
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2001-04-20  Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#             Moved outbound ICMP rules into this module. Added default
#             value for option (any/0).
# 2001-04-19  Dougal Holmes <dholmes@bigpond.net.au>
#             Initial module for v5.1.1 (based on clients module)
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept
#i# cluster novirtual
#n# icmp
#t# servers
#v# accept any/0
#
#   |--------------------------------------------------------------------|
#d# Allow ping and traceroute (using ICMP) to these hosts/networks. Leave
#d# this option set to "any/0" unless you know what you're doing.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

# Append ICMP ACCEPT rules to $INCHAIN / $OUTCHAIN for every entry that
# Option_Value returns for the "accept ... icmp servers" option. The
# module default for that option is any/0, so unless it is narrowed the
# rules below match every address.
#
# NOTE(review): every expansion here is unquoted, so values are word-split
# and globbed by the shell. $LOG presumably carries an optional ipchains
# flag and may be empty -- confirm before quoting anything.
for host in $(Option_Value accept $INTOPT icmp servers); do
	if [ -z "$CLUSTER_NAME" ]; then
		# Not clustered: rules pair the local $NETADDR with $host.

		# Ping: echo-request leaves $NETADDR, echo-reply comes back from $host.
		echo "Accept $INTOPT $NETADDR ICMP Echo Request <-> $host ICMP Echo Reply $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host echo-reply -d $NETADDR $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $NETADDR echo-request -d $host $LOG

		# Destination Unreachable (ICMP type 3) is the general error a
		# router on the path sends when it cannot pass the packet on to
		# its next destination; traceroute relies on it. Inbound only.
		echo "Accept $INTOPT $NETADDR <- $host ICMP Dest. Unreachable $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host destination-unreachable -d $NETADDR $LOG

		# Fragmentation Needed is the type-3 sub-type used to negotiate
		# packet fragment size. Denying all outgoing type 3 could affect
		# network performance, so this one sub-type is let out.
		echo "Accept $INTOPT $NETADDR ICMP Fragmentation Needed -> $host $LOG_MSG"
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $NETADDR fragmentation-needed -d $host $LOG

		# NOTE(review): Source Quench was deprecated by RFC 6633. A host
		# that still honours inbound quench messages slows its sending
		# rate, so confirm both rules are still wanted, in particular
		# while the option is left at any/0.
		echo "Accept $INTOPT $NETADDR ICMP Source Quench <-> $host ICMP Source Quench $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host source-quench -d $NETADDR $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $NETADDR source-quench -d $host $LOG

		# Time Exceeded is accepted inbound only.
		echo "Accept $INTOPT $NETADDR <- $host ICMP Time Exceeded $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host time-exceeded -d $NETADDR $LOG

		# Parameter Problem is accepted in both directions.
		echo "Accept $INTOPT $NETADDR ICMP Param. Problem <-> $host ICMP Param. Problem $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host parameter-problem -d $NETADDR $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $NETADDR parameter-problem -d $host $LOG

	else
		# Clustered ($CLUSTER_NAME is non-empty): rules pair $IPADDR with
		# $host. Here $INCHAIN rules use $IPADDR as the source and
		# $OUTCHAIN rules use $host as the source, the reverse of the
		# branch above -- presumably intentional for clustered
		# addresses; verify against the framework.

		# NOTE(review): the rules let $IPADDR send echo-request and $host
		# send echo-reply, while the message labels the two the other
		# way round -- confirm which is intended.
		echo "Accept $INTOPT $IPADDR ICMP Echo Reply <-> $host ICMP Echo Request $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $IPADDR echo-request -d $host $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $host echo-reply -d $IPADDR $LOG

		echo "Accept $INTOPT $IPADDR ICMP Destination Unreachable <- $host $LOG_MSG"
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $host destination-unreachable -d $IPADDR $LOG

		# NOTE(review): an ICMP Redirect can change the routing of a host
		# that honours it. Confirm the cluster setup needs these two
		# rules and that the option is not left at any/0 when they are
		# active.
		echo "Accept $INTOPT $IPADDR ICMP Redirect <-> $host ICMP Redirect $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $IPADDR redirect -d $host $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $host redirect -d $IPADDR $LOG

		echo "Accept $INTOPT $IPADDR ICMP Time Exceeded <- $host $LOG_MSG"
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $host time-exceeded -d $IPADDR $LOG
	fi
done

# Drop the loop variable once all rules have been added.
unset host
