[Unit]
Description=Refresh policy routes for %I

[Service]
Type=oneshot
PrivateTmp=yes
AmbientCapabilities=CAP_NET_ADMIN
NoNewPrivileges=yes
User=root
ExecStart=/usr/bin/setup-policy-routes %i start
ExecStartPost=/usr/bin/setup-policy-routes %i cleanup
SuccessExitStatus=SIGTERM