summarylogtreecommitdiffstats
path: root/jool.service
diff options
context:
space:
mode:
authorMattias Giese2022-06-06 18:12:24 +0200
committerMattias Giese2022-06-06 18:12:24 +0200
commit7ceb72cf6e035042168e4943703c185bb3e761b8 (patch)
tree571c810553e7827c5c13cc446785aa8a61edbb48 /jool.service
parent65aaa25a438c75e7e043e6ea828a1a67ad1831f0 (diff)
downloadaur-7ceb72cf6e035042168e4943703c185bb3e761b8.tar.gz
Bump to newest release
* fix broken scripts, internalize them here * bump to 4.1.7
Diffstat (limited to 'jool.service')
-rw-r--r--jool.service39
1 files changed, 39 insertions, 0 deletions
diff --git a/jool.service b/jool.service
new file mode 100644
index 00000000000..0ed16b4f503
--- /dev/null
+++ b/jool.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=Stateful NAT64
+Documentation=https://jool.mx/en/documentation.html
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStartPre=/sbin/modprobe jool
+ExecStart=/usr/bin/jool file handle /etc/jool/jool.conf
+ExecStop=/usr/bin/jool -f /etc/jool/jool.conf instance remove
+# Do not modprobe -r; some other instance could be running.
+
+ConditionPathExists=/etc/jool/jool.conf
+
+# -- Security Section --
+# Long story short: All the jool clients need is read access on the config
+# files, and the Netlink socket to kernelspace.
+# The ExecStartPre above also needs to be able to modify kernel modules.
+# Everything else should probably be blocked.
+
+CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+InaccessiblePaths=/tmp /dev
+ProtectKernelTunables=yes
+ProtectKernelModules=no
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target