On 12/14/2016 07:44 AM, Scott Schmit wrote:
> On Tue, Dec 13, 2016 at 05:54:54PM +0100, Florian Weimer wrote:
>> On 12/13/2016 12:17 PM, Lennart Poettering wrote:
>>> On Mon, 12.12.16 21:22, Paul Wouters (paul@xxxxxxxxx) wrote:
>>>> For us (libreswan) it probably makes less sense to restrict address
>>>> family in the daemon. Our daemon just listens to UDP 500/4500, so it
>>>> would never be affected by any other kind of address families.
>>> Well, if it creates that UDP socket itself then it needs access to
>>> AF_INET, and AF_INET6 at least. And things like syslog() usually imply
>>> AF_UNIX, hence it would probably be a good idea to add
>>> "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX" if your service
>>> really needs nothing else. That way the service will lose access to
>>> AF_PACKET, AF_NETLINK, AF_BLUETOOTH, … and everything else.
>> Proper IPv6 support requires AF_NETLINK, too.
> IPsec requires AF_NETLINK (NETLINK_XFRM) to manage the security
> associations & security policies. libreswan probably also needs to be
> able to manage the routing for IPsec tunnels (NETLINK_ROUTE[6]).
> The original RFCs for IPv6 mandated support for IPsec, but that's no
> longer required as of RFC 6434. Nothing else popped out at me as
> necessary for IPv6, but it's probably a moot point given XFRM.

IPv6 people argue that it's required to sort addresses according to the
length of the overlap with configured subnets and local addresses. This
requires that you enumerate the local network interfaces and their
addresses, and this information is only available over Netlink for IPv6.
IPv4 has an ioctl, too, but not IPv6.

Florian
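The thread turns on one concrete point: a daemon that does anything with IPv6 addresses (or with XFRM) has to open an AF_NETLINK socket, so the RestrictAddressFamilies= line Lennart proposed would have to read "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK". The program below is an added example written for this page; it is not code from the thread, from libreswan or from systemd. It does the enumeration Florian describes, an RTM_GETADDR dump over NETLINK_ROUTE, and parses the RTM_NEWADDR replies into a list of local addresses with their prefix lengths. It also builds a small constructed dump in memory (two addresses, made up for the example) so the parser can be exercised without talking to the kernel. The file name nladdr.c is an assumption. The error code is the one systemd documents for a filtered family: socket() fails with EAFNOSUPPORT. Note that the filter applies to the family argument of socket(2), so AF_NETLINK covers NETLINK_ROUTE and NETLINK_XFRM alike; the directive cannot admit one netlink protocol and deny the other.

```c
/* Added example, not code from this thread, libreswan or systemd: enumerate
 * local addresses with an RTM_GETADDR dump over AF_NETLINK/NETLINK_ROUTE, the
 * only interface Linux offers for IPv6 (IPv4 also has the SIOCGIFCONF ioctl).
 * Under "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX" the socket() call
 * in dump_local_addrs() fails with EAFNOSUPPORT.  Build: cc -Wall -o nladdr nladdr.c */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct local_addr {
    int family; unsigned ifindex; uint8_t prefixlen;
    unsigned char raw[16];                /* network-order address bytes */
    char text[INET6_ADDRSTRLEN];
};

/* Parse the RTM_NEWADDR messages in buf (one recv(), or a whole dump) into out[].
 * Returns the count, or -1 on NLMSG_ERROR; *done is set once NLMSG_DONE is seen.
 * IPv4 carries the local address in IFA_LOCAL (IFA_ADDRESS is the peer on
 * point-to-point links), IPv6 in IFA_ADDRESS, so IFA_LOCAL takes priority. */
static int parse_addr_dump(const void *buf, int len, struct local_addr *out,
                           int cap, int *done)
{
    const struct nlmsghdr *nlh = buf;
    int n = 0;
    for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (nlh->nlmsg_type == NLMSG_DONE) { *done = 1; break; }
        if (nlh->nlmsg_type == NLMSG_ERROR) return -1;
        if (nlh->nlmsg_type != RTM_NEWADDR || n >= cap) continue;
        const struct ifaddrmsg *ifa = NLMSG_DATA(nlh);
        if (ifa->ifa_family != AF_INET && ifa->ifa_family != AF_INET6) continue;
        int alen = ifa->ifa_family == AF_INET ? 4 : 16, rlen = IFA_PAYLOAD(nlh), have = 0;
        struct local_addr *a = &out[n];
        memset(a, 0, sizeof *a);
        a->family = ifa->ifa_family; a->ifindex = ifa->ifa_index; a->prefixlen = ifa->ifa_prefixlen;
        for (const struct rtattr *rta = IFA_RTA(ifa); RTA_OK(rta, rlen); rta = RTA_NEXT(rta, rlen)) {
            if ((int)RTA_PAYLOAD(rta) != alen) continue;
            if (rta->rta_type == IFA_LOCAL || (rta->rta_type == IFA_ADDRESS && !have)) {
                memcpy(a->raw, RTA_DATA(rta), alen);
                have = rta->rta_type == IFA_LOCAL ? 2 : 1;   /* IFA_LOCAL wins */
            }
        }
        if (have && inet_ntop(a->family, a->raw, a->text, sizeof a->text)) n++;
    }
    return n;
}

/* Constructed sample (not a real capture): fe80::1/64 and 192.0.2.10/24 on
 * ifindex 2, then the NLMSG_DONE the kernel ends a dump with. Parses it offline. */
int demo_parse_sample(struct local_addr *out, int cap)
{
    static const struct { int fam, attr; uint8_t plen; const char *txt; } s[] = {
        { AF_INET6, IFA_ADDRESS, 64, "fe80::1" }, { AF_INET, IFA_LOCAL, 24, "192.0.2.10" } };
    uint32_t buf[64]; char *p = (char *)buf;   /* uint32_t keeps nlmsghdr aligned */
    for (int i = 0; i < 2; i++) {
        struct nlmsghdr *nlh = (struct nlmsghdr *)p;
        int alen = s[i].fam == AF_INET ? 4 : 16;
        memset(nlh, 0, NLMSG_SPACE(sizeof(struct ifaddrmsg)) + RTA_SPACE(alen));
        nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
        nlh->nlmsg_type = RTM_NEWADDR; nlh->nlmsg_flags = NLM_F_MULTI;
        struct ifaddrmsg *ifa = NLMSG_DATA(nlh);
        ifa->ifa_family = s[i].fam; ifa->ifa_prefixlen = s[i].plen; ifa->ifa_index = 2;
        struct rtattr *rta = (struct rtattr *)(p + NLMSG_ALIGN(nlh->nlmsg_len));
        rta->rta_type = s[i].attr; rta->rta_len = RTA_LENGTH(alen);
        inet_pton(s[i].fam, s[i].txt, RTA_DATA(rta));
        nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rta->rta_len);
        p += NLMSG_ALIGN(nlh->nlmsg_len);
    }
    struct nlmsghdr *end = (struct nlmsghdr *)p;           /* NLMSG_DONE terminator */
    memset(end, 0, NLMSG_LENGTH(sizeof(int))); end->nlmsg_type = NLMSG_DONE;
    end->nlmsg_len = NLMSG_LENGTH(sizeof(int)); p += NLMSG_ALIGN(end->nlmsg_len);
    int done = 0, n = parse_addr_dump(buf, (int)(p - (char *)buf), out, cap, &done);
    return done ? n : -1;
}

/* Live dump; returns the count, or -1 with errno set (EAFNOSUPPORT when the
 * unit's RestrictAddressFamilies= list omits AF_NETLINK). */
int dump_local_addrs(struct local_addr *out, int cap)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (fd < 0) return -1;
    struct { struct nlmsghdr nlh; struct ifaddrmsg ifa; } req;
    memset(&req, 0, sizeof req);
    req.nlh.nlmsg_len = NLMSG_LENGTH(sizeof req.ifa);
    req.nlh.nlmsg_type = RTM_GETADDR; req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    req.ifa.ifa_family = AF_UNSPEC;       /* AF_INET6 here would limit the dump to v6 */
    int total = 0, done = 0;
    if (send(fd, &req, req.nlh.nlmsg_len, 0) < 0) { close(fd); return -1; }
    while (!done) {
        uint32_t buf[4096];
        ssize_t r = recv(fd, buf, sizeof buf, 0);
        int n = r < 0 ? -1 : parse_addr_dump(buf, (int)r, out + total, cap - total, &done);
        if (n < 0) { close(fd); if (r >= 0) errno = EIO; return -1; }
        total += n;
    }
    close(fd); return total;
}

int main(void)
{
    struct local_addr a[64];
    int n = dump_local_addrs(a, 64);
    if (n < 0) { perror("AF_NETLINK dump"); return 1; }   /* EAFNOSUPPORT when filtered */
    for (int i = 0; i < n; i++) printf("if%u %s/%u\n", a[i].ifindex, a[i].text, a[i].prefixlen);
    return 0;
}
```

Run it plainly and it lists every configured address; run it as a transient unit with the thread's proposed line, `systemd-run -t -p RestrictAddressFamilies="AF_INET AF_INET6 AF_UNIX" ./nladdr`, and the socket() call is refused with "Address family not supported by protocol" before any IPv6 address can be read. Appending AF_NETLINK to the list restores the dump, and it is the same entry that lets an IKE daemon reach NETLINK_XFRM, which is why a tighter allow list for libreswan cannot go below those four families.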
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx