf 219 <para>If the address string is a string in the format
a07ab56a
ZJS		 220 <literal>vsock:<replaceable>x</replaceable>:<replaceable>y</replaceable></literal>, it is read as CID
221 <replaceable>x</replaceable> on a port <replaceable>y</replaceable> address in the
222 <constant>AF_VSOCK</constant> family. The CID is a unique 32-bit integer identifier in
223 <constant>AF_VSOCK</constant> analogous to an IP address. Specifying the CID is optional, and may be
db7374e1
DDM		 224 set to the empty string. <literal>vsock</literal> may be replaced with
225 <literal>vsock-stream</literal>, <literal>vsock-dgram</literal> or <literal>vsock-seqpacket</literal>
226 to force usage of the corresponding socket type.</para>
359a5bcf 227
798d3a52
ZJS		 228 <para>Note that <constant>SOCK_SEQPACKET</constant> (i.e.
229 <varname>ListenSequentialPacket=</varname>) is only available
230 for <constant>AF_UNIX</constant> sockets.
231 <constant>SOCK_STREAM</constant> (i.e.
232 <varname>ListenStream=</varname>) when used for IP sockets
233 refers to TCP sockets, <constant>SOCK_DGRAM</constant> (i.e.
234 <varname>ListenDatagram=</varname>) to UDP.</para>
235
b938cb90 236 <para>These options may be specified more than once, in which
798d3a52
ZJS		 237 case incoming traffic on any of the sockets will trigger
238 service activation, and all listed sockets will be passed to
239 the service, regardless of whether there is incoming traffic
240 on them or not. If the empty string is assigned to any of
241 these options, the list of addresses to listen on is reset,
242 all prior uses of any of these options will have no
243 effect.</para>
244
245 <para>It is also possible to have more than one socket unit
246 for the same service when using <varname>Service=</varname>,
247 and the service will receive all the sockets configured in all
248 the socket units. Sockets configured in one unit are passed in
249 the order of configuration, but no ordering between socket
250 units is specified.</para>
251
252 <para>If an IP address is used here, it is often desirable to
253 listen on it before the interface it is configured on is up
254 and running, and even regardless of whether it will be up and
255 running at any point. To deal with this, it is recommended to
256 set the <varname>FreeBind=</varname> option described
257 below.</para></listitem>
258 </varlistentry>
259
260 <varlistentry>
261 <term><varname>ListenFIFO=</varname></term>
c758bea7
LP		 262 <listitem><para>Specifies a file system FIFO (see <citerefentry
263 project='man-pages'><refentrytitle>fifo</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
264 details) to listen on. This expects an absolute file system path as argument. Behavior otherwise is
265 very similar to the <varname>ListenDatagram=</varname> directive above.</para></listitem>
798d3a52
ZJS		 266 </varlistentry>
267
268 <varlistentry>
269 <term><varname>ListenSpecial=</varname></term>
270 <listitem><para>Specifies a special file in the file system to
271 listen on. This expects an absolute file system path as
272 argument. Behavior otherwise is very similar to the
273 <varname>ListenFIFO=</varname> directive above. Use this to
274 open character device nodes as well as special files in
3b121157
ZJS		 275 <filename>/proc/</filename> and
276 <filename>/sys/</filename>.</para></listitem>
798d3a52
ZJS		 277 </varlistentry>
278
279 <varlistentry>
280 <term><varname>ListenNetlink=</varname></term>
281 <listitem><para>Specifies a Netlink family to create a socket
282 for to listen on. This expects a short string referring to the
283 <constant>AF_NETLINK</constant> family name (such as
284 <varname>audit</varname> or <varname>kobject-uevent</varname>)
285 as argument, optionally suffixed by a whitespace followed by a
286 multicast group integer. Behavior otherwise is very similar to
287 the <varname>ListenDatagram=</varname> directive
288 above.</para></listitem>
289 </varlistentry>
290
291 <varlistentry>
292 <term><varname>ListenMessageQueue=</varname></term>
c758bea7
LP		 293 <listitem><para>Specifies a POSIX message queue name to listen on (see <citerefentry
294 project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>
295 for details). This expects a valid message queue name (i.e. beginning with
296 <literal>/</literal>). Behavior otherwise is very similar to the <varname>ListenFIFO=</varname>
297 directive above. On Linux message queue descriptors are actually file descriptors and can be
298 inherited between processes.</para></listitem>
798d3a52
ZJS		 299 </varlistentry>
300
8c7c9839
PS		 301 <varlistentry>
302 <term><varname>ListenUSBFunction=</varname></term>
3d314510 303 <listitem><para>Specifies a <ulink
0e685823 304 url="https://docs.kernel.org/usb/functionfs.html">USB
00bb64ec 305 FunctionFS</ulink> endpoints location to listen on, for
3d314510 306 implementation of USB gadget functions. This expects an
885a4e6c 307 absolute file system path of a FunctionFS mount point as the argument.
