| # |
| # Copyright (C) 2013 The Android Open Source Project |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| |
| description "Run the netfilter-queue-helper multicast firewall extension" |
| author "chromium-os-dev@chromium.org" |
| |
| start on started system-services |
| stop on stopping system-services |
| expect fork |
| respawn |
| |
| script |
| EXEC_NAME="/usr/sbin/netfilter-queue-helper" |
| . /usr/sbin/netfilter-common |
| |
| # use minijail (drop root, keep CAP_NET_ADMIN) |
| exec minijail0 -u nfqueue -g nfqueue -c 1000 -i \ |
| -S /usr/share/policy/nfqueue-seccomp.policy -n \ |
| ${EXEC_NAME} \ |
| --input-queue=${NETFILTER_INPUT_NFQUEUE} \ |
| --output-queue=${NETFILTER_OUTPUT_NFQUEUE} |
| end script |