From 30cbe4bc25387348792f027922b4402adf4dff8a Mon Sep 17 00:00:00 2001 From: Andreas Runfalk Date: Sat, 23 Mar 2019 13:19:13 +0100 Subject: [PATCH] Added iptables NAT support --- INFO.sh | 2 +- README.rst | 4 +++ scripts/start-stop-status | 61 +++++++++++++++++++++++++++++---------- 3 files changed, 51 insertions(+), 16 deletions(-) diff --git a/INFO.sh b/INFO.sh index 96a095a..dd6e020 100755 --- a/INFO.sh +++ b/INFO.sh @@ -2,7 +2,7 @@ source /pkgscripts-ng/include/pkg_util.sh package="WireGuard" -version="0.0.20190227" +version="0.0.20190227-2" displayname="WireGuard" maintainer="Andreas Runfalk" arch="$(pkg_get_platform)" diff --git a/README.rst b/README.rst index 552cd40..0601719 100644 --- a/README.rst +++ b/README.rst @@ -106,3 +106,7 @@ I based a lot of this work on by Reddit user `akhener `_. However, I had to modify their instructions a lot since my NAS has an ARM CPU which made cross compilation a lot trickier. + +GitHub user `galaxysd `_ made +`a guide `_ +on how to enable iptables NAT support. diff --git a/scripts/start-stop-status b/scripts/start-stop-status index 767443f..03052a1 100755 --- a/scripts/start-stop-status +++ b/scripts/start-stop-status 
@@ -1,20 +1,51 @@
 #!/bin/sh
+
+# This files contain environment variables with .ko files required for iptables
+# support. For some reason it's not loaded by default. The other weird thing
+# is that the .ko-files can't be loaded directly using insmod
+IPTABLES_MODULE_LIST="/usr/syno/etc/iptables_modules_list"
+source "$IPTABLES_MODULE_LIST"
+
+# Binary that allows loading iptables kernel modules
+SYNOMODULETOOL="/usr/syno/bin/synomoduletool"
+
+SERVICE_NAME="WireGuard"
+
 case $1 in
- start)
- /sbin/insmod $SYNOPKG_PKGDEST/wireguard/wireguard.ko
- exit 0
- ;;
- stop)
- /sbin/rmmod $SYNOPKG_PKGDEST/wireguard/wireguard.ko
- exit 0
- ;;
- status)
- /sbin/lsmod | grep wireguard && exit 0 || exit 3
- ;;
- killall)
+ start)
+ if [ -x "$SYNOMODULETOOL" -a -f "$IPTABLES_MODULE_LIST" ]; then
+ sysctl -w net.ipv4.ip_forward=1
+
+ # Load required modules
+ "$SYNOMODULETOOL" --insmod "$SERVICE_NAME" $KERNEL_MODULES_CORE
+ echo "Loaded $? iptables core modules"
+ "$SYNOMODULETOOL" --insmod "$SERVICE_NAME" $KERNEL_MODULES_NAT
+ echo "Loaded $? iptables NAT modules"
+ fi
+
+ /sbin/insmod $SYNOPKG_PKGDEST/wireguard/wireguard.ko
+ exit 0
+ ;;
+ stop)
+ /sbin/rmmod $SYNOPKG_PKGDEST/wireguard/wireguard.ko
+
+ if [ -x "$SYNOMODULETOOL" -a -f "$IPTABLES_MODULE_LIST" ]; then
+ "$SYNOMODULETOOL" --rmmod "$SERVICE_NAME" $KERNEL_MODULES_NAT
+ "$SYNOMODULETOOL" --rmmod "$SERVICE_NAME" $KERNEL_MODULES_CORE
+
+ # NOTE: If another service needs this to be set we may screw them
+ # over by disabling it here.
+ sysctl -w net.ipv4.ip_forward=0
+ fi
+ exit 0
+ ;;
+ status)
+ /sbin/lsmod | grep wireguard && exit 0 || exit 3
+ ;;
+ killall)
+ ;;
+ log)
+ exit 0
 ;;
- log)
- exit 0
- ;;
 esac
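Review bot: The stop branch writes `net.ipv4.ip_forward=0` unconditionally and the start branch sets it to 1 without recording the previous value, so stopping the package switches off forwarding that another service or the administrator may have enabled, and starting it makes the NAS forward between all interfaces whether or not NAT is wanted. Start should record that this script enabled forwarding only when the previous value was 0, and stop should reset it only when that record exists, as sketched below. Separately, `source "$IPTABLES_MODULE_LIST"` near the top runs for every action, including status and log, before the later `-f` test, and `source` is not POSIX under `#!/bin/sh`; `[ -f "$IPTABLES_MODULE_LIST" ] && . "$IPTABLES_MODULE_LIST"` would address both. The echo lines print `$?`, which is the tool's exit status and, as far as the hunk shows, not a count of loaded modules.

```shell
# Marker recording that this script enabled forwarding. The path is a
# placeholder; use a location that is cleared on reboot.
IP_FORWARD_MARKER="/path/to/wireguard-ip_forward.enabled"

# … unchanged: module list, SYNOMODULETOOL, SERVICE_NAME …

    start)
        # … inside the existing synomoduletool guard, replacing the bare sysctl …
        if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "0" ]; then
            sysctl -w net.ipv4.ip_forward=1 && : > "$IP_FORWARD_MARKER"
        fi
        # … unchanged: --insmod calls, insmod wireguard.ko …

    stop)
        # … unchanged: rmmod wireguard.ko, --rmmod calls …
        if [ -e "$IP_FORWARD_MARKER" ]; then
            sysctl -w net.ipv4.ip_forward=0
            rm -f "$IP_FORWARD_MARKER"
        fi
```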