#!/bin/sh -e

start() {
  /usr/sbin/nft -f /etc/nftables.conf
  [ -f /var/lib/nftables/ip-blocklist.nft ] && /usr/sbin/nft -f /var/lib/nftables/ip-blocklist.nft || :
  [ -f /var/lib/nftables/ip6-blocklist.nft ] && /usr/sbin/nft -f /var/lib/nftables/ip6-blocklist.nft || :
}

stop() {
  /usr/sbin/nft list set inet chef-filter ip-blocklist > /var/lib/nftables/ip-blocklist.nft
  /usr/sbin/nft list set inet chef-filter ip6-blocklist > /var/lib/nftables/ip6-blocklist.nft
  /usr/sbin/nft delete table inet chef-filter
<% if node[:roles].include?("gateway") -%>
  /usr/sbin/nft delete table inet chef-nat
<% end -%>
}

reload() {
  stop
  start
}

case "$1" in
  start) start;;
  stop) stop;;
  reload) reload;;
esac

exit 0