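#!/usr/bin/env bash
#
# Restrict an "isolated" Docker bridge network with firewalld rich rules:
#   - containers on the isolated subnet may talk to each other,
#   - all other traffic arriving from that subnet in the docker zone is dropped,
#   - the isolated subnet may not reach the LAN ranges in the home zone.
#
# The network itself is expected to exist already, e.g.:
#   docker network create \
#     --driver bridge \
#     --subnet 172.25.0.0/16 \
#     --gateway 172.25.0.1 \
#     --ipv6=false \
#     isolated-net
#
#   # IPv6 variant (currently unused, see the IPv6 section below):
#   #   --ipv6 \
#   #   --subnet fd00:25::/64
#   #   --gateway fd00:25::1
#
# Requires the firewall-cmd binary and sufficient privileges to change zones.

set -euo pipefail

ISOLATEDPREFIX=172.25.0
ISOLATEDSUFFIX=.0
ISOLATEDSEGMENT=16
ISOLATEDNETv6=fd00:25::/64
DOCKERZONE=docker
HOMEZONE=home
# Decide if rules should persist after reboot/reload: "--permanent" or "".
MKPERMANENT=
# LAN ranges the isolated network must not reach.
LANSUBNETS=(10.0.0.0/8 192.168.1.0/24)

# The isolated IPv4 network in CIDR form, used by every rule below.
ISOLATEDNET="${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}"
readonly ISOLATEDNET

die() { printf '%s\n' "$*" >&2; exit 1; }

# `command -v` is the portable lookup. Bail out early: with an empty FWCMD the
# original would have executed "--zone=..." as the command and applied nothing.
FWCMD=$(command -v firewall-cmd) || die "firewall-cmd not found in PATH"

# Common prefix for every rule-adding call. MKPERMANENT is appended only when
# set, so an empty value never becomes an empty argument.
fwargs=("$FWCMD")
if [[ -n "$MKPERMANENT" ]]; then
  fwargs+=("$MKPERMANENT")
fi

#######################################
# Add one rich rule to a zone, aborting the script on failure so a half-applied
# rule set is never followed by a reload.
# Globals:   fwargs (read)
# Arguments: $1 - zone name, $2 - rich rule text
# Returns:   0 on success; exits 1 on failure
#######################################
add_rich_rule() {
  local zone=$1 rule=$2
  "${fwargs[@]}" --zone="$zone" --add-rich-rule="$rule" \
    || die "failed to add rule to zone ${zone}: ${rule}"
}

# IPv4
# Allow traffic to own subnet by default.
# NOTE(review): firewalld does not evaluate rich rules strictly in insertion
# order; rules without an explicit priority are grouped by action. Confirm on
# the target firewalld version that this accept is matched before the
# subnet-wide drop below, or give both rules explicit priority= values.
add_rich_rule "$DOCKERZONE" \
  "rule family=\"ipv4\" source address=\"${ISOLATEDNET}\" destination address=\"${ISOLATEDNET}\" accept"

# Deny all other traffic from the isolated subnet in the docker zone.
add_rich_rule "$DOCKERZONE" \
  "rule family=\"ipv4\" source address=\"${ISOLATEDNET}\" drop"

# Deny isolated segment to LAN.
for addr in "${LANSUBNETS[@]}"; do
  add_rich_rule "$HOMEZONE" \
    "rule family=\"ipv4\" source address=\"${ISOLATEDNET}\" destination address=\"${addr}\" drop"
done

# IPv6
# Don't bother allowing intra-subnet traffic for IPv6.
# The block below is intentionally disabled. If it is revived, note that:
#   - the LAN loop must use family="ipv6" and source ${ISOLATEDNETv6}, not the
#     IPv4 values it currently copies;
#   - LAN6SUBNETS is not defined anywhere in this script;
#   - --add-rich-rule=\'$RULE\' passes literal quote characters to
#     firewall-cmd; use --add-rich-rule="$RULE" as the IPv4 rules do.
#
# # Deny IPv6 traffic to docker zone
# RULE="rule family=\"ipv6\" source address=\"${ISOLATEDNETv6}\" drop"
# $FWCMD $MKPERMANENT --zone=$DOCKERZONE --add-rich-rule=\'$RULE\'
#
# # Deny isolated ipv6 segment to LAN ipv6
# for addr in $LAN6SUBNETS ; do
#   RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" destination address=\"$addr\" drop"
#   $FWCMD $MKPERMANENT --zone=$HOMEZONE --add-rich-rule=\'$RULE\'
# done

# `firewall-cmd --reload` replaces the runtime configuration with the permanent
# one and discards runtime-only changes. Reload only when the rules above were
# written to the permanent config; with MKPERMANENT empty the original's
# unconditional reload silently undid every rule it had just added.
if [[ -n "$MKPERMANENT" ]]; then
  "$FWCMD" --reload || die "firewall-cmd --reload failed"
fi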