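#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# icmpchk - modwall module that filters ICMP traffic which is rarely seen in
# legitimate use: non-first ICMP fragments (illegal), address-mask
# request/reply and timestamp request/reply (both used for network mapping).
#
# The module is driven by the modwall framework: modwalllib is expected to
# provide $Tasks (the actions to run, in order), $IptablesBin, $Ipt, $AppIn,
# $Tail and the FlushOrNewChain / DestroyChain / DefaultHelp helpers.  Each
# action in the case statement below is one step of the
# link / create / renamechain / replacelinks / destroy / unlink lifecycle.
#
# $IptablesBin, $Ipt, $AppIn, $Tail and $Tasks are (presumably) option/word
# lists built by modwalllib and are deliberately left unquoted so they split.
# shellcheck disable=SC2086

Me='icmpchk'
MyVersion='0.4.0'
# Default disposition for matched packets; the conf files may override it.
DefaultActions='DROP'

# The conf files and modwalllib are sourced, i.e. executed with this script's
# privileges: keep them root-owned and not writable by other users.
[ -r /etc/modwall/modwall.conf ] && . /etc/modwall/modwall.conf
[ -r "/etc/modwall/$Me.conf" ] && . "/etc/modwall/$Me.conf"
[ -r "${MWLibDir:-/usr/lib/modwall/}/modwalllib" ] && . "${MWLibDir:-/usr/lib/modwall/}/modwalllib"
if [ -z "$MWLibVer" ]; then
  echo 'It looks like modwalllib was not loaded, why? Exiting' >&2
  exit 1
fi

#######################################
# Count the rules in a builtin chain that reference a given chain.
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT)
#            $2 - chain name to look for (matched as a fixed string)
# Outputs:   the count on stdout (0 when the listing fails or nothing matches)
#######################################
icmpchk_ref_count() {
  $IptablesBin -L "$1" -n --line-numbers | grep -F -c -- "$2"
}

#######################################
# Print the rule number of the first rule in a builtin chain that references
# a given chain.  Callers must first confirm with icmpchk_ref_count that
# exactly one such rule exists, otherwise the wrong rule could be replaced.
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT)
#            $2 - chain name to look for (matched as a fixed substring)
# Outputs:   the rule number on stdout
#######################################
icmpchk_ref_index() {
  $IptablesBin -L "$1" -n --line-numbers | awk -v c="$2" 'index($0, c) { print $1; exit }'
}

for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    # Create the chain (ignore "already exists") and hook all ICMP from the
    # three builtin chains into it; loopback traffic is exempt on INPUT.
    $IptablesBin -N "$Me" >/dev/null 2>&1
    $IptablesBin $AppIn INPUT -i \! lo -p icmp -j "$Me"
    $IptablesBin $AppIn FORWARD -p icmp -j "$Me"
    $IptablesBin $AppIn OUTPUT -p icmp -j "$Me"
    ;;
  unlink)
    # Remove the jumps first; -X only succeeds once the chain is unreferenced.
    $IptablesBin -D INPUT -i \! lo -p icmp -j "$Me"
    $IptablesBin -D FORWARD -p icmp -j "$Me"
    $IptablesBin -D OUTPUT -p icmp -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    # LogAs= names the rule in the log prefix; $Tail carries the disposition
    # (DefaultActions above, unless overridden by the conf files).
    LogAs='ICMP-Frag' $Ipt -A "$Me" -p icmp -f $Tail
    LogAs='ICMP-AMQ' $Ipt -A "$Me" -p icmp --icmp-type address-mask-request $Tail
    LogAs='ICMP-AMR' $Ipt -A "$Me" -p icmp --icmp-type address-mask-reply $Tail
    LogAs='ICMP-TSQ' $Ipt -A "$Me" -p icmp --icmp-type timestamp-request $Tail
    LogAs='ICMP-TSR' $Ipt -A "$Me" -p icmp --icmp-type timestamp-reply $Tail
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    # Rename the live chain out of the way so "create" can build a fresh $Me
    # while the old rules keep filtering; the builtin chains' jumps follow the
    # rename (which is what replacelinks relies on), so there is no window
    # with no ICMP filtering at all.
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    $IptablesBin -E "$Me" "$TempChain"
    ;;
  replacelinks)
    # Point the builtin chains back at the new $Me and drop the old chain.
    # Every precondition is checked before any rule is touched so that a
    # partial state is reported rather than silently created.
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    elif [ "$(icmpchk_ref_count INPUT "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(icmpchk_ref_count FORWARD "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$(icmpchk_ref_count OUTPUT "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
    else
      # Replace each jump in place (same rule number) so rule ordering in the
      # builtin chains is preserved.
      $IptablesBin -R INPUT "$(icmpchk_ref_index INPUT "$TempChain")" -i \! lo -p icmp -j "$Me"
      $IptablesBin -R FORWARD "$(icmpchk_ref_index FORWARD "$TempChain")" -p icmp -j "$Me"
      $IptablesBin -R OUTPUT "$(icmpchk_ref_index OUTPUT "$TempChain")" -p icmp -j "$Me"
      DestroyChain "$TempChain"
      unset TempChain
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, modwalllib $MWLibVer" >&2
    ;;
  help)
    DefaultHelp
    cat <<EOTEXT >&2
The $Me module puts in some blocks for fragmented icmp packets (illegal) and address mask and timestamp requests and replies.  At best, these are uncommon and are used in network mapping.  These rules should be safe to use on any network.
EOTEXT
    ;;
  *)
    # Report the action actually being iterated ($OneTask), not $Action,
    # which this script never sets.
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done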