summaryrefslogtreecommitdiff
path: root/freerouter-p4mnl.service
diff options
context:
space:
mode:
Diffstat (limited to 'freerouter-p4mnl.service')
-rw-r--r--freerouter-p4mnl.service37
1 files changed, 37 insertions, 0 deletions
diff --git a/freerouter-p4mnl.service b/freerouter-p4mnl.service
new file mode 100644
index 0000000..82c3c4e
--- /dev/null
+++ b/freerouter-p4mnl.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=p4mnl specific process of freerouter
+Requires=freerouter.service freerouter-native@cpu_port.service network.target
+After=freerouter.service freerouter-native@cpu_port.service network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/p4mnl_user.bin 127.0.0.1 9080 2 eth1 eth2 veth250
+ExecStopPost=-/usr/sbin/ip link set dev eth1 xdpgeneric off
+ExecStopPost=-/usr/sbin/ip link set dev eth2 xdpgeneric off
+ExecStopPost=-/usr/sbin/ip link set dev veth250 xdpgeneric off
+Restart=always
+RestartSec=5
+WorkingDirectory=/var/lib/freerouter
+User=freerouter
+Group=freerouter
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_ADMIN
+AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_ADMIN
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=/var/lib/freerouter /etc/freerouter
+PrivateTmp=true
+# PrivateDevices is not possible because some types need access to a physical device.
+PrivateDevices=false
+PrivateNetwork=false
+# Private Users clears all capabilities.
+PrivateUsers=false
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictNamespaces=true
+LockPersonality=true
+RemoveIPC=true
+
+[Install]
+WantedBy=multi-user.target
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-21 14:21:23 +0000