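#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# modwall module "outputdstaddrtype".
#
# Builds a chain (named after $Me) that is jumped to from OUTPUT for every
# packet not leaving via the loopback interface, and sorts those packets by the
# kernel's address type for their destination (iptables "-m addrtype").
# Destinations the kernel itself considers bogus for sending - LOCAL,
# BLACKHOLE, UNREACHABLE, PROHIBIT - are handed to "$Tail"; every other
# address type simply RETURNs to the calling chain.  Which action $Tail applies
# is decided by modwalllib (DefaultActions below suggests DROP) - confirm
# against the library.
#
# The framework drives this file through the whitespace-separated $Tasks list
# (link, unlink, create, destroy, renamechain, replacelinks, status, version,
# help).  Names not defined here - $Tasks, $IptablesBin, $Ipt, $AppIn, $Tail,
# FlushOrNewChain, DestroyChain, DefaultHelp, $MWLibVer - are presumably
# provided by modwalllib and the sourced configuration files.

Me='outputdstaddrtype'
MyVersion='0.4.1'
DefaultActions='DROP'

# The configuration files are *sourced*, i.e. executed as shell code in this
# (root) shell; they need to be as trustworthy as the script itself.
[ -r /etc/modwall/modwall.conf ] && . /etc/modwall/modwall.conf
[ -r "/etc/modwall/$Me.conf" ] && . "/etc/modwall/$Me.conf"
[ -r "${MWLibDir:-/usr/lib/modwall/}/modwalllib" ] && . "${MWLibDir:-/usr/lib/modwall/}/modwalllib"

if [ -z "$MWLibVer" ]; then
  echo 'It looks like modwalllib was not loaded, why? Exiting' >&2
  exit 1
fi

# $Tasks, $AppIn and $Tail are intentionally unquoted: they are word lists
# that must be split into separate arguments.
for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    # Chain may already exist; the -N failure is deliberately ignored.
    $IptablesBin -N "$Me" >/dev/null 2>&1
    #$IptablesBin $AppIn INPUT -i \! lo -j $Me
    #$IptablesBin $AppIn FORWARD -j $Me
    # "-o \! lo" is the older intrapositioned negation (kept as the module
    # has always used it); newer iptables prefers "\! -o lo".
    $IptablesBin $AppIn OUTPUT -o \! lo -j "$Me"
    ;;
  unlink)
    #$IptablesBin -D INPUT -i \! lo -j $Me
    #$IptablesBin -D FORWARD -j $Me
    $IptablesBin -D OUTPUT -o \! lo -j "$Me"
    $IptablesBin -X "$Me" >/dev/null 2>&1
    ;;
  create)
    echo "Starting $Me" >&2
    FlushOrNewChain "$Me"
    #FIXME - case, where appropriate, on state NEW, ESTABLISHED, and RELATED?
    # LogAs is set for the duration of each rule-adding command; the Ipt
    # helper presumably uses it to label any log line - confirm in modwalllib.
    # First the destination types the kernel says we should not be sending to:
    LogAs='LOCALDst'      $Ipt -A "$Me" -m addrtype --dst-type LOCAL $Tail        #Accept locally
    LogAs='BLACKHOLEDst'  $Ipt -A "$Me" -m addrtype --dst-type BLACKHOLE $Tail    #Drop
    LogAs='UNREACHABLEDst' $Ipt -A "$Me" -m addrtype --dst-type UNREACHABLE $Tail #Destination is unreachable
    LogAs='PROHIBITDst'   $Ipt -A "$Me" -m addrtype --dst-type PROHIBIT $Tail     #Administratively prohibited
    # Everything else is a legitimate destination type and leaves the chain:
    LogAs='UNSPECDst'     $IptablesBin -A "$Me" -m addrtype --dst-type UNSPEC -j RETURN
    LogAs='UNICASTDst'    $IptablesBin -A "$Me" -m addrtype --dst-type UNICAST -j RETURN    #Gateway or direct route
    LogAs='BROADCASTDst'  $IptablesBin -A "$Me" -m addrtype --dst-type BROADCAST -j RETURN  #Accept locally as broadcast, send as broadcast
    LogAs='ANYCASTDst'    $IptablesBin -A "$Me" -m addrtype --dst-type ANYCAST -j RETURN    #Accept locally as broadcast, but send as unicast
    LogAs='MULTICASTDst'  $IptablesBin -A "$Me" -m addrtype --dst-type MULTICAST -j RETURN  #Multicast route
    LogAs='THROWDst'      $IptablesBin -A "$Me" -m addrtype --dst-type THROW -j RETURN      #Not in the kernel addrtype table
    LogAs='NATDst'        $IptablesBin -A "$Me" -m addrtype --dst-type NAT -j RETURN        #Translate this address
    LogAs='XRESOLVEDst'   $IptablesBin -A "$Me" -m addrtype --dst-type XRESOLVE -j RETURN   #Use external resolver
    ;;
  destroy)
    echo "Stopping $Me" >&2
    DestroyChain "$Me"
    ;;
  renamechain)
    # Park the live chain under a temporary name so a fresh one can be built
    # and swapped in by "replacelinks" later in the same run.
    TempChain="$Me-$RANDOM"
    echo "Replacing existing rules in $Me with new rules" >&2
    $IptablesBin -E "$Me" "$TempChain"
    ;;
  replacelinks)
    # grep -F -w: the temporary chain name is matched as a literal whole word,
    # so "$Me-12" can no longer count a reference to "$Me-123".
    if [ -z "$TempChain" ]; then
      echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "No $Me chain in $Me, replace operation incomplete." >&2
    elif ! $IptablesBin -L "$TempChain" -n >/dev/null 2>&1 ; then
      echo "No $TempChain chain in $Me, replace operation incomplete." >&2
    #elif [ "$($IptablesBin -L INPUT -n --line-numbers | grep -c -F -w -- "$TempChain")" -ne 1 ]; then
    #  echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
    #elif [ "$($IptablesBin -L FORWARD -n --line-numbers | grep -c -F -w -- "$TempChain")" -ne 1 ]; then
    #  echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
    elif [ "$($IptablesBin -L OUTPUT -n --line-numbers | grep -c -F -w -- "$TempChain")" -ne 1 ]; then
      echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
    else
      #$IptablesBin -R INPUT "$($IptablesBin -L INPUT -n --line-numbers | grep -F -w -- "$TempChain" | awk '{print $1}')" -i \! lo -j "$Me"
      #$IptablesBin -R FORWARD "$($IptablesBin -L FORWARD -n --line-numbers | grep -F -w -- "$TempChain" | awk '{print $1}')" -j "$Me"
      # Replace the single OUTPUT jump to the temporary chain, in place, with a
      # jump to the rebuilt chain; the rule number comes from the listing above.
      $IptablesBin -R OUTPUT "$($IptablesBin -L OUTPUT -n --line-numbers | grep -F -w -- "$TempChain" | awk '{print $1}')" -o \! lo -j "$Me"
      DestroyChain "$TempChain"
      unset TempChain
    fi
    ;;
  status)
    if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
      echo "$Me created" >&2
    else
      echo "$Me destroyed" >&2
    fi
    ;;
  version)
    echo "$Me $MyVersion, modwalllib $MWLibVer" >&2
    ;;
  help)
    DefaultHelp
    # Unquoted delimiter so $Me expands inside the text.
    cat <<EOTEXT >&2
The $Me module checks the destination address for valid and invalid
address types, as maintained by the kernel.  For example, should we
really be sending packets to an address the kernel knows is
administratively prohibited?  This module is somewhat experimental,
but the checks should be conservative enough to safely use.
EOTEXT
    ;;
  *)
    # Report the task that was actually unrecognised (the loop variable).
    echo "Unknown action $OneTask in $Me, no action taken." >&2
    ;;
  esac
done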