#!/bin/sh
#
# firewall	This script sets up firewall/masquerade/accounting
#
# chkconfig: 2345 98 98
# description: Firewall-init is meant to provide an easy to use
#              interface to start and stop the kernel IP packet
#              filters through iptables(8).
# config: /etc/sysconfig/firewall
# config: /etc/sysconfig/firewall.d/*

# Source function library.
# Source function library (provides show/busy/ok/deltext, is_yes/is_no,
# msg_Network_Down used below).
. /etc/rc.d/init.d/functions

# Get network config (NETWORKING, IPV6_NETWORKING).
. /etc/sysconfig/network

# Get iptables config and function library.  The order matters:
# /etc/sysconfig/firewall defines FIREWALL, FIREWALL_DIR and the tool
# paths ($iptables, $ip6tables, $iptsave, ...) that the two function
# files and the rest of this script rely on.
. /etc/sysconfig/firewall
. /etc/sysconfig/firewall.d/functions
. /etc/sysconfig/firewall.d/functions.rules

# Administratively disabled (FIREWALL=no): nothing to do, and not an error.
is_no "${FIREWALL}" && exit 0

# Check that networking is up.
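# Prerequisite checks: refuse to run when networking is down or when the
# tools the rest of the script drives are not installed.  All diagnostics
# go to stderr.

# Check that networking is up.
if is_no "${NETWORKING}"; then
	# nls "ERROR: Networking is down. %s can't be run." <service>
	msg_Network_Down firewall
	exit 1
fi

# $iptables comes from /etc/sysconfig/firewall and must be a single
# executable path (it is tested with -x, not word-split).
if [ ! -x "$iptables" ] ; then
	echo "iptables executables not found (\"$iptables\"). Can't continue." >&2
	exit 1
fi

# The IPv6 tool is only required when IPv6 networking is enabled.
# NB: this must test $ip6tables, not $iptables -- otherwise a missing
# ip6tables is never detected and the IPv6 arms below fail part-way
# through, leaving a half-configured firewall.
if is_yes "${IPV6_NETWORKING}" && [ ! -x "$ip6tables" ] ; then
	echo "ip6tables executables not found (\"$ip6tables\"). Can't continue." >&2
	exit 1
fi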

# See how we were called.
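# See how we were called.
#
# The ipv4_*/ipv6_*, setup_rules, clean_rules and show/busy/ok/deltext
# helpers come from the sourced function files; $iptables, $iptsave,
# $iptrestore (and their ip6 counterparts) and $FIREWALL_DIR come from
# /etc/sysconfig/firewall.  Tool variables are left unquoted on purpose so
# a value that carries options keeps working; file paths are always quoted.
case "$1" in
  start)
	ipv4_forward_set 1
	ipv4_spoof_protection
	show "Load netfilter modules (IPv4)"
	busy
	ipv4_load_modules
	deltext ; ok
	ipv4_create_chains
	show "Authorize packet input and output (IPv4)"
	busy
	setup_rules ipv4
	deltext ; ok
	if is_yes "${IPV6_NETWORKING}" ; then
		ipv6_forward_set 1
		show "Load netfilter modules (IPv6)"
		busy
		ipv6_load_modules
		deltext ; ok
		ipv6_create_chains
		show "Authorize packet input and output (IPv6)"
		busy
		setup_rules ipv6
		deltext ; ok
	fi
	;;
  stop)
	ipv4_forward_set 0
	show "Flush standard tables and remove remaining chains (IPv4)"
	busy
	clean_rules ipv4
	deltext ; ok
	show "Unload netfilter modules (IPv4)"
	busy
	ipv4_remove_modules
	deltext ; ok
	if is_yes "${IPV6_NETWORKING}" ; then
		ipv6_forward_set 0
		show "Flush standard tables and remove remaining chains (IPv6)"
		busy
		clean_rules ipv6
		deltext ; ok
		show "Unload netfilter modules (IPv6)"
		busy
		ipv6_remove_modules
		deltext ; ok
	fi
	;;
  restart)
	"$0" stop
	"$0" start
	;;
  reload)
	# Rebuild only the rule sets: forwarding, spoof protection and the
	# loaded modules are left as they are (unlike stop + start).
	show "Flush standard tables and remove remaining chains (IPv4)"
	busy
	clean_rules ipv4
	deltext ; ok
	ipv4_create_chains
	show "Authorize packet input and output (IPv4)"
	busy
	setup_rules ipv4
	deltext ; ok
	if is_yes "${IPV6_NETWORKING}" ; then
		show "Flush standard tables and remove remaining chains (IPv6)"
		busy
		clean_rules ipv6
		deltext ; ok
		ipv6_create_chains
		show "Authorize packet input and output (IPv6)"
		busy
		setup_rules ipv6
		deltext ; ok
	fi
	;;
  save)
	# Write to a temporary file and rename, so a failing iptables-save
	# cannot leave a truncated rule set behind ('>' truncates the target
	# before the command even runs).  The saved files describe the whole
	# policy; their mode follows the current umask.
	if $iptsave > "$FIREWALL_DIR/saved-rules.tmp" ; then
		mv -f -- "$FIREWALL_DIR/saved-rules.tmp" "$FIREWALL_DIR/saved-rules"
	else
		rm -f -- "$FIREWALL_DIR/saved-rules.tmp"
		echo "Saving IPv4 rules to \"$FIREWALL_DIR/saved-rules\" failed." >&2
		exit 1
	fi
	if is_yes "${IPV6_NETWORKING}" ; then
		if $ip6tsave > "$FIREWALL_DIR/saved-rules6.tmp" ; then
			mv -f -- "$FIREWALL_DIR/saved-rules6.tmp" "$FIREWALL_DIR/saved-rules6"
		else
			rm -f -- "$FIREWALL_DIR/saved-rules6.tmp"
			echo "Saving IPv6 rules to \"$FIREWALL_DIR/saved-rules6\" failed." >&2
			exit 1
		fi
	fi
	;;
  restore)
	# The saved files are the INPUT of iptables-restore.  Redirecting with
	# '>' here (as this arm used to) truncated the saved rule set to an
	# empty file and left restore waiting on stdin, so the firewall was
	# never restored and the saved policy was lost.
	if [ ! -r "$FIREWALL_DIR/saved-rules" ] ; then
		echo "No saved IPv4 rules in \"$FIREWALL_DIR/saved-rules\". Can't restore." >&2
		exit 1
	fi
	$iptrestore < "$FIREWALL_DIR/saved-rules"
	if is_yes "${IPV6_NETWORKING}" ; then
		if [ ! -r "$FIREWALL_DIR/saved-rules6" ] ; then
			echo "No saved IPv6 rules in \"$FIREWALL_DIR/saved-rules6\". Can't restore." >&2
			exit 1
		fi
		$ip6trestore < "$FIREWALL_DIR/saved-rules6"
	fi
	;;
  status)
	# Only the filter table is listed; nat/mangle rules are not shown here.
	$iptables -L -n
	if is_yes "${IPV6_NETWORKING}" ; then
		$ip6tables -L -n
	fi
	;;
  extstatus)
	# As status, with per-rule packet/byte counters.
	$iptables -L -n -v
	if is_yes "${IPV6_NETWORKING}" ; then
		$ip6tables -L -n -v
	fi
	;;
  masqstatus|masqextstatus)
	# Dump the connection-tracking table.  ip_conntrack is the legacy
	# IPv4-only name; newer kernels expose the same data as nf_conntrack,
	# which is used when the old file is absent.
	if [ -r /proc/net/ip_conntrack ] ; then
		cat /proc/net/ip_conntrack
	elif [ -r /proc/net/nf_conntrack ] ; then
		cat /proc/net/nf_conntrack
	else
		echo "Connection tracking table not available (is conntrack loaded?)." >&2
		exit 1
	fi
	;;
  *)
	echo "Usage: $0 {start|stop|restart|reload|save|restore|status|extstatus|masqstatus|masqextstatus}" >&2
	exit 1
	;;
esac

exit 0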
