Added rules for ipt v6; flag --no-lists

Author: uzen

README.md

@@ -2,15 +2,16 @@
 Custom startup script
 --------
 ```
-. /system/etc/init.d/99dnscrypt.sh start &
+. /system/etc/init.d/99dnscrypt.sh start &
 ```
 Custom shutdown script
 --------
 ```
 . /system/etc/init.d/99dnscrypt.sh stop &
 ```
 
--f | --force  
+-f | --force  reboot during startup if something went wrong
+-s | --no-lists disables the check for list of public DNS resolvers
 -r | --resolv_path  path to new public DNS resolvers (public-resolvers.md.minisig)
 
 To forced update the list of public DNS resolvers needed to remove the timestamp from the minisign secret key (*.md.minisig).

src/system/etc/dnscrypt-proxy/dnscrypt-proxy.toml

@@ -33,8 +33,7 @@ server_names = ['scaleway-fr', 'google', 'cloudflare']
 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
 ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
 
-#listen_addresses = ['127.0.0.1:5353', '[::1]:5353']
-listen_addresses = ['127.0.0.1:5353']
+listen_addresses = ['127.0.0.1:5353', '[::1]:5353']
 
 
 ## Maximum number of simultaneous client connections to accept

src/system/etc/dnscrypt-proxy/init-functions

@@ -120,47 +120,4 @@ wait_for_daemon () {
 
 		sleep 1
 	done
-}
-
-## Iptables rules ##
-
-IPTABLES=/system/bin/iptables
-WIFI_INT="wlan0"
-PROXY_PORT=5353
-
-iptrules_on () {
-	iptrules_off
-	$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
-	$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
-}
-
-iptrules_off () {
-	while $IPTABLES -n -t nat -L OUTPUT | grep -q "DNAT.*tcp.*dpt:53.*to:127.0.0.1:$PROXY_PORT" ; do
-		$IPTABLES -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
-	done
-	while $IPTABLES -n -t nat -L OUTPUT | grep -q "DNAT.*udp.*dpt:53.*to:127.0.0.1:$PROXY_PORT" ; do
-		$IPTABLES -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
-	done
-}
-
-ipv4_addr_lock () {
-	$IPTABLES -P INPUT DROP
-	$IPTABLES -P OUTPUT DROP
-	$IPTABLES -P FORWARD DROP
-	echo "1" > /proc/sys/net/ipv4/conf/all/disable_policy
-	echo "1" > /proc/sys/net/ipv4/conf/default/disable_policy
-	if [ -d /proc/sys/net/ipv4/conf/$WIFI_INT ]; then
-		echo "1" > /proc/sys/net/ipv4/conf/$WIFI_INT/disable_policy
-	fi
-}
-
-ipv4_addr_unlock () {
-	$IPTABLES -P INPUT ACCEPT
-	$IPTABLES -P OUTPUT ACCEPT
-	$IPTABLES -P FORWARD ACCEPT
-	echo "0" > /proc/sys/net/ipv4/conf/all/disable_policy
-	echo "0" > /proc/sys/net/ipv4/conf/default/disable_policy
-	if [ -d /proc/sys/net/ipv4/conf/$WIFI_INT ]; then
-		echo "0" > /proc/sys/net/ipv4/conf/$WIFI_INT/disable_policy
-	fi
-}
+}

