path: root/man/systemd.socket.xml
Diffstat (limited to 'man/systemd.socket.xml')
-rw-r--r--man/systemd.socket.xml34
1 files changed, 23 insertions, 11 deletions
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 19c2ca9907..fb51ef6658 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -1,4 +1,4 @@
-<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
+<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
@@ -68,8 +68,8 @@
or it must be a template unit named the same way. Example: a
socket file <filename>foo.socket</filename> needs a matching
service <filename>foo.service</filename> if
- <option>Accept=false</option> is set. If
- <option>Accept=true</option> is set, a service template file
+ <option>Accept=no</option> is set. If
+ <option>Accept=yes</option> is set, a service template file
<filename>foo@.service</filename> must exist from which services
are instantiated for each incoming connection.</para>
@@ -94,6 +94,18 @@
socket passing (i.e. sockets passed in via standard input and
output, using <varname>StandardInput=socket</varname> in the
service file).</para>
+
+ <para>All network sockets allocated through <filename>.socket</filename> units are allocated in the host's network
+ namespace (see <citerefentry
+ project='man-pages'><refentrytitle>network_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>). This
+ does not mean however that the service activated by a configured socket unit has to be part of the host's network
+ namespace as well. It is supported and even good practice to run services in their own network namespace (for
+ example through <varname>PrivateNetwork=</varname>, see
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>), receiving only
+ the sockets configured through socket-activation from the host's namespace. In such a set-up communication within
+ the host's network namespace is only permitted through the activation sockets passed in while all sockets allocated
+ from the service code itself will be associated with the service's own namespace, and thus possibly subject to a a
+ much more restrictive configuration.</para>
</refsect1>
<refsect1>
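Review bot: the last sentence of the new paragraph has a doubled article ("subject to a a much more restrictive configuration"); drop one "a", and a comma after "In such a set-up" would help the sentence that follows. The security point the paragraph makes is worth stating more sharply while it is being edited: with PrivateNetwork= the service keeps full use of the activation sockets handed to it from the host namespace, so those listeners are the only path between the service and the host network, while any socket the service opens itself is created in the service's own namespace and is confined to whatever that namespace permits. That is what makes the combination of socket activation and PrivateNetwork= a least-privilege pattern rather than just an isolation one, and the text currently leaves the reader to infer it.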
@@ -303,7 +315,7 @@
<varlistentry>
<term><varname>SocketProtocol=</varname></term>
- <listitem><para>Takes a one of <option>udplite</option>
+ <listitem><para>Takes one of <option>udplite</option>
or <option>sctp</option>. Specifies a socket protocol
(<constant>IPPROTO_UDPLITE</constant>) UDP-Lite
(<constant>IPPROTO_SCTP</constant>) SCTP socket respectively. </para>
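Review bot: the "Takes a one of" fix is fine, but the sentence that follows it in the same listitem is still garbled: "Specifies a socket protocol (IPPROTO_UDPLITE) UDP-Lite (IPPROTO_SCTP) SCTP socket respectively." Since this entry is already being touched, suggest rewording it to something like "Specifies the socket protocol: UDP-Lite (IPPROTO_UDPLITE) or SCTP (IPPROTO_SCTP), respectively." and removing the stray space before the closing para tag.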
@@ -312,7 +324,7 @@
<varlistentry>
<term><varname>BindIPv6Only=</varname></term>
- <listitem><para>Takes a one of <option>default</option>,
+ <listitem><para>Takes one of <option>default</option>,
<option>both</option> or <option>ipv6-only</option>. Controls
the IPV6_V6ONLY socket option (see
<citerefentry project='die-net'><refentrytitle>ipv6</refentrytitle><manvolnum>7</manvolnum></citerefentry>
@@ -395,17 +407,17 @@
incoming traffic. Defaults to <option>false</option>. For
performance reasons, it is recommended to write new daemons
only in a way that is suitable for
- <option>Accept=false</option>. A daemon listening on an
+ <option>Accept=no</option>. A daemon listening on an
<constant>AF_UNIX</constant> socket may, but does not need to,
call
<citerefentry><refentrytitle>close</refentrytitle><manvolnum>2</manvolnum></citerefentry>
on the received socket before exiting. However, it must not
unlink the socket from a file system. It should not invoke
<citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- on sockets it got with <varname>Accept=false</varname>, but it
+ on sockets it got with <varname>Accept=no</varname>, but it
may do so for sockets it got with
- <varname>Accept=true</varname> set. Setting
- <varname>Accept=true</varname> is mostly useful to allow
+ <varname>Accept=yes</varname> set. Setting
+ <varname>Accept=yes</varname> is mostly useful to allow
daemons designed for usage with
<citerefentry project='freebsd'><refentrytitle>inetd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
to work unmodified with systemd socket
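Review bot: the unchanged context line at the top of this hunk still reads "Defaults to <option>false</option>" while every other Accept= reference in the hunk is switched to the yes/no spelling; change it to <option>no</option> in the same commit so the entry is internally consistent.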
@@ -429,11 +441,11 @@
<term><varname>MaxConnections=</varname></term>
<listitem><para>The maximum number of connections to
simultaneously run services instances for, when
- <option>Accept=true</option> is set. If more concurrent
+ <option>Accept=yes</option> is set. If more concurrent
connections are coming in, they will be refused until at least
one existing connection is terminated. This setting has no
effect on sockets configured with
- <option>Accept=false</option> or datagram sockets. Defaults to
+ <option>Accept=no</option> or datagram sockets. Defaults to
64.</para></listitem>
</varlistentry>