#!/bin/sh
set -ex

trap exit TERM INT

BIN_DIR="/usr/sbin"

info() {
    { set +x; } 2> /dev/null
    echo '[INFO] ' "$@"
    set -x
}

fatal() {
    { set +x; } 2> /dev/null
    echo '[ERROR] ' "$@" >&2
    set -x
    exit 1
}

check_iptables_mode() {
    set +e
    lsmod | grep -qF nf_tables 2> /dev/null
    if [ $? = 0 ]; then
        mode=nft
    else 
        mode=legacy
    fi
    set -e

    case "$mode" in
        nft)
            info "nft mode detected"
            set_nft
            ;;
        legacy)
            info "legacy mode detected"
            set_legacy
            ;;
        *)
            fatal "invalid iptables mode"
            ;;
    esac
}

set_nft() {
    for i in iptables iptables-save iptables-restore ip6tables; do 
        ln -sf xtables-nft-multi "$BIN_DIR/$i";
    done
}

set_legacy() {
    for i in iptables iptables-save iptables-restore ip6tables; do 
        ln -sf xtables-legacy-multi "$BIN_DIR/$i";
    done
}

start_proxy() {
    for src_range in ${SRC_RANGES//,/ }; do
        if echo ${src_range} | grep -Eq ":"; then
            ip6tables -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${DEST_PORT} -j ACCEPT
        else
            iptables -t filter -I FORWARD -s ${src_range} -p ${DEST_PROTO} --dport ${DEST_PORT} -j ACCEPT
        fi
    done

    for dest_ip in ${DEST_IPS//,/ }; do
        if echo ${dest_ip} | grep -Eq ":"; then
            if [ $(cat /proc/sys/net/ipv6/conf/all/forwarding) == 1 ]; then
                ip6tables -t filter -A FORWARD -d ${dest_ip}/128 -p ${DEST_PROTO} --dport ${DEST_PORT} -j DROP
                ip6tables -t nat -I PREROUTING -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to [${dest_ip}]:${DEST_PORT}
                ip6tables -t nat -I POSTROUTING -d ${dest_ip}/128 -p ${DEST_PROTO} -j MASQUERADE
            fi
        else
            if [ $(cat /proc/sys/net/ipv4/ip_forward) == 1 ]; then
                iptables -t filter -A FORWARD -d ${dest_ip}/32 -p ${DEST_PROTO} --dport ${DEST_PORT} -j DROP
                iptables -t nat -I PREROUTING -p ${DEST_PROTO} --dport ${SRC_PORT} -j DNAT --to ${dest_ip}:${DEST_PORT}
                iptables -t nat -I POSTROUTING -d ${dest_ip}/32 -p ${DEST_PROTO} -j MASQUERADE
            fi
        fi
    done
}

check_iptables_mode
start_proxy

if [ ! -e /pause ]; then
    mkfifo /pause
fi
</pause
