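#!/bin/sh
#
# Build ipset "restore" files from the plain-text blacklists produced by
# blacklists_updater_txt.sh, plus a VK-only subset selected by network name
# from the auto/*.txt sources.
#
# Inputs (relative to this script):
#   blacklists/blacklist.txt, blacklist-v4.txt, blacklist-v6.txt
#   auto/all-ru-ipv4.txt, auto/all-ru-ipv6.txt, auto/ripe-ru-ipv4.txt
# Outputs:
#   blacklists/blacklist-vk*.txt          (name-filtered VK lists)
#   blacklists_iptables/*.ipset           (ipset restore files)
#
# Every list entry ends up verbatim on an "add" line that ipset restore
# executes, so only address/CIDR-shaped tokens are written out; anything
# else is skipped and reported on stderr.
#
# Requires: awk, grep, sort, mktemp, date.  "local" is not POSIX but is
# supported by dash, busybox ash and bash.

# -e: abort on the first unhandled failure; -u: unset variables are errors.
# pipefail is not available in every /bin/sh, so pipelines that matter are
# arranged so that the significant command is the last stage.
set -eu

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

# Input files (generated by blacklists_updater_txt.sh)
blacklist_file="${SCRIPT_DIR}/blacklists/blacklist.txt"
blacklist_v4_file="${SCRIPT_DIR}/blacklists/blacklist-v4.txt"
blacklist_v6_file="${SCRIPT_DIR}/blacklists/blacklist-v6.txt"

# Source files for name-based VK filtering
auto_all_v4_file="${SCRIPT_DIR}/auto/all-ru-ipv4.txt"
auto_all_v6_file="${SCRIPT_DIR}/auto/all-ru-ipv6.txt"
auto_ripe_v4_file="${SCRIPT_DIR}/auto/ripe-ru-ipv4.txt"
# Extended regex matched case-insensitively against the whole source line.
vk_name_pattern='VK[[:space:]-]*CLOUD|VKCOMPANY|VKONTAKTE'

# Additional VK-only text blacklists
blacklist_vk_file="${SCRIPT_DIR}/blacklists/blacklist-vk.txt"
blacklist_vk_v4_file="${SCRIPT_DIR}/blacklists/blacklist-vk-v4.txt"
blacklist_vk_v6_file="${SCRIPT_DIR}/blacklists/blacklist-vk-v6.txt"

# Output directory and files
iptables_output_dir="${SCRIPT_DIR}/blacklists_iptables"
iptables_output_file="${iptables_output_dir}/blacklist.ipset"
iptables_v4_output_file="${iptables_output_dir}/blacklist-v4.ipset"
iptables_v6_output_file="${iptables_output_dir}/blacklist-v6.ipset"
iptables_vk_output_file="${iptables_output_dir}/blacklist-vk.ipset"
iptables_vk_v4_output_file="${iptables_output_dir}/blacklist-vk-v4.ipset"
iptables_vk_v6_output_file="${iptables_output_dir}/blacklist-vk-v6.ipset"

# Create iptables directory if it doesn't exist
mkdir -p "${iptables_output_dir}"

# Build additional VK-only blacklist from network names in auto/*.txt files.
# The scratch file lives next to the outputs (same filesystem); the trap
# removes it on every exit path, including an abort under set -e.
tmp_vk_file="$(mktemp "${SCRIPT_DIR}/blacklists/.blacklist-vk.XXXXXX")"
trap 'rm -f -- "${tmp_vk_file}"' EXIT

for source_file in "${auto_all_v4_file}" "${auto_all_v6_file}" "${auto_ripe_v4_file}"; do
  [ -f "${source_file}" ] || continue
  # tolower() on both sides gives case-insensitive matching in every awk;
  # gawk's IGNORECASE is silently ignored by mawk and busybox awk.
  awk -v pattern="${vk_name_pattern}" \
    'tolower($0) ~ tolower(pattern) { print $1 }' "${source_file}" >> "${tmp_vk_file}"
done

# LC_ALL=C keeps the ordering byte-wise and identical across machines.
LC_ALL=C sort -u "${tmp_vk_file}" > "${blacklist_vk_file}"
# grep exits 1 when a family has no entries; an empty family list is fine.
grep ':' "${blacklist_vk_file}" | LC_ALL=C sort -u > "${blacklist_vk_v6_file}" || true
grep -v ':' "${blacklist_vk_file}" | LC_ALL=C sort -u > "${blacklist_vk_v4_file}" || true
rm -f -- "${tmp_vk_file}"

#######################################
# Write one ipset restore file for a single address family.
# Arguments:
#   $1 - input text file, one IPv4/IPv6 address or CIDR per line
#   $2 - output .ipset file (overwritten)
#   $3 - human-readable label used in the header and progress output
#   $4 - ipset name; names starting with "blacklist-vk" get outbound
#        REJECT usage examples, all others inbound DROP examples
#   $5 - ipset family: "inet" or "inet6"
# Outputs:
#   progress lines on stdout; a warning on stderr when lines were skipped
# Returns:
#   1 if the input file is missing or unreadable, 0 otherwise
#######################################
generate_ipset_config() {
  local input_file="$1"
  local output_file="$2"
  local ip_version="$3"
  local set_name="$4"
  local family="$5"
  local iptables_cmd="iptables"
  local rule_primary=""
  local rule_secondary=""
  local entry_re=""
  local count=0
  local total=0
  local skipped=0
  local hashsize=0
  local maxelem=0

  if [ ! -r "${input_file}" ]; then
    printf 'error: cannot read input file %s\n' "${input_file}" >&2
    return 1
  fi

  # Only lines shaped like an address or CIDR of the requested family are
  # accepted.  The output is executed by "ipset restore", where any extra
  # word on an "add" line is parsed as an option rather than as data.
  if [ "${family}" = "inet6" ]; then
    iptables_cmd="ip6tables"
    entry_re='^[0-9A-Fa-f]*:[0-9A-Fa-f:.]*(/[0-9]{1,3})?$'
  else
    entry_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
  fi

  case "${set_name}" in
    blacklist-vk*)
      # VK sets reject this host's own outbound traffic to the listed networks.
      rule_primary="${iptables_cmd} -I OUTPUT -m set --match-set ${set_name} dst -j REJECT"
      rule_secondary="${iptables_cmd} -I FORWARD -m set --match-set ${set_name} dst -j REJECT"
      ;;
    *)
      # General blacklists drop new inbound connections from listed sources.
      rule_primary="${iptables_cmd} -I INPUT -m set --match-set ${set_name} src -m conntrack --ctstate NEW -j DROP"
      rule_secondary="${iptables_cmd} -I FORWARD -m set --match-set ${set_name} src -m conntrack --ctstate NEW -j DROP"
      ;;
  esac

  # grep -c prints 0 and exits 1 when nothing matches; that is a valid
  # (empty) set, not an error.  "total" counts non-blank lines so that
  # "skipped" reports only lines that carried something unexpected.
  count=$(grep -cE "${entry_re}" "${input_file}" || true)
  total=$(grep -c '[^[:space:]]' "${input_file}" || true)
  skipped=$((total - count))

  # hashsize: never below ipset's default of 1024.  maxelem: twice the
  # entry count so the set can grow, floored at hashsize so an empty or
  # tiny input does not yield a set that cannot be extended by hand.
  hashsize=$((count > 1024 ? count : 1024))
  maxelem=$((count * 2))
  if [ "${maxelem}" -lt "${hashsize}" ]; then
    maxelem="${hashsize}"
  fi

  # Header: human-readable usage notes followed by the "create" command.
  cat > "${output_file}" << EOF
# IPSet blacklist configuration ${ip_version}
# Auto-generated from $(basename "${input_file}")
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
#    ipset restore < $(basename "${output_file}")
#
# 2. Use with iptables/ip6tables:
#    ${rule_primary}
${rule_secondary:+#    ${rule_secondary}}
#
# 3. To flush/delete the set:
#    ipset flush ${set_name}
#    ipset destroy ${set_name}
#
create ${set_name} hash:net family ${family} hashsize ${hashsize} maxelem ${maxelem}
EOF

  # One "add" line per accepted entry.  awk is the last pipeline stage, so
  # grep's exit status 1 on an empty input cannot trip set -e.
  grep -E "${entry_re}" "${input_file}" \
    | awk -v set="${set_name}" '{ print "add " set " " $0 }' >> "${output_file}"

  if [ "${skipped}" -gt 0 ]; then
    printf 'warning: %s: skipped %s non-blank line(s) that are not %s addresses/CIDRs\n' \
      "${input_file}" "${skipped}" "${family}" >&2
  fi

  printf '✓ Generated %s: %s\n' "${ip_version}" "${output_file}"
  printf '  Total entries: %s\n' "${count}"
}

#######################################
# Append the "create"/"add" lines of a per-family .ipset file to a mixed
# .ipset file, leaving that file's own header comments behind.
# Arguments:
#   $1 - per-family .ipset file to copy from
#   $2 - mixed .ipset file to append to
#######################################
append_set_body() {
  # Every per-family file carries a "create" line, so grep always matches.
  grep -E '^(create|add) ' -- "$1" >> "$2"
}

# Generate ipset configurations from blacklist files
generate_ipset_config "${blacklist_v4_file}" "${iptables_v4_output_file}" "(IPv4 only)" "blacklist-v4" "inet"
generate_ipset_config "${blacklist_v6_file}" "${iptables_v6_output_file}" "(IPv6 only)" "blacklist-v6" "inet6"
generate_ipset_config "${blacklist_vk_v4_file}" "${iptables_vk_v4_output_file}" "(VK names, IPv4 only)" "blacklist-vk-v4" "inet"
generate_ipset_config "${blacklist_vk_v6_file}" "${iptables_vk_v6_output_file}" "(VK names, IPv6 only)" "blacklist-vk-v6" "inet6"

# For the mixed file we need two sets (IPv4 and IPv6), as an ipset cannot
# hold both families.
cat > "${iptables_output_file}" << EOF
# IPSet blacklist configuration (mixed IPv4/IPv6)
# Auto-generated from $(basename "${blacklist_file}")
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
#    ipset restore < $(basename "${iptables_output_file}")
#
# 2. Use with iptables/ip6tables:
#    iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
#    iptables -I FORWARD -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
#    ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
#    ip6tables -I FORWARD -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
#
# 3. To flush/delete the sets:
#    ipset flush blacklist-v4 && ipset destroy blacklist-v4
#    ipset flush blacklist-v6 && ipset destroy blacklist-v6
#
EOF

# Append both IPv4 and IPv6 sets to the mixed file
append_set_body "${iptables_v4_output_file}" "${iptables_output_file}"
echo "" >> "${iptables_output_file}"
append_set_body "${iptables_v6_output_file}" "${iptables_output_file}"

printf '✓ Generated (mixed IPv4/IPv6): %s\n' "${iptables_output_file}"
# The mixed total is the line count of the combined source list, as before;
# it may differ from the sum of the per-family sets when lines were skipped.
printf '  Total entries: %s\n' "$(grep -c '[^[:space:]]' "${blacklist_file}" || true)"

# Generate mixed VK-only ipset file (contains both v4 and v6 sets)
cat > "${iptables_vk_output_file}" << EOF
# IPSet blacklist configuration (VK names: VK Cloud / VKCOMPANY / VKONTAKTE)
# Auto-generated from name-filtered auto/*.txt sources
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
#    ipset restore < $(basename "${iptables_vk_output_file}")
#
# 2. Use with iptables/ip6tables:
#    iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT
#    iptables -I FORWARD -m set --match-set blacklist-vk-v4 dst -j REJECT
#    ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT
#    ip6tables -I FORWARD -m set --match-set blacklist-vk-v6 dst -j REJECT
#
# 3. To flush/delete the sets:
#    ipset flush blacklist-vk-v4 && ipset destroy blacklist-vk-v4
#    ipset flush blacklist-vk-v6 && ipset destroy blacklist-vk-v6
#
EOF

append_set_body "${iptables_vk_v4_output_file}" "${iptables_vk_output_file}"
echo "" >> "${iptables_vk_output_file}"
append_set_body "${iptables_vk_v6_output_file}" "${iptables_vk_output_file}"

printf '✓ Generated (VK names, mixed IPv4/IPv6): %s\n' "${iptables_vk_output_file}"
printf '  Total entries: %s\n' "$(grep -c '[^[:space:]]' "${blacklist_vk_file}" || true)"

echo ""
echo "VK outgoing block examples (iptables/ipset):"
printf '  ipset restore < %s\n' "${iptables_vk_output_file}"
echo "  iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT"
echo "  iptables -I FORWARD -m set --match-set blacklist-vk-v4 dst -j REJECT"
echo "  ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT"
echo "  ip6tables -I FORWARD -m set --match-set blacklist-vk-v6 dst -j REJECT"
echo ""
echo "Tip: Do not install Messenger MAX on the same phone/device that has VPN access configured."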