On Wed, 14 Dec 2016, Scott Schmit wrote:
IPsec requires AF_NETLINK (NETLINK_XFRM) to manage the security associations & security policies. libreswan probably also needs to be able to manage the routing for IPsec tunnels (NETLINK_ROUTE[6]).
The nature of libreswan is that it allows custom "updown" scripts to be executed, which can do things we don't know beforehand. So any limitation here has to be carefully set. This is why we still allow seccomp to be disabled. For instance we don't use IPC, but some database client in updown might use it.
The original RFCs for IPv6 mandated support for IPsec, but that's no longer required as of RFC 6434. Nothing else popped out at me as necessary for IPv6, but it's probably a moot point given XFRM. So "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK" is probably enough? :)
Unless the updown scripts use a ping command, which is not uncommon for people to do :)

Paul
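As an added example (not part of the thread and not libreswan's code): a Python probe that can be run inside a unit carrying the proposed `RestrictAddressFamilies=` line, or from an updown script, to see which socket families the sandbox still permits. The probe list is constructed for illustration; systemd's filter makes `socket()` fail with EAFNOSUPPORT for a family that is not on the list.

```python
import errno
import socket


def _fam(name):
    # Some families exist only on Linux; None marks "not on this platform".
    return getattr(socket, name, None)


# Constructed probe list: (label, family, type, protocol).
# Netlink protocol numbers come from linux/netlink.h.
PROBES = [
    ("AF_INET tcp", _fam("AF_INET"), socket.SOCK_STREAM, 0),
    ("AF_INET6 tcp", _fam("AF_INET6"), socket.SOCK_STREAM, 0),
    ("AF_UNIX stream", _fam("AF_UNIX"), socket.SOCK_STREAM, 0),
    ("AF_NETLINK route", _fam("AF_NETLINK"), socket.SOCK_RAW, 0),  # NETLINK_ROUTE
    ("AF_NETLINK xfrm", _fam("AF_NETLINK"), socket.SOCK_RAW, 6),   # NETLINK_XFRM
    # Raw ICMP socket of the kind a ping command may open.
    ("AF_INET raw icmp", _fam("AF_INET"), socket.SOCK_RAW, socket.IPPROTO_ICMP),
    # A family outside the proposed list, for contrast.
    ("AF_PACKET raw", _fam("AF_PACKET"), socket.SOCK_RAW, 0),
]


def classify(err):
    """Map the outcome of socket() to a short status string."""
    if err is None:
        return "ok"
    if err.errno == errno.EAFNOSUPPORT:
        # Returned by the address-family filter, and also by a kernel
        # that lacks the family (for example IPv6 disabled).
        return "family-blocked"
    if err.errno in (errno.EPERM, errno.EACCES):
        # The family is allowed, but a capability or other policy is missing.
        return "needs-privilege"
    return "other:" + errno.errorcode.get(err.errno, str(err.errno))


def probe(probes=PROBES):
    """Try to create each socket and return {label: status}."""
    results = {}
    for label, family, kind, proto in probes:
        if family is None:
            results[label] = "unavailable-on-this-platform"
            continue
        try:
            socket.socket(family, kind, proto).close()
            results[label] = classify(None)
        except OSError as exc:
            results[label] = classify(exc)
    return results


if __name__ == "__main__":
    for label, status in probe().items():
        print(f"{label:20} {status}")
```

Running it once outside the sandbox and once inside separates what the address-family restriction blocks from what fails for lack of privilege.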