#!/bin/sh

# Decide whether firewalld is managing the firewall or whether the tcpcrypt rules must be handled directly with iptables


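# Prefer firewalld when it is the active firewall manager; otherwise drive
# iptables directly.  `is-active --quiet` exits 0 only while the unit is
# active, which is the condition the earlier `systemctl status` exit-code
# check relied on; stderr is silenced for hosts without systemd.
if systemctl is-active --quiet firewalld.service 2>/dev/null
then
   # use firewalld: the tcpcrypt direct rules are presumably defined in
   # firewalld's permanent configuration; the reload applies them and the
   # two --get-rules calls print what is active in the raw and mangle tables.
   # NOTE: "$1" (start/stop) is not acted on in this branch.
   firewall-cmd --reload
   firewall-cmd --direct --get-rules ipv4 raw tcpcrypt
   firewall-cmd --direct --get-rules ipv4 mangle tcpcrypt
else
   # use iptables manually: both chains hand every TCP packet that does not
   # carry mark bit 0x10 to NFQUEUE 666, where tcpcryptd (run with -x 0x10)
   # is expected to pick it up.  With no userspace listener bound to that
   # queue NFQUEUE drops the packets by default (no --queue-bypass is set),
   # so the daemon should be running before "start" is issued.
   # POSIX `=` is used in tests because the shebang is /bin/sh, not bash.
   case "$1" in
   start)
	iptables -t raw -N tcpcrypt
	iptables -t raw -A tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
	iptables -t raw -I PREROUTING -j tcpcrypt

	iptables -t mangle -N tcpcrypt
	iptables -t mangle -A tcpcrypt -p tcp -m mark --mark 0x0/0x10 -j NFQUEUE --queue-num 666
	iptables -t mangle -I POSTROUTING -j tcpcrypt

	# launch `tcpcryptd` with `-x 0x10`
	;;
   stop)
	# Unhook the jumps first so no packet enters a chain while it is torn
	# down, then flush and delete the chains so a later "start" can
	# recreate them (-N fails on an already existing chain).
	# The mangle jump was inserted into POSTROUTING by "start", so it must
	# be deleted from POSTROUTING here, not PREROUTING.
	iptables -t raw -D PREROUTING -j tcpcrypt
	iptables -t raw -F tcpcrypt
	iptables -t raw -X tcpcrypt

	iptables -t mangle -D POSTROUTING -j tcpcrypt
	iptables -t mangle -F tcpcrypt
	iptables -t mangle -X tcpcrypt
	;;
   *)
	# Anything other than start/stop previously did nothing silently;
	# report it so a typo does not pass for a successful run.
	printf 'Usage: %s {start|stop}\n' "$0" >&2
	exit 2
	;;
   esac
fi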
