#!/usr/bin/env python3
#
# Copyright (C) 2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# T2199: Remove unavailable nodes due to XML/Python implementation using nftables
#        monthdays: nftables does not have a monthdays equivalent
#        utc: nftables userspace uses localtime and calculates the UTC offset automatically
#        icmp/v6: migrate previously available `type-name` to valid type/code
# T4178: Update tcp flags to use multi value node

import re

from sys import argv
from sys import exit

from vyos.configtree import ConfigTree
from vyos.ifconfig import Section

if (len(argv) < 1):
    print("Must specify file name!")
    exit(1)

file_name = argv[1]

with open(file_name, 'r') as f:
    config_file = f.read()

base = ['firewall']
config = ConfigTree(config_file)

if not config.exists(base):
    # Nothing to do
    exit(0)

icmp_remove = ['any']
icmp_translations = {
    'ping': 'echo-request',
    'pong': 'echo-reply',
    'ttl-exceeded': 'time-exceeded',
    # Network Unreachable
    'network-unreachable': [3, 0],
    'host-unreachable': [3, 1],
    'protocol-unreachable': [3, 2],
    'port-unreachable': [3, 3],
    'fragmentation-needed': [3, 4],
    'source-route-failed': [3, 5],
    'network-unknown': [3, 6],
    'host-unknown': [3, 7],
    'network-prohibited': [3, 9],
    'host-prohibited': [3, 10],
    'TOS-network-unreachable': [3, 11],
    'TOS-host-unreachable': [3, 12],
    'communication-prohibited': [3, 13],
    'host-precedence-violation': [3, 14],
    'precedence-cutoff': [3, 15],
    # Redirect
    'network-redirect': [5, 0],
    'host-redirect': [5, 1],
    'TOS-network-redirect': [5, 2],
    'TOS host-redirect': [5, 3],
    #  Time Exceeded
    'ttl-zero-during-transit': [11, 0],
    'ttl-zero-during-reassembly': [11, 1],
    # Parameter Problem
    'ip-header-bad': [12, 0],
    'required-option-missing': [12, 1]
}

icmpv6_remove = []
icmpv6_translations = {
    'ping': 'echo-request',
    'pong': 'echo-reply',
    # Destination Unreachable
    'no-route': [1, 0],
    'communication-prohibited': [1, 1],
    'address-unreachble': [1, 3],
    'port-unreachable': [1, 4],
    # Redirect
    'redirect': 'nd-redirect',
    #  Time Exceeded
    'ttl-zero-during-transit': [3, 0],
    'ttl-zero-during-reassembly': [3, 1],
    # Parameter Problem
    'bad-header': [4, 0],
    'unknown-header-type': [4, 1],
    'unknown-option': [4, 2]
}

if config.exists(base + ['name']):
    for name in config.list_nodes(base + ['name']):
        if not config.exists(base + ['name', name, 'rule']):
            continue

        for rule in config.list_nodes(base + ['name', name, 'rule']):
            rule_recent = base + ['name', name, 'rule', rule, 'recent']
            rule_time = base + ['name', name, 'rule', rule, 'time']
            rule_tcp_flags = base + ['name', name, 'rule', rule, 'tcp', 'flags']
            rule_icmp = base + ['name', name, 'rule', rule, 'icmp']

            if config.exists(rule_time + ['monthdays']):
                config.delete(rule_time + ['monthdays'])

            if config.exists(rule_time + ['utc']):
                config.delete(rule_time + ['utc'])

            if config.exists(rule_recent + ['time']):
                tmp = int(config.return_value(rule_recent + ['time']))
                unit = 'minute'
                if tmp > 600:
                    unit = 'hour'
                elif tmp < 10:
                    unit = 'second'
                config.set(rule_recent + ['time'], value=unit)

            if config.exists(rule_tcp_flags):
                tmp = config.return_value(rule_tcp_flags)
                config.delete(rule_tcp_flags)
                for flag in tmp.split(","):
                    if flag[0] == '!':
                        config.set(rule_tcp_flags + ['not', flag[1:].lower()])
                    else:
                        config.set(rule_tcp_flags + [flag.lower()])

