[Unit] Description=Stateless IP/ICMP Translator Documentation=https://nicmx.github.io/Jool After=network-pre.target ConditionPathExists=/etc/jool/jool_siit.conf [Service] Type=oneshot RemainAfterExit=yes ExecStartPre=/sbin/modprobe jool_siit ExecStart=/usr/bin/jool_siit file handle /etc/jool/jool_siit.conf ExecStop=/usr/bin/jool_siit -f /etc/jool/jool_siit.conf instance remove # Do not modprobe -r; some other instance could be running. # -- Security Section -- # Long story short: All the jool clients need is read access on the config # files, and the Netlink socket to kernelspace. # The ExecStartPre above also needs to be able to modify kernel modules. # Everything else should probably be blocked. CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN NoNewPrivileges=yes ProtectSystem=strict ProtectHome=yes InaccessiblePaths=/tmp /dev ProtectKernelTunables=yes ProtectKernelModules=no ProtectControlGroups=yes RestrictAddressFamilies=AF_NETLINK RestrictNamespaces=yes LockPersonality=yes MemoryDenyWriteExecute=yes RestrictRealtime=yes SystemCallArchitectures=native [Install] WantedBy=multi-user.target