#!/bin/sh

# This file is part of netfilter-persistent
# (was iptables-persistent)
# Copyright (C) 2009, Simon Richter <sjr@debian.org>
# Copyright (C) 2010, 2014 Jonathan Wiltshire <jmw@debian.org>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, either version 3
# of the License, or (at your option) any later version.

rc=0

load_rules()
{
	#load IPv6 rules
	if [ ! -f /etc/iptables/rules.v6 ]; then
		echo "Warning: skipping IPv6 (no rules to load)"
	else
{%- if provider == 'iptables-restore' %}
		ip6tables-restore --test < /etc/iptables/rules.v6 2> /dev/null
		if [ $? -ne 0 ]; then
			rc=1
		else
			ip6tables-save > /etc/iptables/rules.v6.bak
			grep -v __saltstack__ /etc/iptables/rules.v6.bak | ip6tables-restore 2> /dev/null
			ip6tables-restore --noflush < /etc/iptables/rules.v6 2> /dev/null
			if [ $? -ne 0 ]; then
				rc=1
				ip6tables-restore < /etc/iptables/rules.v6.bak 2> /dev/null
			fi
		fi
{%- else %}
		ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
		if [ $? -ne 0 ]; then
			rc=1
		fi
{%- endif %}
	fi
}

save_rules()
{
	#save IPv6 rules
	#need at least ip6table_filter loaded:
	/sbin/modprobe -q ip6table_filter
	if [ ! -f /proc/net/ip6_tables_names ]; then
		log_action_cont_msg "Warning: skipping IPv6 (no modules loaded)"
	elif [ -x /sbin/ip6tables-save ]; then
		touch /etc/iptables/rules.v6
		chmod 0640 /etc/iptables/rules.v6
		ip6tables-save > /etc/iptables/rules.v6
		if [ $? -ne 0 ]; then
			rc=1
		fi
	fi
}

flush_rules()
{
	if [ ! -f /proc/net/ip6_tables_names ]; then
		echo "Warning: skipping IPv6 (no module loaded)"
	elif [ -x /sbin/ip6tables ]; then
		for param in F Z X; do /sbin/ip6tables -$param; done
		for table in $(cat /proc/net/ip6_tables_names)
		do
			/sbin/ip6tables -t $table -F
			/sbin/ip6tables -t $table -Z
			/sbin/ip6tables -t $table -X
		done
		for chain in INPUT FORWARD OUTPUT
		do
			/sbin/ip6tables -P $chain ACCEPT
		done
	fi
}

case "$1" in
start|restart|reload|force-reload)
	load_rules
	;;
save)
	save_rules
	;;
stop)
	# Why? because if stop is used, the firewall gets flushed for a variable
	# amount of time during package upgrades, leaving the machine vulnerable
	# It's also not always desirable to flush during purge
	echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
	;;
flush)
	flush_rules
	;;
*)
	echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
	exit 1
	;;
esac

exit $rc