00bb64ec 308 Behavior otherwise is very similar to the <varname>ListenFIFO=</varname>
a8eaaee7 309 directive above. Use this to open the FunctionFS endpoint
3d314510
LP		 310 <filename>ep0</filename>. When using this option, the
311 activated service has to have the
22065311
ZJS		 312 <varname>USBFunctionDescriptors=</varname> and
313 <varname>USBFunctionStrings=</varname> options set.
ec07c3c8
AK		 314 </para>
315
316 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
8c7c9839
PS		 317 </varlistentry>
318
74bb646e
SS		 319 <varlistentry>
320 <term><varname>SocketProtocol=</varname></term>
a7c64e14 321 <listitem><para>Takes one of <option>udplite</option>
e9dd6984
ZJS		 322 or <option>sctp</option>. The socket will use the UDP-Lite
323 (<constant>IPPROTO_UDPLITE</constant>) or SCTP
324 (<constant>IPPROTO_SCTP</constant>) protocol, respectively.</para>
ec07c3c8
AK		 325
326 <xi:include href="version-info.xml" xpointer="v229"/>
74bb646e
SS		 327 </listitem>
328 </varlistentry>
329
798d3a52
ZJS		 330 <varlistentry>
331 <term><varname>BindIPv6Only=</varname></term>
a7c64e14 332 <listitem><para>Takes one of <option>default</option>,
798d3a52
ZJS		 333 <option>both</option> or <option>ipv6-only</option>. Controls
334 the IPV6_V6ONLY socket option (see
3ba3a79d 335 <citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 336 for details). If <option>both</option>, IPv6 sockets bound
337 will be accessible via both IPv4 and IPv6. If
338 <option>ipv6-only</option>, they will be accessible via IPv6
339 only. If <option>default</option> (which is the default,
340 surprise!), the system wide default setting is used, as
341 controlled by
342 <filename>/proc/sys/net/ipv6/bindv6only</filename>, which in
343 turn defaults to the equivalent of
344 <option>both</option>.</para>
345 </listitem>
346 </varlistentry>
347
348 <varlistentry>
349 <term><varname>Backlog=</varname></term>
da890466 350 <listitem><para>Takes an unsigned 32-bit integer argument. Specifies the number of connections to
768fcd77
LP		 351 queue that have not been accepted yet. This setting matters only for stream and sequential packet
352 sockets. See
353 <citerefentry><refentrytitle>listen</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
bf63dadb
ZJS		 354 details. Defaults to 4294967295. Note that this value is silently capped by the
355 <literal>net.core.somaxconn</literal> sysctl, which typically defaults to 4096, so typically
356 the sysctl is the setting that actually matters.</para></listitem>
798d3a52
ZJS		 357 </varlistentry>
358
359 <varlistentry>
360 <term><varname>BindToDevice=</varname></term>
e9dd6984
ZJS		 361 <listitem><para>Specifies a network interface name to bind this socket to. If set, traffic will only
362 be accepted from the specified network interfaces. This controls the
363 <constant>SO_BINDTODEVICE</constant> socket option (see <citerefentry
364 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
365 details). If this option is used, an implicit dependency from this socket unit on the network
366 interface device unit is created
367 (see <citerefentry><refentrytitle>systemd.device</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
368 Note that setting this parameter might result in additional dependencies to be added to the unit (see
c129bd5d 369 above).</para></listitem>
798d3a52
ZJS		 370 </varlistentry>
371
372 <varlistentry>
373 <term><varname>SocketUser=</varname></term>
374 <term><varname>SocketGroup=</varname></term>
375
e9dd6984
ZJS		 376 <listitem><para>Takes a UNIX user/group name. When specified, all <constant>AF_UNIX</constant>
377 sockets and FIFO nodes in the file system are owned by the specified user and group. If unset (the
378 default), the nodes are owned by the root user/group (if run in system context) or the invoking
379 user/group (if run in user context). If only a user is specified but no group, then the group is
ec07c3c8
AK		 380 derived from the user's default group.</para>
381
382 <xi:include href="version-info.xml" xpointer="v214"/></listitem>
798d3a52
ZJS		 383 </varlistentry>
384
385 <varlistentry>
386 <term><varname>SocketMode=</varname></term>
387 <listitem><para>If listening on a file system socket or FIFO,
388 this option specifies the file system access mode used when
389 creating the file node. Takes an access mode in octal
390 notation. Defaults to 0666.</para></listitem>
391 </varlistentry>
392
393 <varlistentry>
394 <term><varname>DirectoryMode=</varname></term>
395 <listitem><para>If listening on a file system socket or FIFO,
396 the parent directories are automatically created if needed.
