man: document the new ip accounting and filting directives

man/systemd-system.conf.xml

@@ -319,17 +319,14 @@
         <term><varname>DefaultBlockIOAccounting=</varname></term>
         <term><varname>DefaultMemoryAccounting=</varname></term>
         <term><varname>DefaultTasksAccounting=</varname></term>
+        <term><varname>DefaultIPAccounting=</varname></term>
 
-        <listitem><para>Configure the default resource accounting
-        settings, as configured per-unit by
-        <varname>CPUAccounting=</varname>,
-        <varname>BlockIOAccounting=</varname>,
-        <varname>MemoryAccounting=</varname> and
-        <varname>TasksAccounting=</varname>. See
+        <listitem><para>Configure the default resource accounting settings, as configured per-unit by
+        <varname>CPUAccounting=</varname>, <varname>BlockIOAccounting=</varname>, <varname>MemoryAccounting=</varname>,
+        <varname>TasksAccounting=</varname> and <varname>IPAccounting=</varname>. See
         <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-        for details on the per-unit
-        settings. <varname>DefaultTasksAccounting=</varname> defaults
-        to on, the other three settings to off.</para></listitem>
+        for details on the per-unit settings. <varname>DefaultTasksAccounting=</varname> defaults to on, the other
+        four settings to off.</para></listitem>
       </varlistentry>
 
       <varlistentry>

man/systemd.resource-control.xml

@@ -480,6 +480,123 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>IPAccounting=</varname></term>
+
+        <listitem>
+          <para>Takes a boolean argument. If true, turns on IPv4 and IPv6 network traffic accounting for packets sent
+          or received by the unit. When this option is turned on, all IPv4 and IPv6 sockets created by any process of
+          the unit are accounted for. When this option is used in socket units, it applies to all IPv4 and IPv6 sockets
+          associated with it (including both listening and connection sockets where this applies). Note that for
+          socket-activated services, this configuration setting and the accounting data of the service unit and the
+          socket unit are kept separate, and displayed separately. No propagation of the setting and the collected
+          statistics is done, in either direction. Moreover, any traffic sent or received on any of the socket unit's
+          sockets is accounted to the socket unit — and never to the service unit it might have activated, even if the
+          socket is used by it. Note that IP accounting is currently not supported for slice units, and enabling this
+          option for them has no effect. The system default for this setting may be controlled with
+          <varname>DefaultIPAccounting=</varname> in
+          <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>IPAddressAllow=<replaceable>ADDDRESS[/PREFIXLENGTH]…</replaceable></varname></term>
+        <term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term>
+
+        <listitem>
+          <para>Turn on address range network traffic filtering for packets sent and received over AF_INET and AF_INET6
+          sockets.  Both directives take a space separated list of IPv4 or IPv6 addresses, each optionally suffixed
+          with an address prefix length (separated by a <literal>/</literal> character). If the latter is omitted, the
+          address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128 for IPv6).
+          </para>
+
+          <para>The access lists configured with this option are applied to all sockets created by processes of this
+          unit (or in the case of socket units, associated with it). The lists are implicitly combined with any lists
+          configured for any of the parent slice units this unit might be a member of. By default all access lists are
+          empty. When configured the lists are enforced as follows:</para>
+
+          <itemizedlist>
+            <listitem><para>Access will be granted in case its destination/source address matches any entry in the
+            <varname>IPAddressAllow=</varname> setting.</para></listitem>
+
+            <listitem><para>Otherwise, access will be denied in case its destination/source address matches any entry
+            in the <varname>IPAddressDeny=</varname> setting.</para></listitem>
+
+            <listitem><para>Otherwise, access will be granted.</para></listitem>
+          </itemizedlist>
+
+          <para>In order to implement a whitelisting IP firewall, it is recommended to use a
+          <varname>IPAddressDeny=</varname><constant>any</constant> setting on an upper-level slice unit (such as the
+          root slice <filename>-.slice</filename> or the slice containing all system services
+          <filename>system.slice</filename> – see
+          <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
+          details on these slice units), plus individual per-service <varname>IPAddressAllow=</varname> lines
+          permitting network access to relevant services, and only them.</para>
+
+          <para>Note that for socket-activated services, the IP access list configured on the socket unit applies to
+          all sockets associated with it directly, but not to any sockets created by the ultimately activated services
+          for it. Conversely, the IP access list configured for the service is not applied to any sockets passed into
+          the service via socket activation. Thus, it is usually a good idea, to replicate the IP access lists on both
+          the socket and the service unit, however it often makes sense to maintain one list more open and the other
+          one more restricted, depending on the usecase.</para>
+
+          <para>If these settings are used multiple times in the same unit the specified lists are combined. If an
+          empty string is assigned to these settings the specific access list is reset and all previous settings undone.</para>
+
+          <para>In place of explicit IPv4 or IPv6 address and prefix length specifications a small set of symbolic
+          names may be used. The following names are defined:</para>
+
+          <table>
+            <title>Special address/network names</title>
+
+            <tgroup cols='3'>
+              <colspec colname='name'/>
+              <colspec colname='definition'/>
+              <colspec colname='meaning'/>
+
+              <thead>
+                <row>
+                  <entry>Symbolic Name</entry>
+                  <entry>Definition</entry>
+                  <entry>Meaning</entry>
+                </row>
+              </thead>
+
+            <tbody>
+              <row>
+                <entry><constant>any</constant></entry>
+                <entry>0.0.0.0/0 ::/0</entry>
+                <entry>Any host</entry>
+              </row>
+
+              <row>
+                <entry><constant>localhost</constant></entry>
+                <entry>127.0.0.0/8 ::1/128</entry>
+                <entry>All addresses on the local loopback</entry>
+              </row>
+
+              <row>
+                <entry><constant>link-local</constant></entry>
+                <entry>169.254.0.0/16 fe80::/64</entry>
+                <entry>All link-local IP addresses</entry>
+              </row>
+
+              <row>
+                <entry><constant>multicast</constant></entry>
+                <entry>224.0.0.0/4 ff00::/8</entry>
+                <entry>All IP multicasting addresses</entry>
+              </row>
+            </tbody>
+            </tgroup>
+          </table>
+
+          <para>Note that these settings might not be supported on some systems (for example if eBPF control group
+          support is not enabled in the underlying kernel or container manager). These settings will have no effect in
+          that case. If compatibility with such systems is desired it is hence recommended to not exclusively rely on
+          them for IP security.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>DeviceAllow=</varname></term>
 

man/systemd.special.xml

@@ -1009,17 +1009,17 @@ PartOf=graphical-session.target
   <refsect1>
     <title>Special Slice Units</title>
 
-    <para>There are four <literal>.slice</literal> units which form
-    the basis of the hierarchy for assignment of resources for
-    services, users, and virtual machines or containers.</para>
+    <para>There are four <literal>.slice</literal> units which form the basis of the hierarchy for assignment of
+    resources for services, users, and virtual machines or containers. See
+    <citerefentry><refentrytitle>-.slice</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details about slice
+    units.</para>
 
     <variablelist>
       <varlistentry>
         <term><filename>-.slice</filename></term>
         <listitem>
-          <para>The root slice is the root of the hierarchy. It
-          usually does not contain units directly, but may be used to
-          set defaults for the whole tree.</para>
+          <para>The root slice is the root of the slice hierarchy. It usually does not contain units directly, but may
+          be used to set defaults for the whole tree.</para>
         </listitem>
       </varlistentry>