From 58550c18dc02d208e6d1abb70ea38f8423a12880 Mon Sep 17 00:00:00 2001
From: pexcn <i@pexcn.me>
Date: Sun, 11 Dec 2022 01:13:42 +0800
Subject: [PATCH] add docker support

---
 docker/.dockerignore      |   2 +
 docker/Dockerfile         |  40 ++++++++++++
 docker/README.md          |   3 +
 docker/docker-compose.yml |  26 ++++++++
 docker/phantun.sh         | 131 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 202 insertions(+)
 create mode 100644 docker/.dockerignore
 create mode 100644 docker/Dockerfile
 create mode 100644 docker/README.md
 create mode 100644 docker/docker-compose.yml
 create mode 100755 docker/phantun.sh

diff --git a/docker/.dockerignore b/docker/.dockerignore
new file mode 100644
index 0000000..83e3d09
--- /dev/null
+++ b/docker/.dockerignore
@@ -0,0 +1,2 @@
+README.md
+docker-compose.yml
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..88432cf
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,40 @@
+#
+# Dockerfile for phantun
+#
+
+#
+# Build stage
+#
+FROM rust:alpine AS builder
+
+ARG VERSION=v0.6.0
+RUN apk update \
+  && apk add --no-cache --virtual .build-deps git musl-dev \
+  && git clone https://github.com/dndx/phantun.git --branch $VERSION \
+  && cd phantun \
+  && git checkout $VERSION \
+  && cargo build --release \
+  && strip target/release/server target/release/client \
+  && install target/release/server /usr/local/bin/phantun-server \
+  && install target/release/client /usr/local/bin/phantun-client \
+  && cd - \
+  && rm -r phantun \
+  && apk del .build-deps \
+  && rm -rf /var/cache/apk/*
+
+#
+# Runtime stage
+#
+FROM alpine:3.16
+LABEL maintainer="pexcn <i@pexcn.me>"
+
+RUN apk update \
+  && apk add --no-cache iptables ip6tables tzdata \
+  && rm -rf /var/cache/apk/*
+
+COPY --from=builder /usr/local/bin/phantun-server /usr/local/bin/
+COPY --from=builder /usr/local/bin/phantun-client /usr/local/bin/
+COPY phantun.sh /usr/local/bin/
+
+ENTRYPOINT ["phantun.sh"]
+CMD ["phantun-server", "--help"]
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 0000000..d8f1aeb
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,3 @@
+# phantun (docker)
+
+It is recommended to use docker-compose, see [docker-compose.yml](docker-compose.yml) for details.
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
new file mode 100644
index 0000000..204f6e5
--- /dev/null
+++ b/docker/docker-compose.yml
@@ -0,0 +1,26 @@
+version: '3.9'
+
+services:
+  phantun-server:
+    image: pexcn/docker-images:phantun
+    container_name: phantun-server
+    restart: unless-stopped
+    network_mode: host
+    privileged: true
+    environment:
+      TZ: Asia/Taipei
+      RUST_LOG: INFO
+    command: >
+      phantun-server --local 1985 --remote 127.0.0.1:1984 --ipv4-only
+
+  phantun-client:
+    image: pexcn/docker-images:phantun
+    container_name: phantun-client
+    restart: unless-stopped
+    network_mode: host
+    privileged: true
+    environment:
+      TZ: Asia/Taipei
+      RUST_LOG: INFO
+    command: >
+      phantun-client --local 127.0.0.1:1984 --remote 11.22.33.44:1985 --ipv4-only
diff --git a/docker/phantun.sh b/docker/phantun.sh
new file mode 100755
index 0000000..59c2f66
--- /dev/null
+++ b/docker/phantun.sh
@@ -0,0 +1,131 @@
+#!/bin/sh
+
+#
+# TODO: add ipv6 support
+#
+
+info() {
+  local green='\e[0;32m'
+  local clear='\e[0m'
+  local time=$(date '+%Y-%m-%d %T')
+  printf "${green}[${time}] [INFO]: ${clear}%s\n" "$*"