397 This option specifies the file system access mode used when
398 creating these directories. Takes an access mode in octal
399 notation. Defaults to 0755.</para></listitem>
400 </varlistentry>
401
402 <varlistentry>
403 <term><varname>Accept=</varname></term>
c91d2b43
LP		 404 <listitem><para>Takes a boolean argument. If yes, a service instance is spawned for each incoming
405 connection and only the connection socket is passed to it. If no, all listening sockets themselves
406 are passed to the started service unit, and only one service unit is spawned for all connections
407 (also see above). This value is ignored for datagram sockets and FIFOs where a single service unit
408 unconditionally handles all incoming traffic. Defaults to <option>no</option>. For performance
409 reasons, it is recommended to write new daemons only in a way that is suitable for
410 <option>Accept=no</option>. A daemon listening on an <constant>AF_UNIX</constant> socket may, but
411 does not need to, call
412 <citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry> on the
413 received socket before exiting. However, it must not unlink the socket from a file system. It should
414 not invoke
415 <citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry> on
416 sockets it got with <varname>Accept=no</varname>, but it may do so for sockets it got with
417 <varname>Accept=yes</varname> set. Setting <varname>Accept=yes</varname> is mostly useful to allow
418 daemons designed for usage with <citerefentry
419 project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry> to work
420 unmodified with systemd socket activation.</para>
3b1c5241 421
dbbf0618
LP		 422 <para>Note that depending on this setting the services activated by units of this type are either
423 regular services (in case of <varname>Accept=</varname><option>no</option>) or instances of templated
424 services (in case of <varname>Accept=</varname><option>yes</option>). See the Description section
425 above for a more detailed discussion of the naming rules of triggered services.</para>
426
e9dd6984
ZJS		 427 <para>For IPv4 and IPv6 connections, the <varname>REMOTE_ADDR</varname> environment variable will
428 contain the remote IP address, and <varname>REMOTE_PORT</varname> will contain the remote port. This
429 is the same as the format used by CGI. For <constant>SOCK_RAW</constant>, the port is the IP
c91d2b43
LP		 430 protocol.</para>
431
432 <para>It is recommended to set <varname>CollectMode=inactive-or-failed</varname> for service
433 instances activated via <varname>Accept=yes</varname>, to ensure that failed connection services are
434 cleaned up and released from memory, and do not accumulate.</para></listitem>
798d3a52
ZJS		 435 </varlistentry>
436
55301ec0
LP		 437 <varlistentry>
438 <term><varname>Writable=</varname></term>
439 <listitem><para>Takes a boolean argument. May only be used in
440 conjunction with <varname>ListenSpecial=</varname>. If true,
441 the specified special file is opened in read-write mode, if
ec07c3c8
AK		 442 false, in read-only mode. Defaults to false.</para>
443
444 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
55301ec0
LP		 445 </varlistentry>
446
3e5f04bf
RM		 447 <varlistentry>
448 <term><varname>FlushPending=</varname></term>
449 <listitem><para>Takes a boolean argument. May only be used when
450 <option>Accept=no</option>. If yes, the socket's buffers are cleared after the
451 triggered service exited. This causes any pending data to be
452 flushed and any pending incoming connections to be rejected. If no, the
453 socket's buffers won't be cleared, permitting the service to handle any
454 pending connections after restart, which is the usually expected behaviour.
455 Defaults to <option>no</option>.
ec07c3c8
AK		 456 </para>
457
458 <xi:include href="version-info.xml" xpointer="v247"/></listitem>
3e5f04bf
RM		 459 </varlistentry>
460
798d3a52
ZJS		 461 <varlistentry>
462 <term><varname>MaxConnections=</varname></term>
6b014a2a
MY		 463 <listitem><para>The maximum number of connections to simultaneously run services instances for, when
464 <option>Accept=yes</option> is set. If more concurrent connections are coming in, they will be refused
465 until at least one existing connection is terminated. This setting has no effect on sockets configured
466 with <option>Accept=no</option> or datagram sockets. Defaults to 64.</para></listitem>
798d3a52
ZJS		 467 </varlistentry>
468
469 <varlistentry>
9d565427 470 <term><varname>MaxConnectionsPerSource=</varname></term>
48930a5d
LP		 471 <listitem><para>The maximum number of connections for a service per source IP address (in case of
472 IPv4/IPv6), per source CID (in case of <constant>AF_VSOCK</constant>), or source UID (in case of
473 <constant>AF_UNIX</constant>). This is very similar to the <varname>MaxConnections=</varname>
6b014a2a 474 directive above. Defaults to 0, i.e. disabled.</para>
ec07c3c8
AK		 475
476 <xi:include href="version-info.xml" xpointer="v232"/>
9d565427
SS		 477 </listitem>
478 </varlistentry>
479
480 <varlistentry>
798d3a52 481 <term><varname>KeepAlive=</varname></term>
e9dd6984
ZJS		 482 <listitem><para>Takes a boolean argument. If true, the TCP/IP stack will send a keep alive message
483 after 2h (depending on the configuration of
484 <filename>/proc/sys/net/ipv4/tcp_keepalive_time</filename>) for all TCP streams accepted on this
485 socket. This controls the <constant>SO_KEEPALIVE</constant> socket option (see <citerefentry
486 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> and
487 the <ulink url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP Keepalive
488 HOWTO</ulink> for details.) Defaults to <option>false</option>.</para></listitem>
798d3a52
ZJS		 489 </varlistentry>
490
491 <varlistentry>
492 <term><varname>KeepAliveTimeSec=</varname></term>
b938cb90 493 <listitem><para>Takes time (in seconds) as argument. The connection needs to remain
798d3a52
ZJS		 494 idle before TCP starts sending keepalive probes. This controls the TCP_KEEPIDLE
495 socket option (see
3ba3a79d 496 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 497 and the <ulink
