#-----------------------------------------------------------------------
# Copyright (C) 2000-2001, Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#-----------------------------------------------------------------------
# $Id: 950-icmp-servers,v 1.3 2001/10/18 03:50:34 dholmes Exp $
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# accept
#i# cluster
#n# icmp
#t# servers
#v# accept any/0
#
#   |--------------------------------------------------------------------|
#d# Allow ping and traceroute (using ICMP) to these hosts/networks. Leave
#d# this option set to "any/0" unless you know what you're doing.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

# Append ICMP ACCEPT rules for every host/network returned by the
# "accept <interface option> icmp servers" option lookup.
#
# Reads:  INTOPT, CLUSTER_NAME, VIRTUAL, NETADDR, IPADDR, INCHAIN,
#         OUTCHAIN, LOG, LOG_MSG (all set by the calling script).
# Output: one "Accept ..." line on stdout per group of rules.
#
# Every rule is added with "ipchains -A" (append), so the order of the
# calls below is the order in which the rules land in each chain.
# $LOG is left unquoted on purpose: when it is empty it contributes no
# argument at all (presumably it carries the logging flag -- confirm).
for host in $(Option_Value accept $INTOPT icmp servers); do
	if [ -z "$CLUSTER_NAME" ]; then
		# --- No cluster name set: rules between $NETADDR and $host ---

		# Ping is only opened when VIRTUAL is "no". The pair below lets
		# $NETADDR send echo-request and receive the echo-reply; it does
		# not accept echo-request arriving from $host.
		if [ "$VIRTUAL" = "no" ]; then
			echo "Accept $INTOPT $NETADDR ICMP Echo Request <-> $host ICMP Echo Reply $LOG_MSG"
			ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host echo-reply -d $NETADDR $LOG
			ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $NETADDR echo-request -d $host $LOG
		fi

		# Type 3 (destination unreachable): error status sent back when
		# a router on the path cannot deliver the packet to its next
		# hop. traceroute depends on it, so it is accepted inbound.
		echo "Accept $INTOPT $NETADDR <- $host ICMP Dest. Unreachable $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host destination-unreachable -d $NETADDR $LOG

		# Outbound, only the Fragmentation Needed sub-type of type 3 is
		# let through. It is what peers use to negotiate packet fragment
		# size; dropping every outgoing type 3 could hurt network
		# performance.
		echo "Accept $INTOPT $NETADDR ICMP Fragmentation Needed -> $host $LOG_MSG"
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $NETADDR fragmentation-needed -d $host $LOG

		# Source quench, both directions.
		# NOTE(review): Source Quench was deprecated by RFC 6633; these
		# two rules are candidates for removal.
		echo "Accept $INTOPT $NETADDR ICMP Source Quench <-> $host ICMP Source Quench $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host source-quench -d $NETADDR $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $NETADDR source-quench -d $host $LOG

		# Time exceeded, inbound only.
		echo "Accept $INTOPT $NETADDR <- $host ICMP Time Exceeded $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host time-exceeded -d $NETADDR $LOG

		# Parameter problem, both directions.
		echo "Accept $INTOPT $NETADDR ICMP Param. Problem <-> $host ICMP Param. Problem $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $host parameter-problem -d $NETADDR $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $NETADDR parameter-problem -d $host $LOG
	else
		# --- Cluster name set: rules between $IPADDR and $host ---
		# In this branch $INCHAIN matches packets whose source is
		# $IPADDR and $OUTCHAIN matches packets whose source is $host,
		# i.e. the roles are mirrored relative to the branch above.
		# The VIRTUAL setting is not consulted here.

		# NOTE(review): the message pairs $IPADDR with "Echo Reply",
		# while the rules match echo-request from $IPADDR and
		# echo-reply from $host. Confirm which one is intended.
		echo "Accept $INTOPT $IPADDR ICMP Echo Reply <-> $host ICMP Echo Request $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $IPADDR echo-request -d $host $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $host echo-reply -d $IPADDR $LOG

		echo "Accept $INTOPT $IPADDR ICMP Destination Unreachable <- $host $LOG_MSG"
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $host destination-unreachable -d $IPADDR $LOG

		# NOTE(review): ICMP redirects can change the route a receiver
		# uses for a destination. With the option at its default of
		# any/0 these rules accept them for any source, so consider
		# narrowing the option to known gateways when clustering.
		echo "Accept $INTOPT $IPADDR ICMP Redirect <-> $host ICMP Redirect $LOG_MSG"
		ipchains -A $INCHAIN -j ACCEPT -p icmp -s $IPADDR redirect -d $host $LOG
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $host redirect -d $IPADDR $LOG

		echo "Accept $INTOPT $IPADDR ICMP Time Exceeded <- $host $LOG_MSG"
		ipchains -A $OUTCHAIN -j ACCEPT -p icmp -s $host time-exceeded -d $IPADDR $LOG
	fi
done

# Do not leak the loop variable into the calling script.
unset host

