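#!/bin/sh
#
# *********************************************************************
# This script is used with IPFilter if the ruleset (/etc/ipf.rules)
# contains an explicit drop rule that masks a rule added at the end.
# It expects block rules for both input and output filters. This
# works e.g. with rule sets generated by fwbuilder.
#
# The script will insert its rule before the drop rule. The drop rules
# are expected to look like the $inblock and $outblock variables
# defined below.
#
# Note that it does not use locking, so concurrent accesses may
# interfere with each other.
# *********************************************************************
#
# file "ipf_add.before_block"
# IPFilter add script, called by "doormand".
# This adds two "pass in quick" rules to the firewall.
#
# Called with five arguments:
#
# $1 : name of the interface (e.g. ne0)
# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
# $3 : source port; when this script is called for the first time
#      for a connection (man 8 doormand), this argument will be set
#      to a single "0" (0x30) character. This means that the source
#      port is not yet known, and a broad rule allowing any source
#      port is required.
# $4 : destination IP; that is, the IP address of the interface
#      in argument 1.
# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
#
# Output (on stdout, read by doormand):
#   "0"             both rules were inserted
#   "-1 3 <text>"   failure; <text> is the diagnostic from ipf or from
#                   the argument/rule checks below
#
# Every argument ends up inside a sed pattern and inside the rule text
# fed to "ipf -f -".  Each one is therefore checked against a strict
# character set before use; anything that does not look like an
# interface name, an IP address literal or a port number is rejected
# rather than passed through to the packet filter.

# Report a failure to doormand in the "-1 3 <text>" format and stop.
# Multi-line ipf output is flattened to a single line (the original
# unquoted echo did the same through word splitting).
# The exit status stays 0, as it was on every path of the original
# script; doormand reads the result from stdout (NOTE(review): confirm
# whether doormand also inspects the exit status).
fail() {
  msg=$(printf '%s' "$*" | tr -s '[:space:]' ' ')
  printf -- '-1 3 %s\n' "$msg"
  exit 0
}

[ $# -ge 5 ] || fail "expected 5 arguments, got $#"

iface=$1
src=$2
sport=$3
dst=$4
dport=$5

# Interface: letters, digits and . : _ - (e.g. ne0, em0.10, lo0:1).
# This also keeps '/' and regex metacharacters out of the sed patterns.
case "$iface" in
  ''|*[!A-Za-z0-9._:-]*) fail "invalid interface name" ;;
esac

# Addresses: dotted-decimal is the documented form; hex digits and ':'
# are also accepted so an IPv6 literal handed over by doormand is not
# rejected.  Anything else (spaces, quotes, rule keywords) is refused.
for addr in "$src" "$dst"; do
  case "$addr" in
    ''|*[!0-9A-Fa-f.:]*) fail "invalid IP address" ;;
  esac
done

# Ports: decimal digits only ("0" as source port means "not yet known").
for port in "$sport" "$dport"; do
  case "$port" in
    ''|*[!0-9]*) fail "invalid port number" ;;
  esac
done

# This script expects the IPFilter ruleset to have two rules like this:
inblock="block in log quick on $iface from any to any"
outblock="block out log quick on $iface from any to any"
# The new rules will be inserted just before these blocking rules.

if [ "$sport" = 0 ]; then
  inrule="pass in quick on $iface proto TCP from $src to $dst port = $dport"
  outrule="pass out quick on $iface proto TCP from $dst port = $dport to $src"
else
  inrule="pass in quick on $iface proto TCP from $src port = $sport to $dst port = $dport"
  outrule="pass out quick on $iface proto TCP from $dst port = $dport to $src port = $sport"
fi

#
# acquire lock (not implemented)
#

# Find the rule numbers of the block rules.  ipfstat lists rules as
# "@<n> <rule text>"; only the first matching number is used, so a
# ruleset that happens to contain the block rule twice does not produce
# a multi-line (and therefore broken) rule number.
inruleno=$(ipfstat -in | sed -n -e "s/@\([0-9]*\) $inblock/\1/p" | head -n 1)
outruleno=$(ipfstat -on | sed -n -e "s/@\([0-9]*\) $outblock/\1/p" | head -n 1)

# Without a valid rule number the insert would be fed to ipf as "@ pass
# in ..." and fail with an unhelpful message; say what is missing instead.
case "$inruleno" in
  ''|*[!0-9]*) fail "input block rule not found: $inblock" ;;
esac
case "$outruleno" in
  ''|*[!0-9]*) fail "output block rule not found: $outblock" ;;
esac

# Insert new rules.  As in the original script, any output from ipf
# (stdout or stderr) is treated as a failure.
ret=$( {
  printf '@%s %s\n' "$inruleno" "$inrule"
  printf '@%s %s\n' "$outruleno" "$outrule"
} | /sbin/ipf -f - 2>&1 )

#
# release lock (not implemented)
#

if [ -z "$ret" ]; then
  echo 0
else
  fail "$ret"
fi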