498 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
499 Keepalive HOWTO</ulink> for details.)
ec07c3c8
AK		 500 Default value is 7200 seconds (2 hours).</para>
501
502 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
798d3a52
ZJS		 503 </varlistentry>
504
505 <varlistentry>
506 <term><varname>KeepAliveIntervalSec=</varname></term>
e9dd6984
ZJS		 507 <listitem><para>Takes time (in seconds) as argument between individual keepalive probes, if the
508 socket option <constant>SO_KEEPALIVE</constant> has been set on this socket. This controls the
509 <constant>TCP_KEEPINTVL</constant> socket option (see <citerefentry
510 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> and
511 the <ulink url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP Keepalive
ec07c3c8
AK		 512 HOWTO</ulink> for details.) Default value is 75 seconds.</para>
513
514 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
798d3a52
ZJS		 515 </varlistentry>
516
517 <varlistentry>
518 <term><varname>KeepAliveProbes=</varname></term>
7ca41557 519 <listitem><para>Takes an integer as argument. It is the number of
798d3a52
ZJS		 520 unacknowledged probes to send before considering the
521 connection dead and notifying the application layer. This
522 controls the TCP_KEEPCNT socket option (see
3ba3a79d 523 <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>
798d3a52
ZJS		 524 and the <ulink
525 url="http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/">TCP
6870daff 526 Keepalive HOWTO</ulink> for details.) Default value is
ec07c3c8
AK		 527 9.</para>
528
529 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
798d3a52
ZJS		 530 </varlistentry>
531
532 <varlistentry>
533 <term><varname>NoDelay=</varname></term>
534 <listitem><para>Takes a boolean argument. TCP Nagle's
535 algorithm works by combining a number of small outgoing
536 messages, and sending them all at once. This controls the
537 TCP_NODELAY socket option (see
e9dd6984 538 <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>).
ec07c3c8
AK		 539 Defaults to <option>false</option>.</para>
540
541 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
798d3a52
ZJS		 542 </varlistentry>
543
544 <varlistentry>
545 <term><varname>Priority=</varname></term>
e9dd6984
ZJS		 546 <listitem><para>Takes an integer argument controlling the priority for all traffic sent from this
547 socket. This controls the <constant>SO_PRIORITY</constant> socket option (see <citerefentry
548 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
549 details.).</para></listitem>
798d3a52
ZJS		 550 </varlistentry>
551
552 <varlistentry>
553 <term><varname>DeferAcceptSec=</varname></term>
554
555 <listitem><para>Takes time (in seconds) as argument. If set,
556 the listening process will be awakened only when data arrives
557 on the socket, and not immediately when connection is
558 established. When this option is set, the
559 <constant>TCP_DEFER_ACCEPT</constant> socket option will be
560 used (see
3ba3a79d 561 <citerefentry project='die-net'><refentrytitle>tcp</refentrytitle><manvolnum>7</manvolnum></citerefentry>),
798d3a52
ZJS		 562 and the kernel will ignore initial ACK packets without any
563 data. The argument specifies the approximate amount of time
564 the kernel should wait for incoming data before falling back
2dd67817 565 to the normal behavior of honoring empty ACK packets. This
798d3a52
ZJS		 566 option is beneficial for protocols where the client sends the
567 data first (e.g. HTTP, in contrast to SMTP), because the
568 server process will not be woken up unnecessarily before it
569 can take any action.
