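#!/bin/sh
# Hotplug-style handler that restricts traffic leaving through an interface
# so that only the interface's gateway is reachable, not the rest of the
# local subnet behind it. The restriction is applied on ACTION=add and
# reverted on ACTION=remove.
#
# Reads from the environment: ACTION, INTERFACE, DEVICE, ZONE.
# Relies on helpers that are not defined in this file (config_get,
# config_get_bool, config_load, config_foreach, include, scan_interfaces,
# uci_set_state, uci_revert_state); presumably the caller has already
# sourced the OpenWrt function library -- confirm.

# Remove the rules recorded in one restricted_gw_state section.
# Arguments: $1 - name of the state section in the firewall config
# Globals:   INTERFACE (read)
# Only acts when the section belongs to the interface being removed.
clear_restricted_gw() {
  local state="$1"
  local iface
  local ifname
  local ipaddr
  local netmask
  local gateway

  config_get iface "$state" iface
  if [ "$iface" != "$INTERFACE" ]; then
    return
  fi

  # Use the values saved at add time rather than the current network
  # config, so the deleted rules match the ones that were inserted.
  config_get ifname "$state" ifname
  config_get ipaddr "$state" ipaddr
  config_get netmask "$state" netmask
  config_get gateway "$state" gateway

  logger -t firewall.freifunk "removing local restriction to $iface($gateway)"
  # Every expansion is quoted: these values come from stored state and must
  # reach iptables as exactly one argument each, never be word-split or
  # globbed into extra rule options.
  iptables -D "zone_${INTERFACE}_ACCEPT" ! -i "$ifname" -o "$ifname" -d "$ipaddr/$netmask" -j REJECT
  iptables -D "zone_${INTERFACE}_ACCEPT" ! -i "$ifname" -o "$ifname" -d "$gateway" -j ACCEPT
  uci_revert_state firewall "$state"
}

# config_foreach callback: load the local_restrict flag of the zone whose
# name equals $ZONE into the global variable local_restrict.
# Arguments: $1 - zone section name
# Globals:   ZONE (read), local_restrict (written)
get_enabled() {
  local name

  config_get name "$1" name
  if [ "$name" = "$ZONE" ]; then
    config_get_bool local_restrict "$1" local_restrict
  fi
}

if [ "$ACTION" = add ]; then
  # NOTE(review): these `local` declarations sit outside any function. That
  # only works if this file is sourced from inside a function or the shell
  # tolerates it; a shell that rejects it may stop before the rules below
  # are installed, leaving the subnet unrestricted -- confirm against the
  # hotplug runner in use.
  local ipaddr
  local netmask
  local gateway

  include /lib/network
  scan_interfaces
  config_get ipaddr "$INTERFACE" ipaddr
  config_get netmask "$INTERFACE" netmask
  config_get gateway "$INTERFACE" gateway

  # Nothing to restrict when the interface has no usable gateway.
  if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
    config_load firewall

    # Default to "off"; get_enabled overwrites it for the matching zone.
    local_restrict=0
    config_foreach get_enabled zone

    if [ "$local_restrict" = 1 ]; then
      logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"
      # Both rules match packets that leave via $DEVICE without having
      # arrived on it. Each -I inserts at the head of the chain, so the
      # ACCEPT for the gateway, inserted second, ends up in front of the
      # REJECT for the whole subnet. Keep this order.
      # A failed insert is logged so that a missing restriction is visible
      # instead of passing silently.
      iptables -I "zone_${INTERFACE}_ACCEPT" ! -i "$DEVICE" -o "$DEVICE" -d "$ipaddr/$netmask" -j REJECT ||
        logger -t firewall.freifunk "failed to insert REJECT rule for $DEVICE($ipaddr/$netmask)"
      iptables -I "zone_${INTERFACE}_ACCEPT" ! -i "$DEVICE" -o "$DEVICE" -d "$gateway" -j ACCEPT ||
        logger -t firewall.freifunk "failed to insert ACCEPT rule for $DEVICE($gateway)"

      # Record exactly what was inserted so the remove path can delete the
      # same rules even if the network config has changed in the meantime.
      local state="restricted_gw_${INTERFACE}"
      uci_set_state firewall "$state" "" restricted_gw_state
      uci_set_state firewall "$state" iface "$INTERFACE"
      uci_set_state firewall "$state" ifname "$DEVICE"
      uci_set_state firewall "$state" ipaddr "$ipaddr"
      uci_set_state firewall "$state" netmask "$netmask"
      uci_set_state firewall "$state" gateway "$gateway"
    fi
  fi
elif [ "$ACTION" = remove ]; then
  config_load firewall
  config_foreach clear_restricted_gw restricted_gw_state
fi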