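{#
Jinja template for the systemd oneshot unit that installs the NAT rules for
the Risotto machines hosted on this node.

Template inputs (supplied by the renderer, not validated here):
  machined.machines                               list of machine DNS names
  machined["machine_<m>"]["ip_<m>"]               source IP of machine <m>
  machined["machine_<m>"]["outgoing_ports_<m>"]   ports <m> may reach through
                                                  output_interface
  machined["machine_<m>"]["incoming_ports_<m>"]   ports exposed by <m>
  output_interface                                egress interface used for MASQUERADE
A port entry is either "PORT" (tcp assumed) or "PROTO:PORT".
The filters `normalize_family` and `raise` are provided by the project.

Outgoing ports become MASQUERADE rules in the nat table, restricted to the
machine's source IP and the listed destination ports.  Incoming ports are
only checked here for uniqueness across machines (a port of a given
protocol may belong to one machine only); the rules that actually expose
them are presumably generated elsewhere -- TODO confirm.

The blank lines left behind by the template tags are ignored by systemd.
#}
[Unit]
Description=Firewall for Risotto
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
{# ns is the only state shared across loop iterations (a plain `set` is scoped to the loop body). #}
{% set ns = namespace(has_rules=False, incoming_ports={}) %}
{% for dns in machined.machines %}
{% set machine = dns|normalize_family %}
{% set entry = machined["machine_" + machine] %}
{% set outgoing = entry["outgoing_ports_" + machine] %}
{% if outgoing %}
{% set ip = entry["ip_" + machine] %}
{% for spec in outgoing %}
{% if ":" in spec %}
{% set protocol, port = spec.split(":") %}
{% else %}
{% set protocol = "tcp" %}
{% set port = spec %}
{% endif %}
{# One rule per machine/protocol/port: only this source IP and destination port is NATed out. #}
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
{# The "-" prefix keeps the stop sequence going when a rule is already gone. #}
ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
{% set ns.has_rules = True %}
{% endfor %}
{% endif %}
{# `or []` tolerates a machine without incoming ports instead of failing the render. #}
{% set incoming = entry["incoming_ports_" + machine] or [] %}
{% for spec in incoming %}
{% if ":" in spec %}
{% set protocol, port = spec.split(":") %}
{% else %}
{% set protocol = "tcp" %}
{% set port = spec %}
{% endif %}
{# owners maps port -> machine for this protocol; created on first use, so any protocol is accepted. #}
{% set owners = ns.incoming_ports.setdefault(protocol, {}) %}
{% if port in owners %}
{% set msg = 'the port "' + port + '" cannot be deployed for multiple machines: "' + dns + '" and "' + owners[port] + '"' %}
{{ msg|raise }}
{% endif %}
{# dict.update rather than __setitem__: dunder attributes are rejected by a sandboxed Jinja environment. #}
{% set _ = owners.update({port: dns}) %}
{% endfor %}
{% endfor %}
{% if not ns.has_rules %}
{# A oneshot unit still needs an ExecStart= when no machine has outgoing ports (dead while the FIXME block below exists). #}
ExecStart=/usr/bin/echo "No rule"
{% endif %}
#FIXME temporary DNS redirection, hard-coded rather than templated:
# - every port-53 packet addressed to a local address (PREROUTING for the
#   machines, OUTPUT for the host itself, loopback excluded) is DNATed to
#   5.135.181.125 and masqueraded on enp3s0, i.e. all DNS is forced to one
#   external resolver over plain tcp/udp 53.
# - it uses iptables-legacy while the rules above use /sbin/iptables; on a
#   host whose iptables is the nft-based one the two rule sets live in
#   separate backends, so confirm which backend is in effect before relying
#   on their relative ordering.
# - "enp3s0" should presumably be output_interface -- confirm before templating it.
ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
# "-" prefix as for the templated rules, so a missing rule does not abort the
# remaining deletions and leave the DNS redirection in place after stop.
ExecStop=-/sbin/iptables-legacy -t nat -D PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStop=-/sbin/iptables-legacy -t nat -D PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStop=-/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStop=-/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
ExecStop=-/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
ExecStop=-/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
#FIXME end

[Install]
WantedBy=multi-user.target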