| # Copyright 2016 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start conntrackd as a system service" |
| author "chromium-os-dev@chromium.org" |
| |
| start on starting system-services |
| stop on stopping system-services |
| |
| respawn |
| expect fork |
| |
| pre-start script |
| nfct add helper ssdp inet tcp |
| nfct add helper ssdp inet udp |
| nfct add helper mdns inet udp |
| |
| # These depend on the nfct commands, so they cannot be added to |
| # iptables.conf. |
| iptables -t raw -A OUTPUT -p udp -d 224.0.0.251 '!' --sport 5353 \ |
| --dport 5353 -j CT --helper mdns -w |
| iptables -t raw -A OUTPUT -p udp --dport 1900 -j CT --helper ssdp -w |
| iptables -t raw -A PREROUTING -p udp --dport 1900 -j CT --helper ssdp -w |
| |
| sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close=120 |
| end script |
| |
| post-stop script |
| sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close=10 |
| |
| iptables -t raw -D PREROUTING -p udp --dport 1900 -j CT --helper ssdp -w |
| iptables -t raw -D OUTPUT -p udp --dport 1900 -j CT --helper ssdp -w |
| iptables -t raw -D OUTPUT -p udp -d 224.0.0.251 '!' --sport 5353 \ |
| --dport 5353 -j CT --helper mdns -w |
| |
| nfct del helper mdns inet udp |
| nfct del helper ssdp inet udp |
| nfct del helper ssdp inet tcp |
| end script |
| |
| # Workaround no_new_privs and selinux security_bounded_transition by |
| # putting seccomp into an inner preload minijail. |
| exec minijail0 -i \ |
| -T static --ambient \ |
| --profile minimalistic-mountns \ |
| -k tmpfs,/run,tmpfs,0xe -b /run/lock,,1 \ |
| -l -u nfqueue -g nfqueue -c 1000 \ |
| /sbin/minijail0 -n \ |
| -S /usr/share/policy/conntrackd-seccomp.policy \ |
| /usr/sbin/conntrackd |