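#!/bin/bash
# A pre-up hook to auto-(re)load the iptables rulesets whenever the
# network is brought up. If the action fails, an alert message is passed
# to syslogd.
#
# Environment (provided by ifupdown): IFACE, MODE, ADDRFAM.
# Exit status: 0 when the interface, mode or address family is out of
# scope; otherwise the exit status of iptables-restore / ip6tables-restore
# (non-zero means the ruleset was NOT loaded).
#
# Copyright © 2013 Guilhem Moulin
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

set -uo pipefail
PATH=/usr/sbin:/usr/bin:/sbin:/bin

# NOTE: syslog starts after networking during the boot process, messages
# won't be logged at boot time.
# Kept as an array so the command and its flags never go through
# word-splitting of an unquoted string.
log=(/usr/bin/logger -st firewall)

# Ignore the loopback interface; run the script for ifup only.
[[ "$IFACE" != lo && "$MODE" == start ]] || exit 0

# We support only IPv4 and IPv6; any other address family is a no-op.
case "$ADDRFAM" in
  inet)  iptr=/sbin/iptables-restore;  rules=/etc/iptables/rules.v4 ;;
  inet6) iptr=/sbin/ip6tables-restore; rules=/etc/iptables/rules.v6 ;;
  *)     exit 0 ;;
esac

"${log[@]}" -p user.info -- "Loading $ADDRFAM firewall on interface $IFACE."

# Feed the saved ruleset to the restore tool; everything it prints (stdout
# and stderr) is forwarded to syslog at err priority. A missing rules file
# makes the redirection fail, which surfaces as a non-zero first-stage status.
"$iptr" < "$rules" 2>&1 | "${log[@]}" -p user.err
# Take the status of the restore command itself rather than the pipeline's:
# a logger failure must not mask a successful load, nor vice versa.
rv=${PIPESTATUS[0]}

if (( rv > 0 )); then
  "${log[@]}" -p user.alert -- \
    "WARN: Failed to load iptables rulesets; the machine may be unprotected!"
fi
exit "$rv"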