path: root/man/systemd.resource-control.xml
author    Kai Lüke <kailueke@riseup.net>  2019-04-23 12:14:20 +0200
committer Lennart Poettering <lennart@poettering.net>  2019-06-25 09:56:16 +0200
commit    fab347489fcfafbc8367c86afc637ce1b81ae59e (patch)
tree      25eb895a90940163ff7e6f0e3d8c0054433ae6d1 /man/systemd.resource-control.xml
parent    2d901d33a90ef9d3fe01ac66c4894c9e6bf48ce0 (diff)
download  systemd-fab347489fcfafbc8367c86afc637ce1b81ae59e.tar.gz
bpf-firewall: custom BPF programs through IP(Ingress|Egress)FilterPath=
Takes a single /sys/fs/bpf/pinned_prog string as argument, but may be specified multiple times. An empty assignment resets all previous filters. Closes https://github.com/systemd/systemd/issues/10227
Diffstat (limited to 'man/systemd.resource-control.xml')
-rw-r--r--  man/systemd.resource-control.xml  33
1 files changed, 33 insertions, 0 deletions
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 95209a8a6a..e7b5dfbce6 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -619,6 +619,39 @@
</varlistentry>
<varlistentry>
+ <term><varname>IPIngressFilterPath=<replaceable>BPF_FS_PROGRAMM_PATH</replaceable></varname></term>
+ <term><varname>IPEgressFilterPath=<replaceable>BPF_FS_PROGRAMM_PATH</replaceable></varname></term>
+
+ <listitem>
+ <para>Add custom network traffic filters implemented as BPF programs, applying to all IP packets
+ sent and received over <constant>AF_INET</constant> and <constant>AF_INET6</constant> sockets.
+ Takes an absolute path to a pinned BPF program in the BPF virtual filesystem (<filename>/sys/fs/bpf/</filename>).
+ </para>
+
+ <para>The filters configured with this option are applied to all sockets created by processes
+ of this unit (or in the case of socket units, associated with it). The filters are loaded in addition
+ to filters any of the parent slice units this unit might be a member of as well as any
+ <varname>IPAddressAllow=</varname> and <varname>IPAddressDeny=</varname> filters in any of these units.
+ By default there are no filters specified.</para>
+
+ <para>If these settings are used multiple times in the same unit all the specified programs are attached. If an
+ empty string is assigned to these settings the program list is reset and all previous specified programs ignored.</para>
+
+ <para>Note that for socket-activated services, the IP filter programs configured on the socket unit apply to
+ all sockets associated with it directly, but not to any sockets created by the ultimately activated services
+ for it. Conversely, the IP filter programs configured for the service are not applied to any sockets passed into
+ the service via socket activation. Thus, it is usually a good idea, to replicate the IP filter programs on both
+ the socket and the service unit, however it often makes sense to maintain one configuration more open and the other
+ one more restricted, depending on the usecase.</para>
+
+ <para>Note that these settings might not be supported on some systems (for example if eBPF control group
+ support is not enabled in the underlying kernel or container manager). These settings will fail the service in
+ that case. If compatibility with such systems is desired it is hence recommended to attach your filter manually
+ (requires <varname>Delegate=</varname><constant>yes</constant>) instead of using this setting.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>DeviceAllow=</varname></term>
<listitem>
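Review bot: the placeholder `BPF_FS_PROGRAMM_PATH` in both new `<term>` lines is misspelled; `BPF_FS_PROGRAM_PATH` matches the English wording used elsewhere in this man page. The second `<para>` drops a word: "loaded in addition to filters any of the parent slice units" should read "loaded in addition to the filters of any of the parent slice units". Smaller wording fixes in the later paragraphs: "all previous specified programs" should be "all previously specified programs", the comma in "a good idea, to replicate" should go, and "usecase" should be "use case". One documentation gap worth closing before merging: the last paragraph states that the unit fails when eBPF control group support is missing, but nothing says what happens when the configured path does not exist, is not under `/sys/fs/bpf/`, or the pinned object is not a program type that can be attached to a cgroup; an administrator relying on these filters as a security boundary needs to know whether such a misconfiguration fails the service or is silently skipped, so please state that explicitly.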