How I think systemd IP address restrictions on socket units works

Systemd's IPAddressAllow and IPAddressDeny controls can be applied to socket units, restricting access only to those sockets rather than the entire service. This is implemented through eBPF programs attached to cgroups, with sockets inheriting these restrictions even when passed to other programs. However, this approach doesn't enable per-port IP access controls for regular service units.