#!/sbin/openrc-run
# Init script for ipset
# Copyright (C) 2012 Kaarle Ritvanen
# Licensed under the terms of the GPL2

description="Manage IP sets in the Linux kernel"
description_save="Save firewall IP sets"
description_reload="Load firewall IP sets"

extra_started_commands="save reload"

IPSET=/usr/sbin/ipset
DIR=/etc/ipset.d
STATUS=0

ipset() {
	$IPSET $* || STATUS=1
}

set_files() {
	(cd $DIR && ls)
}

set_file() {
	grep -v ^# $DIR/$1
}

set_exists() {
	$IPSET save $1 &> /dev/null
}

sets() {
	$IPSET save | sed "s/^create \\([^ ]\\+\\) ${1:+$1 }.*/\\1/;ta;d;:a"
}


depend() {
	before iptables ip6tables
}

start() {
	reload
}

stop() {
	ebegin "Flushing firewall IP sets"

	for name in $(sets list:set); do
		ipset destroy $name
	done

	for name in $(sets); do
		ipset destroy $name
	done

	eend $STATUS
}

save() {
	ebegin "Saving firewall IP sets"

	ipset save | while read cmd; do
		set -- $cmd
		local action=$1
		local file=$DIR/$2
		shift 2
		if [ "$action" = create ]; then
			echo $* > $file
		elif [ "$action" = add ]; then
			echo $* >> $file
		fi
	done

	for name in $(set_files); do
		set_exists $name || rm -f $DIR/$name
	done

	eend $STATUS
}

reload() {
	ebegin "Loading firewall IP sets"

	local swap=
	for name in $(set_files); do
		local new=$name
		if set_exists $name; then
			new=_init_$name
			swap="$swap $name"
		fi
		ipset create $new $(set_file $name | head -n 1)
	done

	for name in $(set_files); do
		local new=$name
		set_exists _init_$name && new=_init_$name
		set_file $name | tail -n +2 | while read m; do
			ipset add $new $m
		done
	done

	for name in $swap; do
		ipset swap $name _init_$name
	done

	for name in $(sets list:set); do
		[ -f $DIR/$name ] || ipset destroy $name
	done

	for name in $(sets); do
		[ -f $DIR/$name ] || ipset destroy $name
	done

	eend $STATUS
}