
Commit c80f57a

twnessstaamarin
authored and committed
Extend routing/NAT rules for tun device
- Add POSTROUTING MASQUERADE rule for tun interface - Re-enable IPv6 rules for ULA (`fc00::/7`, `fd00::/8`) and link-local (`fe80::/10`)
1 parent a8ee249 commit c80f57a


1 file changed

+14
-10
lines changed


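--- a/box/scripts/box.iptables
+++ b/box/scripts/box.iptables
@@ -194,12 +194,14 @@ probe_tun_index() {
 while [ ! -f "/data/misc/net/rt_tables" ]; do
 sleep 1
 done
+
 while read -r index name; do
 if [ "${name}" = "${tun_device}" ]; then
 tun_table_index=${index}
 return 0
 fi
 done < /data/misc/net/rt_tables
+
 return 1
 }
 
@@ -214,17 +216,18 @@ tun_forward_ip_rules() {
 "from 192.168.0.0/16 lookup ${tun_table_index} pref 5050"
 "nop pref 6000"
 )
-
+
 ipv6_rules=(
 "iif lo goto 6000 pref 5000"
 "iif ${tun_device} lookup main suppress_prefixlength 0 pref 5010"
-# "from 2001:db8::/32 lookup ${tun_table_index} pref 5030"
-# "from fc00::/7 lookup ${tun_table_index} pref 5040"
-# "from fd00::/8 lookup ${tun_table_index} pref 5050"
 "iif ${tun_device} goto 6000 pref 5020"
+"from fc00::/7 lookup ${tun_table_index} pref 5030" # ULA
+"from fd00::/8 lookup ${tun_table_index} pref 5040" # Subset of ULA
+"from fe80::/10 lookup ${tun_table_index} pref 5050" # Link-local
+# "from 2000::/3 lookup ${tun_table_index} pref 5060"
 "nop pref 6000"
 )
-
+
 if [ "${iptables}" = "$IPV" ]; then
 for rule in "${ipv4_rules[@]}"; do
 ip -4 rule "${action}" ${rule}
@@ -237,23 +240,24 @@ tun_forward_ip_rules() {
 }
 
 tun_forward_ip_rules_del() {
-for preff in 5000 5010 5020 5030 5040 5050 6000; do
-ip -4 rule del pref $preff
-ip -6 rule del pref $preff
+for pref in 5000 5010 5020 5030 5040 5050 6000; do
+ip -4 rule del pref $pref 2>/dev/null
+ip -6 rule del pref $pref 2>/dev/null
 done
 }
 
 sing_tun_ip_rules() {
 ip -4 rule $1 from all iif ${tun_device} lookup main suppress_prefixlength 0 pref 8000
 ip -4 rule $1 lookup main pref 7000
-
 ip -6 rule $1 from all iif ${tun_device} lookup main suppress_prefixlength 0 pref 8000
 ip -6 rule $1 lookup main pref 7000
 }
 
 forward() {
 local action=$1
 
+${iptables} -t nat "${action}" POSTROUTING -o ${tun_device} -j MASQUERADE
+
 ${iptables} "${action}" FORWARD -i "${tun_device}" -j ACCEPT
 ${iptables} "${action}" FORWARD -o "${tun_device}" -j ACCEPT
 
@@ -280,7 +284,7 @@ forward() {
 return 1
 fi
 fi
-} >> /dev/null 2>&1
+} >/dev/null 2>&1
 
 start_redirect() {
 if [ "${iptables}" = "$IPV" ]; then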
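Review bot: The new MASQUERADE line in forward() leaves `${tun_device}` unquoted while the two FORWARD lines directly below it quote the same variable; for consistency (and ShellCheck SC2086) write `${iptables} -t nat "${action}" POSTROUTING -o "${tun_device}" -j MASQUERADE`. Because the whole function's output is sent to /dev/null, a nat-table failure (for example when `${iptables}` is ip6tables on a kernel without IPv6 NAT support) would go unreported, so consider capturing that command's exit status and logging it before discarding output. In tun_forward_ip_rules(), the added `from fe80::/10 lookup ${tun_table_index} pref 5050` rule sends forwarded link-local-sourced traffic into the tun table; since link-local packets are not meant to be forwarded off-link this is likely a no-op at best, and `fd00::/8` at pref 5040 is already matched by the `fc00::/7` rule at 5030, so both could probably be dropped with a comment saying why. forward() continues past the end of its hunk.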
