#!/bin/sh

DAEMON=iptables
. /etc/init.d/modlibrc

STATUSPID=/var/run/iptables-cgi.pid
SAVEFILE=/var/tmp/flash/iptables_rules
MODULES="iptable_filter ip_tables ipt_LOG ipt_REJECT"

kver="$(uname -r)"
case "$kver" in
	2.6.28* | 2.6.32* )
		MODULES="$MODULES x_tables xt_mac xt_mark xt_MARK xt_multiport xt_tcpudp"
		;;
	2.6.19.2 )
		MODULES="$MODULES iptable_nat ip_nat ip_conntrack ip_conntrack_ftp \
			ipt_iprange ipt_MASQUERADE ipt_REDIRECT x_tables xt_state \
			xt_mac xt_mark xt_MARK xt_multiport xt_tcpudp"
		;;
	2.6.13* )
		MODULES="$MODULES iptable_nat ip_conntrack ip_conntrack_ftp ipt_iprange \
			ipt_MASQUERADE ipt_REDIRECT ipt_state ipt_mac ipt_multiport"
		;;
	* )
		echo "Unknown kernel version ($kver). Exiting"
		return 1
		;;
esac

save_rules() {
	echo 'Saving list ... '
	iptables-save > $SAVEFILE
	echo ' done.'
}

start() {
	echo -n 'Loading modules ... '
	for MODUL in $MODULES; do
		modprobe $MODUL
		if [ "$MODUL" = "ip_conntrack" ] && [ -n "$IPTABLES_IP_CONNTRACK_HASHSIZE" ]; then
			echo $IPTABLES_IP_CONNTRACK_HASHSIZE > /sys/module/ip_conntrack/parameters/hashsize
		fi
	done
	echo 'done.'
	echo -n 'Loading table list ... '
	iptables-restore < $SAVEFILE
	touch $STATUSPID
	echo 'done.'
}

save () {
	if grep -q "*gui*" /mod/etc/conf/iptables.cfg; then
	sed -e "s/\*gui\*//g" /mod/etc/conf/iptables.cfg > /var/tmp/iptables_tmp
	cat /var/tmp/iptables_tmp > /mod/etc/conf/iptables.cfg
	rm /var/tmp/iptables_tmp

	if [ -z "$IPTABLES_RULE" ]; then
		save_rules
		exit 0
	fi

	echo 'Starting rule script ... '
	CONFFILE="iptables.cfg"
	CONFPATH="/mod/etc/conf"

	. $CONFPATH/$CONFFILE

	# Source Address
	if [ "$IPTABLES_SOURCE" = "anywhere" -o -z "$IPTABLES_SOURCE" ]; then
		IPTABLES_SOURCE=''
	else
		IPTABLES_SOURCE='-s '$IPTABLES_SOURCE
	fi

	if [ "$IPTABLES_SPORT" = "ANY" -o -z "$IPTABLES_SPORT" ]; then
		IPTABLES_SPORT=''
	else
		IPTABLES_SPORT="--sport "$IPTABLES_SPORT
	fi

	# Destination Address
	if [ "$IPTABLES_DESTINATION" = "anywhere" -o -z "$IPTABLES_DESTINATION" ]; then
		IPTABLES_DESTINATION=''
	else
		IPTABLES_DESTINATION='-d '$IPTABLES_DESTINATION
	fi

	if [ "$IPTABLES_DPORT" = "ANY" -o -z "$IPTABLES_DPORT" ]; then
		IPTABLES_DPORT=''
	else
		IPTABLES_DPORT=$(grep "^"$IPTABLES_DPORT: /tmp/flash/iptables_services | sed -e "s/.*://g")
		IPTABLES_DPORT='--dport '$IPTABLES_DPORT
	fi