570 </para>
571
572 <para>If the client also uses the
573 <constant>TCP_DEFER_ACCEPT</constant> option, the latency of
574 the initial connection may be reduced, because the kernel will
575 send data in the final packet establishing the connection (the
576 third packet in the "three-way handshake").</para>
577
578 <para>Disabled by default.</para>
ec07c3c8
AK		 579
580 <xi:include href="version-info.xml" xpointer="v216"/>
798d3a52
ZJS		 581 </listitem>
582 </varlistentry>
583
584 <varlistentry>
585 <term><varname>ReceiveBuffer=</varname></term>
586 <term><varname>SendBuffer=</varname></term>
e9dd6984
ZJS		 587 <listitem><para>Takes an integer argument controlling the receive or send buffer sizes of this
588 socket, respectively. This controls the <constant>SO_RCVBUF</constant> and
589 <constant>SO_SNDBUF</constant> socket options (see <citerefentry
590 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
591 details.). The usual suffixes K, M, G are supported and are understood to the base of
592 1024.</para></listitem>
798d3a52
ZJS		 593 </varlistentry>
594
595 <varlistentry>
596 <term><varname>IPTOS=</varname></term>
c6a79245
LP		 597 <listitem><para>Takes an integer argument controlling the IP Type-Of-Service field for packets
598 generated from this socket. This controls the <constant>IP_TOS</constant> socket option (see
599 <citerefentry
600 project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
601 details.). Either a numeric string or one of <option>low-delay</option>, <option>throughput</option>,
602 <option>reliability</option> or <option>low-cost</option> may be specified.</para></listitem>
798d3a52
ZJS		 603 </varlistentry>
604
605 <varlistentry>
606 <term><varname>IPTTL=</varname></term>
c6a79245
LP		 607 <listitem><para>Takes an integer argument controlling the IPv4 Time-To-Live/IPv6 Hop-Count field for
608 packets generated from this socket. This sets the
609 <constant>IP_TTL</constant>/<constant>IPV6_UNICAST_HOPS</constant> socket options (see <citerefentry
610 project='die-net'><refentrytitle>ip</refentrytitle><manvolnum>7</manvolnum></citerefentry> and
611 <citerefentry
612 project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
613 details.)</para></listitem>
798d3a52
ZJS		 614 </varlistentry>
615
616 <varlistentry>
617 <term><varname>Mark=</varname></term>
e9dd6984
ZJS		 618 <listitem><para>Takes an integer value. Controls the firewall mark of packets generated by this
619 socket. This can be used in the firewall logic to filter packets from this socket. This sets the
620 <constant>SO_MARK</constant> socket option. See <citerefentry
621 project='die-net'><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
622 details.</para></listitem>
798d3a52
ZJS		 623 </varlistentry>
624
625 <varlistentry>
626 <term><varname>ReusePort=</varname></term>
e9dd6984
ZJS		 627 <listitem><para>Takes a boolean value. If true, allows multiple
628 <citerefentry><refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum></citerefentry>s to this TCP
629 or UDP port. This controls the <constant>SO_REUSEPORT</constant> socket option. See <citerefentry
630 project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
ec07c3c8
AK		 631 details.</para>
632
633 <xi:include href="version-info.xml" xpointer="v206"/></listitem>
798d3a52
ZJS		 634 </varlistentry>
635
636 <varlistentry>
637 <term><varname>SmackLabel=</varname></term>
638 <term><varname>SmackLabelIPIn=</varname></term>
639 <term><varname>SmackLabelIPOut=</varname></term>
640 <listitem><para>Takes a string value. Controls the extended
641 attributes <literal>security.SMACK64</literal>,
642 <literal>security.SMACK64IPIN</literal> and
643 <literal>security.SMACK64IPOUT</literal>, respectively, i.e.
644 the security label of the FIFO, or the security label for the
645 incoming or outgoing connections of the socket, respectively.
646 See <ulink
0e685823 647 url="https://docs.kernel.org/admin-guide/LSM/Smack.html">Smack</ulink>
ec07c3c8
AK		 648 for details.</para>
649
650 <xi:include href="version-info.xml" xpointer="v196"/></listitem>
798d3a52
ZJS		 651 </varlistentry>
652
653 <varlistentry>
654 <term><varname>SELinuxContextFromNet=</varname></term>
655 <listitem><para>Takes a boolean argument. When true, systemd
656 will attempt to figure out the SELinux label used for the
657 instantiated service from the information handed by the peer
658 over the network. Note that only the security level is used
659 from the information provided by the peer. Other parts of the
660 resulting SELinux context originate from either the target
661 binary that is effectively triggered by socket unit or from
662 the value of the <varname>SELinuxContext=</varname> option.
49590d67
MS		 663 This configuration option applies only when activated service
664 is passed in single socket file descriptor, i.e. service
665 instances that have standard input connected to a socket or
666 services triggered by exactly one socket unit. Also note
667 that this option is useful only when MLS/MCS SELinux policy
668 is deployed. Defaults to
ec07c3c8
AK		 669 <literal>false</literal>. </para>
670
671 <xi:include href="version-info.xml" xpointer="v217"/></listitem>
798d3a52
ZJS		 672 </varlistentry>
673
674 <varlistentry>
675 <term><varname>PipeSize=</varname></term>
676 <listitem><para>Takes a size in bytes. Controls the pipe
677 buffer size of FIFOs configured in this socket unit. See
678 <citerefentry><refentrytitle>fcntl</refentrytitle><manvolnum>2</manvolnum></citerefentry>
679 for details. The usual suffixes K, M, G are supported and are
680 understood to the base of 1024.</para></listitem>
681 </varlistentry>
682
683 <varlistentry>
684 <term><varname>MessageQueueMaxMessages=</varname>,
685 <varname>MessageQueueMessageSize=</varname></term>
686 <listitem><para>These two settings take integer values and
687 control the mq_maxmsg field or the mq_msgsize field,
688 respectively, when creating the message queue. Note that
689 either none or both of these variables need to be set. See
