alpine 3.19

hotio · Mar 3, 2024 · 2959808 · 2959808
1 parent f290ab7
commit 2959808
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 45 deletions.
diff --git a/VERSION.json b/VERSION.json
@@ -1,9 +1,9 @@
 {
-  "description": "Alpine 3.18",
-  "upstream_digest_amd64": "sha256:695ae78b4957fef4e53adc51febd07f5401eb36fcd80fff3e5107a2b4aa42ace",
-  "upstream_digest_arm64": "sha256:24b42af5b7bdb9ccf1252e508ee0a4fd85eb3286a4596c422739ae6beb3038f4",
+  "description": "Alpine 3.19",
+  "upstream_digest_amd64": "sha256:6457d53fb065d6f250e1504b9bc42d5b6c65941d57532c072d929dd0628977d0",
+  "upstream_digest_arm64": "sha256:a0264d60f80df12bc1e6dd98bae6c43debe6667c0ba482711f0d806493467a46",
   "upstream_image": "alpine",
-  "upstream_tag": "3.18",
+  "upstream_tag": "3.19",
   "version": "3.1.6.2",
   "version_s6": "3.1.6.2"
 }
diff --git a/linux-amd64.Dockerfile b/linux-amd64.Dockerfile
@@ -61,7 +61,7 @@ VOLUME ["${CONFIG_DIR}"]
 ENTRYPOINT ["/init"]
 
 # install packages
-RUN apk add --no-cache tzdata shadow bash curl wget jq grep sed coreutils findutils python3 unzip p7zip ca-certificates util-linux-misc libcap-utils unbound privoxy iproute2 openresolv wireguard-tools ipcalc iptables ip6tables nftables dos2unix && \
+RUN apk add --no-cache tzdata shadow bash curl wget jq grep sed coreutils findutils python3 unzip p7zip ca-certificates util-linux-misc libcap-utils unbound privoxy iproute2 openresolv wireguard-tools ipcalc iptables nftables dos2unix && \
     apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing wireguard-go && \
     apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community libnatpmp figlet
 

diff --git a/linux-arm64.Dockerfile b/linux-arm64.Dockerfile
@@ -61,7 +61,7 @@ VOLUME ["${CONFIG_DIR}"]
 ENTRYPOINT ["/init"]
 
 # install packages
-RUN apk add --no-cache tzdata shadow bash curl wget jq grep sed coreutils findutils python3 unzip p7zip ca-certificates util-linux-misc libcap-utils unbound privoxy iproute2 openresolv wireguard-tools ipcalc iptables ip6tables nftables dos2unix && \
+RUN apk add --no-cache tzdata shadow bash curl wget jq grep sed coreutils findutils python3 unzip p7zip ca-certificates util-linux-misc libcap-utils unbound privoxy iproute2 openresolv wireguard-tools ipcalc iptables nftables dos2unix && \
     apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing wireguard-go && \
     apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community libnatpmp figlet
 

diff --git a/root/etc/s6-overlay/s6-rc.d/init-wireguard/run.up b/root/etc/s6-overlay/s6-rc.d/init-wireguard/run.up
@@ -127,7 +127,7 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
     fi
 
     if [[ "${VPN_FIREWALL_TYPE}" == "legacy" ]] || ! lsmod | grep -q nf_tables; then
-        echo "[WRN] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] Falling back to [iptables-legacy], removing package [nftables]..."
+        echo "[WRN] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] Falling back to [iptables-nft], removing package [nftables]..."
         if grep -q alpine < /etc/os-release; then
             apk del nftables > /dev/null 2>&1
         else
@@ -239,69 +239,69 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
     echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] Added firewall rules:"
     if ! type nft > /dev/null 2>&1; then
         # Defaults
-        iptables-legacy -P FORWARD DROP
-        iptables-legacy -P INPUT DROP
-        iptables-legacy -P OUTPUT DROP
+        iptables-nft -P FORWARD DROP
+        iptables-nft -P INPUT DROP
+        iptables-nft -P OUTPUT DROP
 
