#!/bin/sh

DAEMON="nftables"

# Main ruleset file, override in /etc/default/nftables if you want a
# different location. The file should include a "flush ruleset"
# command to atomically replace any previous rules on reload (instead
# of adding to them).
NFTABLES_CONFIG="/etc/nftables.conf"

# shellcheck source=/dev/null
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"

# Run only if the ruleset file exists.
if [ ! -f "${NFTABLES_CONFIG}" ]; then
	echo "${NFTABLES_CONFIG} does not exist, nothing to do."
	exit 0
fi

start() {
	printf "Loading nftables rules: "
	/usr/sbin/nft --file "${NFTABLES_CONFIG}"
	status=$?
	if [ "$status" -eq 0 ]; then
		echo "OK"
	else
		echo "FAIL"
	fi
	return "$status"
}

stop() {
	printf "Clearing nftables rules: "
	/usr/sbin/nft flush ruleset
	status=$?
	if [ "$status" -eq 0 ]; then
		echo "OK"
	else
		echo "FAIL"
	fi
	return "$status"
}

restart() {
	stop
	start
}

reload() {
	FLUSH='flush ruleset'
	if ! grep -q -x "$FLUSH" "${NFTABLES_CONFIG}"; then
		printf 'WARNING: no "%s" in %s, duplicated rules likely\n' \
			"$FLUSH" "${NFTABLES_CONFIG}"
	fi
	start
}

case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	restart)
		restart
		;;
	reload)
		reload
		;;
	*)
		echo "Usage: $0 {start|stop|restart|reload}"
		exit 1
esac

exit $?