3ba3a79d 690 <citerefentry project='die-net'><refentrytitle>mq_setattr</refentrytitle><manvolnum>3</manvolnum></citerefentry>
798d3a52
ZJS		 691 for details.</para></listitem>
692 </varlistentry>
693
694 <varlistentry>
695 <term><varname>FreeBind=</varname></term>
c6a79245
LP		 696 <listitem><para>Takes a boolean value. Controls whether the socket can be bound to non-local IP
697 addresses. This is useful to configure sockets listening on specific IP addresses before those IP
698 addresses are successfully configured on a network interface. This sets the
699 <constant>IP_FREEBIND</constant>/<constant>IPV6_FREEBIND</constant> socket option. For robustness
700 reasons it is recommended to use this option whenever you bind a socket to a specific IP
701 address. Defaults to <option>false</option>.</para></listitem>
798d3a52
ZJS		 702 </varlistentry>
703
704 <varlistentry>
705 <term><varname>Transparent=</varname></term>
706 <listitem><para>Takes a boolean value. Controls the
c6a79245 707 <constant>IP_TRANSPARENT</constant>/<constant>IPV6_TRANSPARENT</constant> socket option. Defaults to
798d3a52
ZJS		 708 <option>false</option>.</para></listitem>
709 </varlistentry>
710
711 <varlistentry>
712 <term><varname>Broadcast=</varname></term>
e9dd6984
ZJS		 713 <listitem><para>Takes a boolean value. This controls the <constant>SO_BROADCAST</constant> socket
714 option, which allows broadcast datagrams to be sent from this socket. Defaults to
798d3a52
ZJS		 715 <option>false</option>.</para></listitem>
716 </varlistentry>
717
718 <varlistentry>
719 <term><varname>PassCredentials=</varname></term>
e9dd6984
ZJS		 720 <listitem><para>Takes a boolean value. This controls the <constant>SO_PASSCRED</constant> socket
721 option, which allows <constant>AF_UNIX</constant> sockets to receive the credentials of the sending
722 process in an ancillary message. Defaults to <option>false</option>.</para></listitem>
798d3a52
ZJS		 723 </varlistentry>
724
725 <varlistentry>
726 <term><varname>PassSecurity=</varname></term>
e9dd6984
ZJS		 727 <listitem><para>Takes a boolean value. This controls the <constant>SO_PASSSEC</constant> socket
728 option, which allows <constant>AF_UNIX</constant> sockets to receive the security context of the
729 sending process in an ancillary message. Defaults to <option>false</option>.</para></listitem>
798d3a52
ZJS		 730 </varlistentry>
731
a3d19f5d
LP		 732 <varlistentry>
733 <term><varname>PassPacketInfo=</varname></term>
734 <listitem><para>Takes a boolean value. This controls the <constant>IP_PKTINFO</constant>,
2d6d4136
LP		 735 <constant>IPV6_RECVPKTINFO</constant>, <constant>NETLINK_PKTINFO</constant> or
736 <constant>PACKET_AUXDATA</constant> socket options, which enable reception of additional per-packet
737 metadata as ancillary message, on <constant>AF_INET</constant>, <constant>AF_INET6</constant>,
738 <constant>AF_UNIX</constant> and <constant>AF_PACKET</constant> sockets. Defaults to
ec07c3c8
AK		 739 <option>false</option>.</para>
740
741 <xi:include href="version-info.xml" xpointer="v246"/></listitem>
a3d19f5d
LP		 742 </varlistentry>
743
95923d7e
LP		 744 <varlistentry>
745 <term><varname>Timestamping=</varname></term>
746 <listitem><para>Takes one of <literal>off</literal>, <literal>us</literal> (alias:
e503019b 747 <literal>usec</literal>, <literal>μs</literal>) or <literal>ns</literal> (alias:
95923d7e
LP		 748 <literal>nsec</literal>). This controls the <constant>SO_TIMESTAMP</constant> or
749 <constant>SO_TIMESTAMPNS</constant> socket options, and enables whether ingress network traffic shall
ec07c3c8
AK		 750 carry timestamping metadata. Defaults to <option>off</option>.</para>
751
752 <xi:include href="version-info.xml" xpointer="v247"/></listitem>
95923d7e
LP		 753 </varlistentry>
754
798d3a52
ZJS		 755 <varlistentry>
756 <term><varname>TCPCongestion=</varname></term>
e9dd6984 757 <listitem><para>Takes a string value. Controls the TCP congestion algorithm used by this
a7d8cacc 758 socket. Should be one of <literal>westwood</literal>, <literal>reno</literal>,
e9dd6984
ZJS		 759 <literal>cubic</literal>, <literal>lp</literal> or any other available algorithm supported by the IP
760 stack. This setting applies only to stream sockets.</para></listitem>
798d3a52
ZJS		 761 </varlistentry>
762
763 <varlistentry>
764 <term><varname>ExecStartPre=</varname></term>
765 <term><varname>ExecStartPost=</varname></term>
766 <listitem><para>Takes one or more command lines, which are
767 executed before or after the listening sockets/FIFOs are
768 created and bound, respectively. The first token of the
769 command line must be an absolute filename, then followed by
770 arguments for the process. Multiple command lines may be
771 specified following the same scheme as used for
772 <varname>ExecStartPre=</varname> of service unit
773 files.</para></listitem>
774 </varlistentry>
775
776 <varlistentry>
777 <term><varname>ExecStopPre=</varname></term>
778 <term><varname>ExecStopPost=</varname></term>
779 <listitem><para>Additional commands that are executed before
780 or after the listening sockets/FIFOs are closed and removed,
781 respectively. Multiple command lines may be specified
782 following the same scheme as used for
783 <varname>ExecStartPre=</varname> of service unit
784 files.</para></listitem>
785 </varlistentry>
786
787 <varlistentry>
788 <term><varname>TimeoutSec=</varname></term>
789 <listitem><para>Configures the time to wait for the commands
790 specified in <varname>ExecStartPre=</varname>,
791 <varname>ExecStartPost=</varname>,
792 <varname>ExecStopPre=</varname> and
793 <varname>ExecStopPost=</varname> to finish. If a command does
794 not exit within the configured time, the socket will be
795 considered failed and be shut down again. All commands still
796 running will be terminated forcibly via
797 <constant>SIGTERM</constant>, and after another delay of this
798 time with <constant>SIGKILL</constant>. (See
799 <option>KillMode=</option> in
800 <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.)
