#!/usr/bin/env ruby

# -------------------------------------------------------------------------- #
# Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org)             #
#                                                                            #
# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
# not use this file except in compliance with the License. You may obtain    #
# a copy of the License at                                                   #
#                                                                            #
# http://www.apache.org/licenses/LICENSE-2.0                                 #
#                                                                            #
# Unless required by applicable law or agreed to in writing, software        #
# distributed under the License is distributed on an "AS IS" BASIS,          #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
# See the License for the specific language governing permissions and        #
# limitations under the License.                                             #
#--------------------------------------------------------------------------- #

#------------------------------------------------------------------------------
# Configuration Options for the script. Change it to fit your installation
#------------------------------------------------------------------------------
CONF = {
  :ebtables => "sudo /sbin/ebtables",
  :brctl => "/usr/sbin/brctl",
  :xm => "sudo /usr/sbin/xm"
}
#------------------------------------------------------------------------------

#------------------------------------------------------------------------------
# Applies a given rule to the ebtables
#------------------------------------------------------------------------------
def activate(rule)
    system "#{CONF[:ebtables]} -A #{rule}"
end
#------------------------------------------------------------------------------

#------------------------------------------------------------------------------
# Gets the interfaces attached to a given bridge
#------------------------------------------------------------------------------
def get_interfaces
    bridges    = Hash.new
    brctl_exit =`#{CONF[:brctl]} show`
    cur_bridge = ""

    brctl_exit.split("\n")[1..-1].each do |l| 
        l = l.split

        if l.length > 1
            cur_bridge = l[0]

            bridges[cur_bridge] = Array.new
            bridges[cur_bridge] << l[3]
        else
            bridges[cur_bridge] << l[0]
        end
    end

    bridges
end
#------------------------------------------------------------------------------

###############################################################################
# Main
###############################################################################

VM_NAME  = ARGV[0]

vm_id    =`#{CONF[:xm]} domid #{VM_NAME}`.strip
networks =`#{CONF[:xm]} network-list #{vm_id}`.split("\n")[1..-1]

interfaces = get_interfaces

networks.each {|net|
    n = net.split

    iface_id  = n[0]
    iface_mac = n[2]

    tap = "vif#{vm_id}.#{iface_id}"

    if interfaces.include? tap
        mac     = iface_mac.split(':')
        mac[-1] = '00'

        net_mac = mac.join(':')

        in_rule  = "FORWARD -s ! #{net_mac}/ff:ff:ff:ff:ff:00 -o #{tap} -j DROP"
        out_rule = "FORWARD -s ! #{iface_mac} -i #{tap} -j DROP"

        activate(in_rule)
        activate(out_rule)
    end
}
