#!/bin/bash
#
#  Copyright (c) 2021, The OpenThread Authors.
#  All rights reserved.
#
#  Redistribution and use in source and binary forms, with or without
#  modification, are permitted provided that the following conditions are met:
#  1. Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#  2. Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer in the
#     documentation and/or other materials provided with the distribution.
#  3. Neither the name of the copyright holder nor the
#     names of its contributors may be used to endorse or promote products
#     derived from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#  POSSIBILITY OF SUCH DAMAGE.
#
### BEGIN INIT INFO
# Provides:          otbr-firewall
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: OTBR firewall
# Description:       This service sets up firewall for OTBR.
### END INIT INFO

THREAD_IF="wpan0"
OTBR_FORWARD_INGRESS_CHAIN="OTBR_FORWARD_INGRESS"

. /lib/lsb/init-functions
. /lib/init/vars.sh

set -euxo pipefail

ipset_destroy_if_exist()
{
    if ipset list "$1"; then
        ipset destroy "$1"
    fi
}

firewall_start()
{
    firewall_stop
    ipset create -exist otbr-ingress-deny-src hash:net family inet6
    ipset create -exist otbr-ingress-deny-src-swap hash:net family inet6
    ipset create -exist otbr-ingress-allow-dst hash:net family inet6
    ipset create -exist otbr-ingress-allow-dst-swap hash:net family inet6

    ip6tables -N $OTBR_FORWARD_INGRESS_CHAIN
    ip6tables -I FORWARD 1 -o $THREAD_IF -j $OTBR_FORWARD_INGRESS_CHAIN

    ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m pkttype --pkt-type unicast -i $THREAD_IF -j DROP
    ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m set --match-set otbr-ingress-deny-src src -j DROP
    ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
    ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -m pkttype --pkt-type unicast -j DROP
    ip6tables -A $OTBR_FORWARD_INGRESS_CHAIN -j ACCEPT
}

firewall_stop()
{
    while ip6tables -C FORWARD -o $THREAD_IF -j $OTBR_FORWARD_INGRESS_CHAIN; do
        ip6tables -D FORWARD -o $THREAD_IF -j $OTBR_FORWARD_INGRESS_CHAIN
    done

    if ip6tables -L $OTBR_FORWARD_INGRESS_CHAIN; then
        ip6tables -w -F $OTBR_FORWARD_INGRESS_CHAIN
        ip6tables -w -X $OTBR_FORWARD_INGRESS_CHAIN
    fi

    ipset_destroy_if_exist otbr-ingress-deny-src
    ipset_destroy_if_exist otbr-ingress-deny-src-swap
    ipset_destroy_if_exist otbr-ingress-allow-dst
    ipset_destroy_if_exist otbr-ingress-allow-dst-swap
}

case "$1" in
    start)
        firewall_start
        ;;
    restart | reload | force-reload)
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
    stop)
        firewall_stop
        ;;
    status)
        # No-op
        ;;
    *)
        echo "Usage: $0 start|stop" >&2
        exit 3
        ;;
esac