#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.

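# Module identity; firebrickslib and the per-module config key off $Me.
Me='autoreject'
MyVersion='0.3.3'
#DefaultActions=''

# Load the site-wide config, the per-module config, then the shared library.
# All three are sourced, i.e. executed in this shell with its privileges, so
# they are expected to be root-owned and not writable by other users.
# The library path is resolved after the configs because firebricks.conf may
# set FBLibDir.
# shellcheck disable=SC1090,SC1091
[ -r /etc/firebricks/firebricks.conf ] &&	. /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] &&		. "/etc/firebricks/$Me.conf"
FBLibPath="${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
[ -r "$FBLibPath" ] &&				. "$FBLibPath"
# firebrickslib is mandatory: it provides FBLibVer and the chain helpers used below.
if [ -z "$FBLibVer" ]; then
	echo 'It looks like firebrickslib was not loaded, why?  Exiting' >&2
	exit 1
fi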

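# Run each requested task. $Tasks (a whitespace-separated list), $IptablesBin,
# FlushOrNewChain, DestroyChain and DefaultHelp are supplied by the firebricks
# framework, not by this file.
# $IptablesBin is deliberately left unquoted: it may carry options in addition
# to the binary name (presumably; confirm against firebrickslib).
# shellcheck disable=SC2086
for OneTask in $Tasks ; do
	case "$OneTask" in
	link)
		# Only make sure the chain exists; errors (chain already present) are
		# ignored on purpose.  Nothing jumps to it from the builtin chains
		# because other rules call $Me on demand.
		$IptablesBin -N "$Me" >/dev/null 2>&1
		#$IptablesBin $AppIn INPUT -i \! lo						-j $Me
		#$IptablesBin $AppIn FORWARD							-j $Me
		#$IptablesBin $AppIn OUTPUT							-j $Me
		;;
	unlink)
		#$IptablesBin -D INPUT -i \! lo							-j $Me
		#$IptablesBin -D FORWARD							-j $Me
		#$IptablesBin -D OUTPUT								-j $Me
		# Deleting a chain that does not exist is not an error worth reporting.
		$IptablesBin -X "$Me" >/dev/null 2>&1
		;;
	create)
		echo "Starting $Me" >&2
		FlushOrNewChain "$Me"
		# Rule order matters: the DROP rules for tcp RST and the three icmp
		# error types must precede the generic per-protocol REJECTs, so that
		# an error/reset is never answered with another error (avoids
		# reply loops).  LogAs= is a per-rule hint consumed by firebrickslib.
		LogAs='autorejectRst'	$IptablesBin -A "$Me" -p tcp --tcp-flags RST RST			-j DROP
		LogAs='autorejectTcp'	$IptablesBin -A "$Me" -p tcp					-j REJECT --reject-with tcp-reset
		LogAs='autorejectUdp'	$IptablesBin -A "$Me" -p udp					-j REJECT --reject-with port-unreach
		LogAs='autorejectUnrch'	$IptablesBin -A "$Me" -p icmp --icmp-type destination-unreachable	-j DROP
		LogAs='autorejectTimex'	$IptablesBin -A "$Me" -p icmp --icmp-type time-exceeded		-j DROP
		LogAs='autorejectParam'	$IptablesBin -A "$Me" -p icmp --icmp-type parameter-problem	-j DROP
		LogAs='autorejectIcmp'	$IptablesBin -A "$Me" -p icmp					-j REJECT --reject-with host-unreach
		# Catch-all for any other protocol.
		LogAs='autorejectOther'	$IptablesBin -A "$Me"						-j REJECT --reject-with proto-unreach
		;;
	destroy)
		echo "Stopping $Me" >&2
		DestroyChain "$Me"
		;;
	renamechain)
		# Not supported: this chain is never linked from the builtin chains,
		# so there are no references to swap.
		echo "Renamechain not available for $Me" >&2
		#TempChain="$Me-$RANDOM"
		#echo "Replacing existing rules in $Me with new rules" >&2
		#$IptablesBin -E $Me $TempChain
		;;
	replacelinks)
		echo "Replacelinks not available for $Me" >&2
		#if [ -z "$TempChain" ]; then
		#	echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
		#elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
		#	echo "No $Me chain in $Me, replace operation incomplete." >&2
		#elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
		#	echo "No $TempChain chain in $Me, replace operation incomplete." >&2
		#elif [ "`$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
		#	echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
		#elif [ "`$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
		#	echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
		#elif [ "`$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
		#	echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
		#else
		#	$IptablesBin -R INPUT `$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -i \! lo		-j $Me
		#	$IptablesBin -R FORWARD `$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | awk '{print $1}'`		-j $Me
		#	$IptablesBin -R OUTPUT `$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | awk '{print $1}'`			-j $Me
		#	DestroyChain $TempChain
		#	unset TempChain
		#fi
		;;
	status)
		# Listing the chain is the existence test; output is discarded.
		if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
			echo "$Me created" >&2
		else
			echo "$Me destroyed" >&2
		fi
		;;
	version)
		echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
		;;
	help)
		DefaultHelp
		cat <<EOTEXT >&2
	The $Me module sets up a chain that can be called from other
firewall rules.  It detects what kind of traffic is going by and sets up
the appropriate reject for that traffic, as opposed to just calling -j
REJECT which sends a port unreachable, even if the traffic is not udp.
	It specifically sends _no_ reject message in response to the
following: tcp rst packets, icmp destination unreachables, icmp time
exceededs, and icmp parameter problems (to avoid rfc-violating loops).
EOTEXT
		;;
	*)
		# Report the task actually being iterated ($Action is not set in this script).
		echo "Unknown action $OneTask in $Me, no action taken." >&2
		;;
	esac
done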
