#!/bin/bash

# Yeah, copypaste. Copypaste everywhere.

# Rule fragment that enable() writes and disable() removes. It lives in the
# hbf-agent rules.d directory; the .v6 suffix presumably marks it as IPv6
# rules, matching the ip6tables calls below.
RULE_FILE='/etc/yandex-hbf-agent/rules.d/60-enable-logdrops.v6'

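#######################################
# Turn on logging for packets that reach the Y_END_IN, Y_END_OUT and
# Y_END_OUT_INET chains (going by the log prefixes, these are the packets
# about to be dropped).
# The LOG rules are written to RULE_FILE and also inserted into the live
# ip6tables ruleset. A rule that is already present is not inserted again,
# so repeated calls do not stack duplicate LOG rules that a single
# `disable` would leave behind.
# Globals:   RULE_FILE (read)
# Arguments: none
# Outputs:   the rule file content on stdout (via tee); xtrace on stderr
# Returns:   0 on success, 1 if the file write or any insert failed
#######################################
enable(){
    local rc=0 idx
    local -a chains=(Y_END_IN Y_END_OUT Y_END_OUT_INET)
    local -a prefixes=("Y_FW_IN drop: " "Y_FW_OUT drop: " "Y_END_OUT_INET drop: ")

    # Tracing stays enabled after the function returns.
    set -x

    # NOTE(review): these LOG rules carry no rate limit (e.g. the `limit`
    # match), so a burst of dropped traffic can flood the kernel log. Treat
    # this as a short-lived debugging switch. Any change to the rule spec
    # must be mirrored in disable(), which deletes by exact rule match.

    # Persist the rules. The blank first and last lines are part of the file
    # content. A failed write is recorded, but the live rules are still
    # attempted so the switch keeps working on a best-effort basis.
    tee "${RULE_FILE}" <<'EOF' || rc=1

*filter
:Y_END_IN -
:Y_END_OUT -
:Y_END_OUT_INET -
-I Y_END_IN 1 -j LOG --log-prefix "Y_FW_IN drop: "
-I Y_END_OUT 1 -j LOG --log-prefix "Y_FW_OUT drop: "
-I Y_END_OUT_INET 1 -j LOG --log-prefix "Y_END_OUT_INET drop: "
COMMIT

EOF

    for idx in "${!chains[@]}"; do
        # -C only checks for a matching rule. Its "no such rule" message is
        # expected on the first run, so stderr is silenced for the check only.
        if ip6tables -C "${chains[idx]}" -j LOG --log-prefix "${prefixes[idx]}" -w 2>/dev/null; then
            continue
        fi
        # -w waits for the xtables lock instead of failing when it is held.
        ip6tables -I "${chains[idx]}" 1 -j LOG --log-prefix "${prefixes[idx]}" -w || rc=1
    done

    return "${rc}"
}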

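#######################################
# Turn drop logging off again: remove RULE_FILE and delete the LOG rules
# from the live ip6tables ruleset.
# Every matching copy of a rule is deleted, so logging does not stay on
# when `enable` was run more than once. Calling this when nothing is
# enabled is not an error.
# Globals:   RULE_FILE (read)
# Arguments: none
# Outputs:   xtrace on stderr
# Returns:   0 on success, 1 if the file or a present rule could not be
#            removed
#######################################
disable(){
    local rc=0 idx
    local -a chains=(Y_END_IN Y_END_OUT Y_END_OUT_INET)
    local -a prefixes=("Y_FW_IN drop: " "Y_FW_OUT drop: " "Y_END_OUT_INET drop: ")

    # Tracing stays enabled after the function returns.
    set -x

    # -f: a missing file is already the desired state. `--` and the quotes
    # keep the path from being split or parsed as an option.
    rm -f -- "${RULE_FILE}" || rc=1

    for idx in "${!chains[@]}"; do
        # -C succeeds while a matching rule exists. Its error output for
        # "no such rule" is expected, so it is silenced for the check only.
        while ip6tables -C "${chains[idx]}" -j LOG --log-prefix "${prefixes[idx]}" -w 2>/dev/null; do
            if ! ip6tables -D "${chains[idx]}" -j LOG --log-prefix "${prefixes[idx]}" -w; then
                # The rule is present but could not be deleted. Stop
                # retrying this chain and report the failure.
                rc=1
                break
            fi
        done
    done

    # If something is left, it will be cleared on the next iteration of
    # hbf-agent.
    return "${rc}"
}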

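# Entry point: dispatch on the first argument. The script's exit status is
# that of the selected function; anything else prints usage and exits 1.
case "${1:-}" in
    enable)
        enable
        ;;
    disable)
        disable
        ;;
    *)
        # ${0##*/} strips the directory without running basename on an
        # unquoted $0, which breaks on paths containing spaces. Usage is
        # printed only on misuse, so it goes to stderr.
        printf '%s <enable|disable>\n' "${0##*/}" >&2
        exit 1
        ;;
esac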
