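#!/usr/bin/env bash

# Bashtard playbook that manages an nftables ruleset rendered from the
# playbook's config keys (everything under "$BASHTARD_PLAYBOOK").
#
# NOTE(review): config, config_subkeys, info, pkg and svc are Bashtard
# runtime helpers defined outside this file; their exact contracts are
# assumed from how they are used here. Values read from config are written
# verbatim into the nft ruleset, so the config file is trusted input.

# Install nftables, render the ruleset once, then enable and start the
# service. playbook_sync skips its own restart when BASHTARD_COMMAND is
# "add", which is why the service is started explicitly here.
playbook_add() {
	pkg install nftables
	playbook_sync
	svc enable nftables
	svc start nftables
}

# Emit the conntrack state rules for the input chain.
# Reads: input.state.{established,related,invalid}.policy
_nft_input_state_rules() {
	info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for conntrack state"
	printf "\n"
	printf "\t\tct state established %s;\n" \
		"$(config "$BASHTARD_PLAYBOOK.input.state.established.policy" "accept")"
	printf "\t\tct state related %s;\n" \
		"$(config "$BASHTARD_PLAYBOOK.input.state.related.policy" "accept")"
	printf "\t\tct state invalid %s;\n" \
		"$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")"
}

# Emit one "iifname <iface> <policy>" rule per configured interface.
# Reads: input.interfaces.<iface>.policy (no default; an unset policy
# yields a rule with no verdict, which nft will reject at load time)
_nft_input_interface_rules() {
	local iface verdict
	printf "\n"
	while read -r iface
	do
		info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for interface $iface"
		verdict="$(config "$BASHTARD_PLAYBOOK.input.interfaces.$iface.policy")"
		printf "\t\tiifname %s %s;\n" "$iface" "$verdict"
	done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.interfaces")
}

# Emit the ICMP / ICMPv6 rules, with an optional "limit rate" clause.
# Reads: input.icmp.{ipv4,ipv6}.rate (optional), input.icmp.{ipv4,ipv6}.policy
_nft_input_icmp_rules() {
	local rate4 rate6
	info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP"
	printf "\n"

	# IPv4: the rate clause is only emitted when a rate is configured, so no
	# default is needed for the second lookup.
	rate4="$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "")"
	printf "\t\tmeta l4proto icmp"
	if [[ -n "$rate4" ]]
	then
		printf " limit rate %s" "$rate4"
	fi
	printf " %s;\n" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.policy" "accept")"

	# IPv6
	rate6="$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "")"
	printf "\t\tmeta l4proto ipv6-icmp"
	if [[ -n "$rate6" ]]
	then
		printf " limit rate %s" "$rate6"
	fi
	printf " %s;\n" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.policy" "accept")"
}

# Emit one port-based rule per configured custom rule name.
# Reads: input.rules.<name>.{proto,port,policy}
# The rule name is written inside a double-quoted nft "comment"; a name
# containing a double quote would break the generated file (nft -f then
# fails to load it). Keys come from the operator's config, so this is not
# escaped here — keep rule names to plain identifiers.
_nft_input_custom_rules() {
	local rule
	printf "\n"
	while read -r rule
	do
		info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for custom rule $rule"
		printf "\t\tmeta l4proto { %s } th" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.proto")"
		printf " dport %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.port")"
		printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.policy" "accept")"
		printf " comment \"%s\"" "$rule"
		printf ";\n"
	done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.rules")
}

# Render "$(config fs.etcdir)/nftables.conf" from config. Unless invoked
# from playbook_add (BASHTARD_COMMAND == "add"), restart nftables so the new
# ruleset is loaded.
#
# Reads (under $BASHTARD_PLAYBOOK): binpath, input.policy, and the keys
# documented on the _nft_input_* helpers above. The forward and output
# chains are emitted empty (default accept).
playbook_sync() {
	local conf policy
	conf="$(config "fs.etcdir")/nftables.conf"

	{
		printf "#!%s -f\n\n" "$(config "$BASHTARD_PLAYBOOK.binpath" "/usr/sbin/nft")"
		printf "flush ruleset\n\n"
		printf "table inet filter {\n"
		printf "\tchain input {\n"
		printf "\t\ttype filter hook input priority filter;\n"

		_nft_input_state_rules
		_nft_input_interface_rules
		_nft_input_icmp_rules
		_nft_input_custom_rules

		# Fallback for traffic no rule above matched: log and count it, then
		# apply the configured verdict. The verdict comes from input.policy so
		# that key has an effect — an unconditional "drop" in this rule would
		# make a configured "accept" policy unreachable, since the explicit
		# rule runs before the chain policy.
		policy="$(config "$BASHTARD_PLAYBOOK.input.policy" "drop")"
		printf "\n"
		printf "\t\tlog prefix \"[nftables] \" counter %s;\n" "$policy"
		printf "\t\tpolicy %s;\n" "$policy"
		printf "\t}\n"

		printf "\tchain forward {\n"
		printf "\t\ttype filter hook forward priority filter;\n"
		# TODO: Add forward rules
		printf "\t}\n"

		printf "\tchain output {\n"
		printf "\t\ttype filter hook output priority filter;\n"
		# TODO: Add output rules
		printf "\t}\n"

		printf "}\n"
	} > "$conf"

	# playbook_add starts the service itself after this call.
	[[ "$BASHTARD_COMMAND" == "add" ]] && return

	svc restart nftables
}

# Stop and remove nftables, then delete the files this playbook manages.
# Bails out before touching anything if fs.etcdir is empty, so the rm
# below can never resolve to a path directly under "/".
playbook_del() {
	local etcdir
	etcdir="$(config "fs.etcdir")"
	if [[ -z "$etcdir" ]]
	then
		printf '%s\n' "$BASHTARD_PLAYBOOK/del: fs.etcdir is empty, refusing to remove files" >&2
		return 1
	fi

	svc stop nftables
	svc disable nftables
	pkg uninstall nftables

	# nftables.conf is what playbook_sync writes; the nftables directory is
	# removed as before in case one exists alongside it.
	rm -f -- "$etcdir/nftables.conf"
	rm -fr -- "$etcdir/nftables"
}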