#!/usr/bin/env bash

# Minimal one-time cleanup of legacy iptables/ipset entries before nftables
# - Detect full paths for iptables and ipset
# - Verify binaries with --version (if unsupported, still proceed)
# - Ignore errors for missing chains/sets; continue regardless

set +e

IPTABLES=$(command -v iptables || true)
IPSET=$(command -v ipset || true)

# Verify binaries (unset if unusable)
if [ -n "$IPTABLES" ]; then
	"$IPTABLES" --version >/dev/null 2>&1 || IPTABLES=""
fi
if [ -n "$IPSET" ]; then
	"$IPSET" --version >/dev/null 2>&1 || IPSET=""
fi

# Safe wrappers: run only if binary is available; suppress errors
ipt() { [ -n "$IPTABLES" ] && "$IPTABLES" "$@" 2>/dev/null || true; }
ips() { [ -n "$IPSET" ] && "$IPSET" "$@" 2>/dev/null || true; }

# blocklist-cpguard chain
ipt -D INPUT -j blocklist-cpguard
ipt --flush blocklist-cpguard
ipt -X blocklist-cpguard

# ipset sets (best-effort destroy)
ips destroy whitelist-cpguard
ips destroy blocklist-cpguard
ips destroy cc-blocklist-cpguard

# dos-cpguard chain
ipt -D INPUT -j dos-cpguard
ipt --flush dos-cpguard
ipt -X dos-cpguard





# Removes any /usr/bin/cpgcli lines from /etc/csf/csfpost.sh

CSFPOST="/etc/csf/csfpost.sh"

# Exit silently if file does not exist
[ ! -f "$CSFPOST" ] && exit 0

# Remove lines containing /usr/bin/cpgcli
# -i.bak keeps a backup copy as csfpost.sh.bak (optional safety)
sed -i.bak '/\/usr\/bin\/cpgcli/d' "$CSFPOST"

# If file is now empty or only contains the shebang, delete it
if [ ! -s "$CSFPOST" ] || grep -qx '#!/bin/bash' "$CSFPOST"; then
    rm -f "$CSFPOST"
else
    chmod 755 "$CSFPOST"
fi