<?php

class ConfigRouterOSFirewallFilter extends NetworkConfigItem
{
  function Run(): void
  {
    $Path = array('ip', 'firewall', 'filter');

    $Routerboard = new Routerboard($this->SystemConfig['MainRouter']['HostName']);
    $Routerboard->UserName = $this->SystemConfig['MainRouter']['UserName'];
    $Routerboard->Timeout = $this->SystemConfig['MainRouter']['ConnectTimeout'];
    $Routerboard->Debug = true;

    $InetInterface = $this->SystemConfig['MainRouter']['InetInterface'];
    $LocalInterface = $this->SystemConfig['MainRouter']['LocalInterface'];

    $Items = array();


    // Total inet traffic measuring
    $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'action' => 'passthrough', 'comment' => 'total-out');
    $Items[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'action' => 'passthrough', 'comment' => 'total-in');

    // Inet traffic groups
    //$Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-out', 'comment' => 'inet-out');
    //$Items[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-in', 'comment' => 'inet-in');

    // Input to router
    $Items[] = array('chain' => 'input', 'in-interface' => $InetInterface, 'protocol' => 'icmp', 'action' => 'accept', 'comment' => 'local-ping');
    $Items[] = array('chain' => 'input', 'in-interface' => $InetInterface, 'src-address' => '216.66.80.30', 'action' => 'accept', 'comment' => 'ipv6-tunnel');
    $Items[] = array('chain' => 'input', 'in-interface' => $InetInterface, 'action' => 'drop', 'comment' => 'drop-rest-input');

    // Allowed SMTP servers
    $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'src-address' => '10.145.64.8', 'action' => 'accept', 'comment' => 'smtp.zdechov.net');
    $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '212.111.0.12', 'action' => 'accept', 'comment' => 'smtp.inext.cz');
    $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '93.89.98.3', 'action' => 'accept', 'comment' => 'smtp.sychrovnet.cz');
    $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '77.75.72.43', 'action' => 'accept', 'comment' => 'smtp.seznam.cz');
    $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'dst-address' => '82.119.226.113', 'action' => 'accept', 'comment' => 'smtp.svarko.cz');
    $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'protocol' => 'tcp', 'dst-port' => 25, 'action' => 'drop', 'comment' => 'drop-rest-smtp');


    // Insert blocked addresses
    $DbResult = $this->Database->query('SELECT Member.*, Subject.Name FROM Member JOIN Subject ON Member.Subject = Subject.Id WHERE Member.Blocked=1');
    while ($Member = $DbResult->fetch_assoc())
    {
      echo($Member['Name'].': ');
      // Hosts
      $DbResult2 = $this->Database->query('SELECT NetworkInterface.*, NetworkDevice.Name AS DeviceName FROM NetworkInterface LEFT JOIN NetworkDevice ON NetworkDevice.Id = NetworkInterface.Device WHERE (NetworkInterface.ExternalIP <> "") AND (NetworkDevice.Member = '.$Member['Id'].') AND (NetworkInterface.LocalIP != NetworkInterface.ExternalIP) ORDER BY id DESC');
      while ($Interface = $DbResult2->fetch_assoc())
      {
        $Name = $Interface['DeviceName'];
        if ($Interface['Name'] != '') $Name .= '-'.$Interface['Name'];
        $Name = RouterOSIdent($Name);
        echo($Name.'('.$Interface['LocalIP'].'), ');
        $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'src-address' => $Interface['LocalIP'], 'action' => 'drop', 'comment' => $Name.'-out-drop');
        $Items[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'dst-address' => $Interface['LocalIP'], 'action' => 'drop', 'comment' => $Name.'-in-drop');
      }

      // Subnets
      $DbResult2 = $this->Database->select('NetworkSubnet', '*', 'Member='.$Member['Id']);
      while ($Subnet = $DbResult2->fetch_assoc())
      {
        $Subnet['Name'] = RouterOSIdent('subnet-'.$Subnet['Name']);
        echo($Subnet['Name'].'('.$Subnet['AddressRange'].'/'.$Subnet['Mask'].'), ');
        $NewAddress = new NetworkAddressIPv4();
        $NewAddress->AddressFromString($Subnet['ExtAddressRange']);
        $NewAddress->Prefix = $Subnet['ExtMask'];
        $Range = $NewAddress->GetRange();
        if ($Subnet['ExtMask'] != 32) $Range = $Range['From']->AddressToString().'-'.$Range['To']->AddressToString();
        else $Range = $Range['From']->AddressToString();
        if ($Subnet['Mask'] == 32) $Src = $Subnet['AddressRange'];
        else $Src = $Subnet['AddressRange'].'/'.$Subnet['Mask'];
        $Items[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'src-address' => $Src, 'action' => 'drop','comment' => $Subnet['Name'].'-out-drop');

        $NewAddress = new NetworkAddressIPv4();
        $NewAddress->AddressFromString($Subnet['AddressRange']);
        $NewAddress->Prefix = $Subnet['Mask'];
        $Range = $NewAddress->GetRange();
        if ($Subnet['Mask'] != 32) $Range = $Range['From']->AddressToString().'-'.$Range['To']->AddressToString();
        else $Range = $Range['From']->AddressToString();
        if ($Subnet['ExtMask'] == 32) $Dest = $Subnet['ExtAddressRange'];
        else $Dest = $Subnet['ExtAddressRange'].'/'.$Subnet['ExtMask'];
        $Items[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'dst-address' => $Dest, 'action' => 'drop', 'comment' => $Subnet['Name'].'-in-drop');
      }
      echo("\n");
    }

    $Routerboard->ListUpdate($Path, array('chain', 'dst-address', 'in-interface', 'src-address', 'out-interface', 'dst-port', 'protocol', 'action', 'comment', 'jump-target', 'src-port'), $Items);
  }
}