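#!/bin/bash
# this script extends cpHulk to assist managing nftables.
# country codes selected in CPhulk will be banned at the IP level
# whitelisted ips will be included as administratively allowed
#
# Requires whmapi1, jq and nft (must run as root). Both nft sets are
# flushed and refilled inside one `nft -f -` batch, so a failure anywhere
# in the batch leaves the previously loaded rules untouched (fail closed).

# -e: abort on error; -u: unset variables are errors; pipefail: a failing
# whmapi1/jq stage is no longer masked by the last command of a pipeline.
set -eu -o pipefail

# Print a diagnostic when the script exits with a non-zero status.
# $1 - exit status, $2 - line number reported by the EXIT trap
catch() {
  if [ "$1" != "0" ]; then
    echo failed to update firewall rules
    echo "Error $1 occurred on $2"
  fi
}

whitelist=''
blacklist=''

# EXIT handler: report failures and always remove the temp files,
# whichever of them were created before the exit.
# $1 - exit status, $2 - line number
cleanup() {
  catch "$1" "$2"
  if [[ -n "$whitelist" ]]; then rm -f -- "$whitelist"; fi
  if [[ -n "$blacklist" ]]; then rm -f -- "$blacklist"; fi
}
trap 'cleanup $? $LINENO' EXIT

# Emit "add element inet filter <set> { a,b,... }" from a file holding one
# entry per line. Prints nothing for an empty file: nft rejects "{ }", and an
# empty (just flushed) set is the correct result when nothing is listed.
# $1 - nft set name, $2 - path of the entry file
add_elements() {
  local set_name=$1 file=$2 joined
  [[ -s "$file" ]] || return 0
  joined=$(paste -s -d, "$file")
  printf 'add element inet filter %s { %s }\n' "$set_name" "$joined"
}

readonly geoipdir='/usr/local/cpanel/3rdparty/share/geoipfree/country-cidrs'
# mktemp creates the files mode 0600 with unpredictable names
whitelist=$(mktemp)
blacklist=$(mktemp)

# get list of CCs that are blocked (comma separated; empty when none or null)
cclist=$(
  whmapi1 --output=json load_cphulk_config \
    | jq -r '.data.cphulk_config.country_blacklist // empty'
)

# loop over list and concat all subnets from cpanel free geoip,
# one CIDR per line so the set can be assembled without trailing commas
IFS=, read -ra cc_codes <<<"$cclist"
# ${arr[@]+"${arr[@]}"} keeps 'set -u' happy on an empty array (bash < 4.4)
for cc in ${cc_codes[@]+"${cc_codes[@]}"}; do
  cc=${cc//[[:space:]]/}
  [[ -n "$cc" ]] || continue
  # the code becomes a path component under $geoipdir, so accept only a
  # plain two-letter code; anything else is a config anomaly, not a file
  if [[ ! "$cc" =~ ^[A-Za-z]{2}$ ]]; then
    printf 'invalid country code in cphulk config: %q\n' "$cc" >&2
    exit 1
  fi
  # a missing data file used to be masked by the trailing tr and silently
  # left that country unblocked; abort so the old rules stay in place
  if [[ ! -r "$geoipdir/$cc" ]]; then
    printf 'no geoip data for country code %s\n' "$cc" >&2
    exit 1
  fi
  # grep exits 1 when a file has no IPv4 ranges; only status 2 is an error
  grep -oP '(\d+\.){3}\d+/\d+' -- "$geoipdir/$cc" >> "$blacklist" \
    || [[ $? -eq 1 ]]
done

# write list of whitelist ips to temp file, one per line
# NOTE(review): the pattern keeps only the dotted quad, so a /prefix on a
# whitelist entry would be dropped here -- confirm the list holds single hosts
whmapi1 --output=json read_cphulk_records list_name='white' \
  | jq -r '(.data.ips_in_list // {}) | keys[]' \
  | { grep -oP '(\d+\.){3}\d+' || [[ $? -eq 1 ]]; } > "$whitelist"

# generate new rules for nftables; the whole block is one nft transaction
{
  echo 'flush set inet filter ccblockset'
  echo 'flush set inet filter adminwhitelist'
  # create whitelist set
  add_elements adminwhitelist "$whitelist"
  # create blacklist set
  add_elements ccblockset "$blacklist"
} | nft -f -
echo firewall was successfully updated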