From 3912330040381eca9bf41ceaf602aba37f9daac5 Mon Sep 17 00:00:00 2001 From: clement Date: Tue, 8 Aug 2023 08:02:54 +0800 Subject: [PATCH] add proper ipv6 checking --- container-entrypoint.sh | 74 +++++++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 33 deletions(-)
diff --git a/container-entrypoint.sh b/container-entrypoint.sh
index b0641e4..643fe88 100755
--- a/container-entrypoint.sh
+++ b/container-entrypoint.sh
@@ -23,54 +23,62 @@ fi
 ############################################################################
 unconfigure_iptables() {
- set +e # Don't exit
+ echo "Received SIG TERM/INT/KILL. Removing iptables / routing changes"
- echo "Received SIG TERM/INT/KILL. Removing iptables / routing changes"
+ set +e # Don't exit if got error
+ set -x
- iptables -t raw -D PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
- iptables -t mangle -D POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
+ iptables -t raw -D PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
+ iptables -t mangle -D POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
- iptables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
- iptables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
+ iptables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+ iptables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
- ip rule del fwmark 0x1 lookup 100
- ip route del local 0.0.0.0/0 dev lo table 100
+ ip rule del fwmark 0x1 lookup 100
+ ip route del local 0.0.0.0/0 dev lo table 100
- ip6tables -t raw -D PREROUTING ! -i lo -d ::1/128 -j DROP & > /dev/null #silence ipv6 errors
- ip6tables -t mangle -D POSTROUTING ! -o lo -s ::1/128 -j DROP & > /dev/null
- ip6tables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f & > /dev/null
- ip6tables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f & > /dev/null
+ if [ $(cat /proc/sys/net/ipv6/conf/all/disable_ipv6) -eq 0 ]; then
+ ip6tables -t raw -D PREROUTING ! -i lo -d ::1/128 -j DROP
+ ip6tables -t mangle -D POSTROUTING ! -o lo -s ::1/128 -j DROP
+ ip6tables -t nat -D OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+ ip6tables -t mangle -D OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
- ip -6 rule del fwmark 0x1 lookup 100 & > /dev/null
- ip -6 route del local ::/0 dev lo table 100 & > /dev/null
-
- set -e
+ ip -6 rule del fwmark 0x1 lookup 100
+ ip -6 route del local ::/0 dev lo table 100
+ fi
+
+ set -e
+ set +x
 }
 configure_iptables() {
- set +e # Don't exit if rule exist or ipv6 not enabled
+ echo "Configuring iptables and routing..."
- echo "Configuring iptables and routing..."
+ set +e # Don't exit if got error
+ set -x
+
+ iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
+ iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
- iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
- iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
+ iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+ iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
- iptables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
- iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
+ ip rule add fwmark 0x1 lookup 100
+ ip route add local 0.0.0.0/0 dev lo table 100
- ip rule add fwmark 0x1 lookup 100
- ip route add local 0.0.0.0/0 dev lo table 100
+ if [ $(cat /proc/sys/net/ipv6/conf/all/disable_ipv6) -eq 0 ]; then
+ ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP
+ ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP
+ ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
+ ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f
- ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP & > /dev/null #silence ipv6 errors
- ip6tables -t mangle -A POSTROUTING ! -o lo -s ::1/128 -j DROP & > /dev/null
- ip6tables -t nat -A OUTPUT -m owner --uid-owner sslh -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f & > /dev/null
- ip6tables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f & > /dev/null
-
- ip -6 rule add fwmark 0x1 lookup 100 & > /dev/null
- ip -6 route add local ::/0 dev lo table 100 & > /dev/null
-
- set -e
+ ip -6 rule add fwmark 0x1 lookup 100
+ ip -6 route add local ::/0 dev lo table 100
+ fi
+
+ set -e
+ set +x
 }
 for i in "$@" ; do
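Review bot: The new IPv6 guard `if [ $(cat /proc/sys/net/ipv6/conf/all/disable_ipv6) -eq 0 ]; then`, used in both unconfigure_iptables and configure_iptables, leaves the substitution unquoted, so when that sysctl file is absent (IPv6 not built into the kernel, or /proc/sys/net/ipv6 not exposed to the container) `cat` fails, `[` runs as `[ -eq 0 ]` and prints a test error; the branch is then skipped only because `set +e` happens to be active. Checking readability and quoting makes the intent explicit and silent-by-design: `if [ -r /proc/sys/net/ipv6/conf/all/disable_ipv6 ] && [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" = 0 ]; then`. Since the identical check appears in both functions, a small `ipv6_enabled()` helper would keep the two copies from drifting apart. Also, with `set +e` in force a failing `ip6tables -t raw -A PREROUTING ! -i lo -d ::1/128 -j DROP` inside the branch is only visible in the `set -x` trace, and that rule is what rejects packets arriving on a non-loopback interface addressed to ::1 while the local route for `::/0` is installed, so an explicit `|| echo "warning: ip6tables rule failed" >&2` on the DROP rules would make a partial setup noticeable.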