#!/bin/sh
### BEGIN INIT INFO
# Provides:          bastion
# Required-Start:    $syslog $creoled
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Start/stop le firewall de amon
### END INIT INFO
#
# description:  Lance le firewall
# config: /etc/init.d/bastion
# la commande start execute le script zephir-bastion.pl
# la commande stop passe le firewall en mode forteresse
#
#

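RETVAL=0
# Some init contexts hand us TERM=dumb; the LSB helpers want a real terminal
# name, and "eole" is the project's own entry.
[ "$TERM" = "dumb" ] && export TERM=eole
. /lib/lsb/init-functions
#. ParseDico
export TPUT=/usr/bin/tput
# EXPR is no longer used in this file but stays exported for sourced scripts.
export EXPR=/usr/bin/expr
# Probe whether tput can position the cursor and set colours on this terminal;
# only then compute COL, the column used for status markers (width - 7).
if [ -n "$TERM" ] && $TPUT hpa 60 >/dev/null 2>&1 && $TPUT setaf 1 >/dev/null 2>&1; then
    FANCYTTY=1
    COLS=$($TPUT cols)
    # -gt fails (status 2) on a non-numeric COLS, which lands in the fallback
    if [ "$COLS" ] && [ "$COLS" -gt 6 ]; then
        COL=$((COLS - 7))
    else
        COLS=80
        COL=73
    fi
    export COL
else
    FANCYTTY=0
fi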

# Paths of the optional services driven by this script (init script,
# configuration file that enables the service, lock file set while running).
INITQOS='/etc/init.d/qoseole'
CONFQOS='/etc/qoseole.conf'
LOCKQOS='/var/lock/qoseole'
INITRVP='/etc/init.d/ipsec'
INITRVP_AMON='/etc/init.d/rvp'
# RVP (the VPN) is optional; CreoleGet answers "non" when the variable is unset.
install_rvp=$(CreoleGet install_rvp non)
if [ "$install_rvp" = "oui" ]; then
    # The secret store differs between database mode and flat-file mode;
    # its presence is what start() uses to decide whether to bring RVP up.
    if [ "$(CreoleGet sw_database_mode)" = "oui" ]; then
        CONFRVP='/etc/ipsec.d/ipsec.db'
    else
        CONFRVP='/etc/ipsec.secrets'
    fi
else
    # Deliberately empty when RVP is not installed; quote it in tests so that
    # `[ -e "" ]` is false rather than the one-argument form `[ -e ]`.
    CONFRVP=''
fi
LOCKRVPDIR='/var/lock/subsys'
LOCKRVP="$LOCKRVPDIR/ipsec"
INITAGR='/etc/init.d/agregation'
CONFAGR='/etc/agregation.conf'
LOCKAGR='/var/lock/agregation'

# Repeats the guard from the top of the file; harmless no-op if already set.
[ "$TERM" = "dumb" ] && export TERM="eole"

logit() {
    # Write one line to syslog, facility local2 / level info, tagged "bastion".
    # Only the first argument is logged.
    /usr/bin/logger -p local2.info -t "bastion" "$1"
}
logit2(){
    # Like logit, but additionally opens a console status line through the
    # LSB helper (the caller is expected to close it with log_end_msg).
    logit "$1"
    log_begin_msg "$1"
}
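test_iptables(){
    # Abort the whole script (exit 1) unless iptables is present and the
    # kernel accepts a table listing; the messages point the admin at the
    # kernel when the listing fails.
    # The same absolute path is checked and executed, so a PATH lookup cannot
    # substitute a different binary when this runs as root from init.
    if [ ! -x /sbin/iptables ]; then
        logit "Erreur : /sbin/iptables non exécutable !"
        log_failure_msg "Erreur : /sbin/iptables non exécutable !"
        exit 1
    fi
    # stderr is deliberately left on the console so the kernel error is visible.
    if ! /sbin/iptables -nL >/dev/null; then
        logit "Erreur iptables, vérifiez le noyau Linux utilisé par le serveur"
        log_failure_msg "Erreur iptables, vérifiez le noyau Linux utilisé par le serveur"
        exit 1
    fi
}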

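start() {
    # Load the firewall rules, then start the optional services that rely on
    # them: QoS, link aggregation, and RVP (the VPN) last.  Returns the exit
    # status of firewall.start, or 1 when that script is absent.
    # mkdir -p is a no-op when the lock directory already exists.
    mkdir -p -- "$LOCKRVPDIR"
    MSG="Starting firewall: bastion"
    logit "$MSG"
    echo -n " * $MSG"

    if [ ! -x /usr/share/eole/firewall.start ]; then
        logit2 "Pas de scripts permettant la prise en compte des règles de parefeu"
        logit2 "Rien à faire"
        return 1
    fi
    test_iptables
    # Sourced, not executed: the rule script runs in this shell and the status
    # of its last command becomes ours.
    . /usr/share/eole/firewall.start
    RETVAL=$?
    log_end_msg "$RETVAL"
    [ "$RETVAL" -eq 0 ] && touch /var/lock/bastion

    # QoS, only when configured and its init script is present
    if [ -e "$CONFQOS" ] && [ -x "$INITQOS" ]; then
        logit "Mise en place des regles de QOS"
        "$INITQOS" start
    fi
    # link aggregation, same rule
    if [ -e "$CONFAGR" ] && [ -x "$INITAGR" ]; then
        logit "Mise en place des regles d'agrégation"
        "$INITAGR" start
    fi
    # RVP MUST be started last.  CONFRVP is empty when RVP is not installed;
    # quoting makes `[ -e "" ]` false instead of the always-true `[ -e ]`.
    if [ -e "$CONFRVP" ] && [ "$install_rvp" = "oui" ]; then
        logit "Mise en place des regles RVP"
        if [ -e "$INITRVP_AMON" ]; then
            "$INITRVP_AMON" start
        else
            "$INITRVP" start
        fi
    fi
    # Snapshot of the live ruleset.  This runs even when RETVAL is non-zero,
    # so the file may then describe a partially loaded set.
    /sbin/iptables-save > /etc/eole/iptables
    return "$RETVAL"
}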

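stopother() {
    # Stop the services started by start(): QoS, aggregation, then RVP.
    # Each is keyed on its lock file, not on its configuration, so only what
    # actually started gets stopped.
    if [ -e "$LOCKQOS" ]; then
        "$INITQOS" stop
    fi
    if [ -e "$LOCKAGR" ]; then
        "$INITAGR" stop
    fi
    # RVP MUST be stopped last (right before the iptables flush).
    # NOTE(review): stop() sources firewall.stop before calling this function,
    # so there the flush precedes the RVP stop — confirm the intended order.
    if [ -e "$LOCKRVP" ]; then
        if [ -e "$INITRVP_AMON" ]; then
            "$INITRVP_AMON" stop
        else
            "$INITRVP" stop
        fi
    fi
    logit2 "Stopping firewall: bastion"
    log_end_msg 0
}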

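stop() {
    # Remove the firewall rules (the header calls this "fortress" mode), then
    # stop the dependent services.  Returns the status of firewall.stop, or 1
    # when that script is absent (in which case nothing else is stopped).
    logit2 "Stopping firewall: bastion"
    if [ ! -x /usr/share/eole/firewall.stop ]; then
        logit2 "pas de scripts permettant la suppression des règles de parefeu"
        logit2 "Rien à faire"
        return 1
    fi
    test_iptables
    # Sourced: the status of the rule script's last command becomes ours.
    . /usr/share/eole/firewall.stop
    RETVAL=$?
    log_end_msg "$RETVAL"
    [ "$RETVAL" -eq 0 ] && rm -f /var/lock/bastion
    # Dependent services go down after the rules are already gone; stopother()
    # documents the opposite expectation for RVP — order kept, to be confirmed.
    stopother
    return "$RETVAL"
}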

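# Dispatch on the requested action and exit with that action's status, so a
# failed rule load is reported to init as a failure rather than as success.
case "$1" in
  start)
    start
    RETVAL=$?
    ;;

  stop)
    stop
    RETVAL=$?
    ;;

  restart|reload)
    # "restart" is really just "start" as this isn't a daemon,
    #  and "start" clears any pre-defined rules anyway.
    #  This is really only here to make those who expect it happy
    stopother
    start
    RETVAL=$?
    ;;

  status)
    # One loaded table per line; word-splitting on $tables is intended.
    tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
    for table in $tables; do
        echo "Table: $table"
        # absolute path, consistent with test_iptables
        /sbin/iptables -t "$table" --list
    done
    RETVAL=0
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit 1
esac

exit "$RETVAL"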
