On 12/13/2016 12:17 PM, Lennart Poettering wrote:

On Mon, 12.12.16 21:22, Paul Wouters (paul@xxxxxxxxx) wrote:

that's totally possible, and can be functionality-wise entirely
equivalent. The only difference is: systemd makes all of this
trivially easy to use, by making this a single-line change in a unit
file without involving C hacking.

For us (libreswan) it probably makes less sense to restrict address
family in the daemon. Our daemon just listens to UDP 500/4500, so it
would never be affected by any other kind of address families.

Well, if it creates that UDP socket itself then it needs access to
AF_INET, and AF_INET6 at least. And things like syslog() usually imply
AF_UNIX, hence it would probably be a good idea to add
"RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX" if your service
really needs nothing else. That way the service will lose access to
AF_PACKET, AF_NETLINK, AF_BLUETOOTH, … and everything else.

Proper IPv6 support requires AF_NETLINK, too.

Thanks,
Florian
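
Added example, not part of the thread and not systemd or libreswan code: a small checker that reads a unit file's RestrictAddressFamilies= lines and reports which of the families named in this thread would be blocked. The REQUIRED set, the function names and the sample units are constructed for illustration; how mixed allow/deny lines combine is an assumption about systemd's merge behaviour.

```python
# Families the thread says such a daemon needs: AF_INET/AF_INET6 for its UDP
# sockets, AF_UNIX for syslog(), AF_NETLINK for proper IPv6 support.
REQUIRED = {"AF_INET", "AF_INET6", "AF_UNIX", "AF_NETLINK"}

def effective_filter(unit_text):
    """Return (is_allow_list, families), or None if nothing is restricted."""
    families, allow_list, in_service = None, False, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_service = line == "[Service]"
            continue
        key, sep, value = line.partition("=")
        if not (in_service and sep and key.strip() == "RestrictAddressFamilies"):
            continue
        value = value.strip()
        if value == "":            # empty assignment resets the filter
            families, allow_list = None, False
        elif value == "none":      # allow-list with no entries
            families, allow_list = set(), True
        else:
            invert = value.startswith("~")   # "~" marks a deny-list
            if families is None:
                families, allow_list = set(), not invert
            for name in value.lstrip("~").split():
                # Assumption: a line of opposite polarity removes entries.
                if (not invert) == allow_list:
                    families.add(name)
                else:
                    families.discard(name)
    return None if families is None else (allow_list, families)

def blocked(unit_text, required=REQUIRED):
    """Required families that socket() would be refused for under this unit."""
    flt = effective_filter(unit_text)
    if flt is None:
        return set()
    allow_list, families = flt
    return {f for f in required if (f in families) != allow_list}

# Constructed sample units (not from the thread).
AS_SUGGESTED = "[Service]\nRestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX\n"
WITH_NETLINK = AS_SUGGESTED + "RestrictAddressFamilies=AF_NETLINK\n"

if __name__ == "__main__":
    print(sorted(blocked(AS_SUGGESTED)))
    print(sorted(blocked(WITH_NETLINK)))
```

Running the same check in review before a hardening change ships catches a missing family before the service fails at socket() time.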