Handle IPv6-less hosts in ip6tables shim

2026-06-10 09:35:58 +02:00 · 2025-11-18 12:28:20 +01:00
parent db54b2a505
commit c0539ea87d
12 changed files with 429 additions and 14 deletions
--- a/qbittorrent/rootfs/usr/local/sbin/ip6tables-restore
+++ b/qbittorrent/rootfs/usr/local/sbin/ip6tables-restore
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REAL_IP6TABLES_RESTORE="/sbin/ip6tables-restore"
+if [[ ! -x "${REAL_IP6TABLES_RESTORE}" ]]; then
+    REAL_IP6TABLES_RESTORE="/usr/sbin/ip6tables-restore"
+fi
+
+cleanup() {
+    [[ -n "${RULES_FILE:-}" && -f "${RULES_FILE}" ]] && rm -f "${RULES_FILE}"
+    [[ -n "${SANITIZED_FILE:-}" && -f "${SANITIZED_FILE}" ]] && rm -f "${SANITIZED_FILE}"
+}
+trap cleanup EXIT
+
+RULES_FILE="$(mktemp)"
+cat > "${RULES_FILE}"
+
+ipv6_unavailable() {
+    local message="$1"
+    [[ "${message}" =~ [Tt]able[[:space:]]does[[:space:]]not[[:space:]]exist ]] && return 0
+    [[ "${message}" =~ address[[:space:]]family[[:space:]]not[[:space:]]supported ]] && return 0
+    [[ "${message}" =~ can't[[:space:]]initialize[[:space:]]ip6tables[[:space:]]table ]] && return 0
+    [[ "${message}" =~ IPv6[[:space:]]support[[:space:]]not[[:space:]]available ]] && return 0
+    return 1
+}
+
+# First attempt with the original ruleset
+output=""
+if output="$(${REAL_IP6TABLES_RESTORE} "$@" < "${RULES_FILE}" 2>&1)"; then
+    [[ -n "${output}" ]] && printf '%s\n' "${output}" >&2
+    exit 0
+fi
+status=$?
+
+# Retry without comment matches if the kernel is missing the comment module
+SANITIZED_FILE="$(mktemp)"
+sed -E 's/-m[[:space:]]+comment[[:space:]]+--comment[[:space:]]+"[^"]*"//g' "${RULES_FILE}" > "${SANITIZED_FILE}"
+
+retry_output=""
+if retry_output="$(${REAL_IP6TABLES_RESTORE} "$@" < "${SANITIZED_FILE}" 2>&1)"; then
+    printf '%s\n' "ip6tables-restore failed with comment matches; reapplied without comments." >&2
+    printf '%s\n' "Original error: ${output}" >&2
+    [[ -n "${retry_output}" ]] && printf '%s\n' "${retry_output}" >&2
+    exit 0
+fi
+retry_status=$?
