#!/bin/bash

# This is an example of a Ganeti kvm ifup script that configures network
# interfaces based on the initial deployment of the Okeanos project

TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-)
MAC2EUI64=/usr/bin/mac2eui64
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd

function clear_routed_setup_ipv4 {

 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
 while ip rule del dev $INTERFACE; do :; done
 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP

}

function clear_routed_setup_ipv6 {

 while ip -6 rule del dev $INTERFACE; do :; done

}


function clear_routed_setup_firewall {

  for oldchain in protected unprotected limited; do
    iptables  -D FORWARD -o $INTERFACE -j $oldchain
    ip6tables -D FORWARD -o $INTERFACE -j $oldchain
  done

}

function clear_ebtables {

  ebtables -D FORWARD -i $TAP -j $FROM
  ebtables -D FORWARD -o $TAP -j $TO
  #ebtables -D OUTPUT -o $TAP -j $TO

  ebtables -X $FROM
  ebtables -X $TO
}



function routed_setup_ipv4 {

	# mangle ARPs to come from the gw's IP
	arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s    "$NETWORK_GATEWAY"

	# route interface to the proper routing table
	ip rule add dev $INTERFACE table $TABLE

	# static route mapping IP -> INTERFACE
	ip route replace $IP proto static dev $INTERFACE table $TABLE

	# Enable proxy ARP
	echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
}

function routed_setup_ipv6 {
	# Add a routing entry for the eui-64
	prefix=$NETWORK_SUBNET6
	uplink=$PUBLIC_VLAN
	eui64=$($MAC2EUI64 $MAC $prefix)


	ip -6 rule add dev $INTERFACE table $TABLE
	ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
	ip -6 neigh add proxy $eui64 dev $uplink

	# disable proxy NDP since we're handling this on userspace
	# this should be the default, but better safe than sorry
	echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
}

# pick a firewall profile per NIC, based on tags (and apply it)
function routed_setup_firewall {
	ifprefix="synnefo:network:$INTERFACE_INDEX:"
	for tag in $TAGS; do
		case ${tag#$ifprefix} in
		protected)
			chain=protected
		;;
		unprotected)
			chain=unprotected
		;;
		limited)
			chain=limited
		;;
		esac
	done

	if [ "x$chain" != "x" ]; then
		iptables  -A FORWARD -o $INTERFACE -j $chain
		ip6tables -A FORWARD -o $INTERFACE -j $chain
	fi
}

function init_ebtables {

  ebtables -N $FROM
  ebtables -A FORWARD -i $TAP -j $FROM
  ebtables -N $TO
  ebtables -A FORWARD -o $TAP -j $TO

}


function setup_ebtables {

  # do not allow changes in ip-mac pair
  if [ -n "$IP"]; then
    ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
  fi
  ebtables -A $FROM -s \! $MAC -j DROP
  #accept dhcp responses from host (nfdhcpd)
  ebtables -A $TO -p ipv4 --ip-protocol=udp  --ip-destination-port=68 -j ACCEPT
  # allow only packets from the same mac prefix
  ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
}

function setup_masq {

  # allow packets from/to router (for masquerading)
  # ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT
  # ebtables -A INPUT -i $TAP -j $FROM
  # ebtables -A OUTPUT -o $TAP -j $TO
  return

}

function setup_nfdhcpd {
	umask 022
  FILE=$NFDHCPD_STATE_DIR/$INTERFACE
  #IFACE is the interface from which the packet seems to arrive
  #needed in bridged mode where the packets seems to arrive from the
  #bridge and not from the tap
	cat >$FILE <<EOF
INDEV=$INDEV
IP=$IP
MAC=$MAC
HOSTNAME=$INSTANCE
TAGS="$TAGS"
GATEWAY=$NETWORK_GATEWAY
SUBNET=$NETWORK_SUBNET
GATEWAY6=$NETWORK_GATEWAY6
SUBNET6=$NETWORK_SUBNET6
EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
EOF

}


DEFAULT=/etc/default/snf-network
source $DEFAULT
source $CONF

INFRA=$STATE_DIR/infra

source $INFRA

log-env

TAP=$INTERFACE
FROM=FROM${TAP^^}
TO=TO${TAP^^}

clear_routed_setup_ipv4 > /dev/null 2>&1
clear_routed_setup_ipv6 > /dev/null 2>&1
clear_routed_setup_firewall > /dev/null 2>&1
clear_ebtables > /dev/null 2>&1

if [ "$MODE" = "routed" ]; then
  TABLE=$LINK
  ip link set $INTERFACE addr $TAP_CONSTANT_MAC up
  INDEV=$INTERFACE
  DROPDHCPREQCMD="iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP"
elif [ "$MODE" = "bridged" ]; then
  ip link set $INTERFACE up
  brctl addif $BRIDGE $INTERFACE
  INDEV=$BRIDGE
  init_ebtables > /dev/null 2>&1
  DROPDHCPREQCMD="ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
fi


for tag in $NETWORK_TAGS; do
  case $tag in
  ip-less-routed)
    routed_setup_ipv4 > /dev/null 2>&1
    routed_setup_ipv6 > /dev/null 2>&1
    routed_setup_firewall > /dev/null 2>&1
  ;;
  nfdhcpd)
    # Drop unicast BOOTP/DHCP packets
    $DROPDHCPREQCMD > /dev/null 2>&1
    setup_nfdhcpd > /dev/null 2>&1
  ;;
  mac-filtered)
    setup_ebtables > /dev/null 2>&1
  ;;
  masq)
    setup_masq > /dev/null 2>&1
  ;;
  esac
done