#!/bin/sh
# shellcheck disable=SC2039

. /lib/functions.sh
. /lib/functions/network.sh

up_rules() {
	local iface="$1"
	local dev="$2"

	case "$iface" in
		wan)
	        iptables -A INPUT -i "$dev" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
			[ "$(uci_get ffwizard settings block_wan_port 0)" -eq 1 ] && {
		        iptables -A INPUT -i "$dev" -j REJECT
			}
			# mss clamping 
			iptables -t mangle -A POSTROUTING -p tcp \
				--tcp-flags SYN,RST SYN -o "$dev" \
				-j TCPMSS --clamp-mss-to-pmtu
			# nat
			iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
			# forbid access to wan subnet (e.g. fritzbox of user)
			# fix static ip
			[ "$(uci_get ffwizard settings restrict 0)" -eq 1 ] && {
				# disable restrict access to local net when ip is static
				[ "$(uci_get network wan proto dhcp)" = "static" ] || { 
					network_get_subnets wan_subnet	"$iface"
					network_get_subnets6 wan_subnet6 "$iface" 
					[ -n "$wan_subnet" ]  && {
						iptables -N restrict-localnet 
						iptables -A restrict-localnet \
							-s "$wan_subnet" -i "$dev" -j REJECT
						iptables -A FORWARD \
							-j restrict-localnet
					}
					[ -n "$wan_subnet6" ] && { 
						ip6tables -N restrict-localnet6
						ip6tables -A restrict-localnet6 \
							-s "$wan_subnet6" -i "$dev" -j REJECT
						ip6tables -A FORWARD \
							-j restrict-localnet6
					} 
				}
			}
			# no internet without vpn
			[ "$(uci_get ffwizard vpn paranoia 0)" -eq 1 ] &&
			[ "$(uci_get ffwizard vpn mode)" = "all" ] &&
			[ "$(uci_get ffwizard vpn enabled)" -eq 1 ] && {
				iptables -N paranoia-vpn
				iptables -A paranoia-vpn -i wlan+ -o "$dev" -j REJECT
				iptables -A paranoia-vpn -i br-vap -o "$dev" -j REJECT
				iptables -A paranoia-vpn -i br-roam -o "$dev" -j REJECT
				iptables -A FORWARD -j paranoia-vpn
			}
		;;
		vpn|lan|fastd|vap|roam|radio0_*|radio1_*)
			# mss clamping 
			iptables -t mangle -A POSTROUTING -p tcp \
				--tcp-flags SYN,RST SYN -o "$dev" \
				-j TCPMSS --clamp-mss-to-pmtu
			# nat
			iptables -t nat -N nat-"$iface"
			# for roaming we need to nat everything
			[ "$iface" = "roam" ] || iptables -t nat -A nat-"$iface" -s 10.63.0.0/16 -j RETURN
			iptables -t nat -A nat-"$iface" -j MASQUERADE
			iptables -t nat -A POSTROUTING -o "$dev" -j nat-"$iface"
		;; 
	esac
}

down_rules() {
	local iface="$1"
	local dev="$2"

	case "$iface" in
		wan)
            iptables -D INPUT -i "$dev" -j REJECT
			iptables -D INPUT -i "$dev" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
			# mss clamping
			iptables -t mangle -D POSTROUTING -p tcp \
				--tcp-flags SYN,RST SYN -o "$dev" \
				-j TCPMSS --clamp-mss-to-pmtu
			# nat
			iptables -t nat -D POSTROUTING -o "$dev" -j MASQUERADE
			# forbid access to wan subnet (e.g. fritzbox of user)
			[ "$(uci_get ffwizard settings restrict 0)" -eq 1 ] && {
				# disable restrict access to local net when ip is static
				[ "$(uci_get network wan proto dhcp)" = "static" ] || { 
					network_get_subnets wan_subnet	"$iface"
					network_get_subnets6 wan_subnet6 "$iface" 
					[ -n "$wan_subnet" ] && {
						iptables -D FORWARD -j restrict-local
						iptables -F restrict-localnet
						iptables -X restrict-localnet 
					}
					[ -n "$wan_subnet6" ] && {
						ip6tables -D FORWARD -j restrict-localnet6
						ip6tables -F restrict-localnet6
						ip6tables -X restrict-localnet6
					}
				}
			}
			# no internet without vpn
			[ "$(uci_get ffwizard vpn paranoia 0)" -eq 1 ] &&
			[ "$(uci_get ffwizard vpn mode)" = "all" ] &&
			[ "$(uci_get ffwizard vpn enabled)" -eq 1 ] && {
				iptables -D FORWARD -j paranoia-vpn
				iptables -F paranoia-vpn
				iptables -X paranoia-vpn
			}
			;;
		    vpn|fastd|vap|roam|radio0_*|radio1_*)
			# mss clamping 
			iptables -t mangle -D POSTROUTING -p tcp \
				--tcp-flags SYN,RST SYN -o "$dev" \
				-j TCPMSS --clamp-mss-to-pmtu
			# nat
			iptables -t nat -D POSTROUTING -o "$dev" -j nat-"$iface"
			iptables -t nat -F nat-"$iface"
			iptables -t nat -X nat-"$iface"
		;;
		
	esac
}

case "$ACTION" in
		ifup)
			up_rules "$INTERFACE" "$DEVICE"
		;;
		ifdown)
			down_rules "$INTERFACE" "$DEVICE"
		;;

esac

# vim: set filetype=sh ai noet ts=4 sw=4 sts=4 :
