#!/bin/sh
#
# Startup script for nupyf
#
# chkconfig: 345 87 16
# description: nupyf is a user-filtering firewall.
# processname: nupyf

# Source function library.
. /etc/rc.d/init.d/functions

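ipt="/sbin/iptables"
iptsave="/sbin/iptables-save"
iptrestore="/sbin/iptables-restore"
nupyf="/usr/sbin/nupyf"

# Every nuface path below hangs off BASEDIR, so a relocated configuration
# tree only needs this one line changed.
BASEDIR=/etc/nuface
LOCAL_RULES=$BASEDIR/local_rules
LOCAL_RULES_D=$BASEDIR/local_rules.d
LOCAL_NAT_RULES=$BASEDIR/nat
#FWD_RULES=$BASEDIR/dyn/fwd_rules
STOP_RULES=$BASEDIR/stop_rules
NONUFW_RULES=$BASEDIR/dyn/nonufw_rules
# iptables-save snapshot taken before each reload; reload_good_conf feeds it
# back to iptables-restore when loading the new rules fails.
BACKUP_FILE=/var/lib/nuface/backups/firewall_good_conf
MANGLE_RULES_PRE=$BASEDIR/pre-mangle
MANGLE_RULES_POST=$BASEDIR/post-mangle
MANGLE_RULES_DYN=$BASEDIR/dyn/vpn_rules

# Directories holding the generated rule sets (nufw-aware and "standard"),
# and the per-chain file names expected inside each of them.
NUFW_RULES_DIR=$BASEDIR/dyn/nufw
STD_RULES_DIR=$BASEDIR/dyn/standard
DISPATCH_RULES=dispatch_rules
FWD_RULES=forward_rules
INPUT_RULES=input_rules
OUTPUT_RULES=output_rules
NAT_RULES=nat_rules

# Previously spelled out as /etc/nuface/...; derived from BASEDIR so these
# two cannot drift from the rest of the configuration tree.
LDAP_DATA=$BASEDIR/dyn/ldap_objects
NUPYF_CONF=$BASEDIR/desc/nupyf.conf

LOCK_FILE=/var/lock/subsys/nupyf

# are these chains managed by nuface or not? (1 = managed)
MANAGE_INPUT=1
MANAGE_OUTPUT=1
MANAGE_NAT=1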

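# A generated rule set is unusable if any of its per-chain files is missing,
# so refuse to start rather than load a partial firewall.
# arg1: rules directory, arg2: file name expected inside it
# Exits with status 1 (not -1, which is not a valid exit status) when absent.
require_rules_file() {
  if [ ! -f "$1/$2" ]; then
    gprintf "Sorry. Can't find file %s/%s\n" "$1" "$2"
    exit 1
  fi
}

# test generated files rules, for both the nufw and the standard set
for dir in $NUFW_RULES_DIR $STD_RULES_DIR; do
  require_rules_file "$dir" "$DISPATCH_RULES"
  require_rules_file "$dir" "$FWD_RULES"
  # input/output/nat files are only required when nuface manages that chain
  if [ "$MANAGE_INPUT" = 1 ]; then
    require_rules_file "$dir" "$INPUT_RULES"
  fi
  if [ "$MANAGE_OUTPUT" = 1 ]; then
    require_rules_file "$dir" "$OUTPUT_RULES"
  fi
  if [ "$MANAGE_NAT" = 1 ]; then
    require_rules_file "$dir" "$NAT_RULES"
  fi
done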


#if [ ! -f $NONUFW_RULES ]; then
#  gprintf "Sorry. Can't find file %s\n" "${NONUFW_RULES}"
#  exit -1
#fi

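# ERR-trap handler for the start/nonufw branches: put the snapshot taken
# before the reload back in place, drop the lock and abort.
# The lock is removed even when the restore fails; otherwise the next
# invocation would refuse to run until someone deletes it by hand.
reload_good_conf() {
  gprintf "A problem occured, reloading old config\n"
  if ! $iptrestore < "${BACKUP_FILE}"; then
    # reset_chains already flushed the chains, so the box may be left with a
    # partial ruleset here; say so loudly instead of exiting quietly
    gprintf "Restoring %s failed, firewall may be left partially configured\n" "${BACKUP_FILE}"
  fi
  /bin/rm -f "${LOCK_FILE}"
  exit 1
}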

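# Source the file named by arg1 if it exists, otherwise do nothing.
# arg1 is quoted: with it unquoted a missing argument turned the test into
# `[ -f ]`, which is true, so `.` was then run with no file name and failed.
try_run(){
    if [ -f "$1" ]; then
	. "$1"
    fi
}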

# Flush every rule (-F) and delete every user-defined chain (-X) in the
# filter, nat and mangle tables.  Built-in chain policies are not touched
# here, so what the host accepts between this call and the next rule load
# depends on those policies — worth keeping in mind when reading the
# start/stop branches.
reset_chains() {
    # the filter table is iptables' default when -t is omitted
    "$ipt" -F
    "$ipt" -X
    # the other two tables have to be named explicitly
    for table in nat mangle; do
        "$ipt" -t "$table" -F
        "$ipt" -t "$table" -X
    done
}

# Source the static mangle rule files, then the optional dynamic one.
# Nothing at all is loaded unless BOTH the pre- and post-mangle files exist.
load_mangle(){
  [ -f $MANGLE_RULES_PRE ] || return 0
  [ -f $MANGLE_RULES_POST ] || return 0
  . $MANGLE_RULES_PRE
  . $MANGLE_RULES_POST
  # optional; only sourced when present
  if [ -f $MANGLE_RULES_DYN ]; then
    . $MANGLE_RULES_DYN
  fi
}

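# load rules generated by nuface
# arg1: directory where the rule files have been written
# The files are sourced in chain order (dispatch, input, output, forward,
# nat); input, output and nat are skipped when nuface does not manage that
# chain.  Progress goes through gprintf for every step (the input step used
# a bare echo, which bypassed the localisation the other messages get).
load_dyn_rules(){
  dir=$1
  gprintf " o Dispatch Rules\n"
  . "$dir/$DISPATCH_RULES"
  if [ "$MANAGE_INPUT" = 1 ]; then
    gprintf " o Input Rules\n"
    . "$dir/$INPUT_RULES"
  fi
  if [ "$MANAGE_OUTPUT" = 1 ]; then
    gprintf " o Output Rules\n"
    . "$dir/$OUTPUT_RULES"
  fi
  gprintf " o Forward Rules\n"
  . "$dir/$FWD_RULES"
  if [ "$MANAGE_NAT" = 1 ]; then
    gprintf " o Nat Rules\n"
    . "$dir/$NAT_RULES"
  fi
}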


# load local rules: the single local_rules file first, then every *.rules
# file in local_rules.d.  Each glob hit is re-checked with -f because an
# empty directory leaves the pattern itself unexpanded.
load_local_rules(){
    if [ -f $LOCAL_RULES ]; then
        . $LOCAL_RULES
    fi
    [ -d $LOCAL_RULES_D ] || return 0
    for f in $LOCAL_RULES_D/*.rules; do
        [ -f $f ] || continue
        . $f
    done
}

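# Refuse to run concurrently.  The lock is created under noclobber (O_EXCL),
# so the existence check and the creation are one atomic step rather than a
# check-then-touch race, and it is released on every exit path by the EXIT
# trap below — including the exit inside reload_good_conf and an errexit
# abort, which previously left the lock behind.
if ! ( set -C; : > "${LOCK_FILE}" ) 2>/dev/null; then
  gprintf "Lock file %s exists or cannot be created. Is script already running? If not, please delete lock by hand.\n" "${LOCK_FILE}"
  exit 1
fi
trap '/bin/rm -f "${LOCK_FILE}"' EXIT

rv=0
case "$1" in
  start | restart | reload)
    gprintf "Saving current configuration as good\n"
    # Without a usable snapshot there is nothing to roll back to, so stop
    # before reset_chains flushes the live ruleset.
    if ! $iptsave > "${BACKUP_FILE}"; then
      gprintf "Cannot save current configuration to %s\n" "${BACKUP_FILE}"
      exit 1
    fi
    # -e aborts on the first failing command; -E makes the ERR trap fire for
    # failures inside functions and sourced rule files as well.  Without -E
    # a broken rule file exits the script with the chains already flushed and
    # reload_good_conf never runs.  (bash-specific, like `trap ... ERR`.)
    set -eE
    trap reload_good_conf ERR
    reset_chains
    gprintf "Loading new firewall configuration\n"
    gprintf " o Local rules\n"
    load_local_rules
    load_dyn_rules "$NUFW_RULES_DIR"
    if [ -f "$LOCAL_NAT_RULES" ]; then
      . "$LOCAL_NAT_RULES"
    fi
    load_mangle
    if [ -f "$LDAP_DATA" ]; then
      gprintf "Merging ldap with nupyf\n"
      $nupyf --config "$NUPYF_CONF" --loadldap "$LDAP_DATA"
      rm -f "$LDAP_DATA"
    fi
    set +eE
    # `trap -` alone names no condition; the ERR trap must be cleared explicitly
    trap - ERR
  ;;
  stop)
    gprintf "Loading stopped configuration\n"
    reset_chains
    gprintf " o Local rules\n"
    load_local_rules
    if [ "$MANAGE_INPUT" = 1 ] || [ "$MANAGE_OUTPUT" = 1 ]; then
      gprintf " o Dispatch Rules\n"
      . "$STD_RULES_DIR/$DISPATCH_RULES"
    fi
    if [ "$MANAGE_INPUT" = 1 ]; then
      gprintf " o Input Rules\n"
      . "$STD_RULES_DIR/$INPUT_RULES"
    fi
    # was `[ $MANAGE_OUTPUT ==1 ]`: with "==1" a single word the test can
    # never hold, so the standard output rules were silently skipped on stop
    if [ "$MANAGE_OUTPUT" = 1 ]; then
      gprintf " o Output Rules\n"
      . "$STD_RULES_DIR/$OUTPUT_RULES"
    fi
    if [ -f "$STOP_RULES" ]; then
      gprintf " o Stop Rules\n"
      . "$STOP_RULES"
    fi
  ;;
  nonufw | panic | standard)
    gprintf "Loading \"classical\" firewall configuration\n"
    if ! $iptsave > "${BACKUP_FILE}"; then
      gprintf "Cannot save current configuration to %s\n" "${BACKUP_FILE}"
      exit 1
    fi
    set -eE
    trap reload_good_conf ERR
    reset_chains
    gprintf " o Local rules\n"
    load_local_rules
    load_dyn_rules "$STD_RULES_DIR"
    if [ -f "$LOCAL_NAT_RULES" ]; then
      . "$LOCAL_NAT_RULES"
    fi
    # was `set -e` here, which left errexit switched on for the rest of the run
    set +eE
    trap - ERR
  ;;
  *)
    gprintf "Usage: %s start|stop|restart|reload|nonufw|panic|standard\n" "$0"
    rv=1
  ;;
esac

# the EXIT trap removes the lock file
exit $rv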
