#!/bin/sh /etc/rc.common
# Copyright (C) 2013 Project Gluon
#
# Firewall script for inserting and removing ebtables rules.
#
# Example format, for filtering any IPv4 multicast packets to the SSDP UDP port:
# rule FORWARD --logical-out br-client -d Multicast -p IPv4 --ip-protocol udp --ip-destination-port 5355 -j DROP
#
# Removing all rules:
# $ /etc/init.d/gluon-ebtables stop
# Inserting all rules:
# $ /etc/init.d/gluon-ebtables start
# Inserting a specific rule file:
# $ /etc/init.d/gluon-ebtables start /lib/gluon/ebtables/100-mcast-chain
# Removing a specific rule file:
# $ /etc/init.d/gluon-ebtables stop /lib/gluon/ebtables/100-mcast-chain


START=19
STOP=91


exec_file() {
	local file="$1"

	/usr/bin/lua -e "
		function rule(command, table)
			table = table or 'filter'
			os.execute($EBTABLES_RULE)
		end
		function chain(name, policy, table)
			table = table or 'filter'
			os.execute($EBTABLES_CHAIN)
		end

	" "$file"
}

exec_all() {
	local sort_arg="$1"

	local old_ifs="$IFS"
	IFS='
'
	for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do
		exec_file "$file"
	done
	IFS="$old_ifs"
}


start() {
	(
		export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -A " .. command'
		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. "  -N " .. name .. " -P " .. policy'

		# Contains /var/lib/ebtables/lock for '--concurrent'
		[ ! -d "/var/lib/ebtables" ] && \
			mkdir -p /var/lib/ebtables

		if [ -z "$1" ]; then
			exec_all ''
		else
			exec_file "$1"
		fi
	)
}

stop() {
	(
		export EBTABLES_RULE='"ebtables-tiny -t " ..	table .. " -D " .. command'
		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -X " .. name'

		if [ -z "$1" ]; then
			exec_all '-r'
		else
			exec_file "$1"
		fi
	)
}
