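#!/bin/sh
#
# Update firewall rules of <jail> or all
# Usage: firewall <jail>|all
#
# Rewrites the "/sbin/iptables ... #<jail>" ACCEPT lines for one jail in
# ${FIREWALL_RULES} (one line per IP returned by bkctld-ip, on the port
# returned by bkctld-port) and restarts minifirewall so the change is applied.
# Reads FIREWALL_RULES and the helpers (jail_path, notice, warning) from
# ./includes. Exits 1 on a usage error, an invalid name/port/IP, or a failed
# firewall restart.

# shellcheck source=./includes
LIBDIR="$(dirname "$0")" && . "${LIBDIR}/includes"

# "${1:?}" aborted the script before the help branch below could ever run;
# default to empty so the explicit usage check is reachable.
jail_name="${1:-}"

if [ -z "${jail_name}" ]; then
    # Show help, then fail regardless of the help script's own status.
    "${LIBDIR}/bkctld-help"
    exit 1
fi

# The name is interpolated into a sed expression and into ${FIREWALL_RULES},
# whose lines are shell commands run by minifirewall: restrict it to a charset
# that is inert in both contexts (no "/", whitespace or shell metacharacters).
case "${jail_name}" in
    *[!A-Za-z0-9._-]*)
        printf 'bkctld-firewall: invalid jail name: %s\n' "${jail_name}" >&2
        exit 1
        ;;
esac

jail_path=$(jail_path "${jail_name}")

# Print one iptables ACCEPT rule, tagged "#<jail>" so it can be removed later.
# Arguments: $1 jail name, $2 TCP destination port, $3 source IP or network.
# Positional parameters are used directly so the caller's jail_name/port/ip
# globals are not clobbered (POSIX sh has no portable "local").
iptables_input_accept() {
    printf '/sbin/iptables -A INPUT -p tcp --sport 1024: --dport %s -s %s -j ACCEPT #%s\n' \
        "${2}" "${3}" "${1}"
}

if [ -n "${FIREWALL_RULES}" ]; then
    port=""
    ips=""
    if [ -d "${jail_path}" ]; then
        port=$("${LIBDIR}/bkctld-port" "${jail_name}")
        ips=$("${LIBDIR}/bkctld-ip" "${jail_name}")

        # Both values end up in the shell-evaluated rules file, and an empty
        # port would produce a malformed rule: validate before touching the file.
        case "${port}" in
            ""|*[!0-9]*)
                printf 'bkctld-firewall: %s: invalid port: %s\n' "${jail_name}" "${port}" >&2
                exit 1
                ;;
        esac
        # Word-splitting of the bkctld-ip output is intended (one IP per word).
        for ip in ${ips}; do
            case "${ip}" in
                *[!0-9A-Fa-f.:/]*)
                    printf 'bkctld-firewall: %s: invalid IP: %s\n' "${jail_name}" "${ip}" >&2
                    exit 1
                    ;;
            esac
        done
    fi

    # Remove existing rules for this jail. The name was validated above, so
    # "." is the only regex metacharacter left to escape for the sed pattern.
    sed_name=$(printf '%s' "${jail_name}" | sed 's/\./\\./g')
    [ -f "${FIREWALL_RULES}" ] && sed -i "/#${sed_name}$/d" "${FIREWALL_RULES}"

    if [ -d "${jail_path}" ]; then
        # Add a rule for each IP
        for ip in ${ips}; do
            iptables_input_accept "${jail_name}" "${port}" "${ip}" >> "${FIREWALL_RULES}"
        done
    fi

    # Restart the firewall whether rules were added or only removed: otherwise
    # a deleted jail's ACCEPT rules stay active in the running ruleset until
    # the next unrelated restart.
    if [ -f /etc/init.d/minifirewall ]; then
        if ! /etc/init.d/minifirewall restart >/dev/null; then
            warning "${jail_name}: minifirewall restart failed, rules file updated but not applied."
            exit 1
        fi
    fi
    notice "${jail_name}: firewall rules have been updated."
else
    warning "${jail_name}: skipping firewall update, FIREWALL_RULES variable is empty."
fi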