#!/bin/sh
# Allow InfluxDB management access for selected hosts
# © 2016, Multapplied Networks, Inc.

# Tag printed in LSB progress output, and the dedicated chain that holds
# the per-host ACCEPT rules (hooked from INPUT by start()).
NAME=43_influxdb
CHAIN=allow_influxdb

iptables_4() {
    # IPv4 table only.  Every argument is forwarded verbatim and the
    # exit status of iptables is returned to the caller.
    iptables "$@"
}


iptables_6() {
    # IPv6 table only.  Every argument is forwarded verbatim and the
    # exit status of ip6tables is returned to the caller.
    ip6tables "$@"
}


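iptables_all() {
    # Apply the same rule to both address families.  Both calls always
    # run, but the exit status now reflects both of them: previously a
    # failed IPv4 change was silently masked by a successful IPv6 one,
    # because only the status of the last command was returned.
    # Returns: 0 if both succeed, otherwise the status of the last call
    # that failed.  (No 'local': the script runs under #!/bin/sh.)
    _ipt_rc=0
    iptables "$@" || _ipt_rc=$?
    ip6tables "$@" || _ipt_rc=$?
    return $_ipt_rc
}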



# /etc/firewall.d/influxdb_hosts, when present, should define INFLUXDB_HOSTS
# as a space-separated list of IPv4 addresses, e.g.:
# INFLUXDB_HOSTS="10.1.1.1 10.2.2.2"
# The file is sourced, i.e. executed as shell by this script, so it must
# only be writable by root.
[ -f /etc/firewall.d/influxdb_hosts ] && . /etc/firewall.d/influxdb_hosts

# /etc/firewall.d/influxdb_hosts_ip6, when present, should define
# INFLUXDB_HOSTS_IP6 as a space-separated list of IPv6 addresses, e.g.:
# INFLUXDB_HOSTS_IP6="fe80:1::1 fe80:1::2"
# As above, the file is executed as shell and must only be writable by root.
[ -f /etc/firewall.d/influxdb_hosts_ip6 ] && . /etc/firewall.d/influxdb_hosts_ip6

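start () {
    # Build the chain from scratch and hook it into INPUT.
    # Reads: NAME, CHAIN, INFLUXDB_HOSTS, INFLUXDB_HOSTS_IP6 (globals).
    # Returns: the status of the final INPUT hook-up.
    log_progress_msg "$NAME"

    remove 2> /dev/null # Remove first to avoid duplicate rules

    iptables_all -N "$CHAIN"

    # The emptiness tests must be quoted: with the documented multi-host
    # value ("10.1.1.1 10.2.2.2") an unquoted test(1) gets too many
    # arguments, fails, and the chain was silently left without any
    # ACCEPT rule.  The for-lists stay unquoted on purpose so the
    # space-separated value word-splits into one host per iteration.
    # Ports are the InfluxDB 1.x defaults: 8086 (HTTP API), 8088 (RPC).
    if [ -n "$INFLUXDB_HOSTS" ]; then
        # shellcheck disable=SC2086  # intentional word-splitting
        for host in $INFLUXDB_HOSTS; do
            for port in 8086 8088; do
                iptables_4 -A "$CHAIN" -s "$host" -p tcp --dport "$port" -j ACCEPT
            done
        done
    fi

    if [ -n "$INFLUXDB_HOSTS_IP6" ]; then
        # shellcheck disable=SC2086  # intentional word-splitting
        for host in $INFLUXDB_HOSTS_IP6; do
            for port in 8086 8088; do
                iptables_6 -A "$CHAIN" -s "$host" -p tcp --dport "$port" -j ACCEPT
            done
        done
    fi

    # Hand every inbound TCP packet to the chain.  The chain only holds
    # ACCEPT rules, so anything unmatched returns to INPUT and is subject
    # to whatever policy follows there.
    iptables_all -A INPUT -p tcp -j "$CHAIN"
}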
stop () {
    # Report progress, then tear the chain down via the shared helper.
    log_progress_msg "$NAME"
    remove
}
remove () {
    # Order matters: unlink the jump from INPUT first, then flush the
    # chain, then delete it (iptables refuses to -X a chain that is still
    # referenced or non-empty).  Each step runs regardless of the previous
    # one so a partially-present setup is still cleaned up.
    iptables_all -D INPUT -p tcp -j "$CHAIN"
    iptables_all -F "$CHAIN"
    iptables_all -X "$CHAIN"
}
status () {
    # List the chain's rules for both families, numeric (-n: no DNS
    # lookups) and verbose (-v: packet/byte counters).
    iptables_all -L "$CHAIN" -nv
}

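# LSB helpers (log_progress_msg) used by start/stop.  Sourcing is guarded
# but the function was then used unconditionally, so a host without
# /lib/lsb/init-functions failed with "command not found" before any rule
# was applied.  Fall back to a no-op so the firewall is still set up.
test -f /lib/lsb/init-functions && . /lib/lsb/init-functions
if ! command -v log_progress_msg >/dev/null 2>&1; then
    log_progress_msg() { :; }
fi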

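# Dispatch on the init action.  status always exits 0; an unknown action
# prints usage and exits 1.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|force-reload)
        stop
        start
        ;;
    status)
        status
        exit 0
        ;;
    *)
        # Usage is a diagnostic: send it to stderr so it never ends up in
        # stdout captured by a calling script.
        echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac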
