#!/bin/bash
#Copyright 2003 William Stearns <wstearns@pobox.com>
#Released under the GPL.

# Module name; also selects /etc/firebricks/policy.conf below, and is used
# in every diagnostic this module prints.
Me="policy"
# Version string reported by the 'version' task.
MyVersion="0.3.3"
#DefaultActions=''	#Set down in ...-z $DefaultPolicy... section below.

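# Load the global config, this module's own config and the shared library,
# in that order (so firebricks.conf may set FBLibDir before it is used).
# All three are sourced, i.e. executed as shell code by this script, so they
# must be readable only as root-controlled files.  Expansions are quoted so
# an FBLibDir containing spaces is handled as one path.
[ -r /etc/firebricks/firebricks.conf ] &&				. /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] &&					. "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] &&	. "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
# Without the library nothing below (IptablesBin, DefaultHelp) is defined,
# so stop here rather than run half-configured.
if [ -z "$FBLibVer" ]; then
	echo 'It looks like firebrickslib was not loaded, why?  Exiting' >&2
	exit 1
fi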

#Walk the command-line actions; each recognised policy word overwrites
#DefaultPolicy, so the last valid one wins.  Matching is case-insensitive.
#Anything unrecognised is ignored here (it may belong to another module).
for OneAction in $Actions ; do
	case "$OneAction" in
	[Aa][Cc][Cc][Ee][Pp][Tt])
		DefaultPolicy='ACCEPT'
		;;
	[Dd][Rr][Oo][Pp])
		DefaultPolicy='DROP'
		;;
	[Rr][Ee][Jj][Ee][Cc][Tt]*)
		#iptables chain policies may only be ACCEPT or DROP; REJECT
		#(and anything starting with it) is downgraded to DROP.
		echo 'Warning: Reject is not a valid policy.  Using DROP instead.' >&2
		DefaultPolicy='DROP'
		;;
	esac
done

#Fail closed: with no policy from the command line or the config files,
#unmatched traffic is dropped.  NOTE(review): a value set in the config
#files is not normalised here; presumably it is expected to already be
#ACCEPT or DROP - confirm.
DefaultPolicy="${DefaultPolicy:-DROP}"

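#######################################
# Carry out one firebricks task for the policy module.
# Globals:   IptablesBin, DefaultPolicy, Me, MyVersion, FBLibVer (read)
# Arguments: $1 - task name: link, unlink, create, destroy, renamechain,
#                 replacelinks, status, version or help
# Outputs:   diagnostics and help text on stderr
# Returns:   status of the last command run for the task
#######################################
policy_task() {
	local task="$1"

	case "$task" in
	link)
		#Install the chosen policy on the three built-in chains; a
		#packet that reaches the end of a chain with no matching rule
		#gets this verdict.
		$IptablesBin -P INPUT								$DefaultPolicy
		$IptablesBin -P FORWARD								$DefaultPolicy
		$IptablesBin -P OUTPUT								$DefaultPolicy
		;;
	unlink)
		#Unlinking resets all three chains to ACCEPT, so the host is
		#open at the policy level until 'link' runs again.
		$IptablesBin -P INPUT								ACCEPT
		$IptablesBin -P FORWARD								ACCEPT
		$IptablesBin -P OUTPUT								ACCEPT
		;;
	create)		#Nothing to do
		echo "Starting $Me" >&2
		;;
	destroy)	#Nothing to do
		echo "Stopping $Me" >&2
		;;
	renamechain)	#Nothing to do
		:
		;;
	replacelinks)	#Nothing to do
		:
		;;
	status)
		#Chain headers look like "Chain INPUT (policy DROP ...)";
		#fields 2 and 4 are the chain name and its policy.
		echo 'Default Policies:' >&2
		$IptablesBin -L -nv | grep '(policy ' | awk '{print $2,$4}' >&2
		;;
	version)
		echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
		;;
	help)
		DefaultHelp
		cat <<EOTEXT >&2
	The $Me module sets the policy (action to take if no rule
matches) at the end of each of the 3 built-in chains (INPUT, OUTPUT, and
FORWARD).  The policy can be set by setting:
DefaultPolicy='ACCEPT'
	or
DefaultPolicy='DROP'
	in /etc/firebricks/firebricks.conf , or can be specified on the
command line (command line overrides file setings).
EOTEXT
		;;
	*)
		#Report the task actually received (not an unrelated variable).
		echo "Unknown action $task in $Me, no action taken." >&2
		;;
	esac
}

#$Tasks is a whitespace-separated list supplied by the framework;
#word-splitting it is intended.
for OneTask in $Tasks ; do
	policy_task "$OneTask"
done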