801 Takes a unit-less value in seconds, or a time span value such
802 as "5min 20s". Pass <literal>0</literal> to disable the
803 timeout logic. Defaults to
804 <varname>DefaultTimeoutStartSec=</varname> from the manager
805 configuration file (see
806 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
807 </para></listitem>
808 </varlistentry>
809
810 <varlistentry>
811 <term><varname>Service=</varname></term>
812 <listitem><para>Specifies the service unit name to activate on
813 incoming traffic. This setting is only allowed for sockets
814 with <varname>Accept=no</varname>. It defaults to the service
815 that bears the same name as the socket (with the suffix
816 replaced). In most cases, it should not be necessary to use
c129bd5d
LP		 817 this option. Note that setting this parameter might result in
818 additional dependencies to be added to the unit (see
819 above).</para></listitem>
798d3a52
ZJS		 820 </varlistentry>
821
822 <varlistentry>
823 <term><varname>RemoveOnStop=</varname></term>
e9dd6984
ZJS		 824 <listitem><para>Takes a boolean argument. If enabled, any file nodes created by this socket unit are
825 removed when it is stopped. This applies to <constant>AF_UNIX</constant> sockets in the file system,
826 POSIX message queues, FIFOs, as well as any symlinks to them configured with
827 <varname>Symlinks=</varname>. Normally, it should not be necessary to use this option, and is not
828 recommended as services might continue to run after the socket unit has been terminated and it should
829 still be possible to communicate with them via their file system node. Defaults to
ec07c3c8
AK		 830 off.</para>
831
832 <xi:include href="version-info.xml" xpointer="v214"/></listitem>
798d3a52
ZJS		 833 </varlistentry>
834
835 <varlistentry>
836 <term><varname>Symlinks=</varname></term>
3ecc7fc3
LP		 837 <listitem><para>Takes a list of file system paths. The specified paths will be created as symlinks to the
838 <constant>AF_UNIX</constant> socket path or FIFO path of this socket unit. If this setting is used, only one
839 <constant>AF_UNIX</constant> socket in the file system or one FIFO may be configured for the socket unit. Use
840 this option to manage one or more symlinked alias names for a socket, binding their lifecycle together. Note
841 that if creation of a symlink fails this is not considered fatal for the socket unit, and the socket unit may
842 still start. If an empty string is assigned, the list of paths is reset. Defaults to an empty
ec07c3c8
AK		 843 list.</para>
844
845 <xi:include href="version-info.xml" xpointer="v214"/></listitem>
798d3a52
ZJS		 846 </varlistentry>
847
8dd4c05b
LP		 848 <varlistentry>
849 <term><varname>FileDescriptorName=</varname></term>
850 <listitem><para>Assigns a name to all file descriptors this
851 socket unit encapsulates. This is useful to help activated
a8eaaee7 852 services identify specific file descriptors, if multiple fds
8dd4c05b
LP		 853 are passed. Services may use the
854 <citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry>
855 call to acquire the names configured for the received file
856 descriptors. Names may contain any ASCII character, but must
a8eaaee7 857 exclude control characters and <literal>:</literal>, and must
8dd4c05b 858 be at most 255 characters in length. If this setting is not
b938cb90 859 used, the file descriptor name defaults to the name of the
8dd4c05b 860 socket unit, including its <filename>.socket</filename>
ec07c3c8
AK		 861 suffix.</para>
862
863 <xi:include href="version-info.xml" xpointer="v227"/></listitem>
8dd4c05b
LP		 864 </varlistentry>
865
8b26cdbd
LP		 866 <varlistentry>
867 <term><varname>TriggerLimitIntervalSec=</varname></term>
db985064 868 <term><varname>TriggerLimitBurst=</varname></term>
8b26cdbd 869
9373fce6
LP		 870 <listitem><para>Configures a limit on how often this socket unit may be activated within a specific
871 time interval. The <varname>TriggerLimitIntervalSec=</varname> setting may be used to configure the
872 length of the time interval in the usual time units <literal>us</literal>, <literal>ms</literal>,
873 <literal>s</literal>, <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
874 <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
875 details on the various time units understood). The <varname>TriggerLimitBurst=</varname> setting
876 takes a positive integer value and specifies the number of permitted activations per time interval,
877 and defaults to 200 for <varname>Accept=yes</varname> sockets (thus by default permitting 200
878 activations per 2s), and 20 otherwise (20 activations per 2s). Set either to 0 to disable any form of
879 trigger rate limiting.</para>
880
881 <para>If the limit is hit, the socket unit is placed into a failure mode, and will not be connectible
882 anymore until restarted. Note that this limit is enforced before the service activation is
883 enqueued.</para>
