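#!/bin/sh
# {{ ansible_managed }}
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Set up iptables rules
# Description:       Loads current iptables rules from/to /etc/firewall
### END INIT INFO
#
# Loads the host firewall from shell fragments in
# /etc/firewall/rules-v4.d/*.sh (iptables) and /etc/firewall/rules-v6.d/*.sh
# (ip6tables).  Every fragment is sourced into this shell, i.e. executed with
# the privileges of the init script, so the directories and fragments must
# only be writable by root.
#
# Commands:
#   start|restart|reload|force-reload  flush all tables, then source the
#                                      fragments of each address family
#   flush                              flush all tables; policies are left at
#                                      ACCEPT, so the host is left unfiltered
#   stop                               deliberately a no-op (see below)
#   debug                              print the iptables/ip6tables/ipset
#                                      calls the fragments would make
#
# Exit status: 0 on success, 1 if a fragment failed or the command is unknown.

. /lib/lsb/init-functions

# The netfilter tools live in /sbin, which is not always on the caller's PATH.
PATH="/sbin:$PATH"

# Set to 1 when a rule fragment fails; used as the script's exit status.
rc=0

# flush_family TOOL
#   Reset the policy of the built-in chains to ACCEPT, then flush (-F),
#   delete user chains (-X) and zero counters (-Z) in every table that
#   TOOL-save reports.  TOOL is "iptables" or "ip6tables".
#   NOTE: from this point until the fragments have been sourced the host
#   accepts all traffic, so fragments should be quick and not interactive.
flush_family() {
  fw_tool=$1
  for chain in INPUT FORWARD OUTPUT; do
    "$fw_tool" -P "$chain" ACCEPT
  done
  # TOOL-save prints one "*name" header per table; word-splitting of the
  # substitution is intended (table names contain no whitespace).
  for table in $("$fw_tool-save" | awk '/^\*/ { print substr($1,2) }'); do
    "$fw_tool" -t "$table" -F
    "$fw_tool" -t "$table" -X
    "$fw_tool" -t "$table" -Z
  done
}

# Kept for fragments or callers that rely on the family-specific names.
flush_ipv4() {
  flush_family iptables
}

flush_ipv6() {
  flush_family ip6tables
}

# load_family LABEL DIR TOOL
#   Flush the family handled by TOOL and source every readable DIR/*.sh
#   fragment.  A fragment whose last command fails sets rc=1; a missing DIR
#   is reported and skipped.
load_family() {
  fw_label=$1
  fw_dir=$2
  fw_tool=$3
  if [ ! -d "$fw_dir" ]; then
    log_action_cont_msg " skipping $fw_label (no rules to load)"
    return 0
  fi
  log_action_cont_msg " $fw_label"
  flush_family "$fw_tool"
  for frag in "$fw_dir"/*.sh; do
    # An unmatched glob leaves the literal pattern behind; -r rejects it.
    [ -r "$frag" ] || continue
    . "$frag"
    # Checked via $? rather than "|| rc=1" so a fragment that enables set -e
    # keeps its own error semantics instead of running in a || list.
    if [ $? -ne 0 ]; then
      rc=1
    fi
  done
}

# Flush and reload both address families; rc reflects fragment failures.
load_rules() {
  log_action_begin_msg "Loading iptables rules"
  load_family IPv4 /etc/firewall/rules-v4.d iptables
  load_family IPv6 /etc/firewall/rules-v6.d ip6tables
  log_action_end_msg "$rc"
}

# Flush both address families without loading anything.  A family whose
# /proc/net/*_tables_names file is absent has no tables to flush.
flush_rules() {
  log_action_begin_msg "Flushing rules"
  if [ ! -f /proc/net/ip_tables_names ]; then
    log_action_cont_msg " skipping IPv4"
  else
    log_action_cont_msg " IPv4"
    flush_family iptables
  fi
  if [ ! -f /proc/net/ip6_tables_names ]; then
    log_action_cont_msg " skipping IPv6"
  else
    log_action_cont_msg " IPv6"
    flush_family ip6tables
  fi
  log_action_end_msg 0
}

case "$1" in
  start|restart|reload|force-reload)
    load_rules
    ;;
  stop)
    # Intentionally not flushing: "stop" would otherwise leave the host with
    # ACCEPT policies and no rules.  Flushing must be requested explicitly.
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
  flush)
    flush_rules
    ;;
  debug)
    # Dry run: the rule tools are replaced by printers so fragments only
    # echo their calls.  iptables-save/ip6tables-save are not shimmed, so
    # the flush step still reads the live tables (and needs the privileges
    # to do so).
    iptables() { echo "iptables $*"; }
    ip6tables() { echo "ip6tables $*"; }
    ipset() { echo "ipset $*"; }
    log_action_begin_msg() { :; }
    log_action_cont_msg() { :; }
    log_action_end_msg() { :; }
    load_rules
    ;;
  *)
    # "save" was advertised here but never implemented; "debug" is.
    echo "Usage: $0 {start|restart|reload|force-reload|flush|debug}" >&2
    exit 1
    ;;
esac

exit "$rc"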