#!/sbin/openrc-run
# Copyright 2014 Nicholas Vinson
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

extra_commands="list panic save"
extra_started_commands="reload"

description="Manage nftable based firewall."
description_save="Save current nftables rulesets to disk."
description_list="Displays the current nftables ruleset."
description_panic="Immediately drop all packets on all interfaces."
description_reload="Clear current rulesets and load rulesets from the saved ruleset files."

# Uppercase variables are there for backward compatibility.
: ${rules_file:=${NFTABLES_SAVE:="/etc/firewall.nft"}}
: ${save_options:=${SAVE_OPTIONS:="-n"}}
: ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
: ${enable_forwarding:="no"}

depend() {
	need localmount
	after sysctl
	before net
	provide firewall
}

start_pre() {
	checkkernel && checkconfig
}

list() {
	nft list ruleset
}

panic() {
	checkkernel || return 1

	if service_started "$RC_SVCNAME"; then
		rc-service "$RC_SVCNAME" stop
	fi

	ebegin "Dropping all packets"
	nft -f /dev/stdin <<-EOF
		flush ruleset
		table inet filter {
		    chain input { type filter hook input priority 0; policy drop; }
		    chain forward { type filter hook forward priority 0; policy drop; }
		    chain output { type filter hook output priority 0; policy drop; }
		}
	EOF
	eend $?
}

reload() {
	start
}

save() {
	ebegin "Saving nftables state"

	checkpath -q -d "${rules_file%/*}"
	checkpath -q -m 0600 -f "$rules_file"

	local tmp_save="$rules_file.tmp"

	echo 'flush ruleset' > "$tmp_save"
	nft list ruleset >> "$tmp_save"; local retval=$?

	[ $retval -eq 0 ] && mv "$tmp_save" "$rules_file"

	return $retval
}

start() {
	ebegin "Loading nftables state and starting firewall"

	nft -f "$rules_file"
	eend $? || return 1

	if yesno "$enable_forwarding"; then
		ebegin "Enabling forwarding"
		forwarding 1
		eend $? || return 1
	fi
}

stop() {
	if yesno "$save_on_stop"; then
		save || return 1
	fi

	if yesno "$enable_forwarding"; then
		ebegin "Disabling forwarding"
		forwarding 0
		eend $?
	fi

	ebegin "Stopping firewall"
	nft flush ruleset
	eend $?
}

checkconfig() {
	if [ ! -f "$rules_file" ]; then
		eerror "Not starting nftables. First create some rules then run:"
		eerror "  rc-service nftables save"
		return 1
	fi
	return 0
}

checkkernel() {
	if ! nft list tables >/dev/null 2>&1; then
		eerror "Your kernel lacks nftables support, please load"
		eerror "appropriate modules and try again."
		return 1
	fi
	return 0
}

forwarding() {
	/sbin/sysctl -qw \
		net.ipv4.ip_forward=$1 \
		net.ipv6.conf.default.forwarding=$1 \
		net.ipv6.conf.all.forwarding=$1
}