#! /bin/bash
# postinst script for arno-iptables-firewall

# Abort the maintainer script as soon as any command fails.
set -e
# Load the debconf shell library; the db_* commands used below are not defined
# in this file and come from it.
. /usr/share/debconf/confmodule
# Declare the debconf protocol version this script speaks.
db_version 2.0

# Carry over configuration files that package versions prior to 1.8.8 kept
# directly under /etc. This runs on every invocation, whatever "$1" is.

# Move one legacy file to its new location if it is present.
# Arguments: $1 - old path
#            $2 - new path
#            $3 - description used in the progress message
# Returns:   0 if there was nothing to move, otherwise the status of mv
relocate_legacy_file() {
    local old_path=$1 new_path=$2 what=$3

    [ -f "$old_path" ] || return 0
    echo "Moving $what to $new_path."
    mv "$old_path" "$new_path"
}

relocate_legacy_file /etc/arno-iptables-firewall.debconf \
    /etc/arno-iptables-firewall/debconf.cfg "debconf settings"
relocate_legacy_file /etc/arno-firewall-blocked-hosts \
    /etc/arno-iptables-firewall/blocked-hosts "host blacklist"
relocate_legacy_file /etc/arno-firewall-mac-addresses \
    /etc/arno-iptables-firewall/mac-addresses "MAC address filter list"

# Custom rules are appended to the new file instead of replacing it; the old
# file is removed once its content has been merged.
if [ -f /etc/arno-firewall-custom-rules ]; then
    echo "Merging custom iptables rules into /etc/arno-iptables-firewall/custom-rules."
    cat /etc/arno-firewall-custom-rules \
        >> /etc/arno-iptables-firewall/custom-rules
    rm -f /etc/arno-firewall-custom-rules
fi

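# Config snippet managed through debconf; rewritten on every "configure" run
# for which debconf management is enabled.
CFG=/etc/arno-iptables-firewall/conf.d/00debconf.conf

# Escape a value so that sed inserts it literally as the replacement part of
# an "s/.../.../" command: backslash, the "/" delimiter and "&" each get a
# leading backslash. Without this, a debconf answer containing one of these
# characters makes the sed call fail or silently writes a different value.
# Arguments: $1 - raw value (a debconf answer)
# Outputs:   the escaped value on stdout
sed_escape_replacement() {
    printf '%s\n' "$1" | sed -e 's|[\\/&]|\\&|g'
}

case "$1" in
    configure)
        # Most important question first: is debconf management requested?
        db_get arno-iptables-firewall/debconf-wanted
        if [ "$RET" = "true" ]; then
            # debconf is welcome: recreate the managed file with empty
            # defaults if it is missing.
            if [ ! -e "$CFG" ]; then
                cat << EOT > "$CFG"
#######################################################################
# Feel free to edit this file.  However, be aware that debconf writes #
# to (and reads from) this file too.  In case of doubt, only use      #
# 'dpkg-reconfigure -plow arno-iptables-firewall' to edit this file.  #
# If you really don't want to use debconf, or if you have specific    #
# needs, you're likely better off using placing an additional         #
# configuration snippet into/etc/arno-iptables-firewall/conf.d/.      #
# Also see README.Debian.                                             #
#######################################################################
EXT_IF=""
EXT_IF_DHCP_IP=0
OPEN_TCP=""
OPEN_UDP=""
INT_IF=""
NAT=0
INTERNAL_NET=""
NAT_INTERNAL_NET=""
OPEN_ICMP=0
EOT
            fi

            # Names of the external interfaces.
            db_get arno-iptables-firewall/config-ext-if
            DC_EXT_IF="$RET"

            # DHCP status of the external interface, stored as 0/1.
            db_get arno-iptables-firewall/dynamic-ip
            if [ "$RET" = "true" ]; then
                DC_EXT_IF_DHCP_IP=1
            else
                DC_EXT_IF_DHCP_IP=0
            fi

            # Externally reachable services.
            db_get arno-iptables-firewall/services-tcp
            DC_OPEN_TCP="$RET"
            db_get arno-iptables-firewall/services-udp
            DC_OPEN_UDP="$RET"

            # NAT status, stored as 0/1.
            db_get arno-iptables-firewall/nat
            if [ "$RET" = "true" ]; then
                DC_NAT=1
            else
                DC_NAT=0
            fi

            # Internal network interfaces.
            db_get arno-iptables-firewall/config-int-if
            DC_INT_IF="$RET"

            # Internal networks. The raw answer is kept here; escaping for
            # sed happens once, just before the file is written.
            db_get arno-iptables-firewall/config-int-net
            DC_INTERNAL_NET="$RET"

            # Internal networks with access to the external world.
            db_get arno-iptables-firewall/config-int-nat-net
            DC_NAT_INTERNAL_NET="$RET"
            # Allow the whole internal net for NAT if this was left empty.
            if [[ -z $DC_NAT_INTERNAL_NET && "$DC_NAT" == "1" ]]; then
                DC_NAT_INTERNAL_NET="$DC_INTERNAL_NET"
            fi

            # 'pingable' status, stored as 0/1.
            db_get arno-iptables-firewall/icmp-echo
            if [ "$RET" = "true" ]; then
                DC_OPEN_ICMP=1
            else
                DC_OPEN_ICMP=0
            fi

            # Escape every free-text answer for the sed call below. The 0/1
            # flags are produced by this script and need no escaping.
            # NOTE(review): the values end up between double quotes in $CFG.
            # Presumably that file is later read as shell code, in which case
            # a double quote, "$" or backquote in an answer would be
            # interpreted there -- confirm, and validate the answers where
            # they are asked if so.
            SED_EXT_IF=$(sed_escape_replacement "$DC_EXT_IF")
            SED_OPEN_TCP=$(sed_escape_replacement "$DC_OPEN_TCP")
            SED_OPEN_UDP=$(sed_escape_replacement "$DC_OPEN_UDP")
            SED_INT_IF=$(sed_escape_replacement "$DC_INT_IF")
            SED_INTERNAL_NET=$(sed_escape_replacement "$DC_INTERNAL_NET")
            SED_NAT_INTERNAL_NET=$(sed_escape_replacement "$DC_NAT_INTERNAL_NET")

            # Work on a copy so that the live file is only written once the
            # new content is complete (-p keeps mode, ownership and times).
            cp -dpf "$CFG" "$CFG.tmp"

            # If the admin deleted or commented out a variable but then set
            # it via debconf, (re-)add an empty assignment for sed to fill in.
            for key in EXT_IF EXT_IF_DHCP_IP OPEN_TCP OPEN_UDP NAT INT_IF \
                       INTERNAL_NET NAT_INTERNAL_NET OPEN_ICMP; do
                dc_name="DC_$key"
                test -z "${!dc_name}" \
                    || grep -Eq "^ *$key=" "$CFG.tmp" \
                    || echo "$key=" >> "$CFG.tmp"
            done

            # Fill in the values from the debconf database. The edit is done
            # on the working copy: if sed rejects an expression, "set -e"
            # aborts here and $CFG still holds its previous content instead
            # of having been truncated by an output redirection.
            sed -i \
                -e "s/^ *EXT_IF=.*/EXT_IF=\"$SED_EXT_IF\"/" \
                -e "s/^ *EXT_IF_DHCP_IP=.*/EXT_IF_DHCP_IP=$DC_EXT_IF_DHCP_IP/" \
                -e "s/^ *OPEN_TCP=.*/OPEN_TCP=\"$SED_OPEN_TCP\"/" \
                -e "s/^ *OPEN_UDP=.*/OPEN_UDP=\"$SED_OPEN_UDP\"/" \
                -e "s/^ *NAT=.*/NAT=$DC_NAT/" \
                -e "s/^ *INT_IF=.*/INT_IF=\"$SED_INT_IF\"/" \
                -e "s/^ *INTERNAL_NET=.*/INTERNAL_NET=\"$SED_INTERNAL_NET\"/" \
                -e "s/^ *NAT_INTERNAL_NET=.*/NAT_INTERNAL_NET=\"$SED_NAT_INTERNAL_NET\"/" \
                -e "s/^ *OPEN_ICMP=.*/OPEN_ICMP=$DC_OPEN_ICMP/" \
                "$CFG.tmp"

            # Write the finished content into the existing conffile, then
            # drop the working copy.
            cat "$CFG.tmp" > "$CFG"
            rm -f "$CFG.tmp"

            # Apply the new rules right away if the admin agreed to it.
            db_get arno-iptables-firewall/restart
            if [ "$RET" = "true" ]; then
                invoke-rc.d arno-iptables-firewall restart
            fi
        fi # debconf wanted

        # restart rsyslog if its init script is available
        if [ -x /etc/init.d/rsyslog ]; then
            invoke-rc.d rsyslog restart
        fi
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        # nothing to do
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac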

# Register the init script with its default start/stop links, but only when
# the script is actually installed and executable.
# NOTE(review): when update-rc.d fails, "exit 0" ends the postinst right here
# with a success status, so the code debhelper inserts at the marker below is
# never reached in that case.
[ ! -x "/etc/init.d/arno-iptables-firewall" ] ||
    update-rc.d arno-iptables-firewall defaults >/dev/null ||
    exit 0

# dh_installdeb substitutes the marker line below with the shell code that
# the other debhelper scripts generate.

#DEBHELPER#

exit 0


