#!/bin/sh

DAEMON=avm-firewall
. /etc/init.d/modlibrc

# Variablen fuer Pfade
REAL=/var/flash/ar7.cfg
REALCOPY=/var/tmp/firewall.ar7.copy
CONFIG=/mod/etc/conf/avm-firewall.cfg
TEMP1=/var/tmp/firewall.temp1

config() {
	# Suche nach Bereich von "dslifaces" bis "} {"
	DSLIFACES=$(cat $REAL | sed -n '/dslifaces/,/} {/p')
	# In diesem Bereich der von "lowinput" bis zu schliessenden Klammer
	LOWINPUT=$(echo "$DSLIFACES" | sed -n '/lowinput/,/}/p')
	# "policy" und "accesslit" String erzeugen
	# nur policy ist immer da, denn leere Rulestabelle ist ohne accesslist-Eintrag!
	POL=$(echo "$DSLIFACES" | sed '/policy/!d ; q' | sed 's/\(^.*= "\).*/\1/')
	ACCL=$(echo "$POL" | sed 's/policy = "/accesslist = /')
	SPACES=${ACCL//?/ }
	RET=$'\n'

	# Die eigentlichen Rules rauslesen (Am Anfang Leereichen und " loeschen, am Ende die ", oder "; Kombination)
	LIRULES=$(echo "$LOWINPUT" | sed -n "s/^[ ]*\(accesslist = \)*\"//g ; /^permit\|^deny\|^reject/ {s/\"[,;]//g;s/[ ]*$//gp}")
	LIPOL=$(echo "$LOWINPUT" | grep "policy =" | sed 's/^.*policy.*"\(.*\)";/\1/')

	HIGHOUTPUT=$(echo "$DSLIFACES" | sed -n '/highoutput/,/}/p')
	HORULES=$(echo "$HIGHOUTPUT" | sed -n "s/^[ ]*\(accesslist = \)*\"//g ; /^permit\|^deny\|^reject/ {s/\"[,;]//g;s/[ ]*$//gp}")
	HOPOL=$(echo "$HIGHOUTPUT" | grep "policy =" | sed 's/^.*policy.*"\(.*\)";/\1/')

	# Die FWD-Rules rauslesen (Am Anfang Leereichen und alles bis zum " loeschen, am Ende die ", oder "; Kombination)
	# dafuer wird der "gewuenschte Teil" im Ausdruck mit \( und \) eingefasst und mit \1 ersetzt
	FWDRULES=$(echo "$DSLIFACES" | sed -n '/forwardrules/,/;/ { /shaper/ q ; s/^[^"]*"\(.*\)"[,;][ ]*/\1/gp}')
	FWDSTART=$(echo "$DSLIFACES" | sed -n 's/lowinput.*/forwardrules = /p')
	ENDBRACE=$(echo "$DSLIFACES" | sed -n 's/lowinput.*/\}/p')
	FWDSPACES=${FWDSTART//?/ }
}

load() {
	BOXID=$(sed -n 's/ProductID[ ]*//gp' /proc/sys/urlader/environment | tr -d '\t')
	BOXOEM=$(cat /proc/sys/urlader/firmware_version)
	# Original Regeln Kennzeichnen, falls noch nicht geschehen
	if [ $(sed "/targets/q" $REAL | grep -c '/\*AVM\*/') -eq 0 ]; then
		DEFar7=$(cat "/etc/default.$BOXID/$BOXOEM/ar7.cfg" | sed -n '/dslifaces/,/} {/p')
		DEFli=$(echo "$DEFar7" | sed -n '/lowinput/,/}/p' | sed -n "s/^[ ]*\"//g ; /^permit\|^deny\|^reject/ s/\"[,;][ ]*/%/gp" | tr '\n' '|' | sed 's/%|$//' | tr '%' '\')
		DEFho=$(echo "$DEFar7" | sed -n '/highoutput/,/}/p' | sed -n "s/^[ ]*\"//g ; /^permit\|^deny\|^reject/ s/\"[,;][ ]*/%/gp" | tr '\n' '|' | sed 's/%|$//' | tr '%' '\')
		tmp='cat $REAL | sed "/dslifaces/,/lowoutput/ {/'$DEFli'/ s/^[ ]*\".*\"[,;][ ]*$/&\/*AVM*\/ /g}" | sed "/dslifaces/,/} {/  {/highoutput/,/}/ {/'$DEFho'/ s/^[ ]*\".*\"[,;][ ]*$/&\/*AVM*\/ /g}}" > $REALCOPY'
		eval $tmp
		cat $REALCOPY > $REAL
	fi

