#!/bin/bash

# Pin the command search path so the unqualified commands used later in this
# script (configshow, grep, wc) resolve only from these directories and not
# from whatever PATH the caller happened to have.
PATH=/fabos/sbin:/fabos/bin:/bin:/usr/bin:/sbin

# Exported, so every child process started below inherits it.
# NOTE(review): presumably this makes the fabos CLI tools run with the root
# role regardless of who invoked the script -- confirm who is allowed to
# execute this file.
ROLE_ID=root
export ROLE_ID

# Command-line arguments: opt1 is the action, opt2 its optional mode.
argv=("$@")
argc=${#argv[@]}
opt1="${argv[0]}"
opt2="${argv[1]}"

# clp_active: 1 while a lock-down is recorded in the config store (it is
#             recomputed from the clp.* keys further down).
# no_new_v4 / no_new_v6: set to 1 once an existing policy has been chosen to
#             carry the lock-down rules, so no new policy has to be created.
clp_active=1
no_new_v4=0
no_new_v6=0

# Print the command synopsis on stdout.
# Arguments: none
# Outputs:   four lines of usage text
show_usage() {
	printf '%s\n' \
		"Usage:" \
		"logoutclp --disable <all | ext>" \
		"logoutclp --restore" \
		"logoutclp --help"
}

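# Early argument-count checks.
#   exactly "--help"            -> usage, exit 0
#   more than two arguments     -> usage, exit 1
#   "--restore" with extra args -> usage, exit 2
#
# Each comparison is its own three-operand test joined with &&.  The previous
# "[ ... -a ... ]" form lets a user-supplied operand such as "!" or "(" be
# parsed as a test operator; a three-operand "[ a = b ]" is always read as a
# plain string comparison.
if [ "$argc" -eq 1 ] && [ "$opt1" = "--help" ]; then
	show_usage
	exit 0
elif [ "$argc" -gt 2 ]; then
	show_usage
	exit 1
elif [ "$argc" -gt 1 ] && [ "$opt1" = "--restore" ]; then
	show_usage
	exit 2
fi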


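# Validate the action and, for --disable, its mode.
#   --disable without "all" or "ext" -> usage, exit 3
#   anything but --disable/--restore -> usage, exit 4
#
# A case statement matches the user-supplied strings as literals, so an
# argument that looks like a test operator cannot confuse the check the way it
# could inside "[ ... -o ... ]".
case "$opt1" in
	--disable)
		case "$opt2" in
			all|ext)
				;;
			*)
				show_usage
				exit 3
				;;
		esac
		;;
	--restore)
		;;
	*)
		show_usage
		exit 4
		;;
esac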

# Read back the four policy names a previous --disable may have recorded.
# NOTE(review): the trailing "5" is presumably a value-type selector for
# string keys -- confirm against the config tool.
old_v4_name=$(/fabos/cliexec/config get clp.oldipv4 5)
old_v6_name=$(/fabos/cliexec/config get clp.oldipv6 5)
new_v4_name=$(/fabos/cliexec/config get clp.newipv4 5)
new_v6_name=$(/fabos/cliexec/config get clp.newipv6 5)

# A lock-down counts as active as soon as any one of the names is recorded.
# NOTE(review): a failed lookup also yields an empty string, so an error in
# the config tool is indistinguishable from "nothing recorded" here.
if [ -n "$old_v4_name" ] || [ -n "$old_v6_name" ] ||
	[ -n "$new_v4_name" ] || [ -n "$new_v6_name" ]; then
	clp_active=1
else
	clp_active=0
fi

# --disable <all|ext>: switch the IPv4 and IPv6 ipfilter policies over to a
# restrictive rule set and record, under the clp.* config keys, what was active
# before so that --restore can undo it.
#
# NOTE(review): none of the ipfilter/config/configcommit calls in this block
# has its exit status checked.  The clp.* markers are committed even when a
# --create, --addrule or --activate step failed, so the recorded state can say
# "disabled" while the restrictive policy is not actually in force.
# NOTE(review): every rule added here uses "-proto tcp"; nothing in this block
# touches other protocols.
if [ "$opt1" == "--disable" ]; then
	# clp_active is 1 when any clp.* name key was found earlier in the script.
	# NOTE(review): exit status 4 is also what the unknown-option path returns.
	if [ $clp_active -eq 1 ]; then
		echo "Already disabled."
		exit 4
	fi

	# Save first so that any unsaved policies don't cause problems
	/fabos/abin/ipfilter --save

	# Number of configured policies = number of ipfilter.*.name keys in the
	# config dump.
	# NOTE(review): the grep pattern is unquoted, so the shell may glob-expand
	# it against the current directory before grep ever sees it.
	num_policies=`configshow -a | grep ipfilter.*.name | wc -l`
	# Pass 1: walk policy slots 0-7 and remember the currently selected policy
	# of each address family.  States 1, 3 and 5 are presumably the "active"
	# states and type 0/1 are IPv4/IPv6 (the code stores them as old_v4/old_v6)
	# -- confirm against the ipfilter state/type encoding.
	for (( i = 0; i < 8; i++ ))
	do
		state=`/fabos/cliexec/config get ipfilter.$i.state 2`
		type=`/fabos/cliexec/config get ipfilter.$i.type 2`
		pol_name=`/fabos/cliexec/config get ipfilter.$i.name 5`

		# NOTE(review): $state and $type are unquoted; an empty $type makes the
		# "[ ... ]" test malformed, which is then treated as false.
		if [ ! -z $state ]; then
			if [ $state -eq 1 -o $state -eq 3 -o $state -eq 5 ]; then
				if [ $type -eq 0 ]; then
					old_v4=$i
					old_v4_name="$pol_name"
					# Persist the name immediately; --restore re-activates it.
					/fabos/cliexec/config set clp.oldipv4 5 "$old_v4_name"
					/fabos/cliexec/configcommit
					# Both families recorded: stop scanning.
					if [ ! -z "$old_v6_name" ]; then
						break
					fi
				elif [ $type -eq 1 ]; then
					old_v6=$i
					old_v6_name="$pol_name"
					/fabos/cliexec/config set clp.oldipv6 5 "$old_v6_name"
					/fabos/cliexec/configcommit
					if [ ! -z "$old_v4_name" ]; then
						break
					fi
				fi
			fi
		fi
	done
	# NOTE(review): if pass 1 finds no matching policy for a family, old_v4 or
	# old_v6 stays unset.  The "$i -ne $old_v4" tests below are then malformed
	# and evaluate as false, and "ipfilter.$old_v4.numofrules" becomes a key
	# with an empty index.

	# More than six policies defined (the loops here cover eight slots, so
	# presumably there is no room for two new ones -- confirm the limit):
	# try to reuse the currently active policy as the carrier for the new
	# rules, provided it is not the default policy and has fewer than 251
	# rules (presumably headroom under a per-policy rule limit -- confirm).
	if [ $num_policies -gt 6 ]; then
		if [ "$old_v4_name" != "default_ipv4" ]; then
			num_rules=`/fabos/cliexec/config get ipfilter.$old_v4.numofrules 2`
			if [ $num_rules -lt 251 ]; then
				new_v4_name="$old_v4_name"
				no_new_v4=1
			fi
		fi
		# For IPv6 the reuse is additionally skipped when exactly seven
		# policies exist.
		if [ "$old_v6_name" != "default_ipv6"  -a $num_policies -ne 7 ]; then
			num_rules=`/fabos/cliexec/config get ipfilter.$old_v6.numofrules 2`
			if [ $num_rules -lt 251 ]; then
				new_v6_name="$old_v6_name"
				no_new_v6=1
			fi
		fi
	fi

	# Pass 2 (only when more than six policies exist): for a family that still
	# has no carrier, pick another policy that is neither active nor a default
	# and has fewer than 251 rules.
	for (( i = 0; i < 8; i++ ))
	do
		if [ $num_policies -gt 6 ]; then
			pol_name=`/fabos/cliexec/config get ipfilter.$i.name 5`
			type=`/fabos/cliexec/config get ipfilter.$i.type 2`
			num_rules=`/fabos/cliexec/config get ipfilter.$i.numofrules 2`
			if [ $i -ne $old_v4 -a $i -ne $old_v6 -a "$pol_name" != "default_ipv4" -a "$pol_name" != "default_ipv6" ]; then
				if [ $num_rules -lt 251 ]; then
					if [ $type -eq 0 -a $no_new_v4 -eq 0 ]; then
						new_v4_name="$pol_name"
						no_new_v4=1
						if [ $num_policies -eq 7 ]; then
							break
						fi
						if [ $no_new_v6 -eq 1 ]; then
							break
						fi
					elif [ $type -eq 1 -a $no_new_v6 -eq 0 ]; then
						new_v6_name="$pol_name"
						no_new_v6=1
						if [ $num_policies -eq 7 ]; then
							break
						fi
						if [ $no_new_v4 -eq 1 ]; then
							break
						fi
					fi
				fi
			fi
		else
			# Six or fewer policies: nothing to reuse, leave the loop at once.
			break
		fi
	done

	# Pass 3: a family still has no carrier and more than six policies exist,
	# so delete existing policies (never the active or default ones, never a
	# chosen carrier) until there is room.  "echo y" answers the confirmation
	# prompt and the command output is discarded.
	# NOTE(review): this block does not record which policies it deletes, so
	# nothing visible here lets --restore bring them back.
	if [ $num_policies -gt 6 ]; then
		if [ $no_new_v4 -eq 0 -o $no_new_v6 -eq 0 ]; then
			for (( i = 0; i < 8 && num_policies > 6; i++ ))
			do
				pol_name=`/fabos/cliexec/config get ipfilter.$i.name 5`
				if [ ! -z "$pol_name" ]; then
					if [ $i -ne $old_v4 -a $i -ne $old_v6 -a "$pol_name" != "default_ipv4" -a "$pol_name" != "default_ipv6" ]; then
						# Only IPv6 still needs a slot: free at most one.
						if [ $no_new_v4 -eq 1 -a $no_new_v6 -eq 0 -a "$pol_name" != "$new_v4_name" ]; then
							if [ $num_policies -eq 7 ]; then
								break
							fi
							echo y | /fabos/abin/ipfilter --delete "$pol_name" > /dev/null
							(( num_policies-- ))
							break
						# Only IPv4 still needs a slot: free at most one.
						elif [ $no_new_v6 -eq 1 -a $no_new_v4 -eq 0 -a "$pol_name" != "$new_v6_name" ]; then
							if [ $num_policies -eq 7 ]; then
								break
							fi
							echo y | /fabos/abin/ipfilter --delete "$pol_name" > /dev/null
							(( num_policies-- ))
							break
						# Both families need a slot: keep deleting until the
						# loop condition (num_policies > 6) stops it.
						elif [ $no_new_v4 -eq 0 -a $no_new_v6 -eq 0 ]; then
							echo y | /fabos/abin/ipfilter --delete "$pol_name" > /dev/null
							(( num_policies-- ))
							# no break
						fi
					fi
				fi
			done
			/fabos/abin/ipfilter --save
		fi
	fi

	# ---- IPv4 lock-down ----
	# clp.newipv4    name of the policy carrying the lock-down rules
	# clp.v4delpolicy 1 = policy was created here (--restore deletes it),
	#                 0 = rules were inserted into an existing policy
	#                     (--restore removes the rules again)
	# clp.disabled   the mode, "ext" or "all"; --restore reads it to know how
	#                 many inserted rules to remove
	# NOTE(review): $new_v4_name is passed unquoted to ipfilter throughout.
	if [ $no_new_v4 -eq 0 ]; then
		# No carrier found: create a fresh policy with a $RANDOM suffix.
		new_v4_name="clpv4_$RANDOM"
		if [ "$opt2" == "ext" ]; then
			# "ext": the only rules added are permits for tcp/22 and tcp/23
			# (the well-known SSH and Telnet ports).
			# NOTE(review): no explicit deny follows; this relies on whatever
			# ipfilter does with traffic that matches no rule -- confirm.
			/fabos/abin/ipfilter --create $new_v4_name -type ipv4
			/fabos/abin/ipfilter --addrule $new_v4_name -rule 1 -sip any -dp 22 -proto tcp -act permit
			/fabos/abin/ipfilter --addrule $new_v4_name -rule 2 -sip any -dp 23 -proto tcp -act permit
			/fabos/cliexec/config set clp.newipv4 5 "$new_v4_name"
			/fabos/cliexec/config set clp.v4delpolicy 2 1
			/fabos/cliexec/config set clp.disabled 5 "ext"
			/fabos/cliexec/configcommit
			/fabos/abin/ipfilter --activate $new_v4_name
			/fabos/abin/ipfilter --save

		else
			# "all": a single rule denying every TCP destination port.
			/fabos/abin/ipfilter --create $new_v4_name -type ipv4
			/fabos/abin/ipfilter --addrule $new_v4_name -rule 1 -sip any -dp "1-65535" -proto tcp -act deny
			/fabos/cliexec/config set clp.newipv4 5 "$new_v4_name"
			/fabos/cliexec/config set clp.v4delpolicy 2 1
			/fabos/cliexec/config set clp.disabled 5 "all"
			/fabos/cliexec/configcommit
			/fabos/abin/ipfilter --activate $new_v4_name
			/fabos/abin/ipfilter --save
		fi
	else
		# Carrier is an existing policy: insert the lock-down rules at the top
		# (positions 1-4 for "ext", position 1 for "all").
		# NOTE(review): --restore later removes "rule 1" the same number of
		# times; if an --addrule here fails, or the policy is edited while the
		# lock-down is in place, that removal hits the policy's own rules.
		if [ "$opt2" == "ext" ]; then
			/fabos/abin/ipfilter --addrule $new_v4_name -rule 1 -sip any -dp "1-21" -proto tcp -act deny
			/fabos/abin/ipfilter --addrule $new_v4_name -rule 2 -sip any -dp "24-65535" -proto tcp -act deny
			/fabos/abin/ipfilter --addrule $new_v4_name -rule 3 -sip any -dp 22 -proto tcp -act permit
			/fabos/abin/ipfilter --addrule $new_v4_name -rule 4 -sip any -dp 23 -proto tcp -act permit
			/fabos/cliexec/config set clp.newipv4 5 "$new_v4_name"
			/fabos/cliexec/config set clp.v4delpolicy 2 0
			/fabos/cliexec/config set clp.disabled 5 "ext"
			/fabos/cliexec/configcommit
			/fabos/abin/ipfilter --activate $new_v4_name
			/fabos/abin/ipfilter --save
		else
			/fabos/abin/ipfilter --addrule $new_v4_name -rule 1 -sip any -dp "1-65535" -proto tcp -act deny
			/fabos/cliexec/config set clp.newipv4 5 "$new_v4_name"
			/fabos/cliexec/config set clp.v4delpolicy 2 0
			/fabos/cliexec/config set clp.disabled 5 "all"
			/fabos/cliexec/configcommit
			/fabos/abin/ipfilter --activate $new_v4_name
			/fabos/abin/ipfilter --save
		fi
	fi

	# ---- IPv6 lock-down ----
	# Same four cases as IPv4, using clp.newipv6 / clp.v6delpolicy.  The mode
	# key clp.disabled is not written again here; only the IPv4 section above
	# sets it.
	if [ $no_new_v6 -eq 0 ]; then
		new_v6_name="clpv6_$RANDOM"
		if [ "$opt2" == "ext" ]; then
			/fabos/abin/ipfilter --create $new_v6_name -type ipv6
			/fabos/abin/ipfilter --addrule $new_v6_name -rule 1 -sip any -dp 22 -proto tcp -act permit
			/fabos/abin/ipfilter --addrule $new_v6_name -rule 2 -sip any -dp 23 -proto tcp -act permit
			/fabos/cliexec/config set clp.newipv6 5 "$new_v6_name"
			/fabos/cliexec/config set clp.v6delpolicy 2 1
			/fabos/cliexec/configcommit
			/fabos/abin/ipfilter --activate $new_v6_name
			/fabos/abin/ipfilter --save
		else
			/fabos/abin/ipfilter --create $new_v6_name -type ipv6
			/fabos/abin/ipfilter --addrule $new_v6_name -rule 1 -sip any -dp "1-65535" -proto tcp -act deny
			/fabos/cliexec/config set clp.newipv6 5 "$new_v6_name"
			/fabos/cliexec/config set clp.v6delpolicy 2 1
			/fabos/cliexec/configcommit
			/fabos/abin/ipfilter --activate $new_v6_name
			/fabos/abin/ipfilter --save
		fi
	else
		if [ "$opt2" == "ext" ]; then
			/fabos/abin/ipfilter --addrule $new_v6_name -rule 1 -sip any -dp 1-21 -proto tcp -act deny
			/fabos/abin/ipfilter --addrule $new_v6_name -rule 2 -sip any -dp 24-65535 -proto tcp -act deny
			/fabos/abin/ipfilter --addrule $new_v6_name -rule 3 -sip any -dp 22 -proto tcp -act permit
			/fabos/abin/ipfilter --addrule $new_v6_name -rule 4 -sip any -dp 23 -proto tcp -act permit
			/fabos/cliexec/config set clp.newipv6 5 "$new_v6_name"
			/fabos/cliexec/config set clp.v6delpolicy 2 0
			/fabos/cliexec/configcommit
			/fabos/abin/ipfilter --activate $new_v6_name
			/fabos/abin/ipfilter --save
		else
			/fabos/abin/ipfilter --addrule $new_v6_name -rule 1 -sip any -dp "1-65535" -proto tcp -act deny
			/fabos/cliexec/config set clp.newipv6 5 "$new_v6_name"
			/fabos/cliexec/config set clp.v6delpolicy 2 0
			/fabos/cliexec/configcommit
			/fabos/abin/ipfilter --activate $new_v6_name
			/fabos/abin/ipfilter --save
		fi
	fi
fi

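# --restore: undo a previous --disable using the clp.* keys it recorded.
#
# For each address family:
#   delpolicy = 1  the lock-down policy was created by --disable:
#                  re-activate the original policy and delete the created one.
#   otherwise      the rules were inserted into an existing policy: remove the
#                  inserted rules (1 for mode "all", 4 for any other mode),
#                  then activate that policy and the original one.
# Afterwards the family's clp.* keys are removed and the config is committed.
#
# Policy names and flags are read back from the config store, so every
# expansion is quoted: a value containing whitespace or glob characters can no
# longer be split into extra ipfilter arguments.
#
# NOTE(review): exit statuses of ipfilter/config are still not checked, and
# the clp.* keys are removed even if a step failed.
# NOTE(review): the inserted rules are removed by deleting "rule 1"
# repeatedly.  That is only correct while they still occupy the top positions
# of the policy -- confirm nothing can edit the policy during a lock-down.
if [ "$opt1" == "--restore" ]; then
	if [ "$clp_active" -ne 1 ]; then
		echo "Already enabled"
		exit 5
	fi

	# Save first so that any unsaved policies don't cause problems
	/fabos/abin/ipfilter --save

	v4del_pol=$(/fabos/cliexec/config get clp.v4delpolicy 2)
	v6del_pol=$(/fabos/cliexec/config get clp.v6delpolicy 2)
	restore_type=$(/fabos/cliexec/config get clp.disabled 5)

	# Number of rules --disable inserted into a reused policy.
	if [ "$restore_type" = "all" ]; then
		clp_inserted_rules=1
	else
		clp_inserted_rules=4
	fi

	# ---- IPv4 ----
	# An empty or non-numeric flag makes the test fail, which selects the
	# rule-removal path, exactly as the unquoted test did.
	if [ "$v4del_pol" -eq 1 ]; then
		/fabos/abin/ipfilter --activate "$old_v4_name"
		echo y | /fabos/abin/ipfilter --delete "$new_v4_name" > /dev/null
	else
		for (( clp_rule = 0; clp_rule < clp_inserted_rules; clp_rule++ )); do
			/fabos/abin/ipfilter --delrule "$new_v4_name" -rule 1
		done
		/fabos/abin/ipfilter --activate "$new_v4_name"
		/fabos/abin/ipfilter --activate "$old_v4_name"
	fi
	/fabos/abin/ipfilter --save
	/fabos/cliexec/config remove clp.oldipv4
	/fabos/cliexec/config remove clp.newipv4
	/fabos/cliexec/config remove clp.v4delpolicy
	/fabos/cliexec/configcommit

	# ---- IPv6 ----
	if [ "$v6del_pol" -eq 1 ]; then
		/fabos/abin/ipfilter --activate "$old_v6_name"
		echo y | /fabos/abin/ipfilter --delete "$new_v6_name" > /dev/null
	else
		for (( clp_rule = 0; clp_rule < clp_inserted_rules; clp_rule++ )); do
			/fabos/abin/ipfilter --delrule "$new_v6_name" -rule 1
		done
		/fabos/abin/ipfilter --activate "$new_v6_name"
		/fabos/abin/ipfilter --activate "$old_v6_name"
	fi
	/fabos/abin/ipfilter --save
	/fabos/cliexec/config remove clp.oldipv6
	/fabos/cliexec/config remove clp.newipv6
	/fabos/cliexec/config remove clp.v6delpolicy
	# The mode key is shared by both families and is dropped last.
	/fabos/cliexec/config remove clp.disabled
	/fabos/cliexec/configcommit
fi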

