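#!/bin/bash
#
# Bring up a NAT'd bridge for QEMU guests: create the bridge interface,
# assign the host-side address, install iptables rules in dedicated
# QEMU_* chains (so re-running is idempotent) and start a dnsmasq
# instance serving DHCP on the bridge only.
#
# Usage: setup-bridge.sh [BRIDGE] [NET_PREFIX]
#   BRIDGE      bridge interface name (default: virbr0)
#   NET_PREFIX  first three octets of the /24 to use (default: 192.168.123)
# Must be run as root. Requires dnsmasq and iptables-nft.
#
# Options live in 'set' rather than the shebang so they survive being run
# as 'bash script.sh'.
set -euxo pipefail

# The dependency check names the nft backend, so call it explicitly instead
# of the 'iptables' alternatives symlink, which may resolve to the legacy
# backend and leave rules split across two tables.
readonly IPTABLES=iptables-nft

#######################################
# Append a rule to chain QEMU_<name> unless an identical rule exists.
# Arguments: $1 - base chain name (INPUT, FORWARD, POSTROUTING)
#            remaining args - iptables rule specification
#######################################
_iptables() {
  local chain="QEMU_$1"
  shift
  "$IPTABLES" -C "$chain" "$@" 2> /dev/null || "$IPTABLES" -A "$chain" "$@"
}

#######################################
# Create chain QEMU_<name> if missing and hook it from builtin chain <name>.
# Arguments: $1 - builtin chain name
#            remaining args - extra iptables options (e.g. -t nat)
#######################################
newtable() {
  local chain="$1"
  shift
  "$IPTABLES" -N "QEMU_$chain" "$@" 2> /dev/null || true
  # Only add the jump when absent; the original unconditionally appended
  # it, accumulating duplicate jump rules on every run.
  "$IPTABLES" -C "$chain" -j "QEMU_$chain" "$@" 2> /dev/null \
    || "$IPTABLES" -A "$chain" -j "QEMU_$chain" "$@"
}

#######################################
# Check whether the dnsmasq recorded in a pidfile is still running.
# Arguments: $1 - path to the pidfile
# Returns:   0 if the pid is a live dnsmasq, 1 otherwise (including when
#            the pidfile is missing or malformed)
#######################################
dnsmasq_running() {
  local pidfile="$1" pid
  [[ -r "$pidfile" ]] || return 1
  pid=$(< "$pidfile")
  # A missing/empty pidfile previously produced an empty grep pattern that
  # matched *any* running dnsmasq (e.g. libvirt's), so ours never started.
  [[ "$pid" =~ ^[0-9]+$ ]] || return 1
  # -x: whole-line match so pid 123 is not accepted because 1234 exists.
  pidof dnsmasq | tr ' ' '\n' | grep -qx -- "$pid"
}

main() {
  local dep missing=()
  # 'command -v a b' succeeds if ANY name resolves; check each separately.
  for dep in dnsmasq "$IPTABLES"; do
    command -v "$dep" > /dev/null 2>&1 || missing+=("$dep")
  done
  if (( ${#missing[@]} > 0 )); then
    echo 'missing 1+ dependencies: dnsmasq iptables-nft' >&2
    exit 1
  fi

  if [[ "$EUID" != 0 ]]; then
    echo 'this script must be run as root' >&2
    exit 1
  fi

  local bridge="${1-virbr0}"
  local prefix="${2-192.168.123}"
  # Per-bridge pidfile; for the default bridge this is the original path.
  local pidfile="/var/run/dnsmasq-${bridge}.pid"

  sysctl net.ipv4.conf.all.forwarding=1

  if ! ip link show "$bridge" > /dev/null 2>&1; then
    ip link add "$bridge" type bridge
  fi
  ip link set dev "$bridge" up
  # Flush first so repeated runs leave exactly one address on the bridge.
  ip address flush dev "$bridge"
  ip address add "${prefix}.1/24" dev "$bridge"

  newtable INPUT
  newtable FORWARD
  newtable POSTROUTING -t nat
  # The interface rules use $bridge throughout; the original hard-coded
  # virbr0 here, so a non-default BRIDGE got no ACCEPT rules at all.
  # NOTE(review): this accepts all guest->host traffic; restrict to the
  # DHCP/DNS ports if the host runs other services on this interface.
  _iptables INPUT -i "$bridge" -j ACCEPT
  _iptables FORWARD -i "$bridge" -j ACCEPT
  _iptables FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Masquerade only the guest subnet, and only when it leaves via another
  # interface. '-i' is documented as valid only for INPUT/FORWARD/PREROUTING,
  # so the source-subnet + '! -o' form is used for the POSTROUTING chain.
  _iptables POSTROUTING -t nat -s "${prefix}.0/24" ! -o "$bridge" -j MASQUERADE

  if ! dnsmasq_running "$pidfile"; then
    # -z (--bind-interfaces) keeps DHCP/DNS off every other interface.
    dnsmasq -z \
      -i "$bridge" \
      -F "${prefix}.2,${prefix}.254,255.255.255.0" \
      -x "$pidfile"
  fi
}

main "$@"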