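#!/bin/sh
#
# Firewall provisioning for OpenMPTCProuter (OMR), written in the
# uci-defaults style: every step checks for the object it creates, so the
# script can be re-run without duplicating zones, rules or includes.
#
# What it sets up:
#   - REJECT as the default policy for interfaces that belong to no zone
#   - a named "vpn" zone (firewall.zone_vpn) for the glorytun interface
#   - OMR-specific ICMP/ICMPv6 rules in place of the stock ICMPv6 rules
#   - RFC1918 destinations excluded from masquerading on the wan zone
#   - flow offloading on boards known to support it
#   - the /etc/firewall.omr-server include
#
# Several batches below do not `commit firewall` themselves; they rely on
# the caller committing afterwards (the uci-defaults runner does a final
# `uci commit`) -- TODO confirm for any other invocation path.

# Returns 0 when `uci show firewall` contains $1 anywhere (substring match
# on the dumped config, here always a rule name).
has_fw_entry() {
	uci -q show firewall | grep -q -- "$1"
}

# Deletes every firewall rule whose `name` option equals $1, then commits
# if anything was removed.
# Rules are located by name rather than by position: the stock ICMPv6 rules
# used to be matched as @rule[5] / @rule[6], but deleting @rule[5] renumbers
# the anonymous sections, so a following @rule[6] test can no longer match.
# $1 is always a literal rule name from this script, never external input.
delete_rule_by_name() {
	deleted=0
	while :; do
		# `uci show` prints firewall.@rule[N].name='X' for anonymous
		# sections and firewall.<id>.name='X' for named ones; older uci
		# omits the quotes, hence the optional '\{0,1\} on both sides.
		section=$(uci -q show firewall \
			| sed -n "s/^firewall\.\([^.]*\)\.name='\{0,1\}$1'\{0,1\}\$/\1/p" \
			| head -n 1)
		[ -n "$section" ] || break
		# Stop instead of spinning if uci cannot delete (e.g. read-only overlay).
		uci -q del "firewall.$section" || break
		deleted=1
	done
	if [ "$deleted" -eq 1 ]; then
		uci -q commit firewall
	fi
}

# Set REJECT as default rule if an interface is not in a zone
uci -q batch <<-EOF >/dev/null
	set firewall.@defaults[0].input='REJECT'
	set firewall.@defaults[0].output='REJECT'
	set firewall.@defaults[0].forward='REJECT'
EOF

# Remove a positional "vpn" zone left by older configurations so that the
# named section firewall.zone_vpn below is the single definition. The name
# check guards the positional index (@zone[2] assumes the stock zone order).
if [ "$(uci -q get 'firewall.@zone[2].name')" = "vpn" ]; then
	uci -q batch <<-EOF >/dev/null
		del firewall.@zone[2]
		commit firewall
	EOF
fi

# vpn zone for the glorytun interface: masqueraded, forwarding and output
# allowed, traffic addressed to the router itself rejected.
# The body is tab-indented on purpose: <<- strips leading tabs only, so a
# space-indented terminator is not recognised as EOF and the batch would
# swallow the following lines of this script as uci commands.
if [ -z "$(uci -q get firewall.zone_vpn)" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.zone_vpn=zone
		set firewall.zone_vpn.name=vpn
		set firewall.zone_vpn.network=glorytun
		set firewall.zone_vpn.masq=1
		set firewall.zone_vpn.input=REJECT
		set firewall.zone_vpn.forward=ACCEPT
		set firewall.zone_vpn.output=ACCEPT
		commit firewall
	EOF
fi

# The stock ICMPv6 rules are replaced by ICMPv6-Lan-to-OMR below.
delete_rule_by_name "Allow-ICMPv6-Input"
delete_rule_by_name "Allow-ICMPv6-Forward"

# ICMP echo-request accepted for any source zone and any destination zone
# (src='*', dest='*'), i.e. pings from every zone, the wan zone included.
if ! has_fw_entry Allow-All-Ping; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='Allow-All-Ping'
		set firewall.@rule[-1].proto='icmp'
		set firewall.@rule[-1].dest='*'
		set firewall.@rule[-1].src='*'
		set firewall.@rule[-1].icmp_type='echo-request'
		commit firewall
	EOF
fi

# All ICMP from the vpn zone; no dest is set, so under OpenWrt rule
# semantics this matches traffic addressed to the router itself.
if ! has_fw_entry Allow-VPN-ICMP; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='Allow-VPN-ICMP'
		set firewall.@rule[-1].proto='icmp'
		set firewall.@rule[-1].src='vpn'
		commit firewall
	EOF
fi

# Forward everything from the lan zone to the wan zone (no proto filter).
if ! has_fw_entry Allow-Lan-to-Wan; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='Allow-Lan-to-Wan'
		set firewall.@rule[-1].dest='wan'
		set firewall.@rule[-1].src='lan'
		commit firewall
	EOF
fi

# ICMPv6 from lan to the router, restricted to the listed types and rate
# limited to 1000/sec.
if ! has_fw_entry ICMPv6-Lan-to-OMR; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='ICMPv6-Lan-to-OMR'
		set firewall.@rule[-1].src='lan'
		set firewall.@rule[-1].family='ipv6'
		set firewall.@rule[-1].proto='icmp'
		set firewall.@rule[-1].limit='1000/sec'
		set firewall.@rule[-1].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'
		commit firewall
	EOF
fi

# Do not masquerade wan traffic towards RFC1918 destinations ("!" negates
# the subnet). del_list before add_list keeps the list duplicate-free when
# the script is re-run. Left uncommitted (see header).
uci -q batch <<-EOF >/dev/null
	del_list firewall.wan.masq_dest='!10.0.0.0/8'
	del_list firewall.wan.masq_dest='!172.16.0.0/12'
	del_list firewall.wan.masq_dest='!192.168.0.0/16'
	add_list firewall.wan.masq_dest='!10.0.0.0/8'
	add_list firewall.wan.masq_dest='!172.16.0.0/12'
	add_list firewall.wan.masq_dest='!192.168.0.0/16'
EOF

# Software and hardware flow offloading on the Banana Pi R2 and on any
# board whose name contains "wrt" (case-insensitive). The board name is
# queried once instead of once per test. Left uncommitted (see header).
board_name=$(ubus call system board | jsonfilter -e '@.board_name')
case "$board_name" in
	bananapi,bpi-r2|*[Ww][Rr][Tt]*)
		uci -q batch <<-EOF >/dev/null
			set firewall.@defaults[0].flow_offloading='1'
			set firewall.@defaults[0].flow_offloading_hw='1'
		EOF
		;;
esac

# Include hook: /etc/firewall.omr-server is executed with the firewall and
# again on every firewall reload (reload=1).
if [ -z "$(uci -q get firewall.omr_server)" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.omr_server=include
		set firewall.omr_server.path=/etc/firewall.omr-server
		set firewall.omr_server.reload=1
		commit firewall
	EOF
fi

# MSS clamping (mtu_fix) on the first zone (lan in the stock config -- TODO
# confirm) and on the vpn zone. Left uncommitted (see header).
uci -q batch <<-EOF >/dev/null
	set firewall.@zone[0].mtu_fix='1'
	set firewall.zone_vpn.mtu_fix='1'
EOF

# Presumably makes LuCI rebuild its index cache so the new firewall objects
# appear in the web UI -- verify.
rm -f /tmp/luci-indexcache

exit 0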
