#!/bin/sh
### BEGIN INIT INFO
# Provides:          univention-firewall
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Univention iptables --wait configuration
### END INIT INFO
# SPDX-FileCopyrightText: 2004-2025 Univention GmbH
# SPDX-License-Identifier: AGPL-3.0-only

. /lib/lsb/init-functions
NAME='univention-firewall'
DESC=$(get_lsb_header_val "$0" Short-Description)
. /usr/share/univention-lib/ucr.sh

apply_docker_rules () {
	local rule="/etc/security/packetfilter.d/20_docker.sh"
	if [ -x "$rule" ]; then
		if ! is_ucr_true security/packetfilter/docker/disabled; then
			$rule
		fi
	fi
}

case "$1" in
    start)
        if ! iptables --wait -t filter -L 2> /dev/null > /dev/null ; then
            log_warning_msg "$NAME: iptables --wait seems to be unsupported."
        elif is_ucr_true security/packetfilter/disabled; then
            # Notice that only a proper "true" or "on" value switches firewall OFF.
            # Everything else like "false" or "off" or "muell" will leave firewall ON.
            log_warning_msg "$DESC has been disabled."
            # always apply docker rules during start
            apply_docker_rules
        else
            "$0" flush
            log_action_begin_msg "Starting $DESC"
            if [ -x /etc/security/packetfilter.d ] ; then
                run-parts --regex='^[a-zA-Z0-9_-]+([.]sh)?$' /etc/security/packetfilter.d/
            fi
            log_action_end_msg $?
        fi
        ;;
    stop)
        if ! iptables --wait -t filter -L 2> /dev/null > /dev/null ; then
            log_warning_msg "$NAME: iptables --wait seems to be unsupported."
        elif is_ucr_true security/packetfilter/disabled; then
            log_warning_msg "$DESC has been disabled.\nUse 'service univention-firewall flush' to remove existing iptable chains."
        else
            "$0" flush
            log_daemon_msg "Stopping $DESC"
        fi
        ;;
    restart|force-reload)
        if ! iptables --wait -t filter -L 2> /dev/null > /dev/null ; then
            log_warning_msg "$NAME: iptables --wait seems to be unsupported."
        else
            "$0" stop
            "$0" start
        fi
        ;;
    flush)
        if ! iptables --wait -t filter -L 2> /dev/null > /dev/null ; then
            log_warning_msg "$NAME: iptables --wait seems to be unsupported."
        else
            log_daemon_msg "Flushing all iptable chains"
            rc=0
            iptables --wait -P INPUT ACCEPT || rc=$?
            iptables --wait -P OUTPUT ACCEPT || rc=$?
            iptables --wait -F || rc=$?
            iptables --wait -F -t nat || rc=$?
            iptables --wait -F -t mangle || rc=$?
            # always apply docker rules during stop
            apply_docker_rules
            ip6tables --wait -P INPUT ACCEPT || rc=$?
            ip6tables --wait -P OUTPUT ACCEPT || rc=$?
            ip6tables --wait -F || rc=$?
            ip6tables --wait -F -t mangle || rc=$?
            log_action_end_msg $rc
        fi
        ;;
    status)
        if is_ucr_true security/packetfilter/disabled
        then
            log_failure_msg "$DESC is disabled."
            exit 3
        else
            log_success_msg "$DESC is enabled"
            exit 0
        fi
        ;;
    *)
        log_action_msg "Usage: $0 {start|stop|restart|force-reload|flush|status}"
        exit 1
        ;;
esac