src/system/etc/dnscrypt-proxy/iptables-rules

@@ -0,0 +1,61 @@
+## Iptables rules ##
+
+IPTABLES=/system/bin/iptables
+IP6TABLES=/system/bin/ip6tables
+WIFI_INT="wlan0"
+PROXY_PORT=5353
+
+allowed_ipv6 () {
+	[ ! -f /proc/net/ip6_tables_names ] && return 1
+}
+
+iptrules_on () {
+	iptrules_off
+	$IPTABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
+	$IPTABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:$PROXY_PORT
+	if allowed_ipv6; then
+		$IP6TABLES -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination [::1]:$PROXY_PORT
+		$IP6TABLES -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination [::1]:$PROXY_PORT
+	fi
+}
+
+iptrules_off () {
+	iptrules_off_helper $IPTABLES "tcp" "127.0.0.1"
+	iptrules_off_helper $IPTABLES "udp" "127.0.0.1"
+	if allowed_ipv6; then
+		iptrules_off_helper $IP6TABLES "tcp" "[::1]"
+		iptrules_off_helper $IP6TABLES "udp" "[::1]"
+	fi
+}
+
+iptrules_off_helper () {
+	IPT=$1
+	IPP=$2
+	IPA=$3
+	
+	while $IPT -n -t nat -L OUTPUT | grep -q "DNAT.*$IPP.*dpt:53.*to:$IPA:$PROXY_PORT" ; do
+		$IPT -t nat -D OUTPUT -p $IPP --dport 53 -j DNAT --to-destination $IPA:$PROXY_PORT
+	done
+}
+
+ipv4_addr_lock () {
+	$IPTABLES -P INPUT DROP
+	$IPTABLES -P OUTPUT DROP
+	$IPTABLES -P FORWARD DROP
+	echo "1" > /proc/sys/net/ipv4/conf/all/disable_policy
+	echo "1" > /proc/sys/net/ipv4/conf/default/disable_policy
+	if [ -d /proc/sys/net/ipv4/conf/$WIFI_INT ]; then
+		echo "1" > /proc/sys/net/ipv4/conf/$WIFI_INT/disable_policy
+	fi
+}
+
+ipv4_addr_unlock () {
+	$IPTABLES -P INPUT ACCEPT
+	$IPTABLES -P OUTPUT ACCEPT
+	$IPTABLES -P FORWARD ACCEPT
+	echo "0" > /proc/sys/net/ipv4/conf/all/disable_policy
+	echo "0" > /proc/sys/net/ipv4/conf/default/disable_policy
+	if [ -d /proc/sys/net/ipv4/conf/$WIFI_INT ]; then
+		echo "0" > /proc/sys/net/ipv4/conf/$WIFI_INT/disable_policy
+	fi
+}

src/system/etc/init.d/99dnscrypt.sh

@@ -12,23 +12,23 @@ LOCKFILE=$PIDDIR/dnscrypt-proxy.lock
 CONFIG_FILE=/etc/dnscrypt-proxy/dnscrypt-proxy.toml
 DESC="dns client proxy"
 
-
-. /system/etc/dnscrypt-proxy/init-functions
+. /etc/dnscrypt-proxy/iptables-rules
+. /etc/dnscrypt-proxy/init-functions
 
 # Exit if the package is not installed
 test -x $DAEMON || exit 0
 
 log_debug_msg () {
 	if [ -n "${1:-}" ]; then
 		echo "[D] $NAME: $@" || true
-		log -p d -t $NAME "$@" || true
+		log -p d -t $NAME "$@"
 	fi
 }
 
 log_error_msg () {
 	if [ -n "${1:-}" ]; then
 		echo "[E] $NAME: $@" || true
-		log -p e -t $NAME "$@" || true
+		log -p e -t $NAME "$@"
 	fi
 }
 
@@ -86,7 +86,9 @@ do_start () {
 
     case "$status" in
        0)
-            if ! wait_for_daemon _wfd_call; then
+            if [[ "$DNSCRYPT_NOLIST" = 1 ]]; then
+            	sleep $WAITFORDAEMON
+            elif ! wait_for_daemon _wfd_call; then
                 log_error_msg "the resolvers file couldn't be uploaded?"
                 set_prop "dnscrypt-resolvers" ""
                 return 10
@@ -105,7 +107,6 @@ do_start () {
 
 do_stop () {    
     if ! killproc "$DAEMON" "$PIDFILE"; then
-        log_debug_msg "$DAEMON died: process not running or permission denied"
         killall $NAME >/dev/null 2>&1
     fi
 
@@ -134,6 +135,8 @@ case "$1" in
                 continue
             elif [[ $arg == -f || $arg == --force ]]; then
                 DNSCRYPT_FORCE=1
+            elif [[ $arg == -s || $arg == --no-lists ]]; then
+                DNSCRYPT_NOLIST=1
             elif [[ $arg == -r || $arg == --resolv_path ]]; then
                 :
             elif [[ $prev == -r || $prev == --resolv_path ]]; then
@@ -144,9 +147,9 @@ case "$1" in
             prev=$arg
         done
 
-        status="0"
-        do_start || status="$?"
+        do_start
 
+        status="$?"     
         if [[ "$status" -ne 0 || "$DNSCRYPT_FORCE" = 1 ]]; then
             log_debug_msg "restore $DESC (#$status)"
             do_restart