#!/bin/sh
# NOTE: despite the /bin/sh shebang this script uses bash-only features
# (the "function" keyword, local, declare -a, export -f, for ((...))),
# so /bin/sh must resolve to bash on the target system.
# Usage: createipf.sh <policy type> <cp state>
#        policy type: "v4" or "v6" (selects iptables or ip6tables rules)
#        cp state:    "Active" or "Standby"
#
# Rules are defined as follows.

#    ----------         -------
#    | INPUT  |-------->| TCP |------> Other protocol rules
#    ----------         -------
#        |
#        |              -------
#        -------------->| UDP |------> Other protocol rules
#                       -------
#
# splitting rule processing in two levels makes it faster
# to execute.

# Resolve every tool from a fixed, root-controlled PATH rather than the
# caller's environment; iptables/ip6tables are later invoked by bare name.
export PATH=/fabos/sbin:/fabos/bin:/bin:/usr/bin:/sbin

# Bump "version" (below) whenever this script is changed; it is stamped
# into the header of the generated rules file.

# IPTABLES is intentionally left unset, so generated rule lines start with
# "-A ..." (the iptables-restore format). It exists only as a hook should
# the script ever be changed to emit plain iptables command lines with a
# full path to the binary.

export debug_on=0

# Exactly two positional parameters are required:
#   $1  policy type (compared against "v4"/"v6" later in the script)
#   $2  CP state    (compared against "Active"/"Standby" later in the script)
# NOTE(review): the values themselves are not validated here; they are
# used later to build the policy file path, so this script must only be
# invoked with trusted arguments.
if [ "$#" -ne 2 ]; then
	echo "ERROR: $0, Incorrect number of parameters."
	# iptab_clear_rules is deliberately not called here: nothing has been
	# touched yet, so the running firewall state is left as is.
	exit 1
fi

export POLICYTYPE="$1"
export CPSTATE="$2"

version=v1.1
IPTABLES_RULES_CORRUPTION_FIX=1

# Reset the filter tables to an open, empty state: iptables, ip6tables,
# or both, depending on POLICYTYPE.
# Reset one netfilter family ($1 = iptables or ip6tables) to a fully open,
# empty state: all built-in chain policies ACCEPT, every rule flushed,
# every user-defined chain deleted. The binary is resolved via the fixed
# PATH set at the top of the script.
_iptab_open_family()
{
	"$1" -P INPUT ACCEPT
	"$1" -P OUTPUT ACCEPT
	"$1" -P FORWARD ACCEPT
	"$1" -F
	"$1" -X
}

# Clear the live ruleset for the address family selected by POLICYTYPE
# ("v4", "v6"; anything else clears both, IPv4 first).
# NOTE: this is fail-OPEN. Once it has run the host accepts all traffic
# until a restrictive ruleset is re-applied, so callers must follow up
# (the restore error path of this script installs an SSH-only ruleset).
iptab_clear_rules()
{
	case "$POLICYTYPE" in
		v4)
			_iptab_open_family iptables
			;;
		v6)
			_iptab_open_family ip6tables
			;;
		*)
			_iptab_open_family iptables
			_iptab_open_family ip6tables
			;;
	esac
}

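# Validate a dotted-quad IPv4 address.
#   $1  candidate address string
# Returns 0 when the whole string matches the dotted-quad pattern below
# (four octets, each 0-255 in the forms the pattern accepts; a bare 0 is
# not accepted as the first octet), 1 otherwise.
# Fix: the pattern was anchored only at the start, so trailing garbage
# ("1.2.3.4junk", "1.2.3.4 5.6.7.8") was accepted as valid; it is now
# anchored at the end as well. Exported (below) for use by helper scripts.
valid_ip()
{
	local ip=$1
	local first='(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])'
	local octet='(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)'
	local last='(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9])'

	# printf rather than echo so an argument such as "-n" is not eaten as
	# an echo option. The count is 1 for a match, 0 otherwise. IP_ADDR_VAL
	# stays a global, as before, in case a caller reads it.
	IP_ADDR_VAL=$(printf '%s\n' "$ip" | grep -Ec "^${first}\.${octet}\.${octet}\.${last}\$")
	if [ "$IP_ADDR_VAL" -gt 0 ]; then
		return 0
	fi
	return 1
}

export -f valid_ip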

#USER DEFINED PARAMETERS

# Where the ifconfig probes below send their output; /dev/null discards it.
export ERRFILE="/dev/null"

# Interface names. A trailing "+" is the iptables wildcard suffix.
export INET_IFACE_ETH0=eth0
export INTERNAL_IFACE=eth1          # CP-to-CP link on dual-CP chassis
export INTERNAL_IFACE_BP=eth2       # "BP" interface (see iptab_priv_net_put_chain_rules)
export INTERNAL_IFACE_DP=eth1       # "DP" interface (same name as INTERNAL_IFACE)
export INTERNAL_IFACE_INBD=inbd+
export DCE_IFACE="veth+"
export DCE_VLAN_IFACE="vlan+"
export BOND_IFACE=bond0
export BOND_IFACE1=bond0:1
export FC="fc"                      # prefix used to pick FC IP interfaces out of ifconfig

# Helper scripts live here (createipfchains is run from SCRDIR).
export SCRDIR="/fabos/libexec"

# Private networks that the OUTPUT filter confines internal interfaces to,
# and the two CP-internal addresses that must not answer external pings.
export PRIV_NET=10.0.0.0/28
export PRIV_NET_BP=127.1.0.0/16
export PRIV_NET_GEN6=127.3.0.0/16
export PRIV_NET_DP=127.2.0.0/16
export INTERNAL_IP1=10.0.0.5
export INTERNAL_IP2=10.0.0.6

# The generated ruleset is written here and later fed to iptables-restore.
# NOTE(review): these are fixed, predictable names under /tmp, written
# with ">" by a root process. If anything other than root can create
# entries in /tmp on this platform, a pre-placed symlink or a write between
# generation and iptables-restore would control the installed firewall
# rules; a mktemp'd, root-only file would close that window. Left as is
# because createipfchains runs with RULE_FILE exported and may rely on it.
if [ "$IPTABLES_RULES_CORRUPTION_FIX" -eq 1 ]; then
	export RULE_FILE_IPv4=/tmp/netfilter.rules.ipv4
	export RULE_FILE_IPv6=/tmp/netfilter.rules.ipv6
else
	export RULE_FILE=/tmp/netfilter.rules
fi

# Protocol keywords and the user-defined chains rules are dispatched to.
export PROTO_TCP=tcp PROTO_UDP=udp PROTO_ICMP=icmp
export R_TCP=tcp0 R_UDP=udp0 R_ICMP=icmp0
export R_TELNET=telnet0 R_SSH=ssh0 R_HTTP=http0
export R_PRIV_NET=priv_net_rule

rule_chains="tcp0 udp0 telnet0 ssh0 http0"

CREATECHAINS="createipfchains"

# Select the per-family rules file; any POLICYTYPE other than "v4" is
# treated as IPv6 here.
if [ "$IPTABLES_RULES_CORRUPTION_FIX" -eq 1 ]; then
	if [ "$POLICYTYPE" = "v4" ]; then
		export RULE_FILE=$RULE_FILE_IPv4
	else
		export RULE_FILE=$RULE_FILE_IPv6
	fi
fi

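# Determine the system platform identifier: the digits of the SWBD<n>
# token reported by /sbin/sin. SWBD ends up empty if sin is missing or
# prints no such token.
SWBD=$(/sbin/sin | sed -n -e 's/^.\+\(SWBD\)\([[:digit:]]\{1,\}\).\+$/\2/gp' 2> /dev/null)

# Choose the management-side interface name that INPUT rules are bound to,
# by platform. "eth+" is an iptables wildcard (any ethN). Unrecognised or
# empty identifiers fall back to eth0.
# Fix: the previous unquoted "[ $SWBD = ... ]" chain produced test errors
# when SWBD was empty and only reached eth0 by accident; the quoted case
# statement makes the fallback explicit.
case "$SWBD" in
	62|77|141|142|165|166)
		export INET_IFACE="bond0"
		;;
	130|150|117|148|171|178|149)
		export INET_IFACE="eth+"
		;;
	*)
		export INET_IFACE="eth0"
		;;
esac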

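# Write a diagnostic line to stderr so it never lands in the rules file
# (the rule-generating functions have stdout redirected into RULE_FILE).
#   $*  message words, joined by single spaces
# Fix: "echo $*" word-split the message and treated a leading "-n"/"-e"
# as an echo option; printf prints the text verbatim.
# NOTE(review): debug_on (set at the top) is not consulted here; gate at
# the call site if the output should be conditional.
echo_debug()
{
	printf '%s\n' "$*" >&2
}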

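# Start a fresh rules file in iptables-restore format: version stamp, the
# *filter table, and the built-in chain policies. INPUT and FORWARD default
# to DROP so anything not explicitly accepted later is dropped; OUTPUT is
# ACCEPT.
# Fix: RULE_FILE is quoted. Note that ">" truncates (and follows a symlink
# at) RULE_FILE, which is a fixed, predictable name under /tmp.
iptab_create_header()
{
	{
		echo "# Generated by createiptab $version"
		echo "*filter"
		echo ":INPUT DROP [0:0]"
		echo ":FORWARD DROP [0:0]"
		echo ":OUTPUT ACCEPT [0:0]"
	} > "$RULE_FILE"
}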



# Declare the user-defined chains listed in rule_chains (space separated)
# in iptables-restore syntax, appended to RULE_FILE; rules are added to
# them later (by createipfchains and the common rules).
iptab_create_rule_chains()
{
	local chain
	for chain in $rule_chains; do
		printf ':%s - [0:0]\n' "$chain"
	done >> "$RULE_FILE"
}


# Declare the chain that confines OUTPUT on internal interfaces to the
# private networks (appended to RULE_FILE; the caller only does this for
# the IPv4 policy).
iptab_priv_net_create_rule_chain()
{
	printf ':%s - [0:0]\n' "$R_PRIV_NET" >> "$RULE_FILE"
}


# Classify this control processor from ischassis (derived from
# getchassisconfig output) and CPSTATE ($2), and export ACTIVECP:
#   0  dual-CP chassis, this CP is Standby
#   1  dual-CP chassis, this CP is not Standby (Active)
#   2  single-CP ("pizza box") system
# ACTIVECP decides which internal-interface rules are generated later.
iptab_get_cp_association()
{
	if [ "$ischassis" != "Yes" ]; then
		ACTIVECP=2
	elif [ "$CPSTATE" = "Standby" ]; then
		ACTIVECP=0
	else
		ACTIVECP=1
	fi
	export ACTIVECP
}



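# Egress filter for the internal (CP-to-CP / backplane) interfaces.
# Emits, on stdout, OUTPUT rules that send traffic leaving each internal
# interface through the R_PRIV_NET chain, which ACCEPTs only traffic that
# stays inside the matching private subnet and REJECTs everything else.
# Reads ACTIVECP (from iptab_get_cp_association) and SWBD.
#   ACTIVECP=0  dual-CP standby: eth1 and the BP interface, unconditionally
#   ACTIVECP=2  single-CP box: only the DP/BP interfaces ifconfig reports
#   ACTIVECP=1  nothing is emitted
# Fixes: SWBD is quoted (an empty SWBD previously made the tests error);
# ifconfig is tested directly, as iptab_create_common_rules already does;
# and the terminal REJECT is emitted once, after all ACCEPTs. Previously a
# REJECT was appended right after the DP ACCEPT, so on a platform with
# both DP and BP present the BP ACCEPT that followed could never match.
iptab_priv_net_put_chain_rules()
{
	if [ "$ACTIVECP" = "0" ]; then
		echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE -j $R_PRIV_NET"
		echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_BP -j $R_PRIV_NET"
		echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET -d $PRIV_NET -j ACCEPT"
		echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_BP -d $PRIV_NET_BP -j ACCEPT"
		if [ "$SWBD" = 165 ] || [ "$SWBD" = 166 ]; then
			echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_GEN6 -d $PRIV_NET_GEN6 -j ACCEPT"
		fi
		echo "$IPTABLES -A $R_PRIV_NET -j REJECT"
	fi
	if [ "$ACTIVECP" = "2" ]; then
		# Only set up interfaces that actually exist on this system;
		# "ifconfig <iface>" fails for a missing one (output discarded).
		local have_rule=0
		if [ "$SWBD" = 148 ] || [ "$SWBD" = 171 ] || [ "$SWBD" = 178 ]; then
			if /sbin/ifconfig "$INTERNAL_IFACE_DP" >"$ERRFILE" 2>&1; then
				echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_DP -j $R_PRIV_NET"
				echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_DP -d $PRIV_NET_DP -j ACCEPT"
				have_rule=1
			fi
			if [ "$SWBD" = 178 ]; then
				if /sbin/ifconfig "$INTERNAL_IFACE_BP" >"$ERRFILE" 2>&1; then
					echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_BP -j $R_PRIV_NET"
					echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_BP -d $PRIV_NET_BP -j ACCEPT"
					have_rule=1
				fi
			fi
		else
			if /sbin/ifconfig "$INTERNAL_IFACE_BP" >"$ERRFILE" 2>&1; then
				echo "$IPTABLES -A OUTPUT -o $INTERNAL_IFACE_BP -j $R_PRIV_NET"
				echo "$IPTABLES -A $R_PRIV_NET -s $PRIV_NET_BP -d $PRIV_NET_BP -j ACCEPT"
				have_rule=1
			fi
		fi
		# One terminal REJECT, after every ACCEPT the chain got.
		if [ "$have_rule" -eq 1 ]; then
			echo "$IPTABLES -A $R_PRIV_NET -j REJECT"
		fi
	fi
}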


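# Accept all INPUT on internal interface $1 and refuse to FORWARD to or
# from it (three rules, on stdout).
_iptab_accept_internal_iface()
{
	echo "$IPTABLES -A INPUT -i $1 -j ACCEPT"
	echo "$IPTABLES -A FORWARD -o $1 -j REJECT"
	echo "$IPTABLES -A FORWARD -i $1 -j REJECT"
}

# Emit (on stdout) the rules shared by every platform; the caller appends
# stdout to RULE_FILE. Reads POLICYTYPE, CPSTATE, ACTIVECP, SWBD and the
# interface/network variables exported at the top.
#
# Flow: INPUT on the management, bond, inbd and FC interfaces is dispatched
# by protocol into the tcp0/udp0 chains (filled in by createipfchains);
# internal interfaces, DCE interfaces and loopback are accepted outright;
# IKE/ESP/AH is accepted; whatever is left is REJECTed.
#
# Fixes relative to the previous version:
#  - SWBD is quoted: with an empty SWBD the unquoted tests produced
#    "unary operator expected" errors and fell through by accident.
#  - The two DCE rules were written straight into RULE_FILE instead of to
#    stdout like every other rule; they now go to stdout too, so the
#    function has a single output channel (file content order is the same).
#  - $(...) and "${arr[@]}" replace backticks and the index loop.
iptab_create_common_rules()
{
	local iface

	# FC IP interfaces, picked out of ifconfig by the FC name prefix
	# (word-splitting into the array is intended: one name per word).
	declare -a ipfcarr
	ipfcarr=( $(/sbin/ifconfig | grep 'Link encap' | awk '{ print $1 }' | grep "$FC") )

	# default policy or all, eth1 should always be allowed because
	# two CPs talk on this. Terminator does not need eth1 rule.

	if [ "$POLICYTYPE" = "v4" ]; then
		if [ "$CPSTATE" = "Active" ]; then
			# FC IP traffic is dispatched by interface name only. The FC
			# address cannot be tied to its interface here (defect 25011:
			# Linux ARP handling with two physical interfaces on one subnet
			# corrupts the ARP cache), so no source/destination is enforced.
			for iface in "${ipfcarr[@]}"; do
				echo "$IPTABLES -A INPUT -p $PROTO_TCP -i $iface -j $R_TCP"
				echo "$IPTABLES -A INPUT -p $PROTO_UDP -i $iface -j $R_UDP"
			done
		fi

		# Do not answer echo requests for the CP-internal addresses when
		# they arrive on the management interface (or on inbd on chassis
		# platforms): keeps the internal addressing from being probed.
		echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP1 --icmp-type 8 -j DROP"
		echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP2 --icmp-type 8 -j DROP"
		case "$SWBD" in
			83|62|77|141|142|165|166)
				echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_INBD -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP1 --icmp-type 8 -j DROP"
				echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_INBD -p $PROTO_ICMP -m $PROTO_ICMP -d $INTERNAL_IP2 --icmp-type 8 -j DROP"
				;;
		esac
		# Echo reply (0) and echo request (8) are accepted from anywhere,
		# on any interface, without rate limiting.
		# NOTE(review): consider "-m limit" on type 8 if ping floods are a
		# concern on this platform.
		echo "$IPTABLES -A INPUT -p $PROTO_ICMP -m $PROTO_ICMP --icmp-type 0 -j ACCEPT"
		echo "$IPTABLES -A INPUT -p $PROTO_ICMP -m $PROTO_ICMP --icmp-type 8 -j ACCEPT"
		# Defect 221041, allow fragmentation-needed ICMP packets so we can tunnel management traffic
		echo "$IPTABLES -A INPUT -p $PROTO_ICMP --icmp-type fragmentation-needed -j ACCEPT"
	elif [ "$POLICYTYPE" = "v6" ]; then
		# Rate-limit router advertisements (20/min, burst 3) and drop the
		# excess: an RA flood caused a switch panic (RA DoS).
		echo "$IPTABLES -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m limit --limit 20/m --limit-burst 3 -j ACCEPT"
		echo "$IPTABLES -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP"
		# echo "$IPTABLES -A INPUT -p icmpv6 -j LOG"
		# All other ICMPv6 is accepted. NOTE(review): this is broader than
		# strictly needed; narrowing it to the required types is still
		# open work.
		echo "$IPTABLES -A INPUT -p icmpv6 -j ACCEPT"
	fi

	# These two rules should not be removed at all, as this rule redirects
	# all incoming packets to tcp and udp chains.
	case "$SWBD" in
		148|171|178)
			echo "$IPTABLES -A INPUT -i $INET_IFACE_ETH0 -p $PROTO_TCP -j $R_TCP"
			echo "$IPTABLES -A INPUT -i $INET_IFACE_ETH0 -p $PROTO_UDP -j $R_UDP"
			;;
		*)
			echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_TCP -j $R_TCP"
			echo "$IPTABLES -A INPUT -i $INET_IFACE -p $PROTO_UDP -j $R_UDP"
			;;
	esac
	echo "$IPTABLES -A INPUT -i $BOND_IFACE -p $PROTO_TCP -j $R_TCP"
	echo "$IPTABLES -A INPUT -i $BOND_IFACE -p $PROTO_UDP -j $R_UDP"
	echo "$IPTABLES -A INPUT -i $BOND_IFACE1 -p $PROTO_TCP -j $R_TCP"
	echo "$IPTABLES -A INPUT -i $BOND_IFACE1 -p $PROTO_UDP -j $R_UDP"

	#
	# Internal BP/DP interfaces (IPv4 only, and only where ifconfig finds
	# them): accept everything arriving on them and never forward between
	# them and anything else.
	#
	if [ "$POLICYTYPE" = "v4" ]; then
		case "$SWBD" in
			148|171|178)
				if /sbin/ifconfig "$INTERNAL_IFACE_DP" >"$ERRFILE" 2>&1; then
					_iptab_accept_internal_iface "$INTERNAL_IFACE_DP"
				fi
				if [ "$SWBD" = 178 ] && /sbin/ifconfig "$INTERNAL_IFACE_BP" >"$ERRFILE" 2>&1; then
					_iptab_accept_internal_iface "$INTERNAL_IFACE_BP"
				fi
				;;
			*)
				if /sbin/ifconfig "$INTERNAL_IFACE_BP" >"$ERRFILE" 2>&1; then
					_iptab_accept_internal_iface "$INTERNAL_IFACE_BP"
				fi
				;;
		esac
	fi

	#
	# setup to always receive anything on DCE interfaces (veth+/vlan+)
	#
	echo "$IPTABLES -A INPUT -i $DCE_IFACE -j ACCEPT"
	echo "$IPTABLES -A INPUT -i $DCE_VLAN_IFACE -j ACCEPT"

	# Dual-CP chassis (active or standby): the CP-to-CP link is trusted;
	# accept all INPUT on it and never forward through it.
	if [ "$ACTIVECP" != "2" ]; then
		_iptab_accept_internal_iface "$INTERNAL_IFACE"

	#	echo "$IPTABLES -A INPUT -s $PRIV_NET -j REJECT"
	#	echo "$IPTABLES -A INPUT -d $PRIV_NET -j REJECT"
	fi

	echo "$IPTABLES -A INPUT -i lo -j ACCEPT"

	case "$SWBD" in
		83|62|77|141|142|165|166)
			# inbd0/inbd1 are not up yet at this point; the "inbd+"
			# wildcard covers them once they appear.
			echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_INBD -p $PROTO_TCP -j $R_TCP"
			echo "$IPTABLES -A INPUT -i $INTERNAL_IFACE_INBD -p $PROTO_UDP -j $R_UDP"
			;;
	esac

	#
	# allow AH, ESP and IKE packets, in and out, from any source and on any
	# interface. ("--j" is kept exactly as emitted before; iptables
	# presumably parses it as an abbreviation of --jump.)
	# NOTE(review): IKE/ESP/AH are not restricted to the management
	# interface; bind them with "-i $INET_IFACE" if the internal links
	# never carry IPsec.
	#
	echo "$IPTABLES -A INPUT -p udp --dport 500 --j ACCEPT"
	if [ "$POLICYTYPE" = "v6" ]; then
		# dhclient (UDP 546)
		echo "$IPTABLES -A INPUT -p udp --dport 546 --j ACCEPT"
	fi
	echo "$IPTABLES -A INPUT -p esp -j ACCEPT"
	echo "$IPTABLES -A INPUT -p ah -j ACCEPT"
	echo "$IPTABLES -A OUTPUT -p udp --dport 500 --j ACCEPT"
	echo "$IPTABLES -A OUTPUT -p esp -j ACCEPT"
	echo "$IPTABLES -A OUTPUT -p ah  -j ACCEPT"
	if [ "$POLICYTYPE" = "v6" ]; then
		# Skybolt / Gen6 and later: accept IPv6 packets with no "Next
		# Header" (IPv6 Core Conformance). The counter of this ipv6header
		# rule also tracks packets with IANA-unassigned next-header values;
		# the acceptance logic lives in the kernel's ipv6 netfilter stack.
		# NOTE(review): keyed on one exact kernel version string, so the
		# rule silently stops being emitted on any other kernel.
		if [ "$(uname -r)" = "2.6.34.6" ]; then
			echo "$IPTABLES -A INPUT -m ipv6header --header none --soft --j ACCEPT"
		fi
	fi

	# Final REJECT (not DROP) so clients get an immediate error instead of
	# hanging on a timeout; this was discovered with firmwaredownload.
	# Trade-off: REJECT tells a scanner that a filtering host is present.
	echo "$IPTABLES -A INPUT -j REJECT"

	# Chain policy for anything not matched above. The header already sets
	# INPUT to DROP, and the REJECT rule means this is not normally reached.
	echo "$IPTABLES -P INPUT DROP"

} # iptab_create_common_rules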

#///////////////////////////////
################################
# start of this script
################################
#///////////////////////////////
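# Policy file for this (POLICYTYPE, CPSTATE) pair, its copy from the
# previous run, and a backup used if the copy fails.
# NOTE(review): both name components come straight from argv, so this
# script must only be invoked with trusted arguments; an unexpected value
# selects an unexpected path under /etc/fabos and /tmp.
POLICYFILE="/etc/fabos/ipfpolicy.${POLICYTYPE}.${CPSTATE}.txt"
BACKUP_POLICYFILE="/tmp/ipfpolicy.${POLICYTYPE}.${CPSTATE}.txt"
POLICYFILE_OLD="/tmp/old_ipfpolicy.${POLICYTYPE}.${CPSTATE}.txt"

NEW_IPFCFILE="/etc/fabos/ipfc.txt"
OLD_IPFCFILE="/tmp/oldipfc.txt"
OLD_4RULESFILE="/tmp/oldip4rule.txt"
OLD_6RULESFILE="/tmp/oldip6rule.txt"

# Nothing to do without a policy file.
if [ ! -f "$POLICYFILE" ]; then
	exit 1
fi

# Snapshot the current FC IP addresses; compared below against the copy
# kept from the previous run, and moved over it at the end of a full run.
# Fix: this was ">>" (append). Because the early exits below leave the
# file in place, appending made the snapshot accumulate stale copies and
# defeated the unchanged-input check that relies on its hash. Assumes
# ipaddripfcshow is the only writer of this file.
/fabos/cliexec/ipaddripfcshow >"$NEW_IPFCFILE"

# Skip regeneration when neither the policy file nor the FC address
# snapshot changed since the last run. md5sum is used purely as a
# change detector here, not as an integrity control.
if [ -f "$POLICYFILE_OLD" ]; then
	HASH_NEW=$(/usr/bin/md5sum "$POLICYFILE")
	HASH_NEW=${HASH_NEW%% *}
	HASH_OLD=$(/usr/bin/md5sum "$POLICYFILE_OLD")
	HASH_OLD=${HASH_OLD%% *}
	if [ "$HASH_NEW" = "$HASH_OLD" ]; then
		if [ ! -f "$OLD_IPFCFILE" ]; then
			exit 0
		fi
		IPFCHASH_NEW=$(/usr/bin/md5sum "$NEW_IPFCFILE")
		IPFCHASH_NEW=${IPFCHASH_NEW%% *}
		IPFCHASH_OLD=$(/usr/bin/md5sum "$OLD_IPFCFILE")
		IPFCHASH_OLD=${IPFCHASH_OLD%% *}
		if [ "$IPFCHASH_NEW" = "$IPFCHASH_OLD" ]; then
			exit 0
		fi
	fi
fi

# ischassis <- the word following "Chassis based system: " in the
# getchassisconfig output. The unquoted echo deliberately flattens the
# output onto one line so the second sed can cut at the next space.
chassis_info=$(getchassisconfig)

export ischassis=$(echo $chassis_info | sed -n -e 's/.*Chassis based system: //p' | \
    sed -n -e 's/ .*//p')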

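# Build the complete rules file: header, chain declarations, the per-service
# chains from createipfchains, the private-net egress rules (v4 only), the
# common rules, and COMMIT.
# Fix: the exit status checked after createipfchains was that of the
# intervening /bin/sync, not of createipfchains itself, so a failing helper
# went unnoticed; the status is now captured before sync.
# NOTE(review): on failure this clears the live ruleset (all policies
# ACCEPT) and exits without re-applying anything - a fail-open state -
# whereas the restore failure path at the bottom of the script installs an
# SSH-only fallback. Consider the same fallback here.
iptab_netfilter_rule_create()
{
	local rc

	iptab_create_header

	# get switch type, term/Ulysses and cp type for Ulysses
	iptab_get_cp_association

	# create rule chain names
	iptab_create_rule_chains

	# The private-net chain exists only for the IPv4 stack.
	if [ "$POLICYTYPE" = "v4" ]; then
		iptab_priv_net_create_rule_chain
	fi

	# createipfchains gets the same policy type and CP state; RULE_FILE is
	# exported, so it presumably appends the service chain rules there.
	"$SCRDIR/$CREATECHAINS" "$POLICYTYPE" "$CPSTATE"
	rc=$?

	/bin/sync

	if [ "$rc" -ne 0 ]; then
		iptab_clear_rules
		exit 1
	fi

	if [ "$POLICYTYPE" = "v4" ]; then
		iptab_priv_net_put_chain_rules >> "$RULE_FILE"
	fi

	iptab_create_common_rules >> "$RULE_FILE"

	/bin/sync

	echo "COMMIT" >> "$RULE_FILE"
	echo "# Completed" >> "$RULE_FILE"
}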
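# Apply the SSH-only emergency ruleset with $1 (iptables or ip6tables
# binary): flush, DROP inbound and forwarded traffic, allow outbound, and
# accept only TCP to the ssh port.
_iptab_ssh_only()
{
	"$1" -F
	"$1" -P INPUT DROP
	"$1" -P FORWARD DROP
	"$1" -P OUTPUT ACCEPT
	"$1" -A INPUT -p tcp --dport ssh -j ACCEPT
}

# Emergency fallback used when the generated ruleset cannot be installed,
# so the box stays reachable for repair without being wide open.
# Fix: this only ever touched iptables. When the failing policy is the IPv6
# one, iptab_clear_rules has just set every ip6tables policy to ACCEPT, so
# IPv6 was left completely open while IPv4 was locked down; the same
# SSH-only ruleset is now applied to ip6tables in that case.
# Caveat: as written the ruleset has no loopback or connection-tracking
# rule, so local services talking over lo and replies to outbound
# connections are dropped too while this fallback is active.
iptable_netfilter_rule_ssh()
{
	_iptab_ssh_only /sbin/iptables
	if [ "$POLICYTYPE" = "v6" ]; then
		_iptab_ssh_only /sbin/ip6tables
	fi
}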

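# ---- install the generated rules ------------------------------------
# Pick the restore tool and the archive name for a failed rules file by
# address family; everything else is identical for v4 and v6 (the two
# copies of the retry loop are folded into one).
if [ "$POLICYTYPE" = "v4" ]; then
	RESTORE_BIN=/sbin/iptables-restore
	OLD_RULESFILE=$OLD_4RULESFILE
else
	RESTORE_BIN=/sbin/ip6tables-restore
	OLD_RULESFILE=$OLD_6RULESFILE
fi

if [ "$IPTABLES_RULES_CORRUPTION_FIX" -eq 1 ]; then
	retry_count=0
fi
iptab_netfilter_rule_create

# Corruption work-around: syntax-check the file ("-t" only tests, it does
# not load); on failure keep the bad copy as RULE_FILE<n> and regenerate,
# up to three times.
if [ "$IPTABLES_RULES_CORRUPTION_FIX" -eq 1 ]; then
	while [ "$retry_count" -lt 3 ]; do
		if "$RESTORE_BIN" -t < "$RULE_FILE" >/dev/null 2>&1; then
			break
		fi
		/bin/mv "$RULE_FILE" "$RULE_FILE$retry_count"
		retry_count=$((retry_count + 1))
		iptab_netfilter_rule_create
	done
fi

# Load the rules for real. Output is discarded here; on failure the load
# is repeated below with its output captured for diagnosis.
if ! "$RESTORE_BIN" < "$RULE_FILE" >/dev/null 2>&1; then
	iptab_clear_rules
	echo "ERROR: Failed to enforce new iptables rules"

	if [ -f "$RULE_FILE" ]; then
		ERRFILE="/tmp/oldrules.$(/bin/date +%s).txt"
		# Fix: iptables-restore reports errors on stderr, which the
		# previous ">>" alone did not capture, leaving this file empty.
		# NOTE(review): this second run is a real load attempt, not "-t";
		# if it unexpectedly succeeds the rules are installed before the
		# SSH-only fallback below runs.
		"$RESTORE_BIN" < "$RULE_FILE" >> "$ERRFILE" 2>&1
		/bin/mv "$RULE_FILE" "$OLD_RULESFILE"
	fi
	# Fail closed rather than open: after iptab_clear_rules the host
	# accepts everything, so lock it down to SSH before exiting.
	iptable_netfilter_rule_ssh
	exit 1
fi

# Remember what was installed so the next run can skip unchanged input.
# The policy file is consumed (moved, not copied); presumably the caller
# drops a fresh one before the next invocation.
if ! /bin/mv "$POLICYFILE" "$POLICYFILE_OLD"; then
	if [ "$IPTABLES_RULES_CORRUPTION_FIX" -eq 1 ]; then
		echo "Retrying with backup of policy file"
		if ! /bin/cp "$BACKUP_POLICYFILE" "$POLICYFILE_OLD"; then
			echo "Restoring from backup policy file failed"
		fi
	fi
fi
/bin/mv "$NEW_IPFCFILE" "$OLD_IPFCFILE"

exit 0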
# add forwarding rule, let it be commented, can be uncommented when needed
# if uncommented, FORWARD rule also must be changed to ACCEPT
# echo "1" > /proc/sys/net/ipv4/ip_forward
