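#!/bin/sh
# tinc-up template. The brace-style template directives and the dollar-brace
# variable references are expanded when the container renders this file; the
# escaped INTERFACE reference survives rendering and is set by tincd when it
# runs the generated script to bring the VPN interface up.
#
# Render-time values (supplied by the environment of the renderer):
#   internal_interface, internal_address6, internal_mask6
#                      optional IPv6 address for an internal interface (default mask 128)
#   vip                optional virtual IP bound to alias :0 of the tinc interface
#   ip_aliases         optional comma-separated addresses DNAT'ed to tinc_peer_address
#   network_address, global_prefix
#                      the VPN network, as address/prefix (default prefix 16)
#   bgp_routes         optional comma-separated prefixes advertised by BGP
#   tinc_peer_address, netmask
#                      this node's address on the tinc interface (default netmask 255.255.255.0)
#
# Rule order matters: iptables -A appends, so the anti-spoofing DROP below is
# evaluated before the ACCEPT for the VPN network. Rules already present in the
# FORWARD chain from elsewhere are evaluated first and are not touched here.

# -p: tinc-up may run more than once (reconnects, restarts); an existing
# directory must not produce an error on every later run.
mkdir -p /tmp/tinc
# Best effort: a failure here is reported (on stderr) but does not stop setup.
sysctl -w net.ipv6.conf.\$INTERFACE.disable_ipv6=1 || echo "[WARNING] IPv6 couldn't be disabled on the \$INTERFACE interface!" >&2

{{ if len "${internal_address6:-}" }}
ifconfig "${internal_interface}" "${internal_address6}/${internal_mask6:-128}"
{{ end }}

{{ if len "${vip:-}" }}ifconfig "\$INTERFACE:0" "${vip}"{{ end }}

# Each alias is inserted (-I) at the top of nat PREROUTING so it takes
# precedence over the MARK rule appended further down. Traffic to an alias
# arriving from either the tinc interface or eth0 is redirected to this node.
{{ if len "${ip_aliases:-}" }}{{ range "$ip_aliases" | split "," }}iptables -t nat -I PREROUTING -d "{{ . }}" -i \$INTERFACE -j DNAT --to-destination "${tinc_peer_address}"
iptables -t nat -I PREROUTING -d "{{ . }}" -i eth0 -j DNAT --to-destination "${tinc_peer_address}"
{{ end }}{{ end }}

# Traffic entering from eth0 may always be forwarded into the VPN.
iptables -A FORWARD -i eth0 -o \$INTERFACE -j ACCEPT

# Plugins may communicate over eth0, the 'internal' docker network.
# Because of this, we should allow masquerading NAT through eth0:
# anything from eth0 whose source is outside the VPN network is marked and
# then masqueraded when it leaves through the tinc interface.
# NOTE(review): MARK is set in the nat table, which only sees the first packet
# of a connection; that is enough to drive MASQUERADE below, but the mangle
# table is the usual place for MARK -- confirm this is intended.
iptables -t nat -A PREROUTING -i eth0 ! -s "${network_address}/${global_prefix:-16}" -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -m mark --mark 1 -o \$INTERFACE -j MASQUERADE

# Prevent spoofing attacks: packets arriving from the VPN must carry a source
# inside the VPN network, and must not claim a source in a BGP-advertised
# prefix (those belong to the outside of this node).
iptables -A FORWARD -i \$INTERFACE ! -s "${network_address}/${global_prefix:-16}" -j DROP
{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -A FORWARD -i \$INTERFACE -s "{{.}}" -j DROP
{{ end }}{{ end }}

# Allow forwarding into the VPN network through the tinc interface, and out of
# eth0 towards BGP-advertised prefixes. (Kernel ip_forward itself is not
# enabled by this script.)
iptables -A FORWARD -o \$INTERFACE -d "${network_address}/${global_prefix:-16}" -j ACCEPT
{{ if len "${bgp_routes:-}" }}{{ range "$bgp_routes" | split "," }}iptables -A FORWARD -o eth0 -d "{{.}}" -j ACCEPT
{{ end }}{{ end }}

# Bring the interface up last, once the filter rules are in place.
ifconfig \$INTERFACE "${tinc_peer_address}" netmask "${netmask:-255.255.255.0}"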