+}
+
+warn() {
+  local yellow='\e[1;33m'
+  local clear='\e[0m'
+  local time=$(date '+%Y-%m-%d %T')
+  printf "${yellow}[${time}] [WARN]: ${clear}%s\n" "$*" >&2
+}
+
+error() {
+  local red='\e[0;31m'
+  local clear='\e[0m'
+  local time=$(date '+%Y-%m-%d %T')
+  printf "${red}[${time}] [ERROR]: ${clear}%s\n" "$*" >&2
+}
+
+_get_default_iface() {
+  ip -4 route show default | awk -F 'dev' '{print $2}' | awk '{print $1}'
+}
+
+_get_addr_by_iface() {
+  ip -4 addr show dev "$1" | grep -w "inet" | awk '{print $2}' | awk -F '/' '{print $1}' | head -1
+}
+
+#_get_peer_by_iface() {
+#  ip -4 addr show dev "$1" | grep -w "inet" | awk '{print $4}' | awk -F '/' '{print $1}' | head -1
+#}
+
+_check_rule_by_comment() {
+  iptables-save | grep -q "$1"
+}
+
+_is_server_mode() {
+  [ "$1" = "phantun-server" ]
+}
+
+_is_ipv4_only() {
+  case "$@" in
+    *-4*|*--ipv4-only*)
+      return 0
+      ;;
+    *\ -4*|*\ --ipv4-only*)
+      return 0
+      ;;
+  esac
+  return 1
+}
+
+_get_tun_from_args() {
+  local tun=$(echo "$@" | awk -F '--tun' '{print $2}' | awk '{print $1}')
+  echo ${tun:=tun0}
+}
+
+_get_peer_from_args() {
+  local peer=$(echo "$@" | awk -F '--tun-peer' '{print $2}' | awk '{print $1}')
+  _is_server_mode "$1" && echo ${peer:=192.168.201.2} || echo ${peer:=192.168.200.2}
+}
+
+_get_port_from_args() {
+  echo "$@" | awk -F '-l|--local' '{print $2}' | awk '{print $1}'
+}
+
+_stop_process() {
+  kill $(pidof phantun-server phantun-client)
+  info "terminate phantun process."
+}
+
+_revoke_iptables() {
+  local tun=$(_get_tun_from_args "$@")
+  local port=$(_get_port_from_args "$@")
+  local comment="phantun_${tun}_${port}"
+  iptables-save | grep -v "${comment}" | iptables-restore
+  info "remove iptables rule: [${comment}]."
+}
+
+apply_sysctl() {
+  info "apply sysctl: $(sysctl -w net.ipv4.ip_forward=1)"
+  _is_ipv4_only "$@" || info "apply sysctl: $(sysctl -w net.ipv6.conf.all.forwarding=1)"
+}
+
+apply_iptables() {
+  local interface=$(_get_default_iface)
+  local address=$(_get_addr_by_iface "${interface}")
+  local tun=$(_get_tun_from_args "$@")
+  local peer=$(_get_peer_from_args "$@")
+  local port=$(_get_port_from_args "$@")
+  local comment="phantun_${tun}_${port}"
+
+  if _check_rule_by_comment "${comment}"; then
+    warn "iptables rule already exist, maybe needs to check."
+  else
+    iptables -A FORWARD -i $tun -j ACCEPT -m comment --comment "${comment}"
+    iptables -A FORWARD -o $tun -j ACCEPT -m comment --comment "${comment}"
+    if _is_server_mode "$1"; then
+      info "add iptables DNAT rule: [${comment}]: ${interface} -> ${tun}, ${address} -> ${peer}"
+      iptables -t nat -A PREROUTING -p tcp -i $interface --dport $port -j DNAT --to-destination $peer \
+        -m comment --comment "${comment}" || error "iptables DNAT rule add failed."
+    else
+      info "add iptables SNAT rule: [${comment}]: ${tun} -> ${interface}, ${peer} -> ${address}"
+      iptables -t nat -A POSTROUTING -s $peer -o $interface -j SNAT --to-source $address \
+        -m comment --comment "${comment}" || error "iptables SNAT rule add failed."
+    fi
+  fi
+}
+
+graceful_stop() {
+  warn "caught SIGTERM or SIGINT signal, graceful stopping..."
+  _stop_process
+  _revoke_iptables "$@"
+}
+
+start_phantun() {
+  trap 'graceful_stop "$@"' SIGTERM SIGINT
+  apply_sysctl "$@"
+  apply_iptables "$@"
+  "$@" &
+  wait
+}
+
+start_phantun "$@"