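#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# icmpchk: a firebricks module that maintains a small iptables chain
# covering fragmented ICMP packets and ICMP address-mask / timestamp
# requests and replies (see the "help" text below).
#
# Usage: driven by firebrickslib.  Each word in $Tasks selects one case
# arm below (link, unlink, create, destroy, status, version, help).
#
# Globals read (expected from firebrickslib or the sourced .conf files):
#   Tasks        - whitespace-separated list of tasks to run
#   IptablesBin  - the iptables command used for chain/link management
#   AppIn        - flag passed to iptables when linking the chain
#                  (presumably "-A" or "-I"; library-defined, verify)
#   Ipt, Tail    - command prefix/suffix used when adding rules; $Tail
#                  appears to carry the rule target (not visible here)
#   FBLibVer     - set by firebrickslib; used as the "library loaded" check
#   FBLibDir     - optional override of the library directory
#   Action       - presumably the caller's command-line action (library-set)
# Functions used from firebrickslib: FlushOrNewChain, DestroyChain, DefaultHelp.
# Variables written: Me, MyVersion, OneTask; LogAs is set per rule for $Ipt.
#
# No "set -e/-u" here on purpose: library variables such as $AppIn or
# $Action may legitimately be unset, and $Tasks/$Ipt/$Tail/$AppIn rely
# on word-splitting, so those expansions stay unquoted below.

Me='icmpchk'
MyVersion='0.3'

# Site-wide config, then per-module config, then the library itself.
# Each file is executed as shell code, so they must remain root-owned
# and not writable by other users.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    # Create the chain (ignore "already exists") and hook ICMP traffic
    # from the three built-in chains into it; loopback is exempt on INPUT.
    # "! -i lo" is the extrapositioned negation; the old "-i ! lo" form
    # is deprecated and rejected by current iptables releases.
    $IptablesBin -N "$Me" >/dev/null 2>&1
    $IptablesBin $AppIn INPUT ! -i lo -p icmp -j "$Me"
    $IptablesBin $AppIn FORWARD -p icmp -j "$Me"
    $IptablesBin $AppIn OUTPUT -p icmp -j "$Me"
    ;;
  unlink)
    # Remove the hooks first, then the (now unreferenced) chain.
    $IptablesBin -D INPUT ! -i lo -p icmp -j "$Me"
    $IptablesBin -D FORWARD -p icmp -j "$Me"
    $IptablesBin -D OUTPUT -p icmp -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me"
    FlushOrNewChain "$Me"
    # LogAs is passed in the environment of each $Ipt call; it is
    # presumably the log prefix the library attaches to that rule.
    # "-f" matches second-and-later fragments of an ICMP datagram.
    LogAs='ICMP-Frag' $Ipt -A "$Me" -p icmp -f $Tail
    LogAs='ICMP-AMQ' $Ipt -A "$Me" -p icmp --icmp-type address-mask-request $Tail
    LogAs='ICMP-AMR' $Ipt -A "$Me" -p icmp --icmp-type address-mask-reply $Tail
    LogAs='ICMP-TSQ' $Ipt -A "$Me" -p icmp --icmp-type timestamp-request $Tail
    LogAs='ICMP-TSR' $Ipt -A "$Me" -p icmp --icmp-type timestamp-reply $Tail
    ;;
  destroy)
    echo "Stopping $Me"
    # Per-rule deletions are kept for reference only; DestroyChain
    # (library-defined) presumably tears down the whole chain.
    #LogAs='ICMP-Frag' $Ipt -D $Me -p icmp -f $Tail
    #LogAs='ICMP-AMQ' $Ipt -D $Me -p icmp --icmp-type address-mask-request $Tail
    #LogAs='ICMP-AMR' $Ipt -D $Me -p icmp --icmp-type address-mask-reply $Tail
    #LogAs='ICMP-TSQ' $Ipt -D $Me -p icmp --icmp-type timestamp-request $Tail
    #LogAs='ICMP-TSR' $Ipt -D $Me -p icmp --icmp-type timestamp-reply $Tail
    DestroyChain "$Me"
    ;;
  status)
    # Listing the chain succeeds only if it exists.
    if $IptablesBin -L "$Me" >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    cat <<EOTEXT >&2
The $Me module puts in some blocks for fragmented icmp packets (illegal) and address mask and timestamp requests and replies.
At best, these are uncommon and are used in network mapping. These rules should be safe to use on any network.
EOTEXT
    DefaultHelp
    ;;
  *)
    # Name the task that was not matched as well as the action that
    # produced it, so the message is useful even if $Action is unset.
    echo "Unknown action $Action (task $OneTask) in $Me, no action taken." >&2
    ;;
  esac
done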