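#!/bin/bash
#
# Safely replace the live nftables ruleset with the one in a file.
#
# The new ruleset is syntax-checked, the current ruleset is saved, the new
# one is loaded, and the operator then has TIMEOUT seconds to press 'y'.
# Anything else -- timeout, Ctrl-C, a dropped SSH session (SIGHUP), a
# non-interactive stdin -- rolls back to the saved ruleset, so a bad rule
# cannot lock the operator out of a remote host.
#
# Usage:   nft-apply-safe <rules-file>
# Exit:    0 when confirmed, 1 on abort/rollback, 2 if the rollback itself
#          failed (the backup is then left in place for manual recovery).
#
# The rules file is expected to be self-contained (typically starting with
# `flush ruleset`); if it is not, `nft -f` merges it into the live ruleset.

set -u

usage() {
  printf 'Usage: %s <rules-file>\n' "$0" >&2
  exit 1
}

die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

[[ $# -ge 1 && -n "${1:-}" ]] || usage

readonly NEW_RULES="$1"
readonly TIMEOUT=30
BACKUP_FILE=""   # set once the backup exists; empty means nothing to clean up
APPLIED=0        # 1 once the new ruleset is live
CONFIRMED=0      # 1 once the operator pressed 'y'

#######################################
# Exit/signal handler: restore the saved ruleset unless it was confirmed.
# Runs on every exit path, including SIGHUP from a lost terminal, which the
# original inline `else` branch could never reach.
# Globals: BACKUP_FILE, APPLIED, CONFIRMED (read)
#######################################
rollback() {
  local rc=$?
  trap - EXIT HUP INT TERM
  if [[ "$APPLIED" -eq 1 && "$CONFIRMED" -eq 0 ]]; then
    printf 'Timeout or cancellation. Rolling back to previous state...\n' >&2
    if ! nft -f "$BACKUP_FILE"; then
      printf 'ERROR: rollback failed; previous ruleset kept in %s\n' "$BACKUP_FILE" >&2
      exit 2
    fi
    rc=1
  fi
  [[ -n "$BACKUP_FILE" ]] && rm -f -- "$BACKUP_FILE"
  exit "$rc"
}

# 1. Pre-check syntax of the provided file (nothing is touched on failure).
[[ -r "$NEW_RULES" ]] || die "Cannot read $NEW_RULES."
echo "Checking syntax of $NEW_RULES..."
nft -c -f "$NEW_RULES" || die "Syntax error in $NEW_RULES. Aborting."

# 2. Save the current ruleset to a private, unpredictable temp file.
# umask 077 + mktemp: the backup contains the full firewall policy, so it
# must not be world-readable, and a predictable /tmp name is a symlink
# target for any local user.
umask 077
BACKUP_FILE="$(mktemp "${TMPDIR:-/tmp}/nft_backup.XXXXXXXXXX")" \
  || die "Cannot create backup file in ${TMPDIR:-/tmp}. Aborting to prevent lock-out."
trap rollback EXIT HUP INT TERM

# `nft list ruleset` output is not a restore script on its own: feeding it to
# `nft -f` would *add* to whatever is live, duplicating rules instead of
# restoring the old state. Prefixing `flush ruleset` turns the backup into a
# single atomic transaction that reinstates exactly the previous ruleset.
if ! { echo "flush ruleset"; nft list ruleset; } > "$BACKUP_FILE"; then
  die "Cannot read the current ruleset (not root?). Aborting to prevent lock-out."
fi

# 3. Apply the new rules. `nft -f` is transactional, so on failure the live
# ruleset is unchanged and there is nothing to roll back.
echo "Applying rules from $NEW_RULES..."
nft -f "$NEW_RULES" || die "Failed to apply $NEW_RULES; ruleset unchanged."
APPLIED=1

# 4. Confirmation timer. -r keeps backslashes literal, -n 1 takes a single
# keypress, -t makes the prompt fail-safe. With no tty on stdin `read` fails
# immediately, which also triggers the rollback.
echo "Rules applied! You have $TIMEOUT seconds to confirm."
user_input=""
read -r -t "$TIMEOUT" -n 1 \
  -p "Press 'y' to keep changes, otherwise they will be rolled back: " user_input \
  || true
echo ""   # newline after the single-character prompt

# 5. Decision: only an explicit 'y'/'Y' keeps the change; everything else
# exits non-zero and the EXIT trap performs the rollback.
case "$user_input" in
  y|Y)
    CONFIRMED=1
    echo "Changes confirmed. Remember to update your main config if needed."
    ;;
  *)
    exit 1
    ;;
esac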