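#!/bin/bash
# Set up a NAT-ed bridge for QEMU guests: create the bridge, give it the
# gateway address, install idempotent iptables rules in dedicated QEMU_*
# chains, and start a dnsmasq DHCP server bound to the bridge.
#
# Usage:    <script> [BRIDGE]      (BRIDGE defaults to virbr0; must run as root)
# Requires: dnsmasq, iptables (nft backend), ip (iproute2), sysctl, pidof
#
# Options live in `set`, not the shebang, so they survive `bash script.sh`.
set -ex

readonly GATEWAY_CIDR=192.168.122.1/24
readonly DHCP_RANGE=192.168.122.2,192.168.122.254,255.255.255.0

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Append a rule to the QEMU_<chain> chain unless an identical rule exists.
# Arguments: $1 - base chain (INPUT, FORWARD, ...); rest - iptables rule spec
#            (may include -t <table>, which iptables accepts anywhere)
# Returns:   iptables exit status
#######################################
_iptables() {
  local table="QEMU_$1"
  shift
  # -w waits for the xtables lock instead of failing under set -e when another
  # process (e.g. libvirt, firewalld) holds it.
  iptables -w -C "$table" "$@" 2> /dev/null || iptables -w -A "$table" "$@"
}

#######################################
# Create the QEMU_<chain> chain (if missing) and make <chain> jump to it.
# Arguments: $1 - base chain name; rest - extra iptables options (e.g. -t nat)
# Returns:   iptables exit status of the jump install
#######################################
newtable() {
  local table="$1"
  shift
  iptables -w -N "QEMU_$table" "$@" 2> /dev/null || true
  # Check before appending: otherwise every re-run stacks another jump rule.
  iptables -w -C "$table" -j "QEMU_$table" "$@" 2> /dev/null \
    || iptables -w -A "$table" -j "QEMU_$table" "$@"
}

#######################################
# Return 0 if the pid recorded in $PIDFILE belongs to a live dnsmasq.
# Globals:   PIDFILE (read)
# Returns:   0 if running, 1 otherwise (missing/unreadable/non-numeric pid file
#            counts as "not running" so a fresh dnsmasq gets started)
#######################################
dnsmasq_running() {
  local pid
  [[ -r "$PIDFILE" ]] || return 1
  pid=$(<"$PIDFILE") || return 1
  [[ "$pid" =~ ^[0-9]+$ ]] || return 1
  # -w: whole-word match, so pid 12 is not "found" inside an unrelated pid 123.
  pidof dnsmasq | grep -qw -- "$pid"
}

# The script calls iptables(8) and ip(8) directly; check for those as well as
# the nft backend the original required.
for tool in dnsmasq iptables-nft iptables ip sysctl pidof; do
  command -v "$tool" > /dev/null || die "missing dependency: $tool"
done

(( EUID == 0 )) || die 'this script must be run as root'

# :- so an explicitly empty first argument still falls back to the default.
BRIDGE="${1:-virbr0}"
readonly BRIDGE
# Per-bridge pid file: two bridges must not share one dnsmasq pid file.
readonly PIDFILE="/var/run/dnsmasq-${BRIDGE}.pid"

# Upstream interface = the one carrying the default route. \S+ rather than \w+
# so names such as eth0.100 or br-lan are not truncated; -m1 takes the first
# default route if there are several.
DEV="$(ip route | grep -Pom1 '^default.*dev\s+\K\S+')" || true
[[ -n "$DEV" ]] || die 'no default route found; cannot determine upstream interface'
readonly DEV

# NOTE: this enables forwarding on *all* interfaces. If the FORWARD chain
# policy is ACCEPT, the host routes between every interface it has, not only
# between $BRIDGE and $DEV; the rules below only add ACCEPTs, never a DROP.
sysctl net.ipv4.conf.all.forwarding=1

if ! ip link show "$BRIDGE" > /dev/null 2>&1; then
  ip link add "$BRIDGE" type bridge
fi
ip link set dev "$BRIDGE" up
ip address flush dev "$BRIDGE"
ip address add "$GATEWAY_CIDR" dev "$BRIDGE"

newtable INPUT
newtable FORWARD
newtable OUTPUT
newtable POSTROUTING -t nat

_iptables INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Guest -> host traffic (DHCP/DNS) on the configured bridge, not a hard-coded
# virbr0. This accepts *everything* from guests to the host; if guests are
# untrusted, narrow it to -p udp --dport 67 and --dport 53 (plus tcp 53).
_iptables INPUT -i "$BRIDGE" -j ACCEPT
_iptables FORWARD -i "$BRIDGE" -o "$DEV" -j ACCEPT
# Same match module as the INPUT rule (-m state is the deprecated alias); on a
# host that already has the old -m state rule, both forms coexist harmlessly.
_iptables FORWARD -i "$DEV" -o "$BRIDGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
_iptables POSTROUTING -o "$DEV" -j MASQUERADE -t nat

# Only start dnsmasq if the instance recorded in our pid file is not alive;
# an unrelated dnsmasq (e.g. libvirt's) must not suppress ours.
if ! dnsmasq_running; then
  dnsmasq --bind-dynamic \
    -i "$BRIDGE" \
    -F "$DHCP_RANGE" \
    -x "$PIDFILE"
fi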