         # INPUT
         IFS=',' read -ra additional_ports <<< "${open_ports%,}"
         for additional_port in "${additional_ports[@]}"; do
-            iptables-legacy -A INPUT -i "${nw_interface}" -p "${additional_port##*/}" --dport "${additional_port%/*}" -j ACCEPT
+            iptables-nft -A INPUT -i "${nw_interface}" -p "${additional_port##*/}" --dport "${additional_port%/*}" -j ACCEPT
             grep -q "${additional_port}" <<< "${VPN_AUTO_PORT_FORWARD_TO_PORTS}" && continue
-            iptables-legacy -I INPUT -i "${VPN_CONF}" -p "${additional_port##*/}" --dport "${additional_port%/*}" -j DROP
+            iptables-nft -I INPUT -i "${VPN_CONF}" -p "${additional_port##*/}" --dport "${additional_port%/*}" -j DROP
         done
         for nw_cidr in $networks_cidr; do
-            iptables-legacy -A INPUT -s "${nw_cidr}" -d "${nw_cidr}" -j ACCEPT
+            iptables-nft -A INPUT -s "${nw_cidr}" -d "${nw_cidr}" -j ACCEPT
         done
-        iptables-legacy -A INPUT -i "${VPN_CONF}" -j ACCEPT
-        iptables-legacy -A INPUT -i lo -j ACCEPT
-        iptables-legacy -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-        ipcalc -4 -c "${vpn_endpoint_ip}" && iptables-legacy -A INPUT -i "${nw_interface}" -p udp --sport "${vpn_endpoint_port}" -d "${default_ip}" -s "${vpn_endpoint_ip}" -j ACCEPT
+        iptables-nft -A INPUT -i "${VPN_CONF}" -j ACCEPT
+        iptables-nft -A INPUT -i lo -j ACCEPT
+        iptables-nft -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+        ipcalc -4 -c "${vpn_endpoint_ip}" && iptables-nft -A INPUT -i "${nw_interface}" -p udp --sport "${vpn_endpoint_port}" -d "${default_ip}" -s "${vpn_endpoint_ip}" -j ACCEPT
 
         # OUTPUT
         IFS=',' read -ra additional_ports <<< "${open_ports%,}"
         for additional_port in "${additional_ports[@]}"; do
-            iptables-legacy -A OUTPUT -o "${nw_interface}" -p "${additional_port##*/}" --sport "${additional_port%/*}" -j ACCEPT
+            iptables-nft -A OUTPUT -o "${nw_interface}" -p "${additional_port##*/}" --sport "${additional_port%/*}" -j ACCEPT
             grep -q "${additional_port}" <<< "${VPN_AUTO_PORT_FORWARD_TO_PORTS}" && continue
-            iptables-legacy -I OUTPUT -o "${VPN_CONF}" -p "${additional_port##*/}" --sport "${additional_port%/*}" -j DROP
+            iptables-nft -I OUTPUT -o "${VPN_CONF}" -p "${additional_port##*/}" --sport "${additional_port%/*}" -j DROP
         done
         for nw_cidr in $networks_cidr; do
-            iptables-legacy -A OUTPUT -s "${nw_cidr}" -d "${nw_cidr}" -j ACCEPT
+            iptables-nft -A OUTPUT -s "${nw_cidr}" -d "${nw_cidr}" -j ACCEPT
         done
-        iptables-legacy -A OUTPUT -o "${VPN_CONF}" -j ACCEPT
-        iptables-legacy -A OUTPUT -o lo -j ACCEPT
-        iptables-legacy -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-        ipcalc -4 -c "${vpn_endpoint_ip}" && iptables-legacy -A OUTPUT -o "${nw_interface}" -p udp --dport "${vpn_endpoint_port}" -s "${default_ip}" -d "${vpn_endpoint_ip}" -j ACCEPT
+        iptables-nft -A OUTPUT -o "${VPN_CONF}" -j ACCEPT
+        iptables-nft -A OUTPUT -o lo -j ACCEPT
+        iptables-nft -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
+        ipcalc -4 -c "${vpn_endpoint_ip}" && iptables-nft -A OUTPUT -o "${nw_interface}" -p udp --dport "${vpn_endpoint_port}" -s "${default_ip}" -d "${vpn_endpoint_ip}" -j ACCEPT
 
         # Show result
-        iptables-legacy -S
+        iptables-nft -S
 
         if [[ ${ipv6_wanted} == "true" ]]; then
             # Defaults
-            ip6tables-legacy -P FORWARD DROP
-            ip6tables-legacy -P INPUT DROP
-            ip6tables-legacy -P OUTPUT DROP
+            ip6tables-nft -P FORWARD DROP
+            ip6tables-nft -P INPUT DROP
+            ip6tables-nft -P OUTPUT DROP
 
             # INPUT
             IFS=',' read -ra additional_ports <<< "${open_ports%,}"
             for additional_port in "${additional_ports[@]}"; do
                 grep -q "${additional_port}" <<< "${VPN_AUTO_PORT_FORWARD_TO_PORTS}" && continue
-                ip6tables-legacy -I INPUT -i "${VPN_CONF}" -p "${additional_port##*/}" --dport "${additional_port%/*}" -j DROP
+                ip6tables-nft -I INPUT -i "${VPN_CONF}" -p "${additional_port##*/}" --dport "${additional_port%/*}" -j DROP
             done
-            ip6tables-legacy -A INPUT -i "${VPN_CONF}" -j ACCEPT
-            ip6tables-legacy -A INPUT -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT # Needs more work
+            ip6tables-nft -A INPUT -i "${VPN_CONF}" -j ACCEPT
+            ip6tables-nft -A INPUT -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT # Needs more work
 
