einat.service


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

[Unit]
Description=eBPF-based Endpoint-Independent NAT
Documentation=https://github.com/EHfive/einat-ebpf
Requires=modprobe@cls_bpf.service
Requires=modprobe@act_bpf.service
Wants=network.target
Wants=network-online.target
After=networkt.target
After=network-online.target
After=modprobe@cls_bpf.service
After=modprobe@act_bpf.service

[Service]
Type=simple
ExecStart=/usr/bin/einat --config /etc/einat/config.toml
# Environment
User=einat
DynamicUser=yes
AmbientCapabilities=CAP_SYS_ADMIN CAP_NET_ADMIN
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_NET_ADMIN
NoNewPrivileges=yes
# Sandboxing
ProtectSystem=strict
ProtectHome=yes
ConfigurationDirectory=einat
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
LockPersonality=yes
RestrictRealtime=yes
PrivateMounts=yes
# TODO: SystemCallFilter

[Install]
WantedBy=multi-user.target