# freerouter-p4xdp.service - systemd unit for the p4xdp user-space dataplane
# helper of freerouter. Runs p4xdp_user.bin as an unprivileged user with a
# narrowed capability set and filesystem/kernel sandboxing.
[Unit]
Description=p4xdp specific process of freerouter
# Requires= pulls these units in; After= orders this unit behind them, so the
# main freerouter service, the cpu_port native helper and basic networking
# are up before p4xdp_user.bin starts.
Requires=freerouter.service freerouter-native@cpu_port.service network.target
After=freerouter.service freerouter-native@cpu_port.service network.target

[Service]
Type=simple
# Arguments: 127.0.0.1 9080 is presumably the loopback control endpoint of the
# main freerouter process (confirm against p4xdp_user.bin's usage), "skb"
# selects the XDP attach mode, and eth1 eth2 veth250 are the interfaces the
# XDP program is attached to. The ExecStopPost= lines below must list the
# same interfaces.
ExecStart=/usr/bin/p4xdp_user.bin 127.0.0.1 9080 2 skb eth1 eth2 veth250
# Detach the generic (skb-mode) XDP program on stop so a crashed or stopped
# helper does not leave a stale program on the interfaces. The leading "-"
# makes a non-zero exit (e.g. interface already clean or missing) not count
# as a unit failure.
ExecStopPost=-/usr/sbin/ip link set dev eth1 xdpgeneric off
ExecStopPost=-/usr/sbin/ip link set dev eth2 xdpgeneric off
ExecStopPost=-/usr/sbin/ip link set dev veth250 xdpgeneric off
# Always restart, 5 seconds after any exit, regardless of exit status.
Restart=always
RestartSec=5
WorkingDirectory=/var/lib/freerouter
# Run as the dedicated service account; privileges come only from the
# ambient capabilities below, not from uid 0.
User=freerouter
Group=freerouter
# CAP_NET_RAW/CAP_NET_ADMIN: raw sockets and attaching XDP to interfaces.
# CAP_IPC_LOCK: presumably for locking BPF map / packet buffer memory.
# CAP_SYS_ADMIN: presumably needed for bpf() program loading; it is a very
# broad capability, so if the target kernel offers CAP_BPF/CAP_PERFMON,
# confirm whether it can be narrowed.
# The bounding set caps what can ever be acquired; the ambient set is what
# the process actually starts with.
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_ADMIN
# No privilege escalation via setuid/fscaps binaries after start.
NoNewPrivileges=true
# Whole filesystem read-only except the paths listed in ReadWritePaths=;
# /home, /root and /run/user are inaccessible.
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/freerouter /etc/freerouter
# Private /tmp and /var/tmp, not shared with other services.
PrivateTmp=true
# PrivateDevices is not possible because some types need access to a physical device.
PrivateDevices=false
# Host network namespace is required: the XDP program is attached to the
# real eth1/eth2/veth250 interfaces named in ExecStart=.
PrivateNetwork=false
# Private Users clears all capabilities.
PrivateUsers=false
# /proc/sys, /sys and friends read-only; module loading denied; cgroup
# hierarchy read-only.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# No creation of new namespaces, fixed execution personality, and SysV/POSIX
# IPC objects owned by the service user removed when the unit stops.
RestrictNamespaces=true
LockPersonality=true
RemoveIPC=true

[Install]
WantedBy=multi-user.target