package nat

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

const tableName = "alpine-router-nat"

// Config holds NAT masquerade settings per interface.
type Config struct {
	// Interfaces is the list of LAN interface names for which masquerade is enabled.
	// Traffic arriving on these interfaces will be NATted to the outgoing WAN interface.
	Interfaces []string `json:"interfaces"`
}

// configPath returns the path to nat.json next to the running binary.
func configPath() string {
	exe, err := os.Executable()
	if err != nil {
		return filepath.Join("configs", "nat.json")
	}
	return filepath.Join(filepath.Dir(exe), "configs", "nat.json")
}

// IsInstalled reports whether the nft (nftables) binary is available.
func IsInstalled() bool {
	_, err := exec.LookPath("nft")
	return err == nil
}

// Load reads the NAT config from disk.
// Returns an empty config if the file does not exist yet.
func Load() (*Config, error) {
	data, err := os.ReadFile(configPath())
	if err != nil {
		if os.IsNotExist(err) {
			return &Config{Interfaces: []string{}}, nil
		}
		return nil, fmt.Errorf("read nat config: %w", err)
	}
	var cfg Config
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("parse nat config: %w", err)
	}
	if cfg.Interfaces == nil {
		cfg.Interfaces = []string{}
	}
	return &cfg, nil
}

// Save writes the NAT config to the configs/ directory next to the binary.
func Save(cfg *Config) error {
	p := configPath()
	if err := os.MkdirAll(filepath.Dir(p), 0755); err != nil {
		return fmt.Errorf("mkdir configs: %w", err)
	}
	data, err := json.MarshalIndent(cfg, "", "  ")
	if err != nil {
		return err
	}
	return os.WriteFile(p, data, 0644)
}

// ApplyRules flushes the existing alpine-router NAT table and recreates it
// from the provided config. Called on every daemon startup and on config save.
//
// nftables is used instead of iptables because it applies all rules atomically
// in a single kernel call, which is faster and avoids partial-state issues.
func ApplyRules(cfg *Config) error {
	return ApplyRulesWithBlocked(cfg, nil)
}

// ApplyRulesWithBlocked is like ApplyRules but also installs drop rules for
// the given list of blocked client IPs.
func ApplyRulesWithBlocked(cfg *Config, blockedIPs []string) error {
	if err := os.WriteFile("/proc/sys/net/ipv4/ip_forward", []byte("1"), 0644); err != nil {
		return fmt.Errorf("enable ip_forward: %w", err)
	}

	exec.Command("nft", "delete", "table", "ip", tableName).Run()

	if len(cfg.Interfaces) == 0 && len(blockedIPs) == 0 {
		return nil
	}

	var sb strings.Builder
	fmt.Fprintf(&sb, "table ip %s {\n", tableName)

	sb.WriteString("    chain forward {\n")
	sb.WriteString("        type filter hook forward priority filter; policy drop;\n")
	sb.WriteString("        ct state established,related accept\n")

	for _, ip := range blockedIPs {
		fmt.Fprintf(&sb, "        ip saddr %s drop\n", ip)
		fmt.Fprintf(&sb, "        ip daddr %s drop\n", ip)
	}

	for _, iface := range cfg.Interfaces {
		fmt.Fprintf(&sb, "        iifname \"%s\" accept\n", iface)
	}
	sb.WriteString("    }\n")

	sb.WriteString("    chain postrouting {\n")
	sb.WriteString("        type nat hook postrouting priority srcnat; policy accept;\n")
	for _, iface := range cfg.Interfaces {
		fmt.Fprintf(&sb, "        iifname \"%s\" masquerade\n", iface)
	}
	sb.WriteString("    }\n")
	sb.WriteString("}\n")

	cmd := exec.Command("nft", "-f", "-")
	cmd.Stdin = strings.NewReader(sb.String())
	out, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("nft apply: %s: %w", strings.TrimSpace(string(out)), err)
	}
	return nil
}