	# Input-Interface
	if [ "$IPTABLES_INPUT_INTERFACE" = "ANY" -o -z "$IPTABLES_INPUT_INTERFACE" ]; then
		IPTABLES_INPUT_INTERFACE=''
	else
		if [ "$IPTABLES_CHAIN" != "OUTPUT" ]; then
			IPTABLES_INPUT_INTERFACE='-i '$IPTABLES_INPUT_INTERFACE
		else
			IPTABLES_INPUT_INTERFACE=''
		fi
	fi
	# Output-Interface
	if [ "$IPTABLES_OUTPUT_INTERFACE" = "ANY" -o -z "$IPTABLES_OUTPUT_INTERFACE" ]; then
		IPTABLES_OUTPUT_INTERFACE=''
	else
		if [ "$IPTABLES_CHAIN" != "INPUT" ]; then
			IPTABLES_OUTPUT_INTERFACE='-o '$IPTABLES_OUTPUT_INTERFACE
		else
			IPTABLES_OUTPUT_INTERFACE=''
		fi
	fi
	# NAT
	if [ "$IPTABLES_NAT" != "None" ]; then
		IPTABLES_RULE="-t nat "$IPTABLES_RULE
		IPTABLES_ACTION=$IPTABLES_NAT
		IPTABLES_INPUT_INTERFACE="-o ${IPTABLES_INPUT_INTERFACE//-i /}"
		if [ "$IPTABLES_NAT" != "Normal" ]; then
			SPECIAL="--to ${IPTABLES_DESTINATION//-d /}"
			IPTABLES_DESTINATION=''
		fi
	fi

	# Apply rule
	echo "iptables $IPTABLES_RULE $IPTABLES_CHAIN $IPTABLES_POSITION $IPTABLES_SOURCE $IPTABLES_DESTINATION -p $IPTABLES_PROTOKOLL $IPTABLES_SPORT $IPTABLES_DPORT $IPTABLES_INPUT_INTERFACE $IPTABLES_OUTPUT_INTERFACE -j $IPTABLES_ACTION $SPECIAL"
	iptables $IPTABLES_RULE $IPTABLES_CHAIN $IPTABLES_POSITION $IPTABLES_SOURCE $IPTABLES_DESTINATION -p $IPTABLES_PROTOKOLL $IPTABLES_SPORT $IPTABLES_DPORT $IPTABLES_INPUT_INTERFACE $IPTABLES_OUTPUT_INTERFACE -j $IPTABLES_ACTION $SPECIAL > /dev/null 2>&1

	exitval=$?
	if [ "$exitval" -eq 0 ]; then
		echo 'Rule setting done.'
		save_rules
	else
		echo 'Rule setting failed.'
		exit $exitval
	fi
	else
		echo "ERROR: Can only be used by GUI."
		exit 1
	fi
}

stop () {
	echo -n 'Flushing rules and unloading modules ... '
	iptables -F
	iptables -X
	for t in $(cat /proc/net/ip_tables_names 2>/dev/null); do
		iptables -t $t -F
		iptables -t $t -X
	done
	# remove modules in reverse order
	reverse_list=
	for MODUL in $MODULES; do
		reverse_list="$MODUL $reverse_list"
	done
	for MODUL in $reverse_list; do
		rmmod $MODUL
	done
	rm -rf $STATUSPID 2>/dev/null
	echo 'done.'
}

case $1 in
	""|load)
		modreg cgi 'iptables' 'Iptables'
		modreg daemon $DAEMON
		modreg extra iptables "" 2 controller
		modreg conf iptables editor 'Editor'
		modreg file iptables rules '$(lang de:"Regeln" en:"Rules")' 0 "iptables"
		modreg file iptables services 'Services' 0 "services"

		[ ! -r "/var/tmp/flash/iptables_services" ] && cp /mod/etc/default.iptables/iptables_services /var/tmp/flash/iptables_services
		[ ! -r "/var/tmp/flash/iptables_rules" ] && touch /var/tmp/flash/iptables_rules

		modlib_start $IPTABLES_ENABLED
		;;
	start)
		if [ -e $STATUSPID ]; then
			echo "$DAEMON is already running."
			exit 1
		fi
		start
		;;
	stop)
		if [ ! -e $STATUSPID ]; then
			echo "$DAEMON is not running."
			exit 1
		fi
		stop
		;;
	restart)
		stop
		sleep 1
		start
		;;
	status)
		[ -e $STATUSPID ] && echo 'running' || echo 'stopped'
		;;
	save)
		[ -e $STATUSPID ] || start
		save
		;;

	unload)
		modunreg cgi iptables
		modunreg daemon $DAEMON
		modunreg conf iptables editor
		modunreg file iptables
		stop
		;;
	*)
		echo "Usage: $0 [load|unload|start|stop|restart|status]" 1>&2
		exit 1
		;;
esac

exit 0