X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;ds=inline;f=filesystem%2Fetc%2Fsystemd%2Fsystem%2Fopenvpn-client-nn%40.service;h=ab5ccba2958e68dc5102ef62764bb25accc6651a;hb=a44ee8f739e11ef40402ea7eab92508f70445e68;hp=2f3b01323afa3f4ced14e2d127a615bb8188ab68;hpb=427d24b2b5edfa4ff53ec7e23e969b663ef8b9b5;p=distro-setup
diff --git a/filesystem/etc/systemd/system/openvpn-client-nn@.service b/filesystem/etc/systemd/system/openvpn-client-nn@.service
index 2f3b013..ab5ccba 100644
--- a/filesystem/etc/systemd/system/openvpn-client-nn@.service
+++ b/filesystem/etc/systemd/system/openvpn-client-nn@.service
@@ -13,18 +13,20 @@ RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
 ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/%i /usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# Ian: commented out these lines from upstream
 # until we get the next systemd version (233), which can do bind mounts
 # inside a mnt namespace via systemd, we have to setup our own, which requires
 # full priveledges.
+# when we enable CababilityBoundingSet, s/=/=+/ on these ExecStart/Stop lines.
+# systemd ver in flidas does not suppot =+
 #CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 # DeviceAllow=/dev/null rw
 # DeviceAllow=/dev/net/tun rw
-# ian: added just these lines from upstream
-ExecStartPre=+/a/bin/nnnat/systemd-nnnat start %i
-ExecStartPre=+/sbin/iptables-restore /a/bin/transmission-firewall/netns.rules
-ExecStopPost=+/a/bin/nnnat/systemd-nnnat stop %i
+ExecStartPre=/a/bin/newns/newns -n 10.173.0 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+ExecStopPost=/a/bin/newns/newns stop %i
 PrivateNetwork=true
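Review bot: Dropping the `+` prefix on the three ExecStartPre/ExecStopPost lines does more than give up the capability bypass: without it those commands are, as far as I can tell, also subject to the unit's own sandboxing, including the `PrivateNetwork=true` at the end of the hunk, so `newns` and `iptables-restore` may run inside the unit's private network namespace rather than the host's, which is worth confirming on a flidas box before relying on the NAT and firewall rules. The added comment only covers the capability side and has typos; I would write it as `# when we enable CapabilityBoundingSet, s/=/=+/ on these ExecStart/Stop lines.` and `# systemd version in flidas does not support =+ (the + prefix arrived in v231, I believe); without it these lines also run under PrivateNetwork= — verify`. It would also help to state plainly that, with CapabilityBoundingSet still commented out, openvpn and these helper commands run with the full root capability set, since the comment block currently only implies it.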