#!/bin/bash
# info: update firewall ipset
# options: [REFRESH]
#
# example: v-update-firewall-ipset
#
# This function creates ipset lists and updates the lists if they are expired or ondemand

#----------------------------------------------------------#
#                Variables & Functions                     #
#----------------------------------------------------------#

refresh=${1:-no}

# Includes
source /etc/profile.d/hestia.sh
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# load config file
source_conf "$HESTIA/conf/hestia.conf"

#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

is_refresh_ipset_format_valid "$refresh" 'Refresh IP lists (load/yes/no)'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'

# Perform verification if read-only mode is enabled
check_hestia_demo_mode

ipset_hstobject='../../data/firewall/ipset'

for ipset_name in $(search_objects "$ipset_hstobject" 'SUSPENDED' 'no' 'LISTNAME' 2> /dev/null); do

	ipset_time="$(get_object_value "$ipset_hstobject" 'LISTNAME' "$ipset_name" '$TIME')"
	ipset_date="$(get_object_value "$ipset_hstobject" 'LISTNAME' "$ipset_name" '$DATE')"
	ipset_au="$(get_object_value "$ipset_hstobject" 'LISTNAME' "$ipset_name" '$AUTOUPDATE')"

	if [ "$ipset_au" = 'no' ] || [ "$refresh" = 'load' ]; then
		# Load existing ip list files in the kernel but don't auto update them
		# The "load" refresh option is only used by hestia-iptables systemd service
		$BIN/v-add-firewall-ipset "$ipset_name"
		continue
	fi

	last_updated_ts=$(date -d "$ipset_date $ipset_time" +%s)
	now=$(date +%s)
	hours_since_update=$(((now - last_updated_ts) / (60 * 60)))

	if [[ "$hours_since_update" -lt 24 ]] && [ "$refresh" = 'no' ]; then
		# Load existing ip list files in the kernel but don't auto update them
		$BIN/v-add-firewall-ipset "$ipset_name"
		continue
	fi

	$BIN/v-add-firewall-ipset "$ipset_name" '' '' '' 'yes'
done

#----------------------------------------------------------#
#                       Hestia                             #
#----------------------------------------------------------#

# Logging
log_event "$OK" "$ARGUMENTS"

exit