authorMattias Giese2022-06-06 18:12:24 +0200
committerMattias Giese2022-06-06 18:12:24 +0200
commit7ceb72cf6e035042168e4943703c185bb3e761b8 (patch)
tree571c810553e7827c5c13cc446785aa8a61edbb48 /jool.service
parent65aaa25a438c75e7e043e6ea828a1a67ad1831f0 (diff)
Bump to newest release
* fix broken scripts, internalize them here * bump to 4.1.7
Diffstat (limited to 'jool.service')
-rw-r--r--jool.service39
1 files changed, 39 insertions, 0 deletions
diff --git a/jool.service b/jool.service
new file mode 100644
index 000000000000..0ed16b4f503c
--- /dev/null
+++ b/jool.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=Stateful NAT64
+Documentation=https://jool.mx/en/documentation.html
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStartPre=/sbin/modprobe jool
+ExecStart=/usr/bin/jool file handle /etc/jool/jool.conf
+ExecStop=/usr/bin/jool -f /etc/jool/jool.conf instance remove
+# Do not modprobe -r; some other instance could be running.
+
+ConditionPathExists=/etc/jool/jool.conf
+
+# -- Security Section --
+# Long story short: All the jool clients need is read access on the config
+# files, and the Netlink socket to kernelspace.
+# The ExecStartPre above also needs to be able to modify kernel modules.
+# Everything else should probably be blocked.
+
+CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+InaccessiblePaths=/tmp /dev
+ProtectKernelTunables=yes
+ProtectKernelModules=no
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
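Review bot: `ConditionPathExists=/etc/jool/jool.conf` is placed in the `[Service]` section, but `Condition*=` settings are `[Unit]` directives; systemd logs an unknown-key warning for it and ignores it, so the unit is still started when the config file is missing and fails at `ExecStart` instead of being skipped cleanly. Move the line under `[Unit]`, e.g. directly after `After=network.target`. The `ProtectKernelModules=no` / `CAP_SYS_MODULE` pairing is justified by the `ExecStartPre` modprobe and the comment above explains it, which is good; consider also stating in that comment that `ProtectKernelModules=no` is the only reason the module-loading capability is reachable, since the sandbox otherwise reads as fully locked down.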