#!/bin/bash -e

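#######################################
# Print one timestamped line to stdout.
# Arguments: the message words, joined by single spaces
# Outputs:   "YYYY-MM-DD HH:MM:SS <message>" on stdout
# Returns:   0
#######################################
log() {
	# printf instead of echo: a message whose first word looks like an echo
	# option (-n, -e) would otherwise be swallowed, and "$*" hands the message
	# over as a single argument rather than splicing "$@" into a string (SC2145).
	printf '%s %s\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$*"
}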

# Optional settings file. It is sourced as shell code with this script's
# (root) privileges, so it must be owned by root and not writable by anyone
# else — anything written into it runs as root on the next start.
config_file=/etc/sshutter.conf
if [[ -f "$config_file" ]]; then
	# shellcheck source=/dev/null
	. "$config_file"
fi

# Required settings, from /etc/sshutter.conf or the environment:
#   TARGET    host whose ping reachability switches the shutter on and off
#   PORT      TCP destination port that gets shuttered
#   WHITELIST IPv4 source(s) that may still reach PORT while shuttered
if [[ -z "$WHITELIST" || -z "$PORT" || -z "$TARGET" ]]; then
	printf '%s\n' "Error: you need to specify WHITELIST, PORT and TARGET, either in /etc/sshutter.conf or through environment variables." >&2
	exit 1
fi

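# nft needs root; check the *effective* uid, which is what the kernel
# consults, rather than the real uid ($UID).
if (( EUID != 0 )); then
	printf '%s\n' "Error: must be root." >&2
	exit 1
fi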

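# Main loop: poll TARGET once a minute. While it answers ping, the shutter is
# applied — TCP PORT accepts only IPv4 sources in WHITELIST and drops everyone
# else; when it stops answering, the chain is removed and PORT is open again.
# The rules are re-applied on every iteration (after a flush, so they never
# pile up), so a chain that was cleared by hand heals itself within a minute.
oldstate=""
while true; do
	# Test ping's status in the "if" itself: with the shebang's -e, a bare
	# "ping …; if [ $? -eq 0 ]" aborts the script on the first failed ping
	# and the release branch below is never reached.
	if ping -c 3 "$TARGET" >/dev/null; then
		# Target reachable: apply shutter
		if [[ "$oldstate" != "blocked" ]]; then
			log "[sshutter] Blocking port $PORT for IPs outside $WHITELIST"
			oldstate="blocked"
		fi
		# "add" is idempotent for tables and chains but appends for rules,
		# so flush first to keep exactly one accept and one drop rule.
		nft add table inet filter
		nft add chain inet filter sshutterv4 '{ type filter hook input priority filter; policy accept; }'
		nft flush chain inet filter sshutterv4
		# "ip saddr" matches IPv4 only, while the drop rule carries no family
		# qualifier: in an inet table, IPv6 clients are always dropped while
		# the shutter is up.
		nft add rule inet filter sshutterv4 tcp dport "$PORT" ip saddr "$WHITELIST" accept
		nft add rule inet filter sshutterv4 tcp dport "$PORT" drop
	else
		# Target unreachable: lift shutter
		if [[ "$oldstate" != "released" ]]; then
			log "[sshutter] Releasing port block"
			oldstate="released"
		fi
		# "destroy" (unlike "delete") succeeds when the chain is already
		# gone, so repeating it every interval is safe under -e.
		nft destroy chain inet filter sshutterv4
	fi

	sleep 60
done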
