blob: d809f87aa80e4fdf19e7861a5fdd3e94db6eb818 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
[Unit]
Description=p4dpdk specific process of freerouter
Requires=freerouter.service freerouter-native@cpu_port.service network.target
After=freerouter.service freerouter-native@cpu_port.service network.target
[Service]
Type=simple
ExecStart=/usr/bin/p4dpdk.bin -m 2048 --no-huge --no-pci --vdev=net_af_packet0,iface=eth1,blocksz=16384,framesz=16384 --vdev=net_af_packet1,iface=eth2,blocksz=16384,framesz=16384 --vdev=net_af_packet2,iface=veth250,blocksz=16384,framesz=16384 -- 127.0.0.1 9080 2 0 1 2 1 3 4 -2 65407 0 -9 256 0 -4 512 0
Restart=always
RestartSec=5
WorkingDirectory=/var/lib/freerouter
User=freerouter
Group=freerouter
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_IPC_LOCK
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_IPC_LOCK
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/freerouter /etc/freerouter
PrivateTmp=true
# PrivateDevices is not possible because some types need access to a physical device.
PrivateDevices=false
PrivateNetwork=false
# Private Users clears all capabilities.
PrivateUsers=false
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
LockPersonality=true
RemoveIPC=true
[Install]
WantedBy=multi-user.target
|
