From fa32608c61a2db7984f6c4b29af6a41873bd0d89 Mon Sep 17 00:00:00 2001
From: Peter Galonza
Date: Fri, 28 Mar 2025 18:29:06 +0300
Subject: [PATCH 1/2] fix: use iptables-nft if nftables is loaded
---
client/server_scripts/awg/start.sh | 5 +++++
client/server_scripts/openvpn/start.sh | 5 +++++
client/server_scripts/openvpn_cloak/start.sh | 5 +++++
client/server_scripts/openvpn_shadowsocks/start.sh | 5 +++++
client/server_scripts/setup_host_firewall.sh | 5 +++++
client/server_scripts/wireguard/start.sh | 5 +++++
client/server_scripts/xray/start.sh | 5 +++++
7 files changed, 35 insertions(+)
diff --git a/client/server_scripts/awg/start.sh b/client/server_scripts/awg/start.sh
index 108e85df..a23d2111 100644
--- a/client/server_scripts/awg/start.sh
+++ b/client/server_scripts/awg/start.sh
@@ -11,6 +11,11 @@ wg-quick down /opt/amnezia/awg/wg0.conf
# start daemons if configured
if [ -f /opt/amnezia/awg/wg0.conf ]; then (wg-quick up /opt/amnezia/awg/wg0.conf); fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
# Allow traffic on the TUN interface.
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -j ACCEPT
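Review bot: The `ln -sf` on the third added line is unguarded, so on an image that does not ship /sbin/xtables-nft-multi it replaces /sbin/iptables with a dangling symlink and every iptables call below it fails, while an image without `lsmod` makes the condition silently false and leaves the legacy backend in use; the identical block is added in the openvpn, openvpn_cloak, openvpn_shadowsocks, wireguard and xray hunks. Guard on the target binary and read the kernel's module list directly so the check does not depend on a kmod userland: `if [ -x /sbin/xtables-nft-multi ] && grep -qw nf_tables /proc/modules 2>/dev/null; then`. A kernel with nf_tables built in rather than loaded as a module will not appear in either lsmod or /proc/modules, so the check is presumably best-effort and the comment should say so, e.g. `# best effort: switch iptables to the nft backend when the host kernel shows nf_tables loaded`. Only the `iptables` name is redirected; if these scripts also call iptables-save/iptables-restore or ip6tables outside the hunk, those would still dispatch to the legacy backend and need the same treatment.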
diff --git a/client/server_scripts/openvpn/start.sh b/client/server_scripts/openvpn/start.sh
index 4a56b5de..c3a73950 100644
--- a/client/server_scripts/openvpn/start.sh
+++ b/client/server_scripts/openvpn/start.sh
@@ -7,6 +7,11 @@ ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
# Allow traffic on the TUN interface.
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
diff --git a/client/server_scripts/openvpn_cloak/start.sh b/client/server_scripts/openvpn_cloak/start.sh
index d40dafce..ea66ff4c 100644
--- a/client/server_scripts/openvpn_cloak/start.sh
+++ b/client/server_scripts/openvpn_cloak/start.sh
@@ -7,6 +7,11 @@ ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
# Allow traffic on the TUN interface.
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
diff --git a/client/server_scripts/openvpn_shadowsocks/start.sh b/client/server_scripts/openvpn_shadowsocks/start.sh
index f9ab99c4..94664e48 100644
--- a/client/server_scripts/openvpn_shadowsocks/start.sh
+++ b/client/server_scripts/openvpn_shadowsocks/start.sh
@@ -7,6 +7,11 @@ ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
if [ ! -c /dev/net/tun ]; then mkdir -p /dev/net; mknod /dev/net/tun c 10 200; fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
# Allow traffic on the TUN interface.
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
diff --git a/client/server_scripts/setup_host_firewall.sh b/client/server_scripts/setup_host_firewall.sh
index 605de511..2108b226 100644
--- a/client/server_scripts/setup_host_firewall.sh
+++ b/client/server_scripts/setup_host_firewall.sh
@@ -1,3 +1,8 @@
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ sudo update-alternatives --set iptables /usr/sbin/iptables-nft
+fi
+
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -C INPUT -p icmp --icmp-type echo-request -j DROP || sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
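Review bot: `sudo update-alternatives --set iptables /usr/sbin/iptables-nft` is a persistent host-wide change (it also puts the alternative into manual mode and affects every other iptables user on the host, including the Docker engine that prepare_host.sh visibly drives), and it fails outright on hosts where iptables-nft is not registered as an alternative or where update-alternatives is absent, which the lsmod check does not cover; the block moves unchanged to prepare_host.sh in PATCH 2. Guard on the binary before switching: `if [ -x /usr/sbin/iptables-nft ] && lsmod | grep -qw nf_tables; then`, and consider recording the previous alternative so it can be restored when the host is cleaned up. Whether a failing update-alternatives aborts the script depends on whether it runs under set -e, which is not visible here, and the PATCH 2 copy also leaves prepare_host.sh without a trailing newline.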
diff --git a/client/server_scripts/wireguard/start.sh b/client/server_scripts/wireguard/start.sh
index 62d8127c..7d523c67 100644
--- a/client/server_scripts/wireguard/start.sh
+++ b/client/server_scripts/wireguard/start.sh
@@ -11,6 +11,11 @@ wg-quick down /opt/amnezia/wireguard/wg0.conf
# start daemons if configured
if [ -f /opt/amnezia/wireguard/wg0.conf ]; then (wg-quick up /opt/amnezia/wireguard/wg0.conf); fi
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
# Allow traffic on the TUN interface.
iptables -A INPUT -i wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -j ACCEPT
diff --git a/client/server_scripts/xray/start.sh b/client/server_scripts/xray/start.sh
index 0148552f..5eeb0ca2 100644
--- a/client/server_scripts/xray/start.sh
+++ b/client/server_scripts/xray/start.sh
@@ -5,6 +5,11 @@
echo "Container startup"
#ifconfig eth0:0 $SERVER_IP_ADDRESS netmask 255.255.255.255 up
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+fi
+
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
From 924fda7c80fd271ec52173375e2ec6e88629c933 Mon Sep 17 00:00:00 2001
From: Peter Galonza
Date: Sat, 29 Mar 2025 23:01:01 +0300
Subject: [PATCH 2/2] refactor: update-alternatives in prepare step
---
client/server_scripts/prepare_host.sh | 5 +++++
client/server_scripts/setup_host_firewall.sh | 5 -----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/client/server_scripts/prepare_host.sh b/client/server_scripts/prepare_host.sh
index 1cc56a01..1f176c8c 100644
--- a/client/server_scripts/prepare_host.sh
+++ b/client/server_scripts/prepare_host.sh
@@ -7,3 +7,8 @@ if ! sudo docker network ls | grep -q amnezia-dns-net; then sudo docker network
--opt com.docker.network.bridge.name=amn0 \
amnezia-dns-net;\
fi
+
+# check if nf_tables is loaded
+if lsmod | grep -qw nf_tables; then
+ sudo update-alternatives --set iptables /usr/sbin/iptables-nft
+fi
\ No newline at end of file
diff --git a/client/server_scripts/setup_host_firewall.sh b/client/server_scripts/setup_host_firewall.sh
index 2108b226..605de511 100644
--- a/client/server_scripts/setup_host_firewall.sh
+++ b/client/server_scripts/setup_host_firewall.sh
@@ -1,8 +1,3 @@
-# check if nf_tables is loaded
-if lsmod | grep -qw nf_tables; then
- sudo update-alternatives --set iptables /usr/sbin/iptables-nft
-fi
-
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -C INPUT -p icmp --icmp-type echo-request -j DROP || sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP