#!/bin/bash
# Handles the firewall part of the show

function firewall_cmds
{
    FIREWALLD_PARMS="--quiet --permanent"
    FIREWALLD_IPSET_NAME="ipdeny_com_${VERSION}"
    if [ -n "${VERBOSE}" ]
    then
        FIREWALLD_PARMS="--permanent"
        echo "firewall_cmds(): Version is '${VERSION}' and param is '${1}'"
        echo "firewall_cmds(): Basic FirewallD params: '${FIREWALLD_PARMS}'"
    fi

    if [ -x /usr/bin/firewall-cmd ]
    then
        case "${1}" in
            pre-create)
                OUTPUT_FILE=$(mktemp)
                FIREWALLD_FILE="/etc/firewalld/ipsets/${FIREWALLD_IPSET_NAME}.xml"

                IPDENY_ZONE_COUNT=$(ls -1 /usr/share/ipdeny/*.zone.xz 2>/dev/null | wc -l)
                if [ "${IPDENY_ZONE_COUNT}" != 0 ]
                then
                    xzcat /usr/share/ipdeny/*.zone.xz | sort --unique > "${OUTPUT_FILE}"
                else
                    touch "${OUTPUT_FILE}"
                fi

                sed -e "s#"d0eedbb5cec0ef40"#${VERSION}#g" /usr/share/ipdeny/ipdeny_com_template.xml > "${FIREWALLD_FILE}"
                sed -e "s#\(.*\)#  <entry>\1</entry>#g" "${OUTPUT_FILE}" >> "${FIREWALLD_FILE}"
                echo "</ipset>" >> "${FIREWALLD_FILE}"
                rm -f "${OUTPUT_FILE}"
                ;;
            add-entries)
                OUTPUT_FILE=$(mktemp)
                xzcat /usr/share/ipdeny/*.zone.xz | sort --unique > "${OUTPUT_FILE}"
                firewall-cmd ${FIREWALLD_PARMS} --ipset="${FIREWALLD_IPSET_NAME}" --add-entries-from-file="${OUTPUT_FILE}"
                rm -f "${OUTPUT_FILE}"
                ;;
            remove-entry)
                ;;
            create-ipset)
                firewall-cmd ${FIREWALLD_PARMS} --new-ipset="${FIREWALLD_IPSET_NAME}" --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=500000
                firewall-cmd ${FIREWALLD_PARMS} --ipset="${FIREWALLD_IPSET_NAME}" --set-description="FirewallD IPDENY.COM Blocklist conversion ${VERSION}"
                firewall-cmd ${FIREWALLD_PARMS} --ipset="${FIREWALLD_IPSET_NAME}" --set-short="Firewalld IPDENY.COM"
                ;;
            remove-ipset)
                firewall-cmd ${FIREWALLD_PARMS} --delete-ipset="${FIREWALLD_IPSET_NAME}"
                ;;
            add-source)
                firewall-cmd ${FIREWALLD_PARMS} --zone="${ZONE}" --add-source="ipset:${FIREWALLD_IPSET_NAME}"
                ;;
            remove-source)
                firewall-cmd ${FIREWALLD_PARMS} --zone="${ZONE}" --remove-source="ipset:${FIREWALLD_IPSET_NAME}"
                ;;
        esac
    fi
}


# Defaults for the two settings a caller may preset in the environment:
# the ipset name suffix and the firewalld zone the ipset is bound to.
VERSION=${VERSION:-d0eedbb5cec0ef40}
ZONE=${ZONE:-drop}

# No operation on the command line means the full bootstrap (create the
# ipset, then bind it to the zone); otherwise run just the requested one.
case "${1-}" in
    "")
        firewall_cmds create-ipset
        firewall_cmds add-source
        ;;
    *)
        firewall_cmds "$1"
        ;;
esac

# Drop a stale .old copy of this version's ipset file, if one is present.
if [ -f "/etc/firewalld/ipsets/ipdeny_com_${VERSION}.xml.old" ]
then
    rm -- "/etc/firewalld/ipsets/ipdeny_com_${VERSION}.xml.old"
fi
