# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Start conntrackd as a system service"
author "chromium-os-dev@chromium.org"
# Lifecycle follows the generic system-services target: come up with it and
# go down with it.
start on starting system-services
stop on stopping system-services
# Restart the daemon if it dies.  NOTE(review): Upstart's default respawn
# limit (10 restarts in 5 s) applies, so a persistently crashing conntrackd
# ends up in the stopped state with only a log line -- confirm that is the
# intended failure mode for a netfilter-state daemon.
respawn
# The tracked PID is the child of the first fork.  That fork is expected to
# come from "minijail0 -i" in the exec stanza below (fork, then exit); the
# inner minijail0/conntrackd must therefore not daemonize again, otherwise
# Upstart follows the wrong process -- confirm against conntrackd's config.
expect fork
# Register the conntrack helpers conntrackd relies on and pin them to the
# specific flows that need them.  Upstart runs script stanzas under "sh -e",
# so any failing command here aborts the job start (post-stop then runs).
pre-start script
# User-space helper registrations (nfct, conntrack-tools).  They must exist
# before the CT --helper rules below can reference them by name.
nfct add helper ssdp inet tcp
nfct add helper ssdp inet udp
nfct add helper mdns inet udp
# These depend on the nfct commands, so they cannot be added to
# iptables.conf.
# Helpers are attached explicitly via the raw-table CT target, so only the
# flows matched here get a helper (rather than kernel-wide automatic helper
# assignment, which is the classic conntrack-helper attack surface --
# presumably that is why the raw table is used; confirm).
#   mDNS: outbound packets to the mDNS multicast group whose source port
#         is NOT already 5353 (i.e. queries from ephemeral ports).
#   SSDP: port 1900 in both directions (OUTPUT and PREROUTING).
# "-w" waits for the xtables lock instead of failing if another iptables
# invocation runs concurrently.
# NOTE(review): -A appends without a -C existence check, so if a previous
# post-stop did not complete, duplicate rules are appended here -- confirm
# whether that is acceptable.
iptables -t raw -A OUTPUT -p udp -d 224.0.0.251 '!' --sport 5353 \
--dport 5353 -j CT --helper mdns -w
iptables -t raw -A OUTPUT -p udp --dport 1900 -j CT --helper ssdp -w
iptables -t raw -A PREROUTING -p udp --dport 1900 -j CT --helper ssdp -w
# Keep TCP entries in CLOSE state for 120 s; post-stop restores this to 10
# (the kernel's built-in default -- confirm).  Why conntrackd needs the
# longer window is not documented here.
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close=120
end script
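post-stop script
# Undo pre-start in reverse order.  Upstart runs script stanzas under
# "sh -e", so with plain commands a single failing step -- e.g. a rule that
# was never installed because pre-start aborted part-way, or a helper that
# is already gone -- aborts the rest of the teardown and leaves stale CT
# rules / helper registrations behind; the next pre-start may then fail on
# the leftovers and the job never comes back.  Every step is therefore
# best-effort: failures are reported on stderr but do not stop the cleanup.
best_effort() {
  "$@" || echo "conntrackd post-stop: '$*' failed (status $?), continuing" >&2
}
# Restore the CLOSE-state TCP timeout (pre-start raised it from 10 to 120).
best_effort sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close=10
# Remove the CT --helper rules before unregistering the helpers they name.
best_effort iptables -t raw -D PREROUTING -p udp --dport 1900 -j CT --helper ssdp -w
best_effort iptables -t raw -D OUTPUT -p udp --dport 1900 -j CT --helper ssdp -w
best_effort iptables -t raw -D OUTPUT -p udp -d 224.0.0.251 '!' --sport 5353 \
  --dport 5353 -j CT --helper mdns -w
# Unregister the user-space helpers last.
best_effort nfct del helper mdns inet udp
best_effort nfct del helper ssdp inet udp
best_effort nfct del helper ssdp inet tcp
end script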
# Workaround no_new_privs and selinux security_bounded_transition by
# putting seccomp into an inner preload minijail.
# Two nested jails: the outer minijail0 runs without LD_PRELOAD (-T static)
# and builds the sandbox; the inner minijail0 only applies no_new_privs (-n)
# and the seccomp filter (-S), so the filter is installed from a
# preload-capable jail.  Flag summary (per minijail0 usage -- confirm against
# the minijail version actually shipped):
#   -i                   fork, then exit; this is the single fork that
#                        "expect fork" above relies on
#   -T static --ambient  treat the target as a static binary; keep ambient
#                        capabilities across exec so -c still applies after
#                        the uid/gid change
#   --profile minimalistic-mountns  minimal private mount namespace
#   -k tmpfs,/run,tmpfs,0xe  fresh tmpfs on /run; 0xe = nosuid|nodev|noexec
#   -b /run/lock,,1      bind-mount /run/lock writable (presumably for
#                        conntrackd's lock file -- confirm in conntrackd.conf)
#   -l                   new IPC namespace
#   -u/-g nfqueue        run as the unprivileged nfqueue user/group
#   -c 1000              capability mask 0x1000 = bit 12 = CAP_NET_ADMIN only
#                        (check linux/capability.h)
# NOTE(review): no PID namespace (-p) is requested; a network namespace (-e)
# is expectedly absent since conntrackd must see the host's netfilter state.
exec minijail0 -i \
-T static --ambient \
--profile minimalistic-mountns \
-k tmpfs,/run,tmpfs,0xe -b /run/lock,,1 \
-l -u nfqueue -g nfqueue -c 1000 \
/sbin/minijail0 -n \
-S /usr/share/policy/conntrackd-seccomp.policy \
/usr/sbin/conntrackd