#!/bin/sh
#============================================================================
# /etc/xen/vif-bridge
#
# Script for configuring a vif in bridged mode.
# Xend calls a vif script when bringing a vif up or down.
# This script is the default - but it can be configured for each vif.
#
# Example invocation:
#
# vif-bridge up domain=VM1 vif=vif1.0 bridge=xen-br0 ip="128.232.38.45/28 10.10.10.55/24"
#
#
# Usage:
# vif-bridge (up|down) {VAR=VAL}*
#
# Vars:
#
# domain  name of the domain the interface is on (required).
# vif     vif interface name (required).
# mac     vif MAC address (required).
# bridge  bridge to add the vif to (required).
# ip      list of IP networks for the vif, space-separated (optional). Used as a
#         source-address allow-list: forwarded packets entering from the vif are
#         ACCEPTed only when their source is in one of these networks (anything
#         else is left to the FORWARD chain's policy, which must drop it for the
#         allow-list to have any effect). If omitted, no iptables rules are added.
#
# up:
# Enslaves the vif interface to the bridge and adds iptables rules
# for its ip addresses (if any).
#
# down:
# Removes the vif interface from the bridge and removes the iptables
# rules for its ip addresses (if any).
#============================================================================

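# Exit if anything goes wrong. Note that under `set -e` a failing
# `iptables -D` on the down path (e.g. a rule that was never installed)
# aborts the script before any later rule is removed.
set -e

echo "vif-bridge $*"

# Operation name (up|down).
OP=$1
shift

# Pull the VAR=VAL arguments into the environment. Every argument is
# exported verbatim with no validation of the variable name, so this
# script must only be invoked by a trusted caller (Xend): an arbitrary
# VAR=VAL here could override PATH or any variable used below.
for arg ; do export "${arg}" ; done

# Required parameters. ${VAR:?} aborts the script if any is unset or empty.
domain=${domain:?}
vif=${vif:?}
mac=${mac:?}
bridge=${bridge:?}

# Optional parameters. Set defaults.
ip=${ip:-''}   # default to null: no per-address iptables rules at all

# Validate the address list BEFORE touching the bridge or iptables, so a
# bad token cannot leave a half-configured vif behind. A token beginning
# with '-' would be parsed by iptables as an option rather than an
# address; refuse it rather than let iptables guess.
for addr in ${ip} ; do
    case "${addr}" in
        -*)
            echo "vif-bridge: bad address '${addr}' in ip=" >&2
            exit 1
            ;;
    esac
done

# Map the operation onto the brctl and iptables sub-commands.
case "$OP" in
    up)
        brcmd='addif'
        iptcmd='-A'
        ;;
    down)
        brcmd='delif'
        iptcmd='-D'
        ;;
    *)
        echo "Invalid command: $OP" >&2
        echo 'Valid commands are: up, down' >&2
        exit 1
        ;;
esac

# Don't do anything if the bridge is "null".
# Use '=' rather than the bash-only '==': this script runs under /bin/sh.
if [ "${bridge}" = "null" ] ; then
    exit 0
fi

# Add/remove the vif to/from the bridge, then bring the interface up/down.
brctl "${brcmd}" "${bridge}" "${vif}"
ifconfig "${vif}" "$OP"

# Test with -n on a quoted expansion. The previous unquoted `[ ${ip} ]`
# expanded a multi-address list into several test(1) arguments, which is a
# test error and, under set -e, aborted the script right after the bridge
# step -- so the documented multi-network invocation never got its rules.
if [ -n "${ip}" ] ; then

    # Source-address allow-list: accept forwarded packets entering from this
    # vif only when their source is one of the configured networks. These are
    # ACCEPT rules only -- spoofed sources are dropped solely because the
    # FORWARD chain's policy (or a later rule) drops what is not accepted here.
    for addr in ${ip} ; do
        iptables "${iptcmd}" FORWARD -m physdev --physdev-in "${vif}" -s "${addr}" -j ACCEPT
    done

    # Always allow DHCP client -> server traffic (UDP 68 -> 67) from this vif,
    # regardless of the address list.
    iptables "${iptcmd}" FORWARD -m physdev --physdev-in "${vif}" -p udp --sport 68 --dport 67 -j ACCEPT
fi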

