git.ipfire.org Git - thirdparty/systemd.git/commitdiff
man: add SocketBind{Allow|Deny}= documentation
author: Julia Kartseva <hex@fb.com>
Wed, 18 Nov 2020 08:32:14 +0000 (00:32 -0800)
committer: Julia Kartseva <hex@fb.com>
Mon, 26 Apr 2021 23:26:28 +0000 (16:26 -0700)
man/systemd.resource-control.xml

index a2d01f7afbf10ad4e51ff6b55a0831e719fd0030..d9b570e232cac4efc903a91dcc1be576ba1e14fc 100644 (file)
@@ -762,6 +762,76 @@ BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>SocketBindAllow=<replaceable>bind-rule</replaceable></varname></term>
+        <term><varname>SocketBindDeny=<replaceable>bind-rule</replaceable></varname></term>
+
+        <listitem>
+          <para>Allow or deny binding a socket address to a socket by matching it with the <replaceable>bind-rule</replaceable> and
+          applying a corresponding action if there is a match.</para>
+
+          <para><replaceable>bind-rule</replaceable> describes socket properties such as <replaceable>address-family</replaceable>
+          and <replaceable>ip-ports</replaceable>.</para>
+
+          <para><replaceable>bind-rule</replaceable> := [<replaceable>address-family</replaceable><constant>:</constant>]<replaceable>ip-ports</replaceable></para>
+
+          <para><replaceable>address-family</replaceable> := { <constant>IPv4</constant> | <constant>IPv6</constant> }</para>
+
+          <para><replaceable>ip-ports</replaceable> := { <replaceable>ip-port</replaceable> | <replaceable>ip-port-range</replaceable> |
+          <constant>any</constant> }</para>
+
+          <para>An optional <replaceable>address-family</replaceable> expects <constant>IPv4</constant> or <constant>IPv6</constant> values.
+          If not specified, a rule will be matched for both IPv4 and IPv6 addresses and applied depending on other socket fields, e.g.
+          <replaceable>ip-port</replaceable>.</para>
+
+          <para><replaceable>ip-port</replaceable> value must lie within 1…65535 interval inclusively, i.e.
+          dynamic port <constant>0</constant> is not allowed. A range of sequential ports is described by
+          <replaceable>ip-port-range</replaceable> := <replaceable>ip-port-low</replaceable><constant>-</constant><replaceable>ip-port-high</replaceable>,
+          where <replaceable>ip-port-low</replaceable> is smaller than or equal to <replaceable>ip-port-high</replaceable>
+          and both are within 1…65535 inclusively. A special value <constant>any</constant>
+          should be used to apply a rule to any port with a positive value.</para>
+
+          <para>To allow multiple rules assign <varname>SocketBindAllow=</varname> or <varname>SocketBindDeny=</varname> multiple times.
+          To clear the existing assignments pass an empty <varname>SocketBindAllow=</varname> or <varname>SocketBindDeny=</varname>
+          assignment.</para>
+
+          <para>For each of <varname>SocketBindAllow=</varname> and <varname>SocketBindDeny=</varname>, maximum allowed number of assignments is
+          <constant>128</constant>.</para>
+
+          <itemizedlist>
+            <listitem><para>Binding to a socket is allowed when a socket address matches an entry in the
+            <varname>SocketBindAllow=</varname> list.</para></listitem>
+
+            <listitem><para>Otherwise, binding is denied when the socket address matches an entry in the
+            <varname>SocketBindDeny=</varname> list.</para></listitem>
+
+            <listitem><para>Otherwise, binding is allowed.</para></listitem>
+          </itemizedlist>
+
+          <para>The feature is implemented with <constant>cgroup/bind4</constant> and <constant>cgroup/bind6</constant> cgroup-bpf hooks.</para>
+          <para>Examples:<programlisting>…
+# Allow binding IPv6 socket addresses with a port greater than or equal to 10000.
+[Service]
+SocketBindAllow=IPv6:10000-65535
+SocketBindDeny=any
+…
+# Allow binding IPv4 and IPv6 socket addresses with 1234 and 4321 ports.
+[Service]
+SocketBindAllow=1234
+SocketBindAllow=4321
+SocketBindDeny=any
+…
+# Deny binding IPv6 socket addresses.
+[Service]
+SocketBindDeny=IPv6:any
+…
+# Deny binding IPv4 and IPv6 socket addresses.
+[Service]
+SocketBindDeny=any
+…</programlisting></para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>DeviceAllow=</varname></term>
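Review bot: the last example, `# Deny binding IPv4 and IPv6 socket addresses.` / `SocketBindDeny=any`, promises more than the rules as written deliver. The text defines `any` as matching "any port with a positive value" and excludes port 0 from `ip-port`, so a bind(2) that requests port 0 (kernel-assigned ephemeral port) matches neither the allow list nor the deny list and falls through to "Otherwise, binding is allowed". The same gap applies to the first two examples, where `SocketBindDeny=any` is meant to close off everything not explicitly allowed. Suggest saying this outright in the `ip-port` paragraph (for example: "Binding to port 0 is never matched by any rule, including any, and is therefore always permitted") and either rewording the example comments to "...with a non-zero port" or noting the exception in them, so readers do not treat `SocketBindDeny=any` as a complete bind restriction. One more sentence next to the `cgroup/bind4` / `cgroup/bind6` note would also help: those hooks sit on the explicit bind(2) path, so a socket the kernel auto-binds on connect(2) or sendto(2) does not pass through them; if that is the intended scope, document it.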