man: clarify which addresses are affected by IPAddressAllow=/IPAddressDeny=
For ingress traffic it's the source address of IP packets we check, for egress traffic it's the destination address. Mention that.
This commit is contained in:
Lennart Poettering
parent
276cf52fc0
commit
ef81ce6e80
|
|
@ -513,23 +513,27 @@
|
||||||
<term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term>
|
<term><varname>IPAddressDeny=<replaceable>ADDRESS[/PREFIXLENGTH]…</replaceable></varname></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Turn on address range network traffic filtering for packets sent and received over AF_INET and AF_INET6
|
<para>Turn on address range network traffic filtering for IP packets sent and received over
|
||||||
sockets. Both directives take a space separated list of IPv4 or IPv6 addresses, each optionally suffixed
|
<constant>AF_INET</constant> and <constant>AF_INET6</constant> sockets. Both directives take a
|
||||||
with an address prefix length (separated by a <literal>/</literal> character). If the latter is omitted, the
|
space separated list of IPv4 or IPv6 addresses, each optionally suffixed with an address prefix
|
||||||
address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128 for IPv6).
|
length in bits (separated by a <literal>/</literal> character). If the latter is omitted, the
|
||||||
</para>
|
address is considered a host address, i.e. the prefix covers the whole address (32 for IPv4, 128
|
||||||
|
for IPv6).</para>
|
||||||
|
|
||||||
<para>The access lists configured with this option are applied to all sockets created by processes of this
|
<para>The access lists configured with this option are applied to all sockets created by processes
|
||||||
unit (or in the case of socket units, associated with it). The lists are implicitly combined with any lists
|
of this unit (or in the case of socket units, associated with it). The lists are implicitly
|
||||||
configured for any of the parent slice units this unit might be a member of. By default all access lists are
|
combined with any lists configured for any of the parent slice units this unit might be a member
|
||||||
empty. When configured the lists are enforced as follows:</para>
|
of. By default all access lists are empty. Both ingress and egress traffic is filtered by these
|
||||||
|
settings. In case of ingress traffic the source IP address is checked against these access lists,
|
||||||
|
in case of egress traffic the destination IP address is checked. When configured the lists are
|
||||||
|
enforced as follows:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><para>Access will be granted in case its destination/source address matches any entry in the
|
<listitem><para>Access will be granted in case an IP packet's destination/source address matches
|
||||||
<varname>IPAddressAllow=</varname> setting.</para></listitem>
|
any entry in the <varname>IPAddressAllow=</varname> setting.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>Otherwise, access will be denied in case its destination/source address matches any entry
|
<listitem><para>Otherwise, access will be denied in case its destination/source address matches
|
||||||
in the <varname>IPAddressDeny=</varname> setting.</para></listitem>
|
any entry in the <varname>IPAddressDeny=</varname> setting.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>Otherwise, access will be granted.</para></listitem>
|
<listitem><para>Otherwise, access will be granted.</para></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue