#!/bin/bash -eu

fix_nft_drops() {
    local j s='"add chain \(.family) \(.table) \(.name) { policy \(.policy); }"'

    if [ -f /tmp/restore-nft.conf ]; then
        nft -f /tmp/restore-nft.conf
    fi
    j="$(nft -j list chains | jq '.[][].chain | select(.policy == "drop")')"
    jq -r ".policy=\"accept\" | $s" <<< "$j"
    jq -r "$s" <<< "$j" > /tmp/restore-nft.conf
}

command -V dnsmasq > /dev/null
command -V nft > /dev/null

if [ "$EUID" != 0 ]; then
    echo 'this script must be run as root' >&2
    exit 1
fi

BRIDGE="${1-virbr0}"

modprobe nft_masq
sysctl net.ipv4.conf.all.forwarding=1

if ! ip link show "$BRIDGE" 2> /dev/null; then
    ip link add "$BRIDGE" type bridge
fi
ip link set dev "$BRIDGE" up
ip address add 192.168.123.1/24 dev "$BRIDGE"

nft -f- <<EOF
$(fix_nft_drops)
destroy table ip qemu; table ip qemu {
	chain input {
		type filter hook input priority filter; policy accept;
		iifname "$BRIDGE" counter accept
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
		iifname "$BRIDGE" counter accept
	}
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		masquerade
	}
}
EOF

if ! [ -f /var/run/dnsmasq-virbr0.pid ]; then
    dnsmasq -z \
        -i "$BRIDGE" \
        -F 192.168.123.2,192.168.123.254,255.255.255.0 \
        -x /var/run/dnsmasq-virbr0.pid \
        --server 1.1.1.1
fi