support three routing modes as proposed by @bfg100k

Adds `ZEROTIER_ONE_GATEWAY_MODE` variable. Supported values are
`inbound` (forward traffic from ZeroTier cloud to local interfaces),
`outbound` (forward traffic from local interfaces to ZeroTier cloud)
and `both` (bi-directional). Defaults to `inbound`.

Also checks for `net.ipv4.ip_forward=1`. If not enabled, falls back
to standard client mode.

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>

scripts/entrypoint-router.sh

@@ -1,8 +1,6 @@
 #!/usr/bin/env sh
 set -Eeo pipefail
 
-echo "$(date) - launching ZeroTier-One in routing mode"
-
 if [ "${1:0:1}" = '-' ]; then
 	set -- zerotier-one "$@"
 fi
@@ -31,6 +29,19 @@ if [ "$(id -u)" = '0' -a -d "${CONFIG_DIR}" ]; then
 	chown -Rc "${PUID}:${PGID}" "${CONFIG_DIR}"
 fi
 
+# is routing enabled?
+if [ $(sysctl -n net.ipv4.ip_forward) -ne 1 ] ; then
+
+	# no! there is no point in setting up rules or termination handler
+	echo "$(date) - IPv4 forwarding not enabled - launching ZeroTier-One in non-routing mode"
+
+	# just exec the client (this script ends here)
+	exec "$@"
+
+fi
+
+echo "$(date) - launching ZeroTier-One in routing mode"
+
 # use an appropriate default for a local physical interface
 # (using eth0 maintains backwards compatibility)
 PHY_IFACES="${ZEROTIER_ONE_LOCAL_PHYS:-"eth0"}"
@@ -40,21 +51,50 @@ IPTABLES_CMD=iptables
 # but support an override to use iptables-nft
 [ "${ZEROTIER_ONE_USE_IPTABLES_NFT}" = "true" ] && IPTABLES_CMD=iptables-nft
 
+# the default forwarding mode is inbound (backwards compatible)
+GATEWAY_MODE="${ZEROTIER_ONE_GATEWAY_MODE:-"inbound"}"
+
 # the wildcard for the local zerotier interface is
 ZT_IFACE="zt+"
 
 # function to add and remove the requisite rules
 # - $1 is either "A" (add) or "D" (delete)
+# - $2 is comment
 update_iptables() {
-	for PHY_IFACE in ${PHY_IFACES} ; do
-		${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${PHY_IFACE} -j MASQUERADE
-		${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
-		${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -j ACCEPT
-	done
+	case "${GATEWAY_MODE}" in
+		"inbound" )
+			echo "$2 ${IPTABLES_CMD} rules for inbound traffic (ZeroTier to local interfaces ${PHY_IFACES})"
+			for PHY_IFACE in ${PHY_IFACES} ; do
+				${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${PHY_IFACE} -j MASQUERADE
+				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -j ACCEPT
+			done
+			;;
+		"outbound" )
+			echo "$2 ${IPTABLES_CMD} rules for outbound traffic (local interfaces ${PHY_IFACES} to ZeroTier)"
+			${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${ZT_IFACE} -j MASQUERADE
+			for PHY_IFACE in ${PHY_IFACES} ; do
+				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT
+				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -j ACCEPT
+			done
+			;;
+		"both" )
+			echo "$2 ${IPTABLES_CMD} rules for bi-directional traffic (local interfaces ${PHY_IFACES} to/from ZeroTier)"
+			${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${ZT_IFACE} -j MASQUERADE
+			for PHY_IFACE in ${PHY_IFACES} ; do
+				${IPTABLES_CMD} -t nat -${1} POSTROUTING -o ${PHY_IFACE} -j MASQUERADE
+				${IPTABLES_CMD} -${1} FORWARD -i ${ZT_IFACE} -o ${PHY_IFACE} -j ACCEPT
+				${IPTABLES_CMD} -${1} FORWARD -i ${PHY_IFACE} -o ${ZT_IFACE} -j ACCEPT
+			done
+			;;
+		* )
+			echo "Warning: ZEROTIER_ONE_GATEWAY_MODE=${GATEWAY_MODE} is not supported - ignored"
+			;;
+	esac
 }
 
 # add rules to set up NAT-routing
-update_iptables "A"
+update_iptables "A" "adding"
 
 # define where the ZeroTier daemon will write its output (if any)
 TAIL_PIPE=$(mktemp /tmp/zerotier-ipc-XXXXXX)
@@ -80,7 +120,7 @@ termination_handler() {
 	echo "$(date) - terminating ZeroTier-One"
 
 	# remove rules
-	update_iptables "D"
+	update_iptables "D" "removing"
 
 	# relay the termination message to the daemon
 	if [ -d "/proc/${ZEROTIER_DAEMON_PID}" ] ; then