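#!/bin/bash
#
# nftables service wrapper.
#   start|reload  load the ruleset from the autosave file when it exists and
#                 is non-empty, otherwise from the main config
#   stop          save the live ruleset to the autosave file (if that file
#                 exists) and flush the ruleset
# Usage: $0 (start|stop|reload)

# Absolute path on purpose: a privileged firewall tool is never looked up
# through PATH. All settings are readonly because nothing below reassigns them.
readonly NFT="/usr/sbin/nft"

# Action requested by the caller (first positional argument).
readonly NFTABLES_COMMAND="${1}"

readonly NFTABLES_CONFIG="/etc/nftables.conf"
# Pre-migration location of the autosave file; only consulted for migration.
readonly NFTABLES_OLD_AUTO_CONFIG="/etc/nftables-auto.conf"
# Autosave file written on stop and preferred over NFTABLES_CONFIG on start.
readonly NFTABLES_AUTO_CONFIG="/var/lib/nftables/auto.conf"
# Marker recording that the one-time move from the old path already happened.
readonly NFTABLES_AUTO_MIGRATED="/var/lib/nftables/auto-migrated"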

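# One-time migration of the autosave file from its old location under /etc.
# The marker file records that the move happened, so a file that shows up at
# the old path afterwards (e.g. restored from a backup) is only warned about
# and never moved over the autosave at the new path.
if [ -e "${NFTABLES_OLD_AUTO_CONFIG}" ] ; then
  if [ -e "${NFTABLES_AUTO_MIGRATED}" ] ; then
    echo "Warning: Found an old style auto file ${NFTABLES_OLD_AUTO_CONFIG}. Those are no longer supported. The new path is ${NFTABLES_AUTO_CONFIG}. If you restore files from a backup, please restore them to the new path."
  else
    echo "Warning: Found an old style auto file ${NFTABLES_OLD_AUTO_CONFIG}. Moving to the new path ${NFTABLES_AUTO_CONFIG}."
    # Only record the migration when the move actually succeeded; otherwise
    # the old file would be ignored forever while no autosave exists at the
    # new path.
    if mv -- "${NFTABLES_OLD_AUTO_CONFIG}" "${NFTABLES_AUTO_CONFIG}" ; then
      touch "${NFTABLES_AUTO_MIGRATED}"
    else
      echo "Warning: Could not move ${NFTABLES_OLD_AUTO_CONFIG} to ${NFTABLES_AUTO_CONFIG}. Leaving it in place; it will not be used." >&2
    fi
  fi
fi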

# Informational only: list the network links present at the time the script
# runs. The outcome of this command does not influence the action below.
printf '%s\n' "Interfaces which are set up already: "
/usr/sbin/ip --brief link show

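#######################################
# Snapshot the live ruleset into the autosave file.
# The dump goes to a temporary file in the same directory and is renamed over
# the destination only after `nft list ruleset` succeeded, so a failing or
# interrupted dump can never leave a truncated autosave behind -- that file is
# what "start" would load as the firewall next time.
# Globals:   NFT (read), NFTABLES_AUTO_CONFIG (read; replaced on success)
# Arguments: none
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 when saved or when there was nothing to save, 1 on failure
#######################################
nftables_save_ruleset() {
  local tmp
  # mktemp creates the file with mode 0600 next to the destination, so the
  # final rename stays on one filesystem and replaces the file atomically.
  tmp=$(mktemp "${NFTABLES_AUTO_CONFIG}.XXXXXX") || {
    echo "Cannot create a temporary file next to '${NFTABLES_AUTO_CONFIG}'. Not saving." >&2
    return 1
  }
  printf 'flush ruleset\n' > "${tmp}"
  if ! "${NFT}" list ruleset >> "${tmp}" ; then
    echo "nft list ruleset failed. Not saving the ruleset." >&2
    rm -f -- "${tmp}"
    return 1
  fi
  # Line 1 is our own "flush ruleset"; only lines beyond it are live rules.
  if [ "$(wc -l < "${tmp}")" -le 1 ] ; then
    echo "Not saving empty ruleset"
    rm -f -- "${tmp}"
    return 0
  fi
  echo "Saving current ruleset to '${NFTABLES_AUTO_CONFIG}'"
  if ! mv -f -- "${tmp}" "${NFTABLES_AUTO_CONFIG}" ; then
    echo "Cannot replace '${NFTABLES_AUTO_CONFIG}'. Not saving." >&2
    rm -f -- "${tmp}"
    return 1
  fi
  return 0
}

case "${NFTABLES_COMMAND}" in
  start | reload)
    # The autosave file wins over the main config when it exists and is
    # non-empty; an empty autosave falls back to the main config.
    NFTABLES_USE_CONFIG="${NFTABLES_CONFIG}"
    echo "Checking if '${NFTABLES_AUTO_CONFIG}' exists."
    if [ -e "${NFTABLES_AUTO_CONFIG}" ] ; then
      echo "Found an autosave configuration file '${NFTABLES_AUTO_CONFIG}'. Checking if it is non zero size."
      if [ -s "${NFTABLES_AUTO_CONFIG}" ] ; then
        NFTABLES_USE_CONFIG="${NFTABLES_AUTO_CONFIG}"
      else
        echo "Not loading empty '${NFTABLES_AUTO_CONFIG}'. Falling back to '${NFTABLES_CONFIG}'."
      fi
    fi

    echo "Checking '${NFTABLES_USE_CONFIG}' for correctness"
    if ! "${NFT}" --check --file "${NFTABLES_USE_CONFIG}" ; then
      echo "nft --check for '${NFTABLES_USE_CONFIG}' failed. Not loading the config." >&2
      exit 1
    fi
    echo "Loading '${NFTABLES_USE_CONFIG}'"
    # A passing --check does not guarantee that the load succeeds; fail the
    # action instead of reporting success for a firewall that is not in place.
    if ! "${NFT}" --file "${NFTABLES_USE_CONFIG}" ; then
      echo "Loading '${NFTABLES_USE_CONFIG}' failed." >&2
      exit 1
    fi
  ;;
  stop)
    if [ -e "${NFTABLES_AUTO_CONFIG}" ] ; then
      echo "Found an autosave configuration file '${NFTABLES_AUTO_CONFIG}'. Checking if we have a ruleset for saving."
      # A failed save is reported but does not stop the flush below; the
      # previous autosave file is left untouched in that case.
      nftables_save_ruleset || echo "Warning: could not autosave the ruleset. Keeping the existing '${NFTABLES_AUTO_CONFIG}'." >&2
    fi
    echo "Flushing ruleset"
    "${NFT}" flush ruleset
  ;;
  *)
    echo "Usage: ${0} (start|stop|reload)"
    echo ""
    echo "If '${NFTABLES_AUTO_CONFIG}' exists then the stop action will save the current ruleset to this file and the start and reload actions will load the config from this file, if it is not empty. In case of an empty file they will load the normal config file."
    echo ""
    echo "Otherwise '${NFTABLES_CONFIG}' will be used and the stop action will only flush the ruleset."
  ;;
esac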
