#!/bin/sh

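#######################################
# Create chain $1 in the filter and nat tables and hook it into the
# module dispatch chains (filter in_mod, nat pre_mod). iptables errors
# are discarded, e.g. when the chain already exists from an earlier run.
# Arguments: $1 - chain name
# Returns:   status of the last iptables call (nat pre_mod jump)
#######################################
add_chain() {
  /sbin/iptables -N "$1" 2>/dev/null
  /sbin/iptables -A in_mod -j "$1" 2>/dev/null
  /sbin/iptables -t nat -N "$1" 2>/dev/null
  /sbin/iptables -t nat -A pre_mod -j "$1" 2>/dev/null
}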

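#######################################
# Undo add_chain: remove one jump to chain $1 from in_mod / nat pre_mod,
# flush the chain and delete it in both tables. iptables errors are
# discarded, e.g. when the chain is already gone.
# Arguments: $1 - chain name
# Returns:   status of the last iptables call (nat -X)
#######################################
del_chain() {
  /sbin/iptables -D in_mod -j "$1" 2>/dev/null
  /sbin/iptables -F "$1" 2>/dev/null
  /sbin/iptables -X "$1" 2>/dev/null
  /sbin/iptables -t nat -D pre_mod -j "$1" 2>/dev/null
  /sbin/iptables -t nat -F "$1" 2>/dev/null
  /sbin/iptables -t nat -X "$1" 2>/dev/null
}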

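#######################################
# Append an ACCEPT rule for protocol $2 to chain $1 in the filter and nat
# tables, restricted to destination port $3 when one is given.
# PORT is reset on every call: it is a global (POSIX sh, no local), so a
# call without $3 must not inherit the --dport of the previous call.
# Arguments: $1 - chain name
#            $2 - protocol (tcp/udp)
#            $3 - destination port (optional; omitted => any port)
# Returns:   status of the last iptables call (nat table)
#######################################
add_rule() {
  PORT=""
  [ -n "$3" ] && PORT="--dport $3"
  # shellcheck disable=SC2086 -- $PORT must split into "--dport N" or nothing
  /sbin/iptables -A "$1" -p "$2" $PORT -j ACCEPT 2>/dev/null
  /sbin/iptables -t nat -A "$1" -p "$2" $PORT -j ACCEPT 2>/dev/null
}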

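#######################################
# Init script for the stunnel module: start|stop|restart|status|defaults.
# Reads the module settings from $MOD_SETTINGS (checked with
# /sbin/hash_verify when that tool is present), manages the mod_stunnel
# iptables chain, creates a self-signed certificate when none exists and
# launches a server and/or client stunnel instance from configuration
# files generated under /var/stunnel.
#######################################
MOD_NAME=stunnel
MOD_DEFAULTS=/opt/$MOD_NAME/etc/defaults
MOD_SETTINGS=/opt/$MOD_NAME/etc/settings
# Follow a symlinked settings file so the copy and verify steps act on the target.
[ -L "$MOD_SETTINGS" ] && MOD_SETTINGS=$(readlink "$MOD_SETTINGS")

# Seed the settings (and their hash, when hash verification is available)
# from the shipped defaults on first run.
[ -f "$MOD_SETTINGS" ] || cp "$MOD_DEFAULTS" "$MOD_SETTINGS"
[ -x "/sbin/hash_verify" ] && [ ! -f "$MOD_SETTINGS.hash" ] && cp "$MOD_DEFAULTS.hash" "$MOD_SETTINGS.hash"

case "$1" in

  start|restart)
    # The settings file is sourced as shell code below, so stop here when
    # its integrity check fails. The verifier is run by the same absolute
    # path that was tested for, not via PATH lookup.
    [ -x "/sbin/hash_verify" ] && ! /sbin/hash_verify "$MOD_SETTINGS" && exit 1
    . "$MOD_SETTINGS"
    if [ "$1" = "restart" ]; then
      printf '%s' "Restarting module stunnel: "
      killall stunnel 2>/dev/null
      del_chain mod_stunnel 2>/dev/null
    else
      printf '%s' "Starting module stunnel: "
    fi
    if [ "$MOD_STUNNEL_ENABLED" != "1" ]; then
      echo "skipped"
      exit 0
    fi
    add_chain mod_stunnel
    # Accept the configured port of every enabled service SERV0..SERV9.
    # POSIX sh has no ${!name}: the eval'd text is built from the literal
    # index only, and the expanded values are not parsed a second time.
    for i in 0 1 2 3 4 5 6 7 8 9; do
      eval "serv_enabled=\${MOD_STUNNEL_SERV${i}_ENABLED}"
      eval "serv_accept=\${MOD_STUNNEL_SERV${i}_ACCEPT}"
      if [ "$serv_enabled" = "1" ]; then
        add_rule mod_stunnel tcp "$serv_accept"
      fi
    done
    # Bring up the loopback interface if ifconfig does not list it.
    if ! ifconfig | grep -q lo; then
      ifconfig lo up
    fi
    # Persistent data (certificate) and runtime (generated configs) directories.
    mkdir -p "/var/data/$MOD_NAME" "/var/$MOD_NAME"
    CERT_FILE="/var/data/$MOD_NAME/cert.pem"
    KEY_FILE="/var/data/$MOD_NAME/key.pem"
    # Create a self-signed certificate when either file is missing or the
    # key file has fewer than 20 lines (presumably an incomplete write).
    if [ ! -e "$CERT_FILE" ] || [ ! -e "$KEY_FILE" ] || [ "$(awk 'END {print NR}' "$KEY_FILE")" -lt 20 ]; then
      # Generate under umask 077 so the private key is never readable by
      # other users, not even between its creation and the chmod below.
      # /usr/bin/mac output is used as openssl's stdin (presumably the
      # answers to the subject prompts -- confirm against /usr/bin/mac).
      (
        umask 077
        /usr/bin/mac - | /usr/bin/openssl req -new -newkey rsa:2048 -x509 -nodes \
          -out "$CERT_FILE" -keyout "$KEY_FILE" -days 3660 2>/dev/null
      )
      chmod 400 "$KEY_FILE"
      # The certificate is public; give it the usual readable mode.
      chmod 644 "$CERT_FILE"
    fi
    # Both instances start from the same template; server_conf / client_conf
    # rewrite their copy and succeed when the settings contain that mode.
    RETVAL=0
    SERVER_CONF="/var/$MOD_NAME/stunnel_server.conf"
    CLIENT_CONF="/var/$MOD_NAME/stunnel_client.conf"
    cp "/opt/$MOD_NAME/etc/stunnel.conf" "$SERVER_CONF" || RETVAL=1
    cp "/opt/$MOD_NAME/etc/stunnel.conf" "$CLIENT_CONF" || RETVAL=1
    if [ "$RETVAL" = 0 ]; then
      # configuration contains a server mode => start the server instance
      if "/opt/$MOD_NAME/bin/server_conf" "$SERVER_CONF"; then
        "/opt/$MOD_NAME/bin/stunnel" "$SERVER_CONF" >/dev/null 2>&1 &
      fi
      # configuration contains a client mode => start the client instance
      if "/opt/$MOD_NAME/bin/client_conf" "$CLIENT_CONF"; then
        "/opt/$MOD_NAME/bin/stunnel" "$CLIENT_CONF" >/dev/null 2>&1 &
      fi
    fi
    # The instances run in the background, so only a failure to prepare
    # their configuration files can be reported synchronously here.
    if [ "$RETVAL" = 0 ]; then echo "done"; else echo "failed"; fi
    exit "$RETVAL"
  ;;

  stop)
    printf '%s' "Stopping module stunnel: "
    killall stunnel 2>/dev/null
    # The reported status is that of the last iptables call in del_chain.
    del_chain mod_stunnel 2>/dev/null
    RETVAL=$?
    if [ "$RETVAL" = 0 ]; then echo "done"; else echo "failed"; fi
    exit "$RETVAL"
  ;;

  status)
    printf '%s' "Module stunnel is "
    # Signal 0 only probes whether a process named stunnel exists.
    killall -0 stunnel 2>/dev/null
    RETVAL=$?
    if [ "$RETVAL" = 0 ]; then echo "running"; else echo "stopped"; fi
    exit "$RETVAL"
  ;;

  defaults)
    # Reset the settings (and their hash, if shipped) to the defaults.
    cp "$MOD_DEFAULTS" "$MOD_SETTINGS" 2>/dev/null
    [ -f "$MOD_DEFAULTS.hash" ] && cp "$MOD_DEFAULTS.hash" "$MOD_SETTINGS.hash" 2>/dev/null
    exit 0
  ;;

  *)
    printf 'Usage: %s {start|stop|restart|status|defaults}\n' "$0"
    exit 1
  ;;

esac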
