## -*- mode: shell-script; -*-
##
## Configlet for coexistence mode: create FirewallFabrik's prefixed
## chains and insert jump rules into the built-in chains.
##
## Configlets support a simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is the conditional operator.
##
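setup_fwf_jumps_v4() {
  # Wire FirewallFabrik's IPv4 chains into the kernel's built-in chains.
  #
  # $1  chain-name prefix; the chains handled are ${1}_INPUT,
  #     ${1}_FORWARD and ${1}_OUTPUT.
  # Returns 1 without touching the ruleset when the prefix is empty
  # (an empty prefix would silently produce chains named "_INPUT" etc.),
  # otherwise the exit status of the last iptables command.
  prefix="$1"
  if [ -z "$prefix" ]; then
    echo "setup_fwf_jumps_v4: chain prefix must not be empty" >&2
    return 1
  fi

  # Set built-in chain policies to DROP for security: anything that is
  # not accepted by a rule in our prefixed chains is discarded.
  for chain in INPUT FORWARD OUTPUT; do
    $IPTABLES {{$opt_wait}} -P "$chain" DROP
  done

  # Create our prefixed chains (ignore error if they already exist, so
  # the configlet can be re-run on an already-configured host).
  for chain in INPUT FORWARD OUTPUT; do
    $IPTABLES {{$opt_wait}} -N "${prefix}_${chain}" 2>/dev/null
  done

  # Insert jump rules at position 1 (top of chain), but only when the
  # jump is not already present: an unconditional -I would stack one
  # duplicate jump per invocation on re-runs.
  # Tools that start later (Docker, CrowdSec, fail2ban) will insert
  # their own rules at position 1, pushing ours down. Control the
  # evaluation order via systemd unit ordering.
  for chain in INPUT FORWARD OUTPUT; do
    $IPTABLES {{$opt_wait}} -C "$chain" -j "${prefix}_${chain}" 2>/dev/null \
      || $IPTABLES {{$opt_wait}} -I "$chain" 1 -j "${prefix}_${chain}"
  done
}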

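setup_fwf_jumps_v6() {
  # Wire FirewallFabrik's IPv6 chains into the kernel's built-in chains.
  #
  # $1  chain-name prefix; the chains handled are ${1}_INPUT,
  #     ${1}_FORWARD and ${1}_OUTPUT.
  # Returns 1 without touching the ruleset when the prefix is empty
  # (an empty prefix would silently produce chains named "_INPUT" etc.),
  # otherwise the exit status of the last ip6tables command.
  prefix="$1"
  if [ -z "$prefix" ]; then
    echo "setup_fwf_jumps_v6: chain prefix must not be empty" >&2
    return 1
  fi

  # Default-deny on the built-in chains; only rules in our prefixed
  # chains (or in chains added later by other tools) let traffic through.
  for chain in INPUT FORWARD OUTPUT; do
    $IP6TABLES {{$opt_wait}} -P "$chain" DROP
  done

  # Create our prefixed chains; the error for an already-existing chain
  # is suppressed so the configlet can be re-run.
  for chain in INPUT FORWARD OUTPUT; do
    $IP6TABLES {{$opt_wait}} -N "${prefix}_${chain}" 2>/dev/null
  done

  # Insert the jump at the top of each built-in chain only if it is not
  # there yet; a plain -I on every run would accumulate duplicate jumps.
  # Tools that start later may insert their own rules at position 1 and
  # push ours down; evaluation order is controlled by unit ordering.
  for chain in INPUT FORWARD OUTPUT; do
    $IP6TABLES {{$opt_wait}} -C "$chain" -j "${prefix}_${chain}" 2>/dev/null \
      || $IP6TABLES {{$opt_wait}} -I "$chain" 1 -j "${prefix}_${chain}"
  done
}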