            if config.exists(rule_icmp + ['type-name']):
                tmp = config.return_value(rule_icmp + ['type-name'])
                if tmp in icmp_remove:
                    config.delete(rule_icmp + ['type-name'])
                elif tmp in icmp_translations:
                    translate = icmp_translations[tmp]
                    if isinstance(translate, str):
                        config.set(rule_icmp + ['type-name'], value=translate)
                    elif isinstance(translate, list):
                        config.delete(rule_icmp + ['type-name'])
                        config.set(rule_icmp + ['type'], value=translate[0])
                        config.set(rule_icmp + ['code'], value=translate[1])

            for src_dst in ['destination', 'source']:
                pg_base = base + ['name', name, 'rule', rule, src_dst, 'group', 'port-group']
                proto_base = base + ['name', name, 'rule', rule, 'protocol']
                if config.exists(pg_base) and not config.exists(proto_base):
                    config.set(proto_base, value='tcp_udp')

if config.exists(base + ['ipv6-name']):
    for name in config.list_nodes(base + ['ipv6-name']):
        if not config.exists(base + ['ipv6-name', name, 'rule']):
            continue

        for rule in config.list_nodes(base + ['ipv6-name', name, 'rule']):
            rule_recent = base + ['ipv6-name', name, 'rule', rule, 'recent']
            rule_time = base + ['ipv6-name', name, 'rule', rule, 'time']
            rule_tcp_flags = base + ['ipv6-name', name, 'rule', rule, 'tcp', 'flags']
            rule_icmp = base + ['ipv6-name', name, 'rule', rule, 'icmpv6']

            if config.exists(rule_time + ['monthdays']):
                config.delete(rule_time + ['monthdays'])

            if config.exists(rule_time + ['utc']):
                config.delete(rule_time + ['utc'])

            if config.exists(rule_recent + ['time']):
                tmp = int(config.return_value(rule_recent + ['time']))
                unit = 'minute'
                if tmp > 600:
                    unit = 'hour'
                elif tmp < 10:
                    unit = 'second'
                config.set(rule_recent + ['time'], value=unit)

            if config.exists(rule_tcp_flags):
                tmp = config.return_value(rule_tcp_flags)
                config.delete(rule_tcp_flags)
                for flag in tmp.split(","):
                    if flag[0] == '!':
                        config.set(rule_tcp_flags + ['not', flag[1:].lower()])
                    else:
                        config.set(rule_tcp_flags + [flag.lower()])

            if config.exists(base + ['ipv6-name', name, 'rule', rule, 'protocol']):
                tmp = config.return_value(base + ['ipv6-name', name, 'rule', rule, 'protocol'])
                if tmp == 'icmpv6':
                    config.set(base + ['ipv6-name', name, 'rule', rule, 'protocol'], value='ipv6-icmp')

            if config.exists(rule_icmp + ['type']):
                tmp = config.return_value(rule_icmp + ['type'])
                type_code_match = re.match(r'^(\d+)(?:/(\d+))?$', tmp)

                if type_code_match:
                    config.set(rule_icmp + ['type'], value=type_code_match[1])
                    if type_code_match[2]:
                        config.set(rule_icmp + ['code'], value=type_code_match[2])
                elif tmp in icmpv6_remove:
                    config.delete(rule_icmp + ['type'])
                elif tmp in icmpv6_translations:
                    translate = icmpv6_translations[tmp]
                    if isinstance(translate, str):
                        config.delete(rule_icmp + ['type'])
                        config.set(rule_icmp + ['type-name'], value=translate)
                    elif isinstance(translate, list):
                        config.set(rule_icmp + ['type'], value=translate[0])
                        config.set(rule_icmp + ['code'], value=translate[1])
                else:
                    config.rename(rule_icmp + ['type'], 'type-name')

            for src_dst in ['destination', 'source']:
                pg_base = base + ['ipv6-name', name, 'rule', rule, src_dst, 'group', 'port-group']
                proto_base = base + ['ipv6-name', name, 'rule', rule, 'protocol']
                if config.exists(pg_base) and not config.exists(proto_base):
                    config.set(proto_base, value='tcp_udp')

try:
    with open(file_name, 'w') as f:
        f.write(config.to_string())
except OSError as e:
    print("Failed to save the modified config: {}".format(e))
    exit(1)