884
885 <para>Compare with <varname>PollLimitIntervalSec=</varname>/<varname>PollLimitBurst=</varname>
886 described below, which implements a temporary slowdown if a socket unit is flooded with incoming
887 traffic, as opposed to the permanent failure state
888 <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> results in.</para>
ec07c3c8
AK		 889
890 <xi:include href="version-info.xml" xpointer="v230"/></listitem>
8b26cdbd
LP		 891 </varlistentry>
892
9373fce6
LP		 893 <varlistentry>
894 <term><varname>PollLimitIntervalSec=</varname></term>
895 <term><varname>PollLimitBurst=</varname></term>
896
897 <listitem><para>Configures a limit on how often polling events on the file descriptors backing this
898 socket unit will be considered. This pair of settings is similar to
899 <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> but instead of
900 putting a (fatal) limit on the activation frequency puts a (transient) limit on the polling
901 frequency. The expected parameter syntax and range are identical to that of the aforementioned
902 options, and can be disabled the same way.</para>
903
904 <para>If the polling limit is hit polling is temporarily disabled on it until the specified time
905 window passes. The polling limit hence slows down connection attempts if hit, but unlike the trigger
906 limit won't cause permanent failures. It's the recommended mechanism to deal with DoS attempts
907 through packet flooding.</para>
908
909 <para>The polling limit is enforced per file descriptor to listen on, as opposed to the trigger limit
910 which is enforced for the entire socket unit. This distinction matters for socket units that listen
911 on multiple file descriptors (i.e. have multiple <varname>ListenXYZ=</varname> stanzas).</para>
912
913 <para>These setting defaults to 150 (in case of <varname>Accept=yes</varname>) and 15 (otherwise)
914 polling events per 2s. This is considerably lower than the default values for the trigger limit (see
915 above) and means that the polling limit should typically ensure the trigger limit is never hit,
916 unless one of them is reconfigured or disabled.</para>
917
918 <xi:include href="version-info.xml" xpointer="v255"/></listitem>
919 </varlistentry>
920
97df75d7
JS		 921 <varlistentry>
922 <term><varname>PassFileDescriptorsToExec=</varname></term>
923
924 <listitem><para>Takes a boolean argument. Defaults to off. If enabled, file descriptors created by
925 the socket unit are passed to <varname>ExecStartPost=</varname>, <varname>ExecStopPre=</varname>, and
926 <varname>ExecStopPost=</varname> commands from the socket unit. The passed file descriptors can be
927 accessed with
928 <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> as
929 if the commands were invoked from the associated service units. Note that
930 <varname>ExecStartPre=</varname> command cannot access socket file descriptors.</para>
931
932 <xi:include href="version-info.xml" xpointer="v256"/></listitem>
933 </varlistentry>
934
798d3a52
ZJS		 935 </variablelist>
936
d8e1613e 937 <xi:include href="systemd.service.xml" xpointer="shared-unit-options" />
798d3a52
ZJS		 938 </refsect1>
939
940 <refsect1>
941 <title>See Also</title>
13a69c12
DT		 942 <para><simplelist type="inline">
943 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
944 <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
945 <member><citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
946 <member><citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
947 <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
948 <member><citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
949 <member><citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
950 <member><citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
951 <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
952 <member><citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
953 <member><citerefentry><refentrytitle>sd_listen_fds_with_names</refentrytitle><manvolnum>3</manvolnum></citerefentry></member>
954 </simplelist></para>
798d3a52
ZJS		 955 <para>
956 For more extensive descriptions see the "systemd for Developers" series:
13a69c12
DT		 957 <simplelist type="inline">
958 <member><ulink url="https://0pointer.de/blog/projects/socket-activation.html">Socket Activation</ulink></member>
959 <member><ulink url="https://0pointer.de/blog/projects/socket-activation2.html">Socket Activation, part II</ulink></member>
960 <member><ulink url="https://0pointer.de/blog/projects/inetd.html">Converting inetd Services</ulink></member>
961 <member><ulink url="https://0pointer.de/blog/projects/socket-activated-containers.html">Socket Activated Internet Services and OS Containers</ulink></member>
962 </simplelist>.
798d3a52
ZJS		 963 </para>
964 </refsect1>
1f812fea
LP		 965
966</refentry>
Unnamed repository; edit this file 'description' to name the repository.