diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 8079b4b210..bb38ea2467 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1508,40 +1508,29 @@
RestrictAddressFamilies=
- Restricts the set of socket address families
- accessible to the processes of this unit. Takes a
- space-separated list of address family names to whitelist,
- such as
- AF_UNIX,
- AF_INET or
- AF_INET6. When
- prefixed with ~ the listed address
- families will be applied as blacklist, otherwise as whitelist.
- Note that this restricts access to the
- socket2
- system call only. Sockets passed into the process by other
- means (for example, by using socket activation with socket
- units, see
- systemd.socket5)
- are unaffected. Also, sockets created with
- socketpair() (which creates connected
- AF_UNIX sockets only) are unaffected. Note that this option
- has no effect on 32-bit x86 and is ignored (but works
- correctly on x86-64). If running in user mode, or in system
- mode, but without the CAP_SYS_ADMIN
- capability (e.g. setting User=nobody),
- NoNewPrivileges=yes is implied. By
- default, no restriction applies, all address families are
- accessible to processes. If assigned the empty string, any
- previous list changes are undone.
+ Restricts the set of socket address families accessible to the processes of this unit. Takes a
+ space-separated list of address family names to whitelist, such as AF_UNIX,
+ AF_INET or AF_INET6. When prefixed with ~ the
+ listed address families will be applied as blacklist, otherwise as whitelist. Note that this restricts access
+ to the socket2 system call
+ only. Sockets passed into the process by other means (for example, by using socket activation with socket
+ units, see systemd.socket5)
+ are unaffected. Also, sockets created with socketpair() (which creates connected AF_UNIX
+ sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le,
+ ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other architectures, including x86-64). If
+ running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability
+ (e.g. setting User=nobody), NoNewPrivileges=yes is implied. By default,
+ no restrictions apply, all address families are accessible to processes. If assigned the empty string, any
+ previous address familiy restriction changes are undone. This setting does not affect commands prefixed with
+ +.
- Use this option to limit exposure of processes to remote
- systems, in particular via exotic network protocols. Note that
- in most cases, the local AF_UNIX address
- family should be included in the configured whitelist as it is
- frequently used for local communication, including for
+ Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
+ network protocols, such as AF_PACKET. Note that in most cases, the local
+ AF_UNIX address family should be included in the configured whitelist as it is frequently
+ used for local communication, including for
syslog2
- logging. This does not affect commands prefixed with +.
+ logging.
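
Review bot: Two typos in the added text need fixing before merge: "pcc64" in the architecture list (the line beginning "ppc, ppc-le, pcc64, ppc64-le") should read "ppc64", and "familiy" in "previous address familiy restriction changes are undone" should read "family". The architecture sentence is also hard to parse now that the list has grown: "has no effect on ... and is ignored" says the same thing twice around a nine-item list. Consider splitting it, for example "Note that this option is ignored on 32-bit x86, s390, ... It works correctly on other architectures, including x86-64." Since the setting is documented as a way to limit exposure to protocols such as AF_PACKET, it is worth stating in that sentence that units on the listed architectures run with no address family restriction at all, so readers do not assume the sandbox is in place there.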