	config

	echo "$(cat $CONFIG | grep '_cgi\|_LOG')" > $CONFIG
	echo "export AVM_FIREWALL_DO_ACTIVATE=''" >> $CONFIG
	echo "export AVM_FIREWALL_GUI=''" >> $CONFIG
	echo "export AVM_FIREWALL_RULESTABLE_LI='$LIRULES'" >> $CONFIG
	echo "export AVM_FIREWALL_RULESTABLE_HO='$HORULES'" >> $CONFIG
	echo "export AVM_FIREWALL_POLICY_LI='$LIPOL'" >> $CONFIG
	echo "export AVM_FIREWALL_POLICY_HO='$HOPOL'" >> $CONFIG
	echo "export AVM_FIREWALL_FORWARDINGRULES='$FWDRULES'" >> $CONFIG
}

save() {
	config
	if grep -q "*gui*" /mod/etc/conf/avm-firewall.cfg || [ "$1" = defaults_restored ]; then
		echo "$(sed -e "s/\*gui\*//g" $CONFIG)" > $CONFIG
		echo -n "Saving new firewall rules ... "

		# Die LI-Accesslist (vorne "Spaces", dann die "Rules" ans Ende ", letzte Zeile "; )
		TMPACCL="" && [ -n "$AVM_FIREWALL_RULESTABLE_LI" ] && TMPACCL="$RET$ACCL$RET"$(echo "$AVM_FIREWALL_RULESTABLE_LI" | sed "s/^/$SPACES\"/ ; s%\(..\)[ ]*\(/\*.*\*/\)*[ ]*$%\1\", \2 % ; $ s/, /;/")
		LI="$POL$AVM_FIREWALL_POLICY_LI\";$TMPACCL"
		# Die HO-Liste ...
		TMPACCL="" && [ -n "$AVM_FIREWALL_RULESTABLE_HO" ] && TMPACCL="$RET$ACCL$RET"$(echo "$AVM_FIREWALL_RULESTABLE_HO" | sed "s/^/$SPACES\"/ ; s%\(..\)[ ]*\(/\*.*\*/\)*[ ]*$%\1\", \2 % ; $ s/, /;/")
		HO="$POL$AVM_FIREWALL_POLICY_HO\";$TMPACCL"
		# Die Forwarding-Regeln ...
		FWD=$ENDBRACE && [ -n "$AVM_FIREWALL_FORWARDINGRULES" ] && FWD="${ENDBRACE}${RET}${FWDSTART}\""$(echo "$AVM_FIREWALL_FORWARDINGRULES" | sed "2,$ s/^/$FWDSPACES\"/ ; s%\(..\)[ ]*\(/\*.*\*/\)*[ ]*$%\1\", \2% ; $ s/,/;/")
		# ... und alles Einsetzen ...
		cat $REAL | awk -v v1="$LI" -v v2="$HO" -v v3="$FWD" '/dslifaces/ {ifstart=1} ;/targets/ {ifstart=0}; /lowinput/{if (ifstart && !liend) {listart=1}};/highoutput/{if (ifstart && !hoend) {hostart=1}}; /policy/{{if (listart) {lirules=1;printli=1}}; {if (hostart) {horules=1;printho=1}}};/\}/{{if (lirules) {lirules=0; listart=0}}; {if(horules){horules=0; hostart=0 ; fwd=1 }}} ;/shaper/||/}/{if (fwd && fwdready) {fwd=0}} ;{if (lirules) {{if (printli) {print v1; liend=1; printli=0}}; {next}}} ;{if(horules){{if (printho){ print v2; hoend=1; printho=0}}; {next}}}; {if (fwd){ { if (!fwdready) {print v3; fwdready=1}}; {next}}}; {print}' > $REALCOPY

		# echte ar7.cfg schreiben
		cat $REALCOPY > $REAL
		echo "done."
	else
		echo "ERROR: Can only be used by GUI."
	fi
}

case $1 in
	""|load)
		modreg cgi $DAEMON AVM-Firewall
		modreg daemon --hide avm-firewall
		load
		;;
	unload)
		modunreg cgi $DAEMON
		modunreg daemon avm-firewall
		config
		;;
	save)
		save "$2"
		;;
	*)
		echo "Usage: $0 [load|unload|save]" 1>&2
		exit 1
		;;
esac

exit 0