diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index f5cbe688ee..15b7f314a3 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -855,6 +855,52 @@ SocketBindDeny=any
+
+ RestrictNetworkInterfaces=
+
+
+ Takes a list of space-separated network interface names. This option restricts the network
+ interfaces that processes of this unit can use. By default processes can only use the network interfaces
+ listed (allow-list). If the first character of the rule is ~, the effect is inverted:
+ the processes can only use network interfaces not listed (deny-list).
+
+
+ This option can appear multiple times, in which case the network interface names are merged. If the
+ empty string is assigned the set is reset, all prior assigments will have not effect.
+
+
+ If you specify both types of this option (i.e. allow-listing and deny-listing), the first encountered
+ will take precedence and will dictate the default action (allow vs deny). Then the next occurrences of this
+ option will add or delete the listed network interface names from the set, depending of its type and the
+ default action.
+
+
+ The loopback interface ("lo") is not treated in any special way, you have to configure it explicitly
+ in the unit file.
+
+ Example 1: allow-list
+
+RestrictNetworkInterfaces=eth1
+RestrictNetworkInterfaces=eth2
+ Programs in the unit will be only able to use the eth1 and eth2 network
+ interfaces.
+
+
+ Example 2: deny-list
+
+RestrictNetworkInterfaces=~eth1 eth2
+ Programs in the unit will be able to use any network interface but eth1 and eth2.
+
+
+ Example 3: mixed
+
+RestrictNetworkInterfaces=eth1 eth2
+RestrictNetworkInterfaces=~eth1
+ Programs in the unit will be only able to use the eth2 network interface.
+
+
+
+
DeviceAllow=