#!/bin/bash
# Check that there is some input chains loaded with "drop" OR "reject"
# Check that there is no changes since last known state
# Required sudoers config:
#    nagios ALL=NOPASSWD: /usr/sbin/nft --stateless -n list *

CACHE_DIR=/var/lib/nagios/check_ee_nftables
TMP=`mktemp /tmp/check_nft_XXX`

trap "rm -f $TMP" EXIT

NFT="nft --stateless -nn list"

opt_help=0
opt_init=0
opt_auto_init=0
opt_exclude=""

while getopts ":hiae:c:" opt; do
  case $opt in
    h)
        opt_help=1
      ;;
    i)
        opt_init=1
      ;;
    a)
        opt_auto_init=1
      ;;
    e)
        opt_exclude=$OPTARG
      ;;
    c)
        opt_chain=$OPTARG
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      exit 1
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      exit 1
      ;;
  esac
done

# Set default chain to INPUT if not define from command line
opt_chain=${opt_chain:-input}

function get_tables() {
    if [ -n "$opt_exclude" ]
    then
        sudo ${NFT} tables | grep -Ev 'f2b-table' | grep -Ev "$opt_exclude"
    else
        sudo ${NFT} tables | grep -Ev 'f2b-table'
    fi
}

function get_rules() {
    if [ -n "$opt_exclude" ]
    then
        get_tables | while read table_def
        do
            sudo ${NFT} $table_def | grep -Ev "$opt_exclude"
	done
    else
        get_tables | while read table_def
        do
            sudo ${NFT} $table_def
	done
    fi
}

if [ $opt_help -eq 1 ]
then
    echo "check_ee_nftables [OPTIONS]"
    echo " -i: save current state"
    echo " -a: auto save current state if needed"
    echo " -h: display this helpfull message"
    echo " -c \"STRING\": string to define CHAIN on which REJECT or DROP must be define (arg passed to grep -Ev) Default: INPUT"
    echo " -e \"STRING\": string to exclude from ip(6)tables-save (arg passed to grep -Ev)"
    exit 0
fi

if [ ! -x /usr/sbin/nft ]
then
    echo "CRITICAL: nftables is not installed"
    exit 2
fi

if [ ! -d $CACHE_DIR ]
then
    err_msg=$(mkdir -p $CACHE_DIR 2>&1)
    if [ $? -ne 0 ]
    then
        echo "CRITICAL: unable to create cache dir $CACHE_DIR: $err_msg"
        exit 2
    fi
fi

if [ $opt_init -eq 1 ]
then
    get_rules > $CACHE_DIR/nft.state
    exit 0
fi

# Check that there is at least one INPUT rule with DROP or REJECT
if [ $(sudo ${NFT} chain inet filter ${opt_chain} | grep -Ec "drop|reject") -lt 1 ]
then
    echo "CRITICAL: no drop/reject rules defined in $opt_chain"
    exit 2
fi

# Check for changes

if [ $opt_auto_init -eq 1 ]
then
    [ -f $CACHE_DIR/nft.state ] || get_rules > $CACHE_DIR/nft.state
fi

get_rules > $TMP
cmp -s $CACHE_DIR/nft.state $TMP
if [ $? -ne 0 ]
then
    echo "WARNING: nft rules changed"
    diff -Naur $CACHE_DIR/nft.state $TMP
    exit 1
fi

echo "OK: nft rules loaded without changes"
exit 0

