shill/init/netfilter-queue.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description   "Run the netfilter-queue-helper multicast firewall extension"
 author        "chromium-os-dev@chromium.org"

 start on started system-services
 stop on stopping system-services
 expect fork
 respawn

 script
   EXEC_NAME="/usr/sbin/netfilter-queue-helper"
   . /usr/sbin/netfilter-common

   # use minijail (drop root, keep CAP_NET_ADMIN)
   exec minijail0 -u nfqueue -g nfqueue -c 1000 -i \
       -S /usr/share/policy/nfqueue-seccomp.policy -n \
       ${EXEC_NAME} \
           --input-queue=${NETFILTER_INPUT_NFQUEUE} \
           --output-queue=${NETFILTER_OUTPUT_NFQUEUE}
 end script
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Run the netfilter-queue-helper multicast firewall extension"
	author "chromium-os-dev@chromium.org"

	start on started system-services
	stop on stopping system-services
	expect fork
	respawn

	script
	EXEC_NAME="/usr/sbin/netfilter-queue-helper"
	. /usr/sbin/netfilter-common

	# use minijail (drop root, keep CAP_NET_ADMIN)
	exec minijail0 -u nfqueue -g nfqueue -c 1000 -i \
	-S /usr/share/policy/nfqueue-seccomp.policy -n \
	${EXEC_NAME} \
	--input-queue=${NETFILTER_INPUT_NFQUEUE} \
	--output-queue=${NETFILTER_OUTPUT_NFQUEUE}
	end script