#!/bin/sh

# to allow passive ftp through a default deny iptables firewall:
# modprobe nf_conntrack_ftp
# echo nf_conntrack_ftp >> /etc/modules
# enable helpers automatically via sysctl:
# net.netfilter.nf_conntrack_helper = 1
# OR enable manually for ftp only:
# iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

check_format() {
	# check that we have some ipv4 addresses and some '.' hints
	egrep -q '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]' "$1" \
		&& egrep -q '^\.[[:space:]]+' "$1"
}

ftphosts="FTP.INTERNIC.NET RS.INTERNIC.NET"
roothints=domain/named.cache
unbound_dir=/etc/unbound
outfile=$unbound_dir/root.hints

if [ "$1" = "--verify" ]; then
	if check_format $outfile; then
		echo "$outfile: ok"
		exit 0
	else
		echo "$outfile: failed"
		exit 1
	fi
fi

for host in $ftphosts; do
	url=ftp://$host/$roothints
	if wget -q -O ${outfile}.new $url && check_format ${outfile}.new; then
		mv ${outfile}.new $outfile && exit 0
	fi
done
exit 1