[Unit]
Description=p4mnl specific process of freerouter
Requires=freerouter.service freerouter-native@cpu_port.service network.target
After=freerouter.service freerouter-native@cpu_port.service network.target

[Service]
Type=simple
ExecStart=/usr/bin/p4mnl_user.bin 127.0.0.1 9080 2 eth1 eth2 veth250
ExecStopPost=-/usr/sbin/ip link set dev eth1 xdpgeneric off
ExecStopPost=-/usr/sbin/ip link set dev eth2 xdpgeneric off
ExecStopPost=-/usr/sbin/ip link set dev veth250 xdpgeneric off
Restart=always
RestartSec=5
WorkingDirectory=/var/lib/freerouter
User=freerouter
Group=freerouter
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_ADMIN
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/freerouter /etc/freerouter
PrivateTmp=true
# PrivateDevices is not possible because some types need access to a physical device.
PrivateDevices=false
PrivateNetwork=false
# Private Users clears all capabilities.
PrivateUsers=false
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
LockPersonality=true
RemoveIPC=true

[Install]
WantedBy=multi-user.target