#!/bin/bash

NFT="/usr/sbin/nft"

NFTABLES_COMMAND="${1}"

NFTABLES_CONFIG="/etc/nftables.conf"
NFTABLES_AUTO_CONFIG="/etc/nftables-auto.conf"

case "${NFTABLES_COMMAND}" in
  start | reload)
    NFTABLES_USE_CONFIG="${NFTABLES_CONFIG}"
    if [ -e "${NFTABLES_AUTO_CONFIG}" ] ; then
      if [ -s "${NFTABLES_AUTO_CONFIG}" ] ; then
        NFTABLES_USE_CONFIG="${NFTABLES_AUTO_CONFIG}"
      else
        echo "Not loading empty '${NFTABLES_AUTO_CONFIG}'. Falling back to '${NFTABLES_CONFIG}'."
      fi
    fi

    if ${NFT} --check --file "${NFTABLES_USE_CONFIG}" ; then
      echo "Loading '${NFTABLES_USE_CONFIG}'"
      ${NFT} --file "${NFTABLES_USE_CONFIG}"
    else
      echo "nft --check for '${NFTABLES_USE_CONFIG}' failed. Not loading the config."
      exit 1
    fi
  ;;
  stop)
    NFTABLES_RULESET_LINECOUNT=$(nft list ruleset | wc -l)
    if [ -e "${NFTABLES_AUTO_CONFIG}" ] ; then
      if [ $NFTABLES_RULESET_LINECOUNT -gt 0 ] ; then
        echo "Saving current ruleset to '${NFTABLES_AUTO_CONFIG}'"
        echo "flush ruleset" > "${NFTABLES_AUTO_CONFIG}"
        ${NFT} list ruleset >> "${NFTABLES_AUTO_CONFIG}"
      else
        echo "Not saving empty ruleset"
      fi
    fi
    ${NFT} flush ruleset
  ;;
  *)
     echo "Usage: ${0} (start|stop|reload)"
     echo ""
     echo "If '${NFTABLES_AUTO_CONFIG}' exists then the stop action will save the current ruleset to this file and load the config from this file, if it is not empty. In case of an empty file it will load the normal config file."
     echo ""
     echo "Otherwise '${NFTABLES_CONFIG}' will be used and the stop action will only flush the ruleset."
  ;;
esac
