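# vim:ft=sh:noexpandtab
# Firewall configuration (iptables on linux)
# TODO FreeBSD
#
# Stage files live under ./files/firewall and are compared against / copied
# to the host paths /etc/conf.d/<service> and /etc/iptables/ipv<N>.
# The ops_*, echo_* and do_diff helpers are provided by the surrounding
# framework (not defined in this file).

FIREWALL_PREFIX="./files/firewall/$(hostname)"

#######################################
# Compare one IP version's service config and rule file with the host
# copies and register the corresponding ops when they differ.
# Arguments: $1 - IP version (4 or 6)
#            $2 - service name (iptables / ip6tables)
#######################################
firewall_check_common() {
	local ipver=$1
	local svc=$2
	if do_diff "./files/firewall/$svc.conf" "/etc/conf.d/$svc" \
		"Firewall IPv$ipver service config changes"; then
		ops_require "ipv${ipver}_config"
	fi
	if do_diff "$FIREWALL_PREFIX.ipv$ipver" "/etc/iptables/ipv$ipver" \
		"Firewall IPv$ipver changes"; then
		ops_require "ipv$ipver"
	fi
}

#######################################
# Check phase: detect pending firewall changes for IPv4 and (unless
# FIREWALL_NO_IPV6=true) IPv6.
# Globals:  FIREWALL_NO_IPV6 (read)
# Returns:  status of ops_required_any; 0 (nothing to do) when the
#           iptables tools are missing, after reporting an error.
#######################################
firewall_check() {
	ops_set_current firewall
	# command -v instead of which: builtin, silent on failure.
	if ! { command -v iptables && command -v ip6tables; } >/dev/null; then
		# NOTE: missing tools are reported but treated as "nothing required";
		# the framework's handling of this case is not visible here.
		echo_error "Firewall operation requires iptables and ip6tables."
		return 0
	fi
	firewall_check_common 4 iptables
	# FIREWALL_NO_IPV6=true skips the IPv6 rule set entirely.
	if [ "${FIREWALL_NO_IPV6:-}" != "true" ]; then
		firewall_check_common 6 ip6tables
	fi
	ops_required_any "Firewall" # its return status (1 = nothing) falls through
}

# Prepare phase: nothing to do for the firewall.
firewall_prepare() {
	true
}

#######################################
# Install the staged service config and/or rule file for one IP version
# and reload the service if anything was installed.
# Arguments: $1 - IP version (4 or 6)
#            $2 - service name (iptables / ip6tables)
# Returns:   1 if a copy fails (the service is NOT reloaded in that case,
#            so a half-installed rule set is never activated); otherwise
#            the status of the reload, or 0 when nothing was required.
#######################################
firewall_apply_common() {
	local ipver=$1
	local svc=$2
	local reload=false
	if ops_is_required "ipv${ipver}_config"; then
		echo_trace "Updating $svc service config"
		if ! cp "./files/firewall/$svc.conf" "/etc/conf.d/$svc"; then
			echo_error "Failed to install $svc service config"
			return 1
		fi
		reload=true
	fi
	if ops_is_required "ipv$ipver"; then
		echo_trace "Updating ipv$ipver tables"
		if ! mkdir -p /etc/iptables ||
			! cp "$FIREWALL_PREFIX.ipv$ipver" "/etc/iptables/ipv$ipver"; then
			echo_error "Failed to install ipv$ipver tables"
			return 1
		fi
		reload=true
	fi
	if $reload; then
		echo_trace "Reloading service $svc"
		service "$svc" reload
	fi
}

#######################################
# Apply phase: install both IP versions. Both are attempted even if the
# first fails; the return status is non-zero if either failed.
#######################################
firewall_apply() {
	local rc=0
	ops_set_current firewall
	firewall_apply_common 4 iptables || rc=1
	firewall_apply_common 6 ip6tables || rc=1
	return "$rc"
}

# Clean phase: nothing to do for the firewall.
firewall_clean() {
	true
}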