#!/bin/sh
# vim: syntax=sh ts=4 sw=4 sts=4 sr noet
# postinst script for arno-iptables-firewall
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <postinst> `abort-remove'
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package


# start up debconf here.
# why? see https://manpages.debian.org/testing/debconf-doc/debconf-devel.7.en.html, paragraph HACKS.
# NOTE(review): sourcing confmodule may re-execute this script under the
# debconf frontend, so it has to happen before any other work or output --
# keep these two lines first.  db_version negotiates the protocol version;
# db_get and $RET used by the functions below are provided by confmodule.
. /usr/share/debconf/confmodule
db_version 2.0

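# Escape a value for use as the replacement text of a sed 's#pattern#repl#'
# command.  Backslash, '&' and the '#' delimiter are special there: an
# unescaped '#' in a debconf answer makes sed reject the whole expression and,
# under 'set -e', the postinst aborts; an '&' would silently re-insert the
# matched text instead of the answer.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (the trailing newline is dropped by $(...))
aif_sed_escape () {
	# backslashes first, so that the backslashes added for '&' and '#'
	# are not doubled afterwards
	printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/[&#]/\\&/g'
}

# configuration specific to arno-iptables-firewall encapsulated in a function.
#
# Reads the answers from the debconf database and writes them into the
# debconf-managed snippet $CFG, creating it with defaults when missing.
# Nothing is touched unless arno-iptables-firewall/debconf-wanted is "true".
# Globals:   RET (set by db_get); CFG and the DC_* intermediates are written
# Arguments: the postinst arguments are passed in but not used
# Returns:   0; any failing command aborts the script via 'set -e'
aif_configure () {
	# store debconf generated configuration here
	CFG=/etc/arno-iptables-firewall/conf.d/00debconf.conf

	# query all vars from debconf
	# most important: is debconf management requested
	db_get arno-iptables-firewall/debconf-wanted
	if [ "$RET" = "true" ]; then
		# debconf is welcome: look whether there is a config file and
		# recreate the config file if missing
		# (the header below is written into the admin's file verbatim)
		if [ ! -e "$CFG" ]; then
			cat <<- EOT > "$CFG"
			#######################################################################
			# Feel free to edit this file.  However, be aware that debconf writes #
			# to (and reads from) this file too.  In case of doubt, only use      #
			# 'dpkg-reconfigure -plow arno-iptables-firewall' to edit this file.  #
			# If you really don't want to use debconf, or if you have specific    #
			# needs, you're likely better off using placing an additional         #
			# configuration snippet into/etc/arno-iptables-firewall/conf.d/.      #
			# Also see README.Debian.                                             #
			#######################################################################
			EXT_IF=""
			EXT_IF_DHCP_IP=0
			OPEN_TCP=""
			OPEN_UDP=""
			INT_IF=""
			NAT=0
			INTERNAL_NET=""
			NAT_INTERNAL_NET=""
			OPEN_ICMP=0
			EOT
		fi

		# query the names of the external interfaces from debconf
		db_get arno-iptables-firewall/config-ext-if ; DC_EXT_IF="$RET"

		# query the DHCP status from debconf
		db_get arno-iptables-firewall/dynamic-ip
		if [ "$RET" = "true" ]; then
			DC_EXT_IF_DHCP_IP=1
		else
			DC_EXT_IF_DHCP_IP=0
		fi

		# query the external services from debconf
		db_get arno-iptables-firewall/services-tcp ; DC_OPEN_TCP="$RET"
		db_get arno-iptables-firewall/services-udp ; DC_OPEN_UDP="$RET"

		# query the NAT status from debconf
		db_get arno-iptables-firewall/nat
		if [ "$RET" = "true" ]; then
			DC_NAT=1
		else
			DC_NAT=0
		fi

		# query the internal network interfaces from debconf
		db_get arno-iptables-firewall/config-int-if ; DC_INT_IF="$RET"

		# query the internal networks from debconf
		db_get arno-iptables-firewall/config-int-net ; DC_INTERNAL_NET="$RET"

		# query the internal networks with access to the external world from debconf
		db_get arno-iptables-firewall/config-int-nat-net ; DC_NAT_INTERNAL_NET="$RET"
		# allow the whole internal net for NAT if this was left empty
		if [ -z "$DC_NAT_INTERNAL_NET" ] && [ "$DC_NAT" = "1" ]; then
			DC_NAT_INTERNAL_NET="$DC_INTERNAL_NET"
		fi

		# query the 'pingable' status from debconf
		db_get arno-iptables-firewall/icmp-echo
		if [ "$RET" = "true" ]; then
			DC_OPEN_ICMP=1
		else
			DC_OPEN_ICMP=0
		fi

		# check that all vars are in the config file
		# If the admin deleted or commented some variables but then set
		# them via debconf, (re-)add them.  This is done on $CFG itself:
		# the file is rewritten below anyway, and should that rewrite fail
		# the worst case is an extra empty assignment, not a lost file.
		test -z "$DC_EXT_IF"           || grep -Eq '^ *EXT_IF=' "$CFG"           || echo "EXT_IF=" >> "$CFG"
		test -z "$DC_EXT_IF_DHCP_IP"   || grep -Eq '^ *EXT_IF_DHCP_IP=' "$CFG"   || echo "EXT_IF_DHCP_IP=" >> "$CFG"
		test -z "$DC_OPEN_TCP"         || grep -Eq '^ *OPEN_TCP=' "$CFG"         || echo "OPEN_TCP=" >> "$CFG"
		test -z "$DC_OPEN_UDP"         || grep -Eq '^ *OPEN_UDP=' "$CFG"         || echo "OPEN_UDP=" >> "$CFG"
		test -z "$DC_NAT"              || grep -Eq '^ *NAT=' "$CFG"              || echo "NAT=" >> "$CFG"
		test -z "$DC_INT_IF"           || grep -Eq '^ *INT_IF=' "$CFG"           || echo "INT_IF=" >> "$CFG"
		test -z "$DC_INTERNAL_NET"     || grep -Eq '^ *INTERNAL_NET=' "$CFG"     || echo "INTERNAL_NET=" >> "$CFG"
		test -z "$DC_NAT_INTERNAL_NET" || grep -Eq '^ *NAT_INTERNAL_NET=' "$CFG" || echo "NAT_INTERNAL_NET=" >> "$CFG"
		test -z "$DC_OPEN_ICMP"        || grep -Eq '^ *OPEN_ICMP=' "$CFG"        || echo "OPEN_ICMP=" >> "$CFG"

		# now set the values from the debconf database.
		# sed writes into a working copy that keeps the mode and ownership
		# of $CFG (cp -p); the copy is only moved over $CFG once sed has
		# succeeded, so a failing sed cannot leave a truncated $CFG behind
		# (redirecting sed's output straight into $CFG would truncate it
		# before sed even parses its expressions).
		cp -dpf "$CFG" "$CFG.tmp"

		# use s### instead of s/// as *_NET variables may contain slashes.
		# The free-text answers are escaped so that '#', '&' and '\' in them
		# end up literally in the file; the 0/1 flags are generated above and
		# need no escaping.  (A double quote inside an answer would still
		# break the generated shell line -- unchanged from before.)
		sed -e "s#^ *EXT_IF=.*#EXT_IF=\"$(aif_sed_escape "$DC_EXT_IF")\"#" \
			-e "s#^ *EXT_IF_DHCP_IP=.*#EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP#" \
			-e "s#^ *OPEN_TCP=.*#OPEN_TCP=\"$(aif_sed_escape "$DC_OPEN_TCP")\"#" \
			-e "s#^ *OPEN_UDP=.*#OPEN_UDP=\"$(aif_sed_escape "$DC_OPEN_UDP")\"#" \
			-e "s#^ *NAT=.*#NAT=$DC_NAT#" \
			-e "s#^ *INT_IF=.*#INT_IF=\"$(aif_sed_escape "$DC_INT_IF")\"#" \
			-e "s#^ *INTERNAL_NET=.*#INTERNAL_NET=\"$(aif_sed_escape "$DC_INTERNAL_NET")\"#" \
			-e "s#^ *NAT_INTERNAL_NET=.*#NAT_INTERNAL_NET=\"$(aif_sed_escape "$DC_NAT_INTERNAL_NET")\"#" \
			-e "s#^ *OPEN_ICMP=.*#OPEN_ICMP=$DC_OPEN_ICMP#" \
			< "$CFG" > "$CFG.tmp"

		# replace the live file with the finished working copy
		mv -f "$CFG.tmp" "$CFG"

	fi # debconf wanted
}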

# (re-)start the firewall via systemd or sysvinit.
# start with new configuration if wanted, else no service is (re-)started
# and an already active service keeps running with its original configuration.
# Globals:   RET (set by db_get)
# Returns:   always 0; a failing (re-)start is deliberately not fatal for
#            the postinst
aif_restart () {
	db_get arno-iptables-firewall/restart
	# the admin declined a restart: leave a running service untouched
	[ "$RET" = "true" ] || return 0

	# a populated /run/systemd/system means systemd is the running init
	if [ -d /run/systemd/system ]; then
		deb-systemd-invoke restart arno-iptables-firewall.service >/dev/null || true
	else
		invoke-rc.d arno-iptables-firewall restart >/dev/null || true
	fi
}


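case "$1" in
	configure)
		# "$@" keeps empty or space-containing arguments intact, a bare $@
		# would re-split them
		aif_configure "$@"
		update-rc.d arno-iptables-firewall defaults >/dev/null
	;;

	abort-upgrade|abort-remove|abort-deconfigure)
	;;

	*)
		echo "postinst called with unknown argument \`$1'" >&2
		exit 1
	;;
esac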

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

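case "$1" in
	configure)
		# 'deb-systemd-invoke restart ...' requires the automatically
		# generated systemd related scripts already did their job. That's
		# why the re-starting is done here.
		# "$@" keeps empty or space-containing arguments intact, a bare $@
		# would re-split them
		aif_restart "$@"
	;;

	abort-upgrade|abort-remove|abort-deconfigure)
	;;

	*)
		echo "postinst called with unknown argument \`$1'" >&2
		exit 1
	;;
esac

# explicit success, independent of the status of the last case branch
exit 0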
