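#!/bin/bash
#
# Install and configure Shorewall on an LXC host (net / lan / fw zones,
# masquerading from lxcbr0 to eth0, per-container rule fragments, dedicated
# logging and the lxc-scripts repair cron job).
#
# Requires the 'lxc-scripts' tree in /opt/apps/lxc-scripts: it provides
# lxc-ls-running (called from the generated rules file) and the repair cron
# job linked below. Must run as root (installs packages, writes under /etc
# and /var/log).

set -eu

readonly LXC_SCRIPTS_DIR=/opt/apps/lxc-scripts
readonly SHOREWALL_LOG_DIR=/var/log/shorewall

# Print a message to stderr and abort the script.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# version_gt A B — succeed when version A sorts strictly after version B
# (`sort -V` ordering). Equal versions, or an empty A, fail.
# Arguments: $1 - version to test, $2 - reference version
# Returns:   0 when $1 > $2, 1 otherwise
#######################################
version_gt() {
  test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"
}

# Print the candidate version of the distro 'shorewall' package, or nothing
# when apt has no candidate. "(none)" sorts before any numeric version, so an
# unknown/uninstallable package also takes the fallback path below.
candidate_version() {
  apt-cache policy shorewall 2>/dev/null | awk '/Candidate:/ { print $2; exit }'
}

#######################################
# Fetch a pinned shorewall build from the Debian pool and install it with
# dpkg. Used only when the distro candidate predates docker support.
# Returns: 0 on success, non-zero when any download or dpkg step fails
#######################################
install_shorewall_from_pool() {
  local version="5.0.7.2-1"
  local base="http://ftp.fr.debian.org/debian/pool/main/s"
  local tmpdir rv=0
  # NOTE(review): these .deb files are fetched over plain HTTP and installed
  # without signature or checksum verification, so a network attacker or a
  # compromised mirror could substitute a package. Pin the expected digest
  # (placeholder: <SHA256_OF_SHOREWALL_CORE_DEB>, <SHA256_OF_SHOREWALL_DEB>)
  # and check it with `sha256sum -c` before `dpkg -i`, and prefer an https
  # mirror or snapshot.debian.org — old builds are eventually removed from
  # the live pool, so this exact version may also stop resolving.
  tmpdir=$(mktemp -d) || return 1
  (
    cd "$tmpdir" &&
      wget "$base/shorewall-core/shorewall-core_${version}_all.deb" &&
      wget "$base/shorewall/shorewall_${version}_all.deb" &&
      dpkg -i "shorewall-core_${version}_all.deb" "shorewall_${version}_all.deb"
  ) || rv=$?
  rm -rf -- "${tmpdir:?}"
  return "$rv"
}

# Install shorewall. Support for docker was introduced in 5.0.6, so when the
# distro candidate is 5.0.5 or older a newer build is pulled from the pool.
install_shorewall() {
  local candidate
  candidate=$(candidate_version)
  if version_gt "$candidate" 5.0.5; then
    apt-get install -y shorewall
  else
    install_shorewall_from_pool || die "Failed to install shorewall."
  fi
}

# Abort early when the lxc-scripts tree is missing: both the generated rules
# (lxc-ls-running) and the cron job depend on it, so there is no point in
# installing or configuring anything first.
require_lxc_scripts() {
  [ -d "$LXC_SCRIPTS_DIR" ] || die "Error: required 'lxc-scripts' not installed."
}

#######################################
# Write the Shorewall configuration: zones, interfaces, policy, rules, masq
# and the 'start' extension script. Heredocs use a quoted delimiter so the
# $variables inside the generated scripts are expanded by Shorewall at run
# time, not here.
#######################################
write_shorewall_config() {
  cat >/etc/shorewall/zones <<'EOF'
fw   firewall
net  ipv4
lan  ipv4
EOF

  cat >/etc/shorewall/interfaces <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0
## Uncomment to enable vpn setup
#vpn    tun0        detect
lan     lxcbr0      -           routeback
EOF

  cat >/etc/shorewall/policy <<'EOF'
#SOURCE DEST    RULE    LOG
fw      all     ACCEPT
lan     all     ACCEPT
net     all     DROP    info
all     all     DROP    info
EOF

  # The embedded shell block emits one rule fragment per running container:
  # /var/lib/lxc/<name>/shorewall with %%HOST_INTERNET_IP%% (eth0 address,
  # from net-tools "inet addr:"/"inet adr:" output) and %%IP%% (the
  # container's A record) substituted. Container names come from
  # lxc-ls-running and are deliberately word-split, one name per word.
  cat >/etc/shorewall/rules <<'EOF'
SSH/ACCEPT      net     fw
Ping/ACCEPT     net     fw
BEGIN SHELL
host_ip="$(/sbin/ifconfig eth0 2>/dev/null | sed 's/^.*inet ad\+r://g' | grep '^[0-9]' | sed 's/ .*$//g')"
for name in $(lxc-ls-running); do
  ip=$(dig +short A "$name")
  if [ -e "/var/lib/lxc/$name/shorewall" ]; then
    sed -r -e "s/%%HOST_INTERNET_IP%%/$host_ip/g" -e "s/%%IP%%/$ip/g" "/var/lib/lxc/$name/shorewall"
  fi
done
true
END SHELL
EOF

  cat >/etc/shorewall/masq <<'EOF'
eth0    lxcbr0
EOF

  cat >/etc/shorewall/start <<'EOF'
## correct a bug that prevents DHCP packets from being correctly sent between
## LXC containers, preventing them from receiving an IP.
. /etc/default/lxc
if [ -d "/sys/class/net/$LXC_BRIDGE" ] && [ "$(cat "/sys/class/net/$LXC_BRIDGE/operstate")" = "up" ]; then
  source_file=/etc/init/lxc-net.conf
  # Lift the non-delete iptables lines from the upstart job and replay them
  # through run_iptables. NOTE(review): eval executes whatever matched the
  # grep; the file is root-owned, but keep it that way and review it, since
  # nothing here validates the lines beyond the pattern.
  code=$(grep -E '^\s+iptables.*\s+-j\s+' "$source_file" | grep -vF -- '-D' | sed -r 's/^\s+[^-]+/run_iptables /g')
  echo "Adding LXC rules:"
  echo "$code"
  eval "$code"
fi
EOF
}

# Link the lxc-scripts repair cron job into /etc/cron.d.
install_repair_cron() {
  ## moreutils provides ``ts``. The original note says ts "is used in this
  ## script", but nothing visible here calls it — presumably the cron job
  ## does (TODO confirm).
  apt-get install -y moreutils
  ln -sf "$LXC_SCRIPTS_DIR/etc/cron.d/lxc-shorewall-repair" /etc/cron.d/lxc-shorewall-repair
}

#######################################
# Route Shorewall messages into /var/log/shorewall, rotate them, and point
# Shorewall's own startup log there.
#######################################
setup_logging() {
  mkdir -p "$SHOREWALL_LOG_DIR"
  chgrp syslog "$SHOREWALL_LOG_DIR"
  chmod g+w "$SHOREWALL_LOG_DIR"

  cat >/etc/rsyslog.d/shorewall.conf <<'EOF'
:msg, contains, "Shorewall:" /var/log/shorewall/main.log
# "& ~" discards the message after the write above (legacy spelling of "& stop")
& ~
EOF

  cat >/etc/logrotate.d/shorewall <<'EOF'
/var/log/shorewall/init.log {
    weekly
    rotate 4
    compress
    missingok
    create 0640 root adm
}
/var/log/shorewall/main.log {
    rotate 7
    weekly
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}
EOF

  ## Init logs
  sed -ri 's%^(STARTUP_LOG=).*$%\1/var/log/shorewall/init.log%g' /etc/shorewall/shorewall.conf
  service rsyslog restart
}

# Activate support for docker. Only an explicit "DOCKER=No" line is flipped;
# a missing key is left untouched.
enable_docker_support() {
  sed -ri 's/^DOCKER=No$/DOCKER=Yes/g' /etc/shorewall/shorewall.conf
}

main() {
  require_lxc_scripts
  install_shorewall
  write_shorewall_config
  install_repair_cron
  setup_logging
  enable_docker_support
}

main "$@"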