
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2001-04-19  Dougal Holmes <dholmes@bigpond.net.au>
#             Added INCHAIN/OUTCHAIN swap for clusters
# 2000-10-25  Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#             Initial module written for v5.1.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept ignore
#i# cluster
#n# icmp
#t# clients
#
#   |--------------------------------------------------------------------|
#d# Accept ping and traceroute (using ICMP) from these hosts/networks
#d# (accepts are logged). Ping and traceroute are denied by default. Use
#d# the ignore option to block a subset of the hosts given to accept.
#d#
#d# Example:
#d#   accept-eth1-icmp-clients = 
#d#   ignore-eth1-icmp-clients = any/0 
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

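# Build the ICMP "clients" rules for one interface. The surrounding module
# framework supplies Option_Value, INTOPT, IPADDR, INCHAIN, OUTCHAIN,
# CLUSTER_NAME, LOG and LOG_MSG; ipchains is invoked directly.
#
# The ignore action is processed before accept on purpose: rules are
# appended (-A) in order, so a DENY/REJECT for a subset of hosts must be
# inserted before the broader ACCEPT to take effect.
for action in ignore accept
do
	case "$action" in
		ignore)
			action_msg="Deny/Reject"
			action_in_jump="DENY"
			action_out_jump="REJECT"
			;;
		accept)
			action_msg="Accept"
			action_in_jump="ACCEPT"
			action_out_jump="ACCEPT"
			;;
	esac

	# On a cluster the interface's input and output chains are swapped
	# (see the 2001-04-19 change note above); the reason is not recorded
	# in this module.
	if [ "$CLUSTER_NAME" ]
	then
		inchain="$OUTCHAIN"
		outchain="$INCHAIN"
	else
		inchain="$INCHAIN"
		outchain="$OUTCHAIN"
	fi

	# Option_Value prints the configured host list; splitting its output
	# into one host per iteration is intended, so it stays unquoted.
	# $INTOPT and $LOG are also left unquoted as in the original: either
	# may be empty, and a quoted empty string would become a spurious
	# argument. Values that end up as ipchains arguments are quoted so a
	# stray glob character in a config entry cannot expand against the
	# current directory (assumes IPADDR holds a single address — confirm).
	for host in $(Option_Value $action $INTOPT icmp clients)
	do
		echo "$action_msg $INTOPT $IPADDR ICMP Echo Reply <-> $host ICMP Echo Request $LOG_MSG"
		ipchains -A "$inchain"  -j "$action_in_jump"  -p icmp -s "$host" echo-request -d "$IPADDR" $LOG
		ipchains -A "$outchain" -j "$action_out_jump" -p icmp -s "$IPADDR" echo-reply -d "$host"   $LOG

		echo "$action_msg $INTOPT $IPADDR ICMP Destination Unreachable -> $host $LOG_MSG"
		ipchains -A "$outchain" -j "$action_out_jump" -p icmp -s "$IPADDR" destination-unreachable -d "$host" $LOG

		# NOTE(review): the inbound rule below also accepts ICMP Redirect
		# from $host, which is wider than the ping/traceroute behaviour the
		# option text describes; if the kernel honours redirects, a listed
		# host can influence the local routing cache. Confirm this is
		# intended before relying on the accept list for untrusted hosts.
		echo "$action_msg $INTOPT $IPADDR ICMP Redirect <-> $host ICMP Redirect $LOG_MSG"
		ipchains -A "$inchain"  -j "$action_in_jump"  -p icmp -s "$host"   redirect -d "$IPADDR" $LOG
		ipchains -A "$outchain" -j "$action_out_jump" -p icmp -s "$IPADDR" redirect -d "$host"   $LOG

		echo "$action_msg $INTOPT $IPADDR ICMP Time Exceeded -> $host $LOG_MSG"
		ipchains -A "$outchain" -j "$action_out_jump" -p icmp -s "$IPADDR" time-exceeded -d "$host" $LOG
	done
done
# The module appears to be sourced by the framework; drop the working
# variables so they do not leak into whatever runs next.
unset action action_msg action_in_jump action_out_jump inchain outchain host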

