#!/bin/sh

# This file is part of netfilter-persistent
# (was iptables-persistent)
# Copyright (C) 2009, Simon Richter <sjr@debian.org>
# Copyright (C) 2010, 2014 Jonathan Wiltshire <jmw@debian.org>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, either version 3
# of the License, or (at your option) any later version.

set -e

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Source configuration
if [ -f "/etc/default/netfilter-persistent" ]; then
    . /etc/default/netfilter-persistent
fi

load_rules()
{
    #load IPv4 rules
    if [ ! -f /etc/iptables/rules.v4 ]; then
        echo "Warning: skipping IPv4 (no rules to load)"
    else
        iptables-restore < /etc/iptables/rules.v4
    fi
}

save_rules()
{
    if [ ! "${IPTABLES_SKIP_SAVE}x" = "yesx" ]; then
        #save IPv4 rules
        #need at least iptable_filter loaded:
        modprobe -b -q iptable_filter || true
        if [ ! -f /proc/net/ip_tables_names ]; then
            echo "Warning: skipping IPv4 (Kernel support is missing)"
        else
            touch /etc/iptables/rules.v4
            chmod 0640 /etc/iptables/rules.v4
            iptables-save > /etc/iptables/rules.v4
        fi
    fi
}

flush_rules()
{
    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg "Warning: skipping IPv4 (Kernel support is missing)"
    elif [ $(which iptables) ]; then
        for chain in INPUT FORWARD OUTPUT
        do
            iptables -P $chain ACCEPT
        done
        for param in F Z X; do iptables -$param; done
            for table in $(cat /proc/net/ip_tables_names)
                do
                iptables -t $table -F
                iptables -t $table -Z
                iptables -t $table -X
            done
    fi
}

case "$1" in
start|restart|reload|force-reload)
    load_rules
    ;;
save)
    save_rules
    ;;
stop)
    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It's also not always desirable to flush during purge
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
flush)
    flush_rules
    ;;
*)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac
