PostUp, PostDown, PreDown truncated #549

bitrate16 opened this issue Feb 12, 2024 · 2 comments · May be fixed by #656 or #673
bitrate16 commented Feb 12, 2024

When setting a very long command for PostUp, PostDown or PreDown, or a command containing shell variable references, the command is truncated after applying the config.

Example:

```
iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE; WGUI="10.10.0.1"; TARGET="192.168.2.27"; forward_port () { iptables -t nat -A PREROUTING -p "$1" -d "$2" --dport "$4" -j DNAT --to "$3:$5"; iptables -A FORWARD -p "$1" -d "$3" --dport "$4" -j ACCEPT; }; forward_port udp "$WGUI" "$TARGET" 53 10153; forward_port tcp "$WGUI" "$TARGET" 80 10080; forward_port tcp "$WGUI" "$TARGET" 443 10443;
```

After reapplying config it becomes (shown in web ui):

```
iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE; WGUI=
```

Example 2:

```
iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE; iptables -t nat -A PREROUTING -p "udp" -d "10.10.0.1" --dport "53" -j DNAT --to "192.168.2.27:10153"; iptables -A FORWARD -p "udp" -d "192.168.2.27" --dport "53" -j ACCEPT; iptables -t nat -A PREROUTING -p "tcp" -d "10.10.0.1" --dport "80" -j DNAT --to "192.168.2.27:10080"; iptables -A FORWARD -p "tcp" -d "192.168.2.27" --dport "80" -j ACCEPT; iptables -t nat -A PREROUTING -p "tcp" -d "10.10.0.1" --dport "443" -j DNAT --to "192.168.2.27:10443"; iptables -A FORWARD -p "tcp" -d "192.168.2.27" --dport "443" -j ACCEPT
```

After reapplying config it becomes (shown in web ui):

```
iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE; iptables -t nat -A PREROUTING -p
```

which makes specifying a long custom configuration for iptables absolutely useless.

I've checked wg0.conf after the first apply - the command matches the original. After opening settings in the web UI, the command is truncated in settings and truncated after the second config apply.

I'm using Portainer and don't know how to add external files in it, unlike in standalone Docker on the host, so it's important to use a long command for custom forwarding rules (preferably with shell functions to make them shorter), but I can't.

UPD: When setting the same config without quotes, everything works


schwarmik commented Feb 14, 2024

I had the same problem and I also have a lot of iptables commands. In my opinion, the cleanest solution is to outsource the commands to a script. The script is then executed via PostUp or PostDown.

```ini
PostUp = /etc/wireguard/ifscript.sh up
PostDown = /etc/wireguard/ifscript.sh down
```

```sh
#!/bin/sh
# /etc/wireguard/ifscript.sh: called with "up" or "down" from PostUp/PostDown
if [ "$1" = "up" ]; then
    : # .... your PostUp commands
elif [ "$1" = "down" ]; then
    : # .... your PostDown commands
fi
```

@rwillert rwillert linked a pull request Dec 19, 2024 that will close this issue

samrocketman commented May 15, 2025

An alternate solution is to base64 encode your script and decode as part of executing. The backend DB is JSON and so the unescaped shell code corrupts or truncates as part of storing in the DB. Just be careful to not use JSON double quotes (") until there's a fix.
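
The base64 workaround described in the comment above, as an added example that is not part of the original thread or of wireguard-ui's code. The function names (`sample_script`, `encode_hook`, `decode_hook`, `ui_safe`) are hypothetical, the sample script reuses the addresses from the issue's example, and it assumes `base64` and `sh` are available where wg-quick runs the hook.

```shell
#!/bin/sh
# Added example: pack a multi-line hook script into one PostUp/PostDown value
# that contains no double quotes. Function names here are hypothetical.

# Constructed sample script, using the addresses from the issue's example.
sample_script() {
cat <<'EOF'
WGUI="10.10.0.1"
TARGET="192.168.2.27"
forward_port () {
    iptables -t nat -A PREROUTING -p "$1" -d "$2" --dport "$4" -j DNAT --to "$3:$5"
    iptables -A FORWARD -p "$1" -d "$3" --dport "$4" -j ACCEPT
}
forward_port udp "$WGUI" "$TARGET" 53 10153
forward_port tcp "$WGUI" "$TARGET" 80 10080
forward_port tcp "$WGUI" "$TARGET" 443 10443
EOF
}

# Read a script on stdin, print a one-line hook command. base64 output uses
# only A-Z a-z 0-9 + / =, so the line needs no quoting. wg-quick replaces %i
# with the interface name, which the decoded script then sees as $1.
encode_hook() {
    payload=$(base64 | tr -d '\n')   # drop the line wraps base64 inserts
    printf 'echo %s | base64 -d | sh -s -- %%i\n' "$payload"
}

# Recover the script text from a hook line without running it (for review).
decode_hook() {
    printf '%s\n' "$1" | awk '{ print $2 }' | base64 -d
}

# Succeeds only if the value has no double quote, the character the thread
# says gets the stored command truncated.
ui_safe() {
    case $1 in
        *'"'*) return 1 ;;
        *)     return 0 ;;
    esac
}

hook=$(sample_script | encode_hook)
ui_safe "$hook" && printf 'PostUp = %s\n' "$hook"
```

Running `decode_hook` on a stored value shows what a hook will execute before the config is applied.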

samrocketman added a commit to samrocketman/wireguard-ui that referenced this issue May 21, 2025
* Escaping HTML in several places.
* Adds PreUp config when one didn't exist.
* Adds environment variable support for PreUp and PreDown.

closes ngoduykhanh#549
closes ngoduykhanh#655
closes ngoduykhanh#656

See also
--------

- samrocketman/addons-homeassistant#9

Co-authored-by: Robert Willert <[email protected]>
@samrocketman samrocketman linked a pull request May 21, 2025 that will close this issue