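%def %%get_protocol_port(%%port)
# Split one port entry into (protocol, port).
# Accepts "proto:port" or a bare "port"; a bare port defaults to tcp.
# Fails early with a clear message instead of leaving a broken or
# argument-injecting iptables line in the generated unit:
#   - protocol must be tcp or udp (the only ones --dport applies to, and the
#     only keys incoming_ports is built with);
#   - port must be a single non-empty token (it is spliced into ExecStart=).
  %if ':' in %%port
    %set %%protocol, %%port = %%port.split(':')
  %else
    %set %%protocol = 'tcp'
  %end if
  %if %%protocol not in ('tcp', 'udp')
    %raise Exception('unknown protocol "' + %%protocol + '" for port "' + %%port + '" (expected tcp or udp)')
  %end if
  %if len(%%port.split()) != 1
    %raise Exception('invalid port "' + %%port + '"')
  %end if
  %return %%protocol, %%port
%end def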
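[Unit]
Description=Firewall for Risotto
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
# One MASQUERADE rule (and its ExecStop= removal) is emitted per outgoing port
# of every machine. Incoming ports are only collected here, to reject a port
# that two machines both claim; no incoming rule is generated by this unit.
%set %%has_rules = False
%set %%incoming_ports = {'tcp': {}, 'udp': {}}
%for %%dns in %%machined.machines
  %set %%machine = %%normalize_family(%%dns)
  %set %%machine_vars = %%machined['machine_' + %%machine]
  %set %%outgoing = %%machine_vars['outgoing_ports_' + %%machine]
  %if %%outgoing
    %set %%ip = %%machine_vars['ip_' + %%machine]
    %for %%port in %%outgoing
       %set %%protocol, %%port = %%get_protocol_port(%%port)
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
       %set %%has_rules = True
    %end for
  %end if
  %set %%incoming = %%machine_vars['incoming_ports_' + %%machine]
  %for %%port in %%incoming
     %set %%protocol, %%port = %%get_protocol_port(%%port)
     %if %%port in %%incoming_ports[%%protocol]
       %raise Exception('the port "' + %%port + '" cannot be deployed for multiple machines: "' + %%dns + '" and "' + %%incoming_ports[%%protocol][%%port] + '"')
     %end if
     %set %%incoming_ports[%%protocol][%%port] = %%dns
  %end for
%end for
# Fallback so the unit still has a command to run when no machine declares an
# outgoing port (has_rules is only set once a rule was emitted above).
%if not %%has_rules
ExecStart=/usr/bin/echo "No rule"
%end if

[Install]
WantedBy=multi-user.target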