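#!/bin/bash
# $Id$
#
# iptables configuration script for systemd
#
# Usage: magellan-iptables {start|stop|reload|save|panic|restart}
#
# Settings come from /etc/conf.d/iptables, which is expected to define:
#   IPTABLES_SAVE_PATH    - file the ruleset is saved to and restored from
#                           (required for start/save)
#   SAVE_RESTORE_OPTIONS  - extra arguments for iptables-save/iptables-restore
#                           (optional; deliberately word-split on whitespace)
#   SAVE_ON_STOP          - "yes" to persist the live ruleset before stopping

# default cmds
SVC_NAME=iptables
IPTABLES=/usr/sbin/iptables
IPTABLES_SAVE=/usr/sbin/iptables-save
IPTABLES_RESTORE=/usr/sbin/iptables-restore
# one table name per line for every netfilter table registered in the kernel
IPTABLES_PROC=/proc/net/ip_tables_names
SYSTEMDLIBDIR=/usr/lib/systemd

# read config
# shellcheck source=/dev/null
source "/etc/conf.d/${SVC_NAME}"

#######################################
# Make sure a saved ruleset exists before trying to restore it.
# Globals:   IPTABLES_SAVE_PATH, SVC_NAME, SYSTEMDLIBDIR (read)
# Outputs:   hint on how to create a ruleset, to stderr
# Returns:   0 if the saved ruleset is present; exits 1 otherwise
#######################################
checkconfig() {
  if [[ -z ${IPTABLES_SAVE_PATH-} || ! -f ${IPTABLES_SAVE_PATH} ]]; then
    echo "Not starting ${SVC_NAME}. First create some rules then run:" >&2
    echo "${SYSTEMDLIBDIR}/magellan-${SVC_NAME} save" >&2
    exit 1
  fi
  return 0
}

#######################################
# Set the policy of every built-in chain of one table.
# Arguments: $1 - table name (filter, nat, mangle, raw, security)
#            $2 - policy (ACCEPT or DROP)
# Globals:   IPTABLES (read)
# Returns:   0; a table without known built-in chains is skipped silently
#######################################
set_table_policy() {
  local table=$1 policy=$2
  local -a chains=()
  local chain

  # only built-in chains carry a policy; user-defined chains are deleted by -X
  case ${table} in
    nat)      chains=(PREROUTING POSTROUTING OUTPUT) ;;
    mangle)   chains=(PREROUTING INPUT FORWARD OUTPUT POSTROUTING) ;;
    filter)   chains=(INPUT FORWARD OUTPUT) ;;
    raw)      chains=(PREROUTING OUTPUT) ;;
    security) chains=(INPUT FORWARD OUTPUT) ;;
    *)        chains=() ;;
  esac

  # set rules to given policy
  for chain in "${chains[@]}"; do
    "${IPTABLES}" -t "${table}" -P "${chain}" "${policy}"
  done
}

#######################################
# List the tables currently registered in the kernel, one per line.
# Globals:   IPTABLES_PROC (read)
# Outputs:   table names to stdout; nothing when the proc file is absent
#            (e.g. the ip_tables module is not loaded)
# Returns:   0
#######################################
list_tables() {
  [[ -r ${IPTABLES_PROC} ]] && cat -- "${IPTABLES_PROC}"
  return 0
}

#######################################
# Flush every rule and delete every user-defined chain in all registered
# tables, optionally forcing a policy on the built-in chains.
# Arguments: $1 - policy to apply (ACCEPT, DROP), or empty to leave policies alone
# Globals:   IPTABLES (read)
# Returns:   0
#######################################
reset_tables() {
  local policy=${1-}
  local table

  for table in $(list_tables); do
    # policy first: flushing before setting DROP would leave the chains
    # empty under their old (ACCEPT) policy for a moment, i.e. wide open
    if [[ -n ${policy} ]]; then
      set_table_policy "${table}" "${policy}"
    fi
    # flush rules
    "${IPTABLES}" -F -t "${table}"
    # delete chains
    "${IPTABLES}" -X -t "${table}"
  done
  return 0
}

#######################################
# Persist the live ruleset to IPTABLES_SAVE_PATH.
# The dump is written to a mode-0600 temp file in the target directory and
# renamed into place only when iptables-save succeeded, so a failed dump
# cannot leave behind an empty ruleset that a later "start" would load.
# Globals:   IPTABLES_SAVE, IPTABLES_SAVE_PATH, SAVE_RESTORE_OPTIONS, SVC_NAME (read)
# Returns:   0 on success, 1 on failure; exits if IPTABLES_SAVE_PATH is unset
#######################################
save_rules() {
  local dir tmp

  : "${IPTABLES_SAVE_PATH:?IPTABLES_SAVE_PATH is not set in /etc/conf.d/${SVC_NAME}}"
  dir=$(dirname -- "${IPTABLES_SAVE_PATH}")
  if [[ ! -d ${dir} ]]; then
    install -d -- "${dir}" || return 1
  fi

  # the saved ruleset describes the network layout: create it unreadable to
  # others from the start rather than touch + chmod after the fact
  tmp=$(umask 077 && mktemp -- "${IPTABLES_SAVE_PATH}.XXXXXX") || return 1

  # SAVE_RESTORE_OPTIONS is intentionally unquoted: zero or more options
  # shellcheck disable=SC2086
  if "${IPTABLES_SAVE}" ${SAVE_RESTORE_OPTIONS} > "${tmp}"; then
    chmod 0600 -- "${tmp}"
    mv -f -- "${tmp}" "${IPTABLES_SAVE_PATH}"
  else
    rm -f -- "${tmp}"
    echo "Saving ${SVC_NAME} ruleset failed" >&2
    return 1
  fi
}

case "${1-}" in
  start)
    checkconfig
    echo "Loading ${SVC_NAME} ruleset ..."
    # a failed restore must be reported to systemd instead of exiting 0
    # shellcheck disable=SC2086
    "${IPTABLES_RESTORE}" ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}" || {
      echo "Loading ${SVC_NAME} ruleset failed" >&2
      exit 1
    }
    ;;
  stop)
    if [[ ${SAVE_ON_STOP-} = yes ]]; then
      # do not discard a live ruleset that could not be persisted
      save_rules || exit 1
    fi
    echo "Stopping ${SVC_NAME} and reseting ruleset ..."
    reset_tables ACCEPT
    ;;
  reload)
    echo "Flushing ${SVC_NAME} ruleset ..."
    reset_tables
    "$0" start
    ;;
  save)
    echo "Saving ${SVC_NAME} ruleset ..."
    save_rules
    ;;
  panic)
    echo "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
    # the filter table may not be registered yet; addressing it explicitly
    # loads it so that panic never ends with no DROP policy in place
    set_table_policy filter DROP
    reset_tables DROP
    ;;
  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|save|panic|restart}" >&2
    exit 1
    ;;
esac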