AF_UNSPEC is used in calls to getaddrinfo(3) to request either IPv4 or IPv6 addresses. In the parser, we've been filtering out AF_UNSPEC as an option. It's a simple enough patch to enable it:
Index: b/common/Make.rules
===================================================================
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -98,7 +98,7 @@ list_capabilities: /usr/include/
# to mediate. We use PF_ here since that is what is required in
# bits/socket.h, but we will rewrite these as AF_.
-FILTER_ FAMILIES= PF_UNSPEC PF_UNIX FAMILIES= PF_UNIX
+FILTER_
__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
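Review bot: AF_UNSPEC has the value 0, so once PF_UNSPEC leaves FILTER_FAMILIES and the rewritten AF_ list starts carrying it, the parser and the rule encoding need a check that family 0 is not already treated as "unset" or "any family" somewhere (the concern raised below); please add parser test cases that `network unspec dgram,` is accepted and `network unspec raw,` is still distinguished from it, matching the manual ntpd results reported. The comment above the filter ("We use PF_ here ... but we will rewrite these as AF_.") should also say why PF_UNSPEC is now mediated, since the remaining list reads as families deliberately excluded and a later reader may put it back.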
However, there's some concern that because the value of AF_UNSPEC is 0, there might be some special handling of that case, or other unexpected issues.
That said, I'm able to reproduce the issue, and adding a rule 'network unspec dgram,' eliminated the rejections that ntpd was creating (whereas adding a rule 'network unspec raw,' as expected, did not).
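The getaddrinfo(3) behaviour described above, as an added example that is not part of the bug report or of AppArmor's own code: the AF_UNSPEC hint asks for either family, but every result carries a concrete family (AF_INET or AF_INET6), and that concrete family is what socket(2), and therefore the profile's network rule check at socket creation, sees. The addresses are constructed sample input and AI_NUMERICHOST is used so the program runs offline; it assumes glibc's getaddrinfo.

```c
/* Added example (not from the bug report or AppArmor): resolve with an
 * AF_UNSPEC hint and show the family that actually reaches socket(2).
 * Inputs are constructed loopback addresses; AI_NUMERICHOST avoids DNS. */
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill hints the way a client wanting "IPv4 or IPv6" does. */
static void unspec_hints(struct addrinfo *hints)
{
    memset(hints, 0, sizeof *hints);
    hints->ai_family = AF_UNSPEC;      /* either IPv4 or IPv6 */
    hints->ai_socktype = SOCK_DGRAM;   /* ntpd-style datagram socket */
    hints->ai_flags = AI_NUMERICHOST;  /* numeric input only, no resolver */
}

/* Resolve `host` with an AF_UNSPEC hint and return the family of the
 * first result (AF_INET or AF_INET6), or -1 on failure. */
int resolved_family(const char *host, const char *service)
{
    struct addrinfo hints, *res;
    int family;

    unspec_hints(&hints);
    if (getaddrinfo(host, service, &hints, &res) != 0 || res == NULL)
        return -1;
    family = res->ai_family;           /* concrete, never AF_UNSPEC */
    freeaddrinfo(res);
    return family;
}

/* Walk the result list and open a datagram socket with the family
 * getaddrinfo chose. Returns that family, or -1 if no socket could be
 * created; the socket is closed again before returning. */
int open_with_resolved_family(const char *host, const char *service)
{
    struct addrinfo hints, *res, *rp;
    int family = -1;

    unspec_hints(&hints);
    if (getaddrinfo(host, service, &hints, &res) != 0)
        return -1;
    for (rp = res; rp != NULL; rp = rp->ai_next) {
        /* This socket(2) call is where a `network inet dgram,` or
         * `network inet6 dgram,` rule is checked; rp->ai_family is the
         * family the check sees, and it is already resolved here. */
        int fd = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
        if (fd != -1) {
            family = rp->ai_family;
            close(fd);
            break;
        }
    }
    freeaddrinfo(res);
    return family;
}

int main(void)
{
    printf("AF_UNSPEC = %d\n", AF_UNSPEC);
    printf("127.0.0.1 -> family %d (AF_INET = %d)\n",
           resolved_family("127.0.0.1", "123"), AF_INET);
    printf("::1       -> family %d (AF_INET6 = %d)\n",
           resolved_family("::1", "123"), AF_INET6);
    printf("socket() opened with family %d\n",
           open_with_resolved_family("127.0.0.1", "123"));
    return 0;
}
```

The useful observation for the rule above is that a well-formed getaddrinfo client never passes AF_UNSPEC to socket(2) itself; a profile denial logged with family unspec therefore points at a socket created with family 0 directly, which is a separate code path from the resolver results shown here and worth tracing in the confined program before widening the profile.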