#!/bin/bash
#
# qubes-iptables	Start Qubes base iptables firewall
#
# chkconfig: 2345 08 92
# description:	Loads iptables firewall
#
# config: /etc/qubes/iptables.rules
# config: /etc/qubes/ip6tables.rules
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Loads Qubes base iptables firewall
# Description: Loads Qubes base iptables firewall
### END INIT INFO

IPTABLES=iptables
IPTABLES_DATA_DIR=/etc/qubes

if [ ! -x /sbin/$IPTABLES ]; then
    echo $"${IPTABLES}: /sbin/$IPTABLES does not exist."
    exit 5
fi

start() {
    ipt=$1
    IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
    ipv6_enabled=
    if qubesdb-read /qubes-ip6 >/dev/null 2>&1 || \
        qubesdb-read /qubes-netvm-gateway6 >/dev/null 2>&1; then
        ipv6_enabled=true
    fi
    # if IPv6 is enabled, load alternative rules file
    if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ]; then
        IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules
    fi
    CMD=$ipt
    # Do not start if there is no config file.
    [ ! -f "$IPTABLES_DATA" ] && return 6

    CMD_ARGS=
    if "$CMD-restore" --help 2>&1 | grep -q wait=; then
        # 'wait' must be last on command line if secs not specified
        CMD_ARGS=--wait
    fi

    echo -n $"${CMD}: Applying firewall rules: "

    "$CMD-restore" "$IPTABLES_DATA" $CMD_ARGS
    ret="$?"
    if [ "$ret" -eq 0 ]; then
        echo OK
    else
        echo FAIL; return 1
    fi

    return $ret
}

case "$1" in
    start)
	start iptables && start ip6tables
	RETVAL=$?
	;;
    *)
	echo $"Usage: ${IPTABLES} start"
	RETVAL=2
	;;
esac

exit $RETVAL