#!/usr/bin/env python

#
# Copyright (C) 2026 Nethesis S.r.l.
# SPDX-License-Identifier: GPL-2.0-only
#

import os
import subprocess

from euci import EUci
from jinja2 import Environment, BaseLoader

# Jinja2 template for the two nftables chains this script installs under
# table-pre. ``dpi_dummy`` only sets the ``netify-init`` conntrack label (see
# the nft comment below) so that label writes are accepted; ``dpi_actions``
# hooks prerouting at priority filter+10 with a default policy of accept and
# rejects flows carrying the ``netify-blocked`` label (logging them first,
# rate-limited to 1/second, when ``log_enabled`` is true), then sets DSCP
# marks for the bulk / best_effort / video / voice labels and returns.
# NOTE(review): the labels are presumably written by the DPI engine; nothing
# on this page shows who sets them, so unlabelled traffic simply passes.
CHAIN = """
chain dpi_dummy {
    # this init is to allow kernel to set labels
    ct label set netify-init
 }

chain dpi_actions {
    type filter hook prerouting priority filter + 10; policy accept;

    {% if log_enabled -%}
    ct label netify-blocked counter log prefix "DPI block: " limit rate 1/second
    {% endif -%}
    ct label netify-blocked counter reject
    ct label bulk counter ip dscp set cs1 return
    ct label best_effort counter ip dscp set cs0 return
    ct label video counter ip dscp set af41 return
    ct label voice counter ip dscp set cs6 return
}

"""


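def generate_dpi():
    """Render the DPI nftables chain file and reload fw4 when it changed.

    Reads ``dpi.config.log_blocked`` from UCI (default ``False``) to decide
    whether blocked flows are logged, renders ``CHAIN`` with it and writes the
    result to ``/usr/share/nftables.d/table-pre/dpi_actions.nft``. The file is
    rewritten and ``fw4 reload`` is run only when the rendered text differs
    from the current content, so an unchanged configuration never triggers a
    firewall reload. The write goes through a temporary sibling file that is
    renamed into place, so an interrupted run cannot leave a truncated chain
    file for fw4 to load.

    Raises:
        subprocess.CalledProcessError: if ``fw4 reload`` exits non-zero.
        OSError: if the directory or the chain file cannot be written.
    """
    e_uci = EUci()
    template = Environment(loader=BaseLoader()).from_string(CHAIN)
    render = template.render(
        log_enabled=e_uci.get('dpi', 'config', 'log_blocked', dtype=bool, default=False)
    )
    # save to nftables directory table-pre, only if the file is changed
    file_path = '/usr/share/nftables.d/table-pre/dpi_actions.nft'
    # ensure directory exists
    os.makedirs(os.path.dirname(file_path), exist_ok=True)
    try:
        with open(file_path, 'r', encoding='utf-8') as f:
            current = f.read()
    except FileNotFoundError:
        # first run: no file yet, so anything rendered counts as a change
        current = None
    if current == render:
        return
    # write to a sibling temp file and rename it into place: os.replace is
    # atomic on the same filesystem, so fw4 never sees a partially written chain
    tmp_path = file_path + '.tmp'
    try:
        with open(tmp_path, 'w', encoding='utf-8') as f:
            f.write(render)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, file_path)
    except Exception:
        # best-effort removal of the partial temp file; the original error propagates
        try:
            os.unlink(tmp_path)
        except OSError:
            pass
        raise
    # reload nftables; check=True surfaces a failed reload to the caller
    subprocess.run(['fw4', 'reload'], check=True, capture_output=True)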

if __name__ == "__main__":
    # script entry point: regenerate the chain file and reload fw4 if it changed
    generate_dpi()
