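#!/usr/bin/bash
#
# Lock down every macvtap-* interface on this host with an nftables netdev
# table: ingress and egress on each device default to "drop", and only traffic
# to/from the allowed IPv4 set, the default gateway and the limited broadcast
# address (255.255.255.255) is accepted.
#
# Rendered by Ansible/Jinja: `exam_destination_allowed_ipv4` is substituted
# before the script runs. Needs root (loads a ruleset with nft) and iproute2.
# Exits non-zero if the gateway or the interface list cannot be determined or
# nft rejects the ruleset. In that case NO filtering is in place on the
# macvtap devices, so a caller must treat a failure as fatal, not as a warning.
set -euo pipefail

# Absolute paths on purpose: this runs as root and must not pick tools from
# a caller-controlled PATH.
readonly IP=/usr/bin/ip
readonly NFT=/usr/sbin/nft

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the names of all macvtap-* interfaces, one per line.
# Outputs: interface names on stdout (empty when there are none)
# Returns: non-zero if `ip link` fails (pipefail)
#######################################
find_macvtap_interfaces() {
  # `ip link` lines look like "5: macvtap-x@eth0: <FLAGS> ...". Anchoring on
  # the index and excluding '@', ':' and whitespace from the name keeps a
  # greedy match from swallowing a later '@' in the same line.
  "$IP" link | /usr/bin/sed -En 's/^[0-9]+: (macvtap-[^@:[:space:]]+)@.*/\1/p'
}

#######################################
# Print the IPv4 address of the first default gateway.
# Outputs: dotted-quad on stdout; nothing if no default route has a "via"
# Returns: non-zero if `ip route` fails (pipefail)
#######################################
find_default_gateway() {
  # Take the token after "via" instead of a fixed column: a default route
  # without a gateway ("default dev ppp0 ...") would otherwise yield "dev".
  "$IP" route list default \
    | /usr/bin/awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

#######################################
# Print the ingress and egress filter chains for one interface.
# Arguments: $1 - interface name, $2 - gateway IPv4 address
# Outputs:   nft chain definitions on stdout
#######################################
render_chains() {
  local interface=$1
  local gateway=$2
  # "\$allowed_ipv4" must stay literal: it is an nft define, not a shell variable.
  cat <<EOF
chain filterin_${interface} {
  type filter hook ingress device ${interface} priority filter; policy drop;
  ip saddr \$allowed_ipv4 accept
  ip saddr ${gateway} accept;
  ip saddr 255.255.255.255 accept;
}
chain filterout_${interface} {
  type filter hook egress device ${interface} priority filter; policy drop;
  ip daddr \$allowed_ipv4 accept
  ip daddr ${gateway} accept;
  ip daddr 255.255.255.255 accept;
}
EOF
}

main() {
  local gateway
  gateway=$(find_default_gateway) || die "cannot read the default route"
  # The gateway is spliced into a privileged ruleset: refuse anything that is
  # not a plain IPv4 address rather than hand nft a malformed file (an empty
  # value used to produce "ip saddr  accept;" and a confusing parse error).
  [[ "$gateway" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
    || die "cannot determine IPv4 default gateway (got '${gateway}')"

  # Assign via $(...) rather than reading a process substitution so that a
  # failing `ip link` aborts the script instead of silently yielding an
  # empty interface list (which would load a table that filters nothing).
  local raw
  raw=$(find_macvtap_interfaces) || die "cannot list interfaces"
  local -a interfaces=()
  if [[ -n "$raw" ]]; then
    mapfile -t interfaces <<<"$raw"
  fi

  local interface filterchain=""
  for interface in "${interfaces[@]}"; do
    # Same idea as for the gateway: only names nft can parse unambiguously.
    [[ "$interface" =~ ^macvtap-[[:alnum:]._-]+$ ]] \
      || die "unexpected interface name '${interface}'"
    filterchain+=$(render_chains "$interface" "$gateway")$'\n'
  done

  # NOTE(review): an empty exam_destination_allowed_ipv4 renders "{ }", which
  # nft may reject — confirm the playbook guarantees at least one entry.
  local nft_table
  nft_table=$(cat <<EOF
define allowed_ipv4 = { {{ exam_destination_allowed_ipv4 | join(",") }} }
table netdev filtermacvtap {
${filterchain}
}
EOF
)

  printf '%s\n' "$nft_table" | "$NFT" -f -
}

main "$@"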