Commit Graph

13 Commits

Author SHA1 Message Date
Lukas Prettenthaler
d18dfe3b09
keep legacy iptables as default to stay compatible with previous behavior 2023-11-05 12:59:36 -07:00
Phill Kelley
4d0f21c52b
unexpected script termination - entrypoint-router.sh
Resolves issue raised in #15 where `entrypoint-router.sh` exits after
telling the pipe listener process to go away, with the result that the
temporary pipe file does not get cleaned up on a container restart.

> The temporary pipe file is not persisted so it will always get cleaned
 up when the container is terminated or recreated.

The pipe listener process exits automatically without needing any signal
from `entrypoint-router.sh` so the script lines doing that are removed.

Instead of creating the pipe file using `mktemp` with a random suffix,
the hard-coded name "/tmp/zerotier-ipc-log" will be used. The pipe file
is:

* still in `/tmp` so it is not persisted and will get cleaned up when
 the container is terminated.

* always initalised empty each time the script runs (important if the
 container restarts).

Fixes: #15

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2022-08-03 12:45:22 +10:00
bfg100k
a130232f3e
fixed inbound / outbound drop rule order 2022-07-30 14:05:09 +10:00
bfg100k
4b154771fd
Fixed firewall rules for inbound/outbound scenarios 2022-07-29 18:07:34 +10:00
Phill Kelley
09df8bf66e
support three routing modes as proposed by @bfg100k
Adds `ZEROTIER_ONE_GATEWAY_MODE` variable. Supported values are
`inbound` (forward traffic from ZeroTier cloud to local interfaces),
`outbound` (forward traffic from local interfaces to ZeroTier cloud)
and `both` (bi-directional). Defaults to `inbound`.

Also checks for `net.ipv4.ip_forward=1`. If not enabled, falls back
to standard client mode.

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2022-07-27 21:58:39 +10:00
Phill Kelley
41d4501593
Improve entrypoint-router.sh:
- Remove redundant echo statements
- Improve comments
- Rename `PIPE` to `TAIL_PIPE` to clarify purpose
- Remove traps used during testing and consolidate on INT TERM and HUP
 (TERM being the usual case)
- Normal exit when ZeroTier aborts or exits just calls termination
handler
- Termination handler unconditionally removes iptables rules but
conditionally clobbers processes.
- All logging includes date.

Tested combination of waiting on ZeroTier + TERM trap correctly
handling:

1. Docker commands to restart, terminate, recreate, stack down, etc.
2. A reboot while the container is running (assuming restart unless
stopped).
3. External action clobbering the ZeroTier daemon.

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2022-07-25 11:09:06 +10:00
Phill Kelley
9b98b470f8
Change ZEROTIER_ONE_NETWORK_ID to ZEROTIER_ONE_NETWORK_IDS so more
than one network can be specified as defaults.

First cut at improved launch/tear-down so iptables entries do not get
duplicated, especially if the zerotier daemon quits because networking
has not come up properly after a reboot.

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2022-07-22 13:50:28 +10:00
Phill Kelley
f28b665afd
Extend router launch script:
1. Support `ZEROTIER_ONE_USE_IPTABLES_NFT` environment variable. If
omitted or has any value other than `true`, `iptables` is used
(maintains backwards compatibility). If `true`, substitutes
`iptables-nft`. This definitely seems to be necessary on Raspberry Pi
running Bullseye.
2. Support `ZEROTIER_ONE_LOCAL_PHYS` environment variable. Defaults to
`eth0` if omitted (maintains backwards compatibility). Allows for
overriding to `wlan0` (eg Raspberry Pi Zero 2W), or both `eth0 wlan0` to
support multiple subnets or failover modes, or similar situations (eg
extra network interface cards).
3. Support `ZEROTIER_ONE_NETWORK_ID` as an alternative to the `join`
command. Means container will always fail safe if its persistent storage
is erased - will look like a new identity but can be authorised and
will then be reachable for additional configuration.
4. Support `PUID` + `PGID` environment variables. Default to 999 and
994, respectively, mimicking what happens on a "native" install of
ZeroTier-One (on a Raspberry Pi).
5. Perform unconditional reset of ownership (PUID:PGID) throughout
persistent store on each launch. This avoids many permission problems
that can sometimes occur in docker environments.
6. Add launch message with date. Assists in assessing recency of
"sendto: Network unreachable" messages that can occur after a reboot
where the container resumes before networking is available.

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2022-07-19 18:41:38 +10:00
Phill Kelley
ddb2636141
rename "bridge" to "router"
1. Rename files with "bridge" in the name to "router".
2. Edit file contents referring to "bridge" so they refer to "router".
3. Update README to reflect this change, plus point to the relevant
link in the ZeroTier documentation.

Signed-off-by: Phill Kelley <34226495+Paraphraser@users.noreply.github.com>
2022-07-18 16:03:36 +10:00
Lukas Prettenthaler
52ee605ed1
add entrypoint and define env variables to override local settings 2022-06-12 17:53:02 +02:00
red
78fa865823 cleanup bridge 2022-01-30 12:28:43 +01:00
red
467f991907 fixed comments 2022-01-28 21:43:52 +01:00
red
1723b030ea Added bridge mode
Added K8S deployment
2022-01-19 09:02:11 +01:00