From 8d8631d4c9e4132d0a09b7d16996b1942e379223 Mon Sep 17 00:00:00 2001 From: Daniel Mack Date: Sat, 12 Nov 2016 13:38:38 +0100 Subject: [PATCH] man: document the new ip accounting and filting directives --- man/systemd-system.conf.xml | 15 ++--- man/systemd.resource-control.xml | 117 +++++++++++++++++++++++++++++++++++++++ man/systemd.special.xml | 12 ++-- 3 files changed, 129 insertions(+), 15 deletions(-) diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml index 336c7a5..81f1b1e 100644 --- a/man/systemd-system.conf.xml +++ b/man/systemd-system.conf.xml @@ -319,17 +319,14 @@ DefaultBlockIOAccounting= DefaultMemoryAccounting= DefaultTasksAccounting= + DefaultIPAccounting= - Configure the default resource accounting - settings, as configured per-unit by - CPUAccounting=, - BlockIOAccounting=, - MemoryAccounting= and - TasksAccounting=. See + Configure the default resource accounting settings, as configured per-unit by + CPUAccounting=, BlockIOAccounting=, MemoryAccounting=, + TasksAccounting= and IPAccounting=. See systemd.resource-control5 - for details on the per-unit - settings. DefaultTasksAccounting= defaults - to on, the other three settings to off. + for details on the per-unit settings. DefaultTasksAccounting= defaults to on, the other + four settings to off. diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index bb69599..0c0c916 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
@@ -481,6 +481,123 @@ + IPAccounting= + + + Takes a boolean argument. If true, turns on IPv4 and IPv6 network traffic accounting for packets sent + or received by the unit. When this option is turned on, all IPv4 and IPv6 sockets created by any process of + the unit are accounted for. When this option is used in socket units, it applies to all IPv4 and IPv6 sockets + associated with it (including both listening and connection sockets where this applies). Note that for + socket-activated services, this configuration setting and the accounting data of the service unit and the + socket unit are kept separate, and displayed separately. No propagation of the setting and the collected + statistics is done, in either direction. Moreover, any traffic sent or received on any of the socket unit's + sockets is accounted to the socket unit — and never to the service unit it might have activated, even if the + socket is used by it. Note that IP accounting is currently not supported for slice units, and enabling this + option for them has no effect. The system default for this setting may be controlled with + DefaultIPAccounting= in + systemd-system.conf5. + + + + + IPAddressAllow=ADDDRESS[/PREFIXLENGTH]… + IPAddressDeny=ADDRESS[/PREFIXLENGTH]… + + + Turn on address range network traffic filtering for packets sent and received over AF_INET and AF_INET6 + sockets. Both directives take a space separated list of IPv4 or IPv6 addresses, each optionally suffixed + with an address prefix length (separated by a / character). If the latter is omitted, the + address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128 for IPv6). + + + The access lists configured with this option are applied to all sockets created by processes of this + unit (or in the case of socket units, associated with it). The lists are implicitly combined with any lists + configured for any of the parent slice units this unit might be a member of. 
By default all access lists are + empty. When configured the lists are enforced as follows: + + + Access will be granted in case its destination/source address matches any entry in the + IPAddressAllow= setting. + + Otherwise, access will be denied in case its destination/source address matches any entry + in the IPAddressDeny= setting. + + Otherwise, access will be granted. + + + In order to implement a whitelisting IP firewall, it is recommended to use a + IPAddressDeny=any setting on an upper-level slice unit (such as the + root slice -.slice or the slice containing all system services + system.slice – see + systemd.special7 for + details on these slice units), plus individual per-service IPAddressAllow= lines + permitting network access to relevant services, and only them. + + Note that for socket-activated services, the IP access list configured on the socket unit applies to + all sockets associated with it directly, but not to any sockets created by the ultimately activated services + for it. Conversely, the IP access list configured for the service is not applied to any sockets passed into + the service via socket activation. Thus, it is usually a good idea, to replicate the IP access lists on both + the socket and the service unit, however it often makes sense to maintain one list more open and the other + one more restricted, depending on the usecase. + + If these settings are used multiple times in the same unit the specified lists are combined. If an + empty string is assigned to these settings the specific access list is reset and all previous settings undone. + + In place of explicit IPv4 or IPv6 address and prefix length specifications a small set of symbolic + names may be used. 
The following names are defined: + + + Special address/network names + + + + + + + + + Symbolic Name + Definition + Meaning + + + + + + any + 0.0.0.0/0 ::/0 + Any host + + + + localhost + 127.0.0.0/8 ::1/128 + All addresses on the local loopback + + + + link-local + 169.254.0.0/16 fe80::/64 + All link-local IP addresses + + + + multicast + 224.0.0.0/4 ff00::/8 + All IP multicasting addresses + + + +
+ + Note that these settings might not be supported on some systems (for example if eBPF control group + support is not enabled in the underlying kernel or container manager). These settings will have no effect in + that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on + them for IP security. +
+
+ + DeviceAllow= diff --git a/man/systemd.special.xml b/man/systemd.special.xml index 73e1e72..5a83114 100644 --- a/man/systemd.special.xml +++ b/man/systemd.special.xml @@ -1009,17 +1009,17 @@ PartOf=graphical-session.target Special Slice Units - There are four .slice units which form - the basis of the hierarchy for assignment of resources for - services, users, and virtual machines or containers. + There are four .slice units which form the basis of the hierarchy for assignment of + resources for services, users, and virtual machines or containers. See + -.slice7 for details about slice + units. -.slice - The root slice is the root of the hierarchy. It - usually does not contain units directly, but may be used to - set defaults for the whole tree. + The root slice is the root of the slice hierarchy. It usually does not contain units directly, but may + be used to set defaults for the whole tree. -- 2.7.4
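Review bot: In the systemd-system.conf.xml hunk, DefaultIPAccounting= is added to the term list but the description says nothing about the slice limitation that the resource-control hunk states explicitly ("IP accounting is currently not supported for slice units"); an administrator turning the default on here will reasonably expect per-slice counters, so a short pointer to that limitation belongs next to the new term. The same hunk also reflows the untouched sentences onto longer lines, so the real change ("and IPAccounting=", "four settings" instead of "three") is buried in whitespace churn; keeping the reflow in a separate commit makes the documentation change reviewable on its own. The Subject line also misspells "filtering" as "filting".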
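Review bot: In the systemd.resource-control.xml hunk the IPAddressAllow= term reads ADDDRESS while the IPAddressDeny= term right below it reads ADDRESS; these terms render as the directive synopsis, so it should be IPAddressAllow=ADDRESS[/PREFIXLENGTH]…. The closing paragraph says the lists "will have no effect" where eBPF control group support is missing, but does not say whether that is visible to the administrator (a logged warning, a refused unit start, or nothing at all); for a directive that the same hunk recommends as the basis of a whitelisting firewall (IPAddressDeny=any on system.slice plus per-service IPAddressAllow= lines), the page should state how a silently ignored deny list can be detected, because an unenforced deny is the failure mode an operator least expects. In the link-local table row the IPv6 entry is fe80::/64; the address block reserved for link-local is fe80::/10, of which fe80::/64 is the part hosts actually configure, so confirm the table matches the prefix the implementation installs rather than documenting one and enforcing the other. Minor wording: "it is usually a good idea, to replicate" has a stray comma, and "usecase" should be "use case".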
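Review bot: The added sentence in the systemd.special.xml hunk cross-references "-.slice" in manual section 7, which renders as -.slice(7), and no such page exists; slice units are documented in systemd.slice(5), so the citerefentry should carry that title and volume number instead, otherwise the new "See … for details about slice units" sentence sends readers to a dead reference. As in the other two files, the unchanged paragraphs are reflowed in the same hunk, mixing whitespace changes with the one-sentence content change.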