add proper ipv6 checking

tzvetkoff · Aug 8, 2023 · 3912330 · 3912330
1 parent 8ff27e9
commit 3912330
Showing 1 changed file with 41 additions and 33 deletions.
diff --git a/container-entrypoint.sh b/container-entrypoint.sh
@@ -23,54 +23,62 @@ fi
 ############################################################################
 
 unconfigure_iptables() { 
-   set +e # Don't exit  
+    echo "Received SIG TERM/INT/KILL. Removing iptables / routing changes"
 
-   echo "Received SIG TERM/INT/KILL. Removing iptables / routing changes"
+    set +e # Don't exit if got error
+    set -x
 
-   iptables -t raw -D PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
-   iptables -t mangle -D POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
+    iptables -t raw -D PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
+    iptables -t mangle -D POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
 
-   iptables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
-   iptables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
+    iptables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+    iptables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
 
-   ip rule del fwmark 0x1 lookup 100
-   ip route del local 0.0.0.0/0 dev lo table 100
+    ip rule del fwmark 0x1 lookup 100
+    ip route del local 0.0.0.0/0 dev lo table 100
 
 
-   ip6tables -t raw -D PREROUTING ! -i lo -d ::1/128 -j DROP & > /dev/null #silence ipv6 errors
-   ip6tables -t mangle -D POSTROUTING ! -o lo -s ::1/128 -j DROP & > /dev/null
-   ip6tables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f & > /dev/null
-   ip6tables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f & > /dev/null
+    if [ $(cat /proc/sys/net/ipv6/conf/all/disable_ipv6) -eq 0 ]; then
+        ip6tables -t raw -D PREROUTING ! -i lo -d ::1/128 -j DROP
+        ip6tables -t mangle -D POSTROUTING ! -o lo -s ::1/128 -j DROP
+        ip6tables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+        ip6tables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
 
-   ip -6 rule del fwmark 0x1 lookup 100 & > /dev/null
-   ip -6 route del local ::/0 dev lo table 100 & > /dev/null
-
-   set -e
+        ip -6 rule del fwmark 0x1 lookup 100
+        ip -6 route del local ::/0 dev lo table 100
+    fi
+
+    set -e
+    set +x
 }
 
 configure_iptables() {
-   set +e # Don't exit if rule exist or ipv6 not enabled
-
-   echo "Configuring iptables and routing..."
+    echo "Configuring iptables and routing..."
 
-   iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
-   iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
+    set +e # Don't exit if got error
+    set -x
+
+    iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
+    iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
 
-   iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
-   iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
+    iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN  -j CONNMARK --set-xmark 0x01/0x0f
+    iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
 
-   ip rule add fwmark 0x1 lookup 100
-   ip route add local 0.0.0.0/0 dev lo table 100
+    ip rule add fwmark 0x1 lookup 100
+    ip route add local 0.0.0.0/0 dev lo table 100
 
-   ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP & > /dev/null #silence ipv6 errors
-   ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP & > /dev/null
-   ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f & > /dev/null
-   ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f & > /dev/null
+    if [ $(cat /proc/sys/net/ipv6/conf/all/disable_ipv6) -eq 0 ]; then
+        ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP
+        ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP
+        ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+        ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
 
-   ip -6 rule add fwmark 0x1 lookup 100 & > /dev/null
-   ip -6 route add local ::/0 dev lo table 100 & > /dev/null
-
-   set -e
+        ip -6 rule add fwmark 0x1 lookup 100
+        ip -6 route add local ::/0 dev lo table 100
+    fi
+
+    set -e
+    set +x
 }
 
 for i in "$@" ; do