#!/bin/sh
#
# Startup script to implement /etc/sysconfig/ipchains pre-defined rules.
#
# chkconfig: 2345 11 91
#
# description: Automates a packet filtering firewall with ipchains.
#
# Script Author:	Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
#   ALT modifications by Dmitry V. Levin <ldv@altlinux.org>
#
# config: /etc/sysconfig/ipchains

WITHOUT_RC_COMPAT=1

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
SourceIfNotEmpty /etc/sysconfig/network

IPCHAINS_CONFIG=/etc/sysconfig/ipchains
LOCKFILE=/var/lock/subsys/ipchains
RETVAL=0

# Kernel version as MAJOR.MINOR[.PATCH] with any "-release" suffix dropped
# (e.g. "2.4.20-alt1" -> "2.4.20"). unload() uses MAJOR/MINOR to decide
# whether ipchains is a loadable module on this kernel. When the version
# cannot be read, or the kernel is pre-2.x, the script bails out quietly
# (a bare "exit" carries the status of the failed test).
KERNELVER=$(/bin/uname -r)
KERNELVER=${KERNELVER%%-*}
[ -n "$KERNELVER" ] || exit

KERNELMAJ=${KERNELVER%%.*}
[ "$KERNELMAJ" -ge 2 ] || exit

# Second dotted component. Like "cut -d. -f2" this yields the whole string
# when there is no dot at all.
KERNELMIN=${KERNELVER#*.}
KERNELMIN=${KERNELMIN%%.*}

unload()
{
	# Best-effort removal of the ipchains module once the rules are gone.
	#
	# Only attempted on kernels newer than 2.2 (on 2.2.x this is a no-op)
	# and only while /proc/net/ip_fwchains exists, i.e. while the ipchains
	# code is actually loaded. Returns 0 when nothing needs doing, else the
	# status of modprobe.
	[ "$KERNELMAJ" -gt 2 ] || [ "$KERNELMIN" -gt 2 ] || return 0
	[ -f /proc/net/ip_fwchains ] || return 0
	modprobe -r ipchains >/dev/null 2>&1
}

start()
{
	# Load the saved rule set from $IPCHAINS_CONFIG.
	#
	# Does nothing (and returns the current RETVAL, normally 0) when
	# networking is switched off in /etc/sysconfig/network or when the
	# config is missing or empty (-s requires a non-empty file). The lock
	# file is created only after a successful load, so the cond* actions
	# never act on a rule set that did not make it in.
	[ "$NETWORKING" != no ] || return $RETVAL
	[ -s "$IPCHAINS_CONFIG" ] || return $RETVAL

	# Start from empty chains, otherwise the saved rules would simply be
	# appended to whatever is already loaded.
	#
	# NOTE(review): the built-in chains keep their *current* policy while
	# they are empty. Right after "stop" that policy is ACCEPT, so the host
	# is unfiltered until ipchains-restore has finished, and a restore that
	# fails part-way leaves a partial rule set in place; the failure is
	# reported below but the script does not fail closed.
	action "Flushing all current rules and user defined chains:" ipchains -F
	action "Clearing all current rules and user defined chains:" ipchains -X
	ipchains -Z

	echo -n "Applying ipchains firewall rules: "
	# Drop comment lines and blank lines; everything else is fed to
	# ipchains-restore on stdin. Only ipchains-restore's exit status ends
	# up in $? (this script does not use pipefail).
	grep -v -e "^[[:space:]]*#" -e '^[[:space:]]*$' "$IPCHAINS_CONFIG" |
		/sbin/ipchains-restore -p -f
	RETVAL=$?
	if [ $RETVAL -ne 0 ]; then
		failure "Applying ipchains firewall rules"
	else
		success "Applying ipchains firewall rules"
		touch "$LOCKFILE"
	fi
	echo
	return $RETVAL
}

stop()
{
	# Tear the firewall down: flush every chain, delete user chains and put
	# the three built-in chains back to ACCEPT. After "stop" the host
	# filters nothing at all - use "panic" instead to close it down.
	action "Flushing all chains:" ipchains -F
	action "Removing user defined chains:" ipchains -X
	echo -n "Resetting built-in chains to the default ACCEPT policy:"
	# Stop at the first chain whose policy cannot be set; its status is
	# what the function reports.
	RETVAL=0
	for chain in input forward output; do
		ipchains -P "$chain" ACCEPT || { RETVAL=$?; break; }
	done
	case $RETVAL in
		0)
			success "Resetting built-in chains to the default ACCEPT policy"
			# No lock file: condstop/condrestart become no-ops.
			rm -f "$LOCKFILE"
			;;
		*)
			failure "Resetting built-in chains to the default ACCEPT policy"
			;;
	esac
	echo
	# Module removal is best effort; its status is not propagated.
	unload
	return $RETVAL
}

panic()
{
	# Emergency lock-down. The policies are switched to DENY *before* the
	# chains are flushed, so the flush never leaves empty chains under an
	# ACCEPT policy. The lock file is deliberately left alone: the firewall
	# is still active, just closed.
	echo -n "Changing target policies to DENY: "
	RETVAL=0
	for chain in input forward output; do
		ipchains -P "$chain" DENY || { RETVAL=$?; break; }
	done
	case $RETVAL in
		0) success "Changing target policies to DENY" ;;
		*) failure "Changing target policies to DENY" ;;
	esac
	echo
	action "Flushing all chains:" ipchains -F
	action "Removing user defined chains:" ipchains -X
	# Only the policy change decides the return status; a failed flush is
	# not propagated.
	return $RETVAL
}

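save()
{
	# Dump the running rule set to $IPCHAINS_CONFIG so "start" can replay it.
	#
	# The dump is written to a temporary file in the same directory and
	# renamed over the config only once ipchains-save has succeeded.
	# Redirecting straight into the config truncated it *before*
	# ipchains-save ran, so a failed save (module not loaded, tool missing,
	# ...) wiped the previously saved rules - and the next "start" would
	# then silently load nothing, because an empty config fails its -s test.
	#
	# umask 077 keeps the saved file owner-only (it describes the host's
	# network policy). Because the file is replaced by rename, that mode
	# now also applies when a config already existed. NOTE(review): if
	# $IPCHAINS_CONFIG is a symlink, the rename replaces the link itself
	# rather than writing through it.
	#
	# Returns: 0 on success, otherwise the exit status of mktemp,
	# ipchains-save or mv, whichever failed.
	umask 077
	echo -n "Saving current rules to $IPCHAINS_CONFIG: "
	tmp=$(mktemp "$IPCHAINS_CONFIG.XXXXXX" 2>/dev/null)
	RETVAL=$?
	if [ $RETVAL -eq 0 ]; then
		/sbin/ipchains-save >"$tmp" 2>/dev/null &&
			mv -f -- "$tmp" "$IPCHAINS_CONFIG"
		RETVAL=$?
		# Never leave a half-written dump behind.
		[ $RETVAL -eq 0 ] || rm -f -- "$tmp"
	fi
	if [ $RETVAL -eq 0 ]; then
		success "Saving current rules to $IPCHAINS_CONFIG"
	else
		failure "Saving current rules to $IPCHAINS_CONFIG"
	fi
	echo
	return $RETVAL
}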

# Dispatch on the requested action. RETVAL, set by the action functions or
# here, becomes the script's exit status. "restart" and "reload" simply
# re-run start(), which flushes before loading; the cond* actions only do
# anything when the lock file says this script loaded the rules.
case "$1" in
	start|restart|reload)
		start
		;;
	condreload|condrestart)
		[ -e "$LOCKFILE" ] && start
		;;
	stop)
		stop
		;;
	condstop)
		[ -e "$LOCKFILE" ] && stop
		;;
	status)
		# Numeric listing, so the output does not depend on name lookups.
		ipchains -nL
		RETVAL=$?
		;;
	panic)
		panic
		;;
	save)
		save
		;;
	*)
		msg_usage "${0##*/} {start|stop|restart|status|panic|save}"
		RETVAL=1
		;;
esac

exit $RETVAL
