#!/bin/bash
#
# Idempotently build an IPTables chain which will filter to only permitted MAC
# addresses, on incoming BOOTP requests on the control plane interface.

set -eux

INTERFACE=br-ctlplane
. /root/stackrc
MACS=$(for node in $(nova baremetal-node-list | grep -v '+\|ID' | awk ' { print $2 } '); do nova baremetal-interface-list $node | awk '/:/ { print $8}' ; done)

# In case this script crashed earlier, flush, unlink and delete the temp chain.
iptables -F FILTERBOOTPSNEW || true
iptables -D INPUT -i $INTERFACE -p udp --dport 67 -j FILTERBOOTPSNEW || true
iptables -X FILTERBOOTPSNEW || true
iptables -N FILTERBOOTPSNEW
# Build the chain we want.
for MAC in $MACS; do
    iptables -A FILTERBOOTPSNEW -m mac --mac-source $MAC -j ACCEPT
done
# Drop rather than reject as this is a broadcast protocol: we'd just be
# creating noise on the network.
iptables -A FILTERBOOTPSNEW -j DROP
# Link it in.
iptables -I INPUT -i $INTERFACE -p udp --dport 67 -j FILTERBOOTPSNEW
# Delete the old chain if present.
iptables -F FILTERBOOTPS || true
iptables -D INPUT -i $INTERFACE -p udp --dport 67 -j FILTERBOOTPS || true
iptables -X FILTERBOOTPS || true
# Rename the new chain into permanence.
iptables -E FILTERBOOTPSNEW FILTERBOOTPS