#!/bin/sh -e

### BEGIN INIT INFO
# Provides:          setfilter
# Required-Start:    ufw
# Required-Stop:     
# Default-Start:     S
# Default-Stop:      
# Short-Description: set network filters with iptables
### END INIT INFO

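# The '-e' on the shebang is lost when this script is run as
# 'sh /etc/init.d/setfilter', yet the rest of the file relies on abort-on-error
# (e.g. a missing init-functions, or 'stop' failing during restart), so set it
# explicitly here as well.
set -e

PATH="/sbin:/bin:/usr/sbin:/usr/bin"

. /lib/lsb/init-functions

# ufw.conf is *sourced as shell code* (it is expected to define ENABLED), so
# whatever it contains runs with this script's privileges. It must therefore
# be trusted: root-owned and not writable by anyone else.
if [ -s /etc/ufw/ufw.conf ]; then
    . /etc/ufw/ufw.conf
else
    log_failure_msg "Could not find /etc/ufw/ufw.conf (aborting)"
    exit 1
fi

# Directory holding one '<table>.rules' file per iptables table handled below.
RULES_PATH="/etc/ufw"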

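# True when ufw.conf sets ENABLED to "yes" or "YES" (the only two spellings
# accepted); anything else counts as disabled.
enabled() {
    case "$ENABLED" in
    yes|YES) return 0 ;;
    *)       return 1 ;;
    esac
}

# Flush every chain in table $1 and delete its user-defined chains.
# Both steps are attempted even if the first fails; returns non-zero if either
# failed. Builtin chain policies (-P) are deliberately not touched here.
flush_table() {
    flush_rc=0
    iptables -F -t "$1" || flush_rc=1
    iptables -X -t "$1" || flush_rc=1
    return "$flush_rc"
}

# Tables owned by this script. The filter table is never touched here
# (presumably it is ufw's own job, hence 'Required-Start: ufw').
TABLES="raw mangle nat"

case "$1" in
start)
    # Presence of the LOG_ICMP chain in the raw table is used as the
    # "already loaded" marker (presumably created by raw.rules). If that chain
    # is ever renamed this guard silently stops working and 'start' simply
    # re-applies the rules.
    if iptables -L LOG_ICMP -t raw -n >/dev/null 2>&1 ; then
        log_action_msg "Network filter already started, use 'force-reload'"
        exit 0
    fi
    if ! enabled; then
        log_action_begin_msg "Skipping network filter (not enabled)"
        log_action_end_msg 0
        exit 0
    fi

    log_action_begin_msg "Setting network filter"
    error=""

    # $TABLES is intentionally unquoted: it is a space-separated word list.
    for table in $TABLES
    do
        RULES="$RULES_PATH/$table.rules"

        # The table is emptied *before* the new rules go in, so a failing
        # iptables-restore below leaves it empty (fail-open for that table)
        # rather than with the previous rule set. The exit 1 at the end is the
        # only signal of that state; the loop does not roll back.
        flush_table "$table" || error="yes"

        if [ -s "$RULES" ]; then
            # -n is --noflush: the table was flushed above, so do not let
            # iptables-restore flush it again.
            if ! iptables-restore -n < "$RULES" ; then
                log_action_cont_msg "Problem running '$RULES'"
                error="yes"
            fi
        else
            # A missing rules file is tolerated (logged, not an error):
            # that table just stays empty.
            log_action_cont_msg "Couldn't find '$RULES'"
        fi
    done

    if [ "$error" = "yes" ]; then
        log_action_end_msg 1
        exit 1
    fi
    log_action_end_msg 0
    ;;
stop)
    if ! enabled; then
        log_action_begin_msg "Skipping network filter (not enabled)"
        log_action_end_msg 0
        exit 0
    fi

    log_action_begin_msg "Stopping network filter"
    error=""

    # Only raw/mangle/nat are emptied; the filter table is left as it is.
    for table in $TABLES
    do
        flush_table "$table" || error="yes"
    done

    if [ "$error" = "yes" ]; then
        log_action_end_msg 1
        exit 1
    fi
    log_action_end_msg 0
    ;;
restart|force-reload)
    if enabled; then
        # With -e in effect a failing 'stop' aborts here and 'start' is not
        # attempted.
        "$0" stop
        "$0" start
    else
        log_warning_msg "Skipping $1 (not enabled)"
    fi
    ;;
*)
    # Diagnostics belong on stderr.
    echo "Usage: /etc/init.d/setfilter {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0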