             # OUTPUT
             IFS=',' read -ra additional_ports <<< "${open_ports%,}"
             for additional_port in "${additional_ports[@]}"; do
                 grep -q "${additional_port}" <<< "${VPN_AUTO_PORT_FORWARD_TO_PORTS}" && continue
-                ip6tables-legacy -I OUTPUT -o "${VPN_CONF}" -p "${additional_port##*/}" --sport "${additional_port%/*}" -j DROP
+                ip6tables-nft -I OUTPUT -o "${VPN_CONF}" -p "${additional_port##*/}" --sport "${additional_port%/*}" -j DROP
             done
-            ip6tables-legacy -A OUTPUT -o "${VPN_CONF}" -j ACCEPT
-            ip6tables-legacy -A OUTPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT # Needs more work
+            ip6tables-nft -A OUTPUT -o "${VPN_CONF}" -j ACCEPT
+            ip6tables-nft -A OUTPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT # Needs more work
 
             # Show result
-            ip6tables-legacy -S
+            ip6tables-nft -S
         fi
     else
         # Create chains

diff --git a/root/etc/s6-overlay/s6-rc.d/service-forwarder/run b/root/etc/s6-overlay/s6-rc.d/service-forwarder/run
@@ -13,11 +13,11 @@ for forward_port in "${forward_ports[@]}"; do
     [[ ! ${forward_port} =~ "@" ]] && continue
     internal="${forward_port##*@}"
     if ! type nft > /dev/null 2>&1; then
-        iptables-legacy -t nat -C PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${forward_port%@*}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null || \
-            iptables-legacy -t nat -A PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${forward_port%@*}" -j REDIRECT --to-ports "${internal%/*}"
+        iptables-nft -t nat -C PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${forward_port%@*}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null || \
+            iptables-nft -t nat -A PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${forward_port%@*}" -j REDIRECT --to-ports "${internal%/*}"
         if [[ ${ipv6_wanted} == "true" ]]; then
-            ip6tables-legacy -t nat -C PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${forward_port%@*}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null || \
-                ip6tables-legacy -t nat -A PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${forward_port%@*}" -j REDIRECT --to-ports "${internal%/*}"
+            ip6tables-nft -t nat -C PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${forward_port%@*}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null || \
+                ip6tables-nft -t nat -A PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${forward_port%@*}" -j REDIRECT --to-ports "${internal%/*}"
         fi
     else
         new_rule=$(grep "iifname \"${VPN_CONF}\" ${internal##*/} dport ${forward_port%@*} redirect to :${internal##*/} " <<< "$(nft --handle list chain inet hotio prerouting)" | sed 's/.* # handle //g')
@@ -46,13 +46,13 @@ while true; do
                 [[ ${forward_port} =~ "@" ]] && continue
                 internal="${forward_port##*@}"
                 if ! type nft > /dev/null 2>&1; then
-                    iptables-legacy -t nat -D PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${old_port}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null
-                    iptables-legacy -t nat -C PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${port}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null || \
-                        iptables-legacy -t nat -A PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${port}" -j REDIRECT --to-ports "${internal%/*}"
+                    iptables-nft -t nat -D PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${old_port}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null
+                    iptables-nft -t nat -C PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${port}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null || \
+                        iptables-nft -t nat -A PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${port}" -j REDIRECT --to-ports "${internal%/*}"
                     if [[ ${ipv6_wanted} == "true" ]]; then
-                        ip6tables-legacy -t nat -D PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${old_port}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null
-                        ip6tables-legacy -t nat -C PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${port}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null || \
-                            ip6tables-legacy -t nat -A PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${port}" -j REDIRECT --to-ports "${internal%/*}"
+                        ip6tables-nft -t nat -D PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${old_port}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null
+                        ip6tables-nft -t nat -C PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${port}" -j REDIRECT --to-ports "${internal%/*}" 2> /dev/null || \
+                            ip6tables-nft -t nat -A PREROUTING -i "${VPN_CONF}" -p "${internal##*/}" --dport "${port}" -j REDIRECT --to-ports "${internal%/*}"
                     fi
                 else
                     old_rule=$(grep "iifname \"${VPN_CONF}\" ${internal##*/} dport ${old_port} redirect to :${internal##*/} " <<< "$(nft --handle list chain inet hotio prerouting)" | sed 's/.* # handle //g')