#!/bin/sh -e

. /lib/rcscripts/sh/error.sh
. /etc/netd/ipfilter.conf || error "Failed to source config file"

DESCRIPTION="packet filters"

# Hardcode these instead of relying on values from the config
IPTABLES=/usr/sbin/iptables
IP6TABLES=/usr/sbin/ip6tables

[ -x "$IPTABLES" ] || IPTABLES=dummytables
[ -x "$IP6TABLES" ] || IP6TABLES=dummytables

dummytables() {
	:
}

FAILED=0

fail() {
	if [ "$FAILED" != "1" ]; then
		FAILED=1
		stop_filter
	fi
	error "Failed to $@"
}

flush() {
	$IPTABLES -F || fail "flush tables!"
	$IP6TABLES -F || fail "flush tables!"
}

set_policy() {
	$IPTABLES -P INPUT $1 || fail "set $1 policy!"
	$IP6TABLES -P INPUT $1 || fail "set $1 policy!"
}

addr_family() {
	local family
	# This function determines AF but does not validate addresses
	# ':' is found in IPv6 addresses but never in IPv4 addresses
	[ $# -eq 2 ] || error "addr_family(): Invalid number of arguments"
	case $1 in
		*[!.:[:xdigit:][:blank:]\/,]*)
			error "Invalid characters in IP address"
			;
		*:*)
			family=6
			;
		*.*)
			family=4
			;
		*)
			error "Invalid ip address '$1'"
			;
	esac
	eval $2=\$family || error "Failed to evaluate IP address family"
}

start_filter() {
	local added_iptables=0 added_ip6tables=0 af=0

	flush

	if [ "$IPTABLES_INPUT_POLICY" = allow ]; then
		FILTER_ACTION=ACCEPT
		set_policy DROP
	else
		FILTER_ACTION=DROP
		set_policy ACCEPT
	fi

	$IPTABLES -A INPUT -i lo -j ACCEPT || fail "ACCEPT loopback!"
	$IP6TABLES -A INPUT -i lo -j ACCEPT || fail "ACCEPT loopback!"

	$IPTABLES -A INPUT -p icmp -j ACCEPT || fail "ACCEPT ICMP!"
	$IP6TABLES -A INPUT -p icmpv6 -j ACCEPT || fail "ACCEPT ICMP!"

	# Accept incoming packets on locally initiated TCP connections.
	$IPTABLES -A INPUT -p tcp ! --syn -j ACCEPT || fail "ACCEPT TCP !SYN!"
	$IP6TABLES -A INPUT -p tcp ! --syn -j ACCEPT || fail "ACCEPT TCP !SYN!"

	for SRC in $IPTABLES_ACCEPT; do
		addr_family "$SRC" af
		if [ $af = 4 ]; then
			if [ "$IPTABLES_LOG_ENABLED" = yes ] &&
			   [ "$FILTER_ACTION" = DROP ]; then
				$IPTABLES -A INPUT -s "$SRC" -j LOG --log-prefix "IP_FILTER: " ||
					fail "LOG source address \"$SRC\"!"
			fi

			added_iptables=1

			$IPTABLES -A INPUT -s "$SRC" -j $FILTER_ACTION ||
				fail "$FILTER_ACTION source address \"$SRC\"!"

		elif [ $af = 6 ]; then
			if [ "$IPTABLES_LOG_ENABLED" = yes ] &&
			   [ "$FILTER_ACTION" = DROP ]; then
				$IP6TABLES -A INPUT -s "$SRC" -j LOG --log-prefix "IP_FILTER: " ||
					fail "LOG source address \"$SRC\"!"
			fi

			added_ip6tables=1

			$IP6TABLES -A INPUT -s "$SRC" -j $FILTER_ACTION ||
				fail "$FILTER_ACTION source address \"$SRC\"!"
		fi
	done

	if [ "$IPTABLES_LOG_ENABLED" = yes ] && [ $added_iptables -eq 1 ] &&
	   [ "$FILTER_ACTION" = ACCEPT ]; then
		$IPTABLES -A INPUT -j LOG --log-prefix "IP_FILTER: " ||
			fail "LOG source address \"$SRC\"!"
	fi

	if [ "$IPTABLES_LOG_ENABLED" = yes ] && [ $added_ip6tables -eq 1 ] &&
	   [ "$FILTER_ACTION" = ACCEPT ]; then
		$IP6TABLES -A INPUT -j LOG --log-prefix "IP_FILTER: " ||
			fail "LOG source address \"$SRC\"!"
	fi

	# drop in-wire ipv4-mapped addresses
	$IP6TABLES -A INPUT -s ::ffff:0:1/96 -j DROP
	$IP6TABLES -A INPUT -d ::ffff:0:1/96 -j DROP
}

stop_filter() {
	flush
	set_policy ACCEPT
}

conditional_start() {
	if [ "$IPTABLES_ENABLED" = yes ]; then
		start_filter
	else
		information "disabled"
		stop_filter
	fi
}

case "$1" in
	start)
		information "Starting $DESCRIPTION"
		conditional_start
		;
	stop)
		information "Stopping $DESCRIPTION"
		stop_filter
		;
	*)
		error "Usage: $0 start|stop"
		;
esac

exit 0