#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

SHOREWALLRC_FILE="/usr/share/shorewall/shorewallrc"
CONFIG_FILE="/etc/conf.d/${SVCNAME}"

description="Puts Shorewall in a safe state at boot time"
description="${description} prior to bringing up the network."

required_files="$SHOREWALLRC_FILE"

depend() {
	need localmount
	before net
	after bootmisc ipset tmpfiles.setup ulogd
}


. $SHOREWALLRC_FILE

checkconfig() {
	local PRODUCT=

	if [ -z "${VARLIB}" ]; then
		eerror "\"VARLIB\" isn't defined or empty! Please check" \
			"\"${SHOREWALLRC_FILE}\"."

		return 1
	fi

	if [ -z "${PRODUCTS}" ]; then
		eerror "${SVCNAME} isn't configured! Please check" \
			"\"${CONFIG_FILE}\"."

		return 1
	fi

	for PRODUCT in ${PRODUCTS}; do
		if [ ! -x ${SBINDIR}/${PRODUCT} ]; then
			eerror "Invalid product \"${PRODUCT}\" specified" \
				"in \"${CONFIG_FILE}\"!"
			eerror "Maybe \"${PRODUCT}\" isn't installed?"

			return 1
		fi
	done

	return 0
}

check_firewall_script() {
	if [ ${PRODUCT} = shorewall -o ${PRODUCT} = shorewall6 ]; then
		ebegin "Checking \"${STATEDIR}/firewall\""
		${SBINDIR}/${PRODUCT} compile -c 1>/dev/null
		eend $?
	fi

	if [ ! -x ${STATEDIR}/firewall ]; then
		eerror "\"${PRODUCT}\" isn't configured!"

		if [ ${PRODUCT} = shorewall-lite -o ${PRODUCT} = shorewall6-lite ]; then
			eerror "Please go to your 'administrative system'" \
				"and deploy the compiled firewall" \
				"configuration for this system."
		fi

		return 1
	fi

	return 0
}

is_allowed_to_be_executed() {
	# This is not a real service. shorewall-init is an intermediate
	# script to put your Shorewall-based firewall into a safe state
	# at boot time prior to bringing up the network.
	# Please read /usr/share/doc/shorewall-init-*/README.gentoo.gz
	# for more information.
	# When your system is up, there is no need to call shorewall-init.
	# Please call shorewall{,6,-lite,6-lite} directly. That's the
	# reason why we are preventing start, stop or restart here.

	local PRODUCT=

	if [ "${RC_RUNLEVEL}" != "boot" -a "${RC_CMD}" = "start" ]; then
		# Starting shorewall-init is only allowed at boot time
		eerror "This is a boot service, which can only be started" \
			"at boot."
		eerror "If you want to get your shorewall-based firewall" \
			"into the same safe boot state again, run"
		eerror ""
		eindent
		for PRODUCT in ${PRODUCTS}; do
			eerror "/etc/init.d/${PRODUCT} stop"
		done
		eoutdent
		eerror ""
		eerror "Yes, \"stop\" and not start."
		eerror ""
		return 1
	fi

	if [ "${RC_RUNLEVEL}" != "shutdown" -a "${RC_CMD}" = "stop" ]; then
		# Stopping shorewall-init is only allowed at shutdown
		eerror "This is a boot service, which cannot be stopped."
		eerror "If you really want to stop your Shorewall-based" \
			"firewall the same way this service would stop" \
			"Shorewall at shutdown, please run"
		eerror ""
		eindent
		for PRODUCT in ${PRODUCTS}; do
			eerror "/etc/init.d/${PRODUCT} clear"
		done
		eoutdent
		eerror ""
		eerror "Keep in mind that this will clear (=bring down)" \
			"your firewall!"
		eerror ""
		return 1
	fi

	if [ "${RC_CMD}" = "restart" ]; then
		eerror "This is a boot service, which cannot be restarted."
		eerror "If you want to restart any of your Shorewall-based" \
			"firewalls, run"
		eerror ""
		eindent
		for PRODUCT in ${PRODUCTS}; do
			eerror "/etc/init.d/${PRODUCT} restart"
		done
		eoutdent
		eerror ""
		return 1
	fi

	return 0
}

set_statedir() {
	STATEDIR=
	local VARDIR=

	if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
		STATEDIR=$( . ${CONFDIR}/${PRODUCT}/vardir && echo ${VARDIR} )
	fi

	[ ! -n "${STATEDIR}" ] && STATEDIR=${VARLIB}/${PRODUCT}
}

start_pre() {
	checkconfig || return 1

	is_allowed_to_be_executed || return 1
}

start() {
	local PRODUCT=
	local STATEDIR=

	for PRODUCT in ${PRODUCTS}; do
		set_statedir

		check_firewall_script || return 1

		ebegin "Initializing \"${PRODUCT}\""
		${STATEDIR}/firewall stop 1>/dev/null
		eend $?
	done
}

stop_pre() {
	checkconfig || return 1

	is_allowed_to_be_executed || return 1
}

stop() {
	local PRODUCT=
	local STATEDIR=

	for PRODUCT in ${PRODUCTS}; do
		set_statedir

		check_firewall_script || return 1

		ebegin "Clearing \"${PRODUCT}\""
		${STATEDIR}/firewall clear 1>/dev/null
		eend $?
	done
}
