RestrictAddressFamilies setting

This systemd unit setting was added since systemd 211.

Purpose: control what socket address families can be used by a unit

Why and when to use RestrictAddressFamilies

The setting RestrictAddressFamilies aims to restrict what socket address families can be used. When using it, the default is that it is used as an allow-list and define what address families can be used.

Settings

When this setting is not configured, there are no restrictions to what address families can be used.

Setting the value to none will block all address families.

To block specific address families only, a ~ can be used to turn the allow-list into a deny-list.

Caveats

This setting does not have effect on hardware platforms like:

• 32-bit x86
• s390 / s390x
• mips / mips-le
• ppc / ppc-le / ppc64/ ppc64-le

This setting does also not have effect on sockets created using alternative methods, including the systemd socket unit type or those created with the syscall socketpair.

Generic advice

Services that use networking functonality typically use AF_INET (IPv4) and AF_INET6 (IPv6). Using the address family AF_UNIX is suggested, as it may be used for local communication between services, including the usage of syslog syscall.

It is advised to use SystemCallArchitectures=native in combination with this setting, to prevent easy circumvention of the restrictions.

Example

A common combination might look like this.

[Service]
SystemCallArchitectures=native
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

Values

• none: all socket address families will be blocked
• [LIST OF FAMILIES]: socket address families listed will be allowed

Example to show the current value of RestrictAddressFamilies for the dmesg service: