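#!/bin/bash
#
# arptables   Load (start) or flush (stop) the arptables firewall rules.
#
# config: /etc/sysconfig/arptables
#
# Exit codes follow the usual init-script convention used by this file:
#   0 - ok            2 - unknown action
#   4 - /usr/sbin/arptables missing or not executable
#   6 - configuration file missing
#
# The shebang is bash rather than sh: the script relies on bash features
# ($"..." localized strings) and /etc/init.d/functions is a bash library.

# Source 'em up
. /etc/init.d/functions

# Rules file fed to arptables-restore. It is applied with root privileges,
# so it should be root-owned and not writable by unprivileged users.
ARPTABLES_CONFIG=/etc/sysconfig/arptables
# Lock file that marks the rules as loaded (checked by condrestart).
LOCKFILE=/var/lock/subsys/arptables
# Kernel-exported list of registered arptables tables, one name per line.
TABLE_NAMES=/proc/net/arp_tables_names

#######################################
# Print the registered arptables table names, one per line.
# Outputs: table names on stdout; nothing if the module is not loaded.
#######################################
table_names() {
  cat "$TABLE_NAMES" 2>/dev/null
}

#######################################
# Print success/failure for an accumulated status and end the line.
# Arguments: $1 - summed exit status (0 means every step succeeded)
#######################################
report_status() {
  if [ "$1" -eq 0 ]; then
    success
  else
    failure
  fi
  echo
}

#######################################
# Run arptables against a table, but only if the kernel has that table
# registered; otherwise arptables would fail (e.g. module not loaded).
# Arguments: $1 - table name; all arguments are passed on after "-t"
# Returns:   arptables' status, or 0 when the table is not registered
#######################################
arp_table() {
  # -F/-x: match the table name literally and as a whole line;
  # -s: stay quiet if /proc/net/arp_tables_names does not exist.
  if grep -Fqsx -- "$1" "$TABLE_NAMES"; then
    arptables -t "$@"
  fi
}

#######################################
# Flush every chain in every table, then delete user-defined chains.
# Each step's exit status is summed so a single failure marks the
# whole operation as failed while still attempting the remaining tables.
# Globals:   TABLE_NAMES (read)
# Outputs:   status lines on stdout
#######################################
flush_delete_chains() {
  local chains ret table
  chains=$(table_names)

  echo -n $"Flushing all chains:"
  ret=0
  for table in $chains; do
    arptables -t "$table" -F
    ret=$((ret + $?))
  done
  arptables -F
  ret=$((ret + $?))
  report_status "$ret"

  echo -n $"Removing user defined chains:"
  ret=0
  for table in $chains; do
    arptables -t "$table" -X
    ret=$((ret + $?))
  done
  arptables -X
  ret=$((ret + $?))
  report_status "$ret"
}

#######################################
# Clear existing rules and load the rule set from $ARPTABLES_CONFIG.
# Globals:   ARPTABLES_CONFIG (read), LOCKFILE (written)
# Returns:   exits 4 without the binary, 6 without the config file
#######################################
start() {
  local table
  if [ ! -x /usr/sbin/arptables ]; then
    exit 4
  fi

  # don't do squat if we don't have the config file
  if [ ! -f "$ARPTABLES_CONFIG" ]; then
    failure
    echo
    echo $"Configuration file /etc/sysconfig/arptables missing"
    exit 6
  fi

  # If we don't clear these first, we might be adding to
  # pre-existing rules.
  flush_delete_chains
  # Also reset the per-table counters so the new rule set starts at zero.
  for table in $(table_names); do
    arptables -t "$table" -Z
  done

  echo -n $"Applying arptables firewall rules: "
  if /usr/sbin/arptables-restore < "$ARPTABLES_CONFIG"; then
    success
  else
    failure
  fi
  echo
  # The lock file is created even when the restore failed, so that
  # "stop"/"condrestart" still flush whatever was partially loaded.
  touch "$LOCKFILE"
}

#######################################
# Flush all rules and reset the built-in filter chains to ACCEPT.
# Globals:   LOCKFILE (removed)
#######################################
stop() {
  flush_delete_chains
  echo -n $"Resetting built-in chains to the default ACCEPT policy:"
  # arp_table returns 0 when the filter table is not registered, in which
  # case there is nothing to reset and this is reported as success.
  if arp_table filter -P INPUT ACCEPT && arp_table filter -P OUTPUT ACCEPT; then
    success
  else
    failure
  fi
  echo
  rm -f "$LOCKFILE"
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart|reload)
    # "restart" is really just "start" as this isn't a daemon,
    # and "start" clears any pre-defined rules anyway.
    # This is really only here to make those who expect it happy
    start
    ;;
  condrestart|try-restart|force-reload)
    # Only reload if the rules were loaded before (lock file present).
    if [ -e "$LOCKFILE" ]; then
      start
    fi
    ;;
  *)
    exit 2
    ;;
esac
exit 0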