#!/bin/bash

###
# Create firewalld rules that secures private bridge networks against public
###

IPCMD="/usr/sbin/ip"
FIREWALL_CMD="/usr/bin/firewall-cmd"
FIREWALL_OFFLINE_CMD="/usr/bin/firewall-offline-cmd"
BR="$1"

function set_private_nets() {
	[ "x$PRIVATE_NETS" = "x" ] && PRIVATE_NETS="$1" && return 0
	echo $PRIVATE_NETS | grep "$1" > /dev/null 2>&1
	[ $? -ne 0 ] && PRIVATE_NETS="$PRIVATE_NETS,$1"
	return 0
}

function fcmd_rule() {
	$FIREWALL_CMD --permanent $* && $FIREWALL_CMD --reload || $FIREWALL_OFFLINE_CMD $*
}

echo $BR | grep -E ^br[0-9]+ > /dev/null 2>&1
# Skip non-bridges
[ $? -ne 0 ] && exit 0

# Support only up
[ "x$2" != "xup" ] && exit 0

for IP in `$IPCMD a l $BR 2>/dev/null | grep inet | awk '{print $2}'`; do
	# Skip IPv6s
	echo $IP | grep ':' > /dev/null 2>&1
	[ $? -eq 0 ] && continue
	[ "x${IP:0:3}" = "x10." ] && set_private_nets 10.0.0.0/8 && continue
	[ "x${IP:0:8}" = "x192.168." ] && set_private_nets 192.168.0.0/16 && continue
	if [ "x${IP:0:4}" = "x172." ]; then
		SECN=`echo ${IP:4:3} | sed "s,\.,,g"`
		[ $SECN -ge 16 -o $SECN -le 31 ] && set_private_nets 172.16.0.0/12
	fi
done

[ "x$PRIVATE_NETS" != "x" ] && fcmd_rule --direct --add-rule ipv4 filter INPUT 0 ! -s $PRIVATE_NETS -d $PRIVATE_NETS -j DROP

exit 0
