#!/bin/bash
# Netify FWA Application Filter Scriptlet

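# Target and chain the Netify FWA hook rules are attached to (see the
# "-j $NFA_ACTION" rule and the jumps appended to $NFA_CHAIN further down).
NFA_ACTION=DROP
NFA_CHAIN=FORWARD
# Sandboxed PHP invocation of the FWA helper.  Kept as one string for
# compatibility with the surrounding firewall framework; it is expanded
# unquoted on purpose so the interpreter and its arguments word-split.
NFA_EXEC="/usr/clearos/sandbox/usr/bin/php -q /usr/share/netify-fwa/netify-fwa.php"
NFA_PID_FILE=/run/netify-fwa/netify-fwa.pid
# Created here before the daemon is signalled; the hook logic waits for it to
# disappear (presumably the daemon removes it when its reload completes).
NFA_RELOAD_LOCK=/run/netify-fwa/netify-fwa.reload
# Seconds to wait for the reload lock to be cleared before giving up.
NFA_RELOAD_TIMEOUT=5
NFA_CONF_FILE=/etc/netify-fwa.conf
# sed script that rewrites enabled "rule[...]" config lines into
# "TABLE MARK_CHAIN ID" triples consumed by the rule-installing loops.
NFA_SED_FILE=/usr/clearos/apps/netify_fwa/deploy/netify-fwa.sed

# Query the helper once for its mark constants rather than spawning the PHP
# sandbox twice; each value is the text after the '=' on its own output line.
# shellcheck disable=SC2086 -- NFA_EXEC is deliberately word-split into command + arguments
NFA_EXEC_MARKS=$($NFA_EXEC -m)
NFA_MARK_BASE=$(printf '%s\n' "$NFA_EXEC_MARKS" | grep NFA_MARK_BASE | sed -e 's/.*NFA_MARK_BASE.*=[[:space:]]*//g')
NFA_BASE_MASK=$(printf '%s\n' "$NFA_EXEC_MARKS" | grep NFA_BASE_MASK | sed -e 's/.*NFA_BASE_MASK.*=[[:space:]]*//g')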

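# Install the Netify FWA hook rules, but only when the daemon is configured,
# running and has finished reloading its rule set.  Each early exit is a logged
# warning rather than a hard failure so the rest of the firewall still comes up;
# in every one of those cases no FWA rules are enforced.
NFA_PID=$(cat "$NFA_PID_FILE" 2>/dev/null)

if [ ! -f "$NFA_CONF_FILE" ]; then
    fw_logger warning "Netify FWA config not found, not creating hook rules."
elif [ ! -f "$NFA_PID_FILE" ]; then
    fw_logger warning "Netify FWA is not running, not creating hook rules."
elif ! [[ "$NFA_PID" =~ ^[0-9]+$ ]] || [ ! -d "/proc/$NFA_PID" ]; then
    # An empty or non-numeric PID file must never reach kill(1): "/proc/" on its
    # own is a directory, so the -d test alone would treat garbage as "running".
    fw_logger warning "Netify FWA is not running, not creating hook rules."
elif [ -z "$NFA_MARK_BASE" ] || [ -z "$NFA_BASE_MASK" ]; then
    # Both mark values are needed to build the --mark argument of the final
    # rule; report that here instead of letting iptables reject a malformed rule.
    fw_logger warning "Netify FWA mark parameters not available, not creating hook rules."
elif [ ! -f "$NFA_SED_FILE" ]; then
    # Without the sed script the rule pipeline below would silently yield nothing.
    fw_logger warning "Netify FWA sed script not found, not creating hook rules."
else
    # Ask the daemon to reload, then wait (bounded) for it to clear the lock.
    touch -- "$NFA_RELOAD_LOCK"
    kill -USR1 "$NFA_PID"
    nfa_wait=$NFA_RELOAD_TIMEOUT
    while (( nfa_wait > 0 )) && [ -f "$NFA_RELOAD_LOCK" ]; do
        sleep 1
        nfa_wait=$(( nfa_wait - 1 ))
    done

    if [ -f "$NFA_RELOAD_LOCK" ]; then
        fw_logger warning "Netify FWA took too long to reload."
    else
        # Enabled rules only ("...,1" / "...,true"), mapped by the sed script to
        # "TABLE MARK_CHAIN ID" triples.  Computed once for both loops below; the
        # two-pass order is kept so every chain and jump exists before the
        # mark-based action rule is appended after them.
        NFA_RULES=$(grep -E '^rule\[.*,(1|true)$' -- "$NFA_CONF_FILE" | sed -f "$NFA_SED_FILE" | sort -u)

        # Pass 1: per-table mark chains plus the jumps into them from $NFA_CHAIN.
        # $IPTABLES comes from the firewall framework and may carry arguments,
        # so it is expanded unquoted.
        while read -r NFA_TABLE NFA_MARK_CHAIN NFA_ID; do
            [ -n "$NFA_TABLE" ] || continue   # blank line (e.g. no enabled rules)
            for nfa_dir in INGRESS EGRESS; do
                if ! $IPTABLES -t "$NFA_TABLE" -L "${NFA_MARK_CHAIN}_${nfa_dir}" >/dev/null 2>&1; then
                    $IPTABLES -t "$NFA_TABLE" -N "${NFA_MARK_CHAIN}_${nfa_dir}"
                fi
            done
            for nfa_dir in INGRESS EGRESS; do
                if ! $IPTABLES -t "$NFA_TABLE" -C "$NFA_CHAIN" -j "${NFA_MARK_CHAIN}_${nfa_dir}" 2>/dev/null; then
                    $IPTABLES -t "$NFA_TABLE" -A "$NFA_CHAIN" -j "${NFA_MARK_CHAIN}_${nfa_dir}"
                fi
            done
        done <<<"$NFA_RULES"

        # Pass 2: the enforcement rule -- packets carrying the FWA mark hit
        # $NFA_ACTION.  The rule does not depend on the ID, so -C keeps it to one
        # per table.
        while read -r NFA_TABLE NFA_MARK_CHAIN NFA_ID; do
            [ -n "$NFA_TABLE" ] || continue
            if ! $IPTABLES -t "$NFA_TABLE" -C "$NFA_CHAIN" -m mark --mark "$NFA_MARK_BASE/$NFA_BASE_MASK" -j "$NFA_ACTION" 2>/dev/null; then
                $IPTABLES -t "$NFA_TABLE" -A "$NFA_CHAIN" -m mark --mark "$NFA_MARK_BASE/$NFA_BASE_MASK" -j "$NFA_ACTION"
            fi
        done <<<"$NFA_RULES"
    fi
fi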

