#!/bin/sh
# Allow SaltStack traffic
# © 2015, Multapplied Networks, Inc.

# Identifier used in the LSB progress messages.
NAME='41_salt'
# Custom chain that holds the salt rules and is hooked off INPUT.
CHAIN='allow_salt'
# ipset of minion addresses that are allowed to reach the master ports.
IPSET='salt-minions'

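# Run the same rule operation through iptables and ip6tables.
# Arguments: the iptables arguments (without --wait, which is added here).
# Returns: 0 only when BOTH families succeed.  The previous version returned
#   ip6tables' status alone, so a failure on IPv4 -- the only family salt
#   actually listens on -- went unnoticed by callers.
iptables_all() {
    iptables --wait "$@"
    _ipt_v4_status=$?
    ip6tables --wait "$@" && [ "$_ipt_v4_status" -eq 0 ]
}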


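# Install the salt firewall rules: a dedicated chain that accepts 4505/4506
# from addresses in the minion ipset and drops those ports for everyone else.
# Globals: NAME, CHAIN, IPSET (read).
# Side effects: modifies iptables/ip6tables and ipset; may start a systemd unit.
start () {
    log_progress_msg "$NAME"

    # Tear down any previous instance first so a restart (or a start after a
    # failed stop) does not stack duplicate rules.  On a clean host every
    # delete fails, which is expected, so the errors are silenced.
    remove 2> /dev/null

    iptables_all -N "$CHAIN"
    # Salt only listens on IPv4: the allow-list is an IPv4 set and the ACCEPT
    # rules go into iptables only.  ip6tables still gets the DROP rules below,
    # so the ports stay closed over IPv6 as well.
    # -exist keeps this idempotent if the set survived the teardown above.
    ipset create -exist "$IPSET" hash:ip
    # Build the chain completely before hooking it into INPUT so it never
    # takes effect half-built.  iptables refuses a --match-set rule whose set
    # does not exist, so if the set is missing the ACCEPT rules are not
    # loaded while the DROP rules still are: the chain fails closed.
    iptables --wait -A "$CHAIN" -m set --match-set "$IPSET" src -p tcp --dport 4505 -j ACCEPT # SaltStack job publisher
    iptables --wait -A "$CHAIN" -m set --match-set "$IPSET" src -p tcp --dport 4506 -j ACCEPT # SaltStack return value collection
    iptables_all -A "$CHAIN" -p tcp --dport 4505 -j DROP
    iptables_all -A "$CHAIN" -p tcp --dport 4506 -j DROP
    # NOTE(review): -A appends to the END of INPUT.  An earlier ACCEPT in
    # INPUT would bypass the DROP here and an earlier REJECT would make the
    # ACCEPT unreachable; effectiveness depends on where the other firewall
    # scripts (this one is ordered "41_salt") place their rules -- confirm.
    iptables_all -A INPUT -p tcp -j "$CHAIN"

    # The set is empty after (re)creation, so every minion is blocked until it
    # is repopulated.  If the access syncer is running, ask it to resync now
    # instead of waiting for its next cycle.  --quiet drops the "active"/
    # "inactive" line is-active would otherwise print.
    if systemctl --quiet is-active bondingadmin-salt-access.service ; then
        systemctl start bondingadmin-salt-access-resync.service
    fi
}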
# Report progress, then tear the chain and the minion set down.
# Globals: NAME (read).
stop () {
    log_progress_msg "$NAME"
    remove
}
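# Remove the salt chain from both families and destroy the minion ipset.
# Globals: CHAIN, IPSET (read).
# Returns: status of the last command; callers do not check it.
remove () {
    # Unhook the chain from INPUT.  -D removes one matching rule per call, so
    # loop until none is left: a stale second hook (e.g. from a start whose
    # teardown failed) keeps the chain referenced and would make -X below fail.
    for _ipt in iptables ip6tables; do
        while "$_ipt" --wait -D INPUT -p tcp -j "$CHAIN" 2> /dev/null; do :; done
    done
    iptables_all -F "$CHAIN"
    iptables_all -X "$CHAIN"
    # Flush before destroy so that even if destroy fails below, no stale
    # minion addresses remain in the allow-list.
    ipset -q flush "$IPSET"
    # iptables may not release its reference to the set immediately, so retry
    # destroy for up to 5 seconds, sleeping between attempts rather than
    # spinning the CPU as the previous loop did.
    _deadline=$(($(date +"%s") + 5))
    while test "$(date +"%s")" -lt "$_deadline" ; do
        if ipset -q destroy "$IPSET" > /dev/null; then
            break
        fi
        sleep 1
    done
}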
# List the salt chain with counters for both address families.
# Globals: CHAIN (read).
status () {
    iptables_all -L "$CHAIN" -nv
}

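# Pull in log_progress_msg from the LSB helpers.  Fall back to a no-op so that
# on a host without them start/stop still install and remove the rules
# without a "log_progress_msg: not found" error for each call.
if test -f /lib/lsb/init-functions; then
    . /lib/lsb/init-functions
else
    log_progress_msg() { :; }
fi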

# Dispatch on the init action.  Unknown actions print usage and exit 1.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        # Exits 0 once the listing has been printed, whether or not the chain
        # is actually loaded.  NOTE(review): LSB would return 3 when the
        # service is not installed; confirm nothing relies on the
        # unconditional 0 before tightening this.
        status
        exit 0
        ;;
    restart|force-reload)
        # Full teardown followed by a rebuild; the chain is simply absent in
        # between, so what INPUT does with 4505/4506 during that window
        # depends on the surrounding rules and policy.
        stop
        start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac
