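#!/usr/bin/lua
--! LibreMesh community mesh networks meta-firmware
--!
--! Copyright (C) 2020 Asociación Civil Altermundi
--! Copyright (C) 2020 Gioacchino Mazzurco
--!
--! SPDX-License-Identifier: AGPL-3.0-only

local fs = require("nixio.fs")
local utils = require("lime.utils")
local config = require("lime.config")

--! NOTE(review): assigned without `local`, so the module table also lands in
--! _G; left that way because other lime modules may look it up by the global
--! name -- confirm before making it local.
firewall = {}

--! Directory the shell rule fragments are written to when the OpenWrt
--! `firewall` package is not installed.
firewall.RULES_DIR="/etc/firewall.lime.d/"

--! Name (below RULES_DIR) of the fragment carrying the MSS clamping rules.
local MTU_FIX_RULES_FILE = "20-lime-system-mtu_fix"

--! Build the full path of a rule fragment below RULES_DIR.
--! Trailing slashes of RULES_DIR are normalised so the result does not carry
--! a doubled "/" whether or not RULES_DIR ends with one.
--! @param name fragment file name
--! @return absolute path string
local function rules_path(name)
	return (firewall.RULES_DIR:gsub("/+$", "")) .. "/" .. name
end

--! Render the MSS-clamping rule for one address family.
--! The rule is deleted (-D) before being appended (-A) so re-running the
--! fragment does not stack duplicate rules in the mangle table.
--! @param cmd "iptables" or "ip6tables"
--! @return string holding the two newline-terminated shell lines
local function mss_clamp_rules(cmd)
	local rule = " -t mangle %s POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n"
	return cmd .. string.format(rule, "-D") .. cmd .. string.format(rule, "-A")
end

--! Tell whether a network interface section belongs to the LAN zone:
--! "lan" itself plus every "lm_*_if" interface.
--! @param name UCI section name
--! @return boolean
local function is_lan_interface(name)
	if name == "lan" then
		return true
	end
	return string.sub(name, 1, 3) == "lm_" and string.sub(name, -3) == "_if"
end

--! Configure the firewall through UCI when the OpenWrt `firewall` package is
--! installed: the default policies and the "lan" zone are set to ACCEPT, MSS
--! clamping is enabled on the zone, and /etc/firewall.lime is registered as
--! an include so additional rules can be hooked in from there.
local function configure_uci_firewall()
	local uci = config:get_uci_cursor()
	local lanIfs = {}

	--! The mesh runs a fully open default policy (input/output/forward all
	--! ACCEPT); any restriction has to come through the include registered
	--! at the end of this function.
	uci:foreach("firewall", "defaults", function(section)
		local name = section[".name"]
		uci:set("firewall", name, "input", "ACCEPT")
		uci:set("firewall", name, "output", "ACCEPT")
		uci:set("firewall", name, "forward", "ACCEPT")
	end)

	uci:foreach("network", "interface", function(section)
		local name = section[".name"]
		if is_lan_interface(name) then
			lanIfs[#lanIfs + 1] = name
		end
	end)

	uci:foreach("firewall", "zone", function(section)
		local name = section[".name"]
		if uci:get("firewall", name, "name") == "lan" then
			uci:set("firewall", name, "input", "ACCEPT")
			uci:set("firewall", name, "output", "ACCEPT")
			uci:set("firewall", name, "forward", "ACCEPT")
			--! mtu_fix is the UCI counterpart of the TCPMSS clamp written by
			--! write_mtu_fix_rules() when the firewall package is absent.
			uci:set("firewall", name, "mtu_fix", "1")
			uci:set("firewall", name, "network", lanIfs)
		end
	end)

	uci:set("firewall", "include_firewall_lime", "include")
	uci:set("firewall", "include_firewall_lime", "path", "/etc/firewall.lime")
	uci:save("firewall")
end

--! Without the `firewall` package, write the MSS clamping rules as a shell
--! fragment under RULES_DIR.
--! @return true on success; nil and an error message when the fragment could
--!   not be written, so the caller can report that the PMTU workaround is
--!   missing instead of failing silently
local function write_mtu_fix_rules()
	--! Best effort: mkdir fails when the directory already exists, which is
	--! the normal case on a re-run, so its result is deliberately ignored.
	fs.mkdir(firewall.RULES_DIR)

	local rules = "\n"
		--! Workaround PMTU discovery being historically broken on IPv4 Internet
		.. mss_clamp_rules("iptables")
		--! For some reason with some websites like https://www.rt.com/ PMTU
		--! discovery doesn't work even for IPv6, so workaround this too
		.. mss_clamp_rules("ip6tables")

	--! NOTE(review): assumes nixio.fs.writefile returns nil, err on failure
	--! like the rest of nixio.fs -- confirm against the nixio version in use.
	local ok, err = fs.writefile(rules_path(MTU_FIX_RULES_FILE), rules)
	if not ok then
		return nil, err
	end
	return true
end

function firewall.clean()
	--! There could be things to cleanup here, but we don't do it as it would
	--! interfere with rules generated by network protocols, deleting them too.
	--! So better we do nothing here.
end

--! Configure the node firewall: through UCI when the `firewall` package is
--! installed, otherwise by writing the MSS clamping fragment.
--! Returns nothing. A failure to write the fragment is reported on stderr
--! rather than raised, so the rest of the configuration run is not aborted.
function firewall.configure()
	if utils.is_installed('firewall') then
		configure_uci_firewall()
	else
		local ok, err = write_mtu_fix_rules()
		if not ok then
			io.stderr:write(string.format("lime.firewall: could not write %s: %s\n",
				rules_path(MTU_FIX_RULES_FILE), tostring(err)))
		end
	end
end

return firewall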