+
+# Final fallback: try legacy backend if available
+legacy_output=""
+for legacy in /sbin/ip6tables-restore-legacy /usr/sbin/ip6tables-restore-legacy; do
+    if [[ -x "${legacy}" ]]; then
+        if legacy_output="$(${legacy} "$@" < "${RULES_FILE}" 2>&1)"; then
+            printf '%s\n' "ip6tables-restore failed; succeeded using legacy backend." >&2
+            printf '%s\n' "Original error: ${output}" >&2
+            [[ -n "${legacy_output}" ]] && printf '%s\n' "${legacy_output}" >&2
+            exit 0
+        fi
+    fi
+
+done
+
+if ipv6_unavailable "${output}" || ipv6_unavailable "${retry_output}" || ipv6_unavailable "${legacy_output}"; then
+    printf '%s\n' "IPv6 firewall support not detected; skipping IPv6 ruleset restore and continuing." >&2
+    printf '%s\n' "Original error: ${output}" >&2
+    [[ -n "${retry_output}" ]] && printf '%s\n' "Sanitized retry error: ${retry_output}" >&2
+    [[ -n "${legacy_output}" ]] && printf '%s\n' "Legacy backend error: ${legacy_output}" >&2
+    exit 0
+fi
+
+printf '%s\n' "ip6tables-restore failed and fallbacks were unsuccessful." >&2
+printf '%s\n' "Original error: ${output}" >&2
+printf '%s\n' "Sanitized retry error: ${retry_output}" >&2
+exit ${retry_status}
--- a/qbittorrent/rootfs/usr/local/sbin/iptables-restore
+++ b/qbittorrent/rootfs/usr/local/sbin/iptables-restore
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REAL_IPTABLES_RESTORE="/sbin/iptables-restore"
+if [[ ! -x "${REAL_IPTABLES_RESTORE}" ]]; then
+    REAL_IPTABLES_RESTORE="/usr/sbin/iptables-restore"
+fi
+
+cleanup() {
+    [[ -n "${RULES_FILE:-}" && -f "${RULES_FILE}" ]] && rm -f "${RULES_FILE}"
+    [[ -n "${SANITIZED_FILE:-}" && -f "${SANITIZED_FILE}" ]] && rm -f "${SANITIZED_FILE}"
+}
+trap cleanup EXIT
+
+RULES_FILE="$(mktemp)"
+cat > "${RULES_FILE}"
+
+# First attempt with the original ruleset
+if output="$(${REAL_IPTABLES_RESTORE} "$@" < "${RULES_FILE}" 2>&1)"; then
+    [[ -n "${output}" ]] && printf '%s\n' "${output}" >&2
+    exit 0
+fi
+status=$?
+
+# Retry without comment matches if the kernel is missing the comment module
+SANITIZED_FILE="$(mktemp)"
+sed -E 's/-m[[:space:]]+comment[[:space:]]+--comment[[:space:]]+"[^"]*"//g' "${RULES_FILE}" > "${SANITIZED_FILE}"
+
+if retry_output="$(${REAL_IPTABLES_RESTORE} "$@" < "${SANITIZED_FILE}" 2>&1)"; then
+    printf '%s\n' "iptables-restore failed with comment matches; reapplied without comments." >&2
+    printf '%s\n' "Original error: ${output}" >&2
+    [[ -n "${retry_output}" ]] && printf '%s\n' "${retry_output}" >&2
+    exit 0
+fi
+retry_status=$?
+
+# Final fallback: try legacy backend if available
+for legacy in /sbin/iptables-restore-legacy /usr/sbin/iptables-restore-legacy; do
+    if [[ -x "${legacy}" ]]; then
+        if legacy_output="$(${legacy} "$@" < "${RULES_FILE}" 2>&1)"; then
+            printf '%s\n' "iptables-restore failed; succeeded using legacy backend." >&2
+            printf '%s\n' "Original error: ${output}" >&2
+            [[ -n "${legacy_output}" ]] && printf '%s\n' "${legacy_output}" >&2
+            exit 0
+        fi
+    fi
+done
+
+printf '%s\n' "iptables-restore failed and fallbacks were unsuccessful." >&2
+printf '%s\n' "Original error: ${output}" >&2
+printf '%s\n' "Sanitized retry error: ${retry_output}" >&2
+exit ${retry_status}
--- a/qbittorrent/rootfs/usr/local/sbin/sysctl
+++ b/qbittorrent/rootfs/usr/local/sbin/sysctl
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REAL_SYSCTL="/sbin/sysctl"
+if [[ ! -x "${REAL_SYSCTL}" ]]; then
+    REAL_SYSCTL="/usr/sbin/sysctl"
+fi
+
+if [[ "$#" -ge 2 && "$1" == "-q" && "$2" == "net.ipv4.conf.all.src_valid_mark=1" ]]; then
+    if "${REAL_SYSCTL}" "$@" >/dev/null 2>&1; then
+        exit 0
+    fi
+    # Suppress failure for this specific key to keep wg-quick from aborting in unprivileged environments.
+    exit 0
+fi
+
+exec "${REAL_SYSCTL}" "$@"