#!/usr/bin/env bash
set -euo pipefail

IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# ---------- filter/default table ----------

ipt() {
  "$IPTABLES" "$@"
}

ensure_chain() {
  local chain="$1"
  ipt -N "$chain" 2>/dev/null || true
}

add_rule() {
  local chain="$1"
  shift
  ipt -C "$chain" "$@" 2>/dev/null || ipt -A "$chain" "$@"
}

# ---------- nat table ----------

ipt_nat() {
  "$IPTABLES" -t nat "$@"
}

ensure_nat_chain() {
  local chain="$1"
  ipt_nat -N "$chain" 2>/dev/null || true
}

add_nat_rule() {
  local chain="$1"
  shift
  ipt_nat -C "$chain" "$@" 2>/dev/null || ipt_nat -A "$chain" "$@"
}