On 12/13/2016 12:17 PM, Lennart Poettering wrote:
> On Mon, 12.12.16 21:22, Paul Wouters (paul(a)nohats.ca) wrote:
>>> that's totally possible, and can be functionality-wise entirely
>>> equivalent. The only difference is: systemd makes all of this
>>> trivially easy to use, by making this a single-line change in a unit
>>> file without involving C hacking.
>>
>> For us (libreswan) it probably makes less sense to restrict address
>> family in the daemon. Our daemon just listens to UDP 500/4500, so it
>> would never be affected by any other kind of address families.
>
> Well, if it creates that UDP socket itself then it needs access to
> AF_INET, and AF_INET6 at least. And things like syslog() usually imply
> AF_UNIX, hence it would probably be a good idea to add
> "RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX" if your service
> really needs nothing else. That way the service will lose access to
> AF_PACKET, AF_NETLINK, AF_BLUETOOTH, … and everything else.

Proper IPv6 support requires AF_NETLINK, too.
Thanks,
Florian
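A unit drop-in that applies Lennart's suggested single-line change together with Florian's AF_NETLINK caveat, as an added example that is not part of the thread or of libreswan's own packaging; it assumes the daemon's unit is called ipsec.service (a placeholder name) and the usual /etc/systemd/system drop-in location.

```ini
# /etc/systemd/system/ipsec.service.d/restrict-af.conf
# Assumed drop-in for a hypothetical ipsec.service; run
# `systemctl daemon-reload` after creating it.
[Service]
# Allow-list form: only the families the daemon actually needs.
#   AF_INET / AF_INET6 for the UDP 500/4500 sockets,
#   AF_UNIX for syslog(),
#   AF_NETLINK because proper IPv6 support needs it (per the thread).
# Every other family (AF_PACKET, AF_BLUETOOTH, ...) is refused.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

# Weaker alternative, deny-list form: blocks only the named families
# and leaves everything else open. Use one form or the other, not both.
#RestrictAddressFamilies=~AF_PACKET AF_BLUETOOTH
```

`systemctl show -p RestrictAddressFamilies ipsec.service` prints the effective setting after the reload, and a socket() call for a refused family then fails with EAFNOSUPPORT instead of succeeding.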