On Sa, 07.07.18 14:35, Michael Biebl ([email protected]) wrote:

> 2018-07-06 13:23 GMT+02:00 Lennart Poettering <[email protected]>:
> > Yes, Mantas is right, PrivateNetwork= disconnects the whole of
> > AF_NETLINK from the rest of the system, which means services that
> > require libudev device events can't use it.
>
> Thank you Lennart and Mantas.
> I was indeed not aware that PrivateNetwork=true has that effect wrt
> AF_NETLINK.
> Thanks for the explanation, this makes it perfectly clear now.
> It's indeed a pitfall one has to keep in mind when using PrivateNetwork=
>
> Tbh, I find it a bit confusing that we have three mechanisms now
> (PrivateNetwork, RestrictAddressFamilies, IPAddressDeny) and when one
> is supposed to use which one of these.
I'd just use all of them wherever possible. They do different things, and
while they might conceptually overlap in parts they also don't overlap in
many others. PrivateNetwork= doesn't work if you need device enumeration.
IPAddressDeny= only does IP, but does allow restriction per IP address
range.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
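As an added illustration that is not part of the thread, a unit file for a hypothetical daemon that needs libudev device events, showing how the three options discussed above fit together (the unit description and the binary path are placeholders):

```ini
# Added example, not from the thread: sandboxing a service that must keep
# receiving udev events, so PrivateNetwork=yes is not an option for it.
[Unit]
Description=Example device-monitoring daemon (placeholder)

[Service]
# Hypothetical binary; substitute the real service.
ExecStart=/usr/bin/example-udev-monitor

# Weak choice for this service, left commented out on purpose:
# PrivateNetwork=yes puts the service in its own network namespace, so
# its AF_NETLINK sockets are cut off from the host and libudev's monitor
# never sees a single uevent.
#PrivateNetwork=yes

# Restrict which socket families may be created at all: AF_UNIX for the
# journal and D-Bus, AF_NETLINK for udev. A socket(AF_INET, ...) or
# socket(AF_INET6, ...) call fails with EAFNOSUPPORT.
RestrictAddressFamilies=AF_UNIX AF_NETLINK

# Independently forbid IP traffic on any socket the service does end up
# holding (for example a descriptor inherited via socket activation).
# IPAddressAllow= could be added to carve out specific ranges.
IPAddressDeny=any

[Install]
WantedBy=multi-user.target
```

Each directive closes a different gap, which is why using them together, rather than picking one, is the robust choice where the service's needs permit it.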
