#!/bin/bash
set -e
#Copyright (c) 1999, William L. Stearns <wstearns@pobox.com>
#See top of Mason script for copyright and licensing information.

CKPTMGT=" mgt: Ground0" ; #ckpt $CKPTMGT

MASONDIR=${MASONDIR:-"/var/lib/mason/"}
MASONCONF=${MASONCONF:-"/etc/masonrc"}
MASONLIB=${MASONLIB:-"${MASONDIR}masonlib"}
#MASONLIB=${MASONLIB:-"${MASONDIR}masonlib"}	#My editor of choice (mcedit) gets quoting backwards if there is an odd number of these.

if [ -f $MASONLIB ]; then
	. $MASONLIB
else
	echo Missing $MASONLIB library file.  Please get a complete copy of Mason from >/dev/stderr
	echo http://www.pobox.com/~wstearns/mason/ .  Exiting. >/dev/stderr
	exit
fi

trap preexit 0

if [ -f $MASONCONF ]; then
	. $MASONCONF
fi

CKPTMGT=" mgt: start" ; #ckpt $CKPTMGT

checksys
checkconf

CKPTMGT=" mgt: trap" ; #ckpt $CKPTMGT

mgtcleanup () {
	if [ -n "$VIEWTAILPID" ]; then	kill -TERM $VIEWTAILPID 2>/dev/null || true ;	VIEWTAILPID="" ;			fi
	if [ -n "$MASONTAILPID" ]; then	kill -TERM $MASONTAILPID 2>/dev/null || true ;	MASONTAILPID="" ; sleep 1 ;	fi
	if [ -n "$MASONPID" ]; then
		kill -HUP $MASONPID 2>/dev/null || true
		sleep 2
		kill -TERM $MASONPID 2>/dev/null || true
		MASONPID=""
	fi
	CKPTMGT=""
	echo
	echo Exiting - you may need to reset the firewall...
	exit
}
trap mgtcleanup SIGINT		#Ctrl-C generates this

EXITCONTROL="NO"
MASONPID=""
MASONTAILPID=""
VIEWTAILPID=""

while [ ! "$EXITCONTROL" = "YES" ]; do
	clear
	echo "---- Mason firewall builder for Linux                         ----"
	echo "---- Learning shell for Mason.                                ----"
	echo "---- see http://www.pobox.com/~wstearns/mason/ for more info. ----"
	echo "---- William Stearns <wstearns@pobox.com>                     ----"
#FIXME - use a /var/run file to hold status
	if [ -n "$MASONPID$MASONTAILPID" ]; then
		echo Mason is currently in learn mode.
		echo
		echo EL: End Learning.
	else
		echo Mason IS NOT currently learning.
		echo
		echo BL: Begin Learning.
	fi
	echo EB: Edit Base firewall rule file.	#=> end learn
	echo EN: Edit New firewall rule file.	#=> end learn, ask to merge rulefiles when done
	echo MR: Merge Rules from new to base.
	echo CS: Change Mason settings.			#=> sigusr1 mason when done
	echo LC: Lock this terminal and display new rules.
	echo Q: Quit.
	CKPTMGT=" mgt: Waiting for main menu choice" ; #ckpt $CKPTMGT
	read CHOICE
	CKPTMGT=" mgt: Calling $CHOICE" ; #ckpt $CKPTMGT
	case $CHOICE in
	[Bb][Ll])
		echo Begin Learning.
		echo 
		flushfirewall
		runlearnfirewall
		( nohup tail -f --lines=0 $PACKETLOGFILE | $MASONEXE >>$NEWRULEFILE ) &
		MASONTAILPID="$MASONTAILPID `ps axf | grep -v grep | grep -A 1 $! | tail -1 | awk '{print $1}'`"	#I am open to ideas on better ways to figure out the pid of the tail command.  Anyone?  Bueller?
		MASONPID="$MASONPID `ps axf | grep -v grep | grep -A 2 $! | tail -1 | awk '{print $1}'`"
		echo Mason is now running in the background.  I will be showing the log 
		echo output.  Press Enter when you want to return to the main menu - Mason
		echo will continue to run in the background until you choose \"EL\" from the
		echo main menu.
		#tail -f --lines=0 $PACKETLOGFILE $NEWRULEFILE &
		tail -f --lines=0 $NEWRULEFILE &
		VIEWTAILPID="$VIEWTAILPID $!"
		echo Press ENTER to return to the main menu
		read JUNK
		kill -TERM $VIEWTAILPID 2>/dev/null || true ; VIEWTAILPID=""
																;;
	[Ee][Ll])
		echo End Learning.
		if [ -n "$MASONTAILPID" ]; then	kill -TERM $MASONTAILPID 2>/dev/null || true ;	MASONTAILPID="" ; sleep 1 ;	fi
		if [ -n "$MASONPID" ]; then		kill -HUP $MASONPID 2>/dev/null || true ;		MASONPID="" ;				fi
		flushfirewall
		runstandardfirewall
																;;
	[Ee][Bb])
		echo Edit Base rule file.
		if [ -z "$EDITOR" ]; then
			echo EDITOR was not set in your environment
			echo Please set it with something like \"export EDITOR=mcedit\"
		else
			cp -pf $BASERULEFILE $BASERULEFILE.bak
			$EDITOR $BASERULEFILE
#FIXME - more accurate check
			if diff $BASERULEFILE $BASERULEFILE.bak >/dev/null ; then
				echo No changes made.
			else
				echo Changes made, restarting firewall
				flushfirewall
				if [ -n "$MASONPID$MASONTAILPID" ]; then
					runlearnfirewall
				else
					runstandardfirewall
				fi
			fi
		fi
																;;
	[Ee][Nn])		
		echo Edit the new rule file.
		if [ -z "$EDITOR" ]; then
			echo EDITOR was not set in your environment
			echo Please set it with something like \"export EDITOR=mcedit\"
		else
			if [ -n "$MASONPID$MASONTAILPID" ]; then echo Ending the learn process. ;										fi
			if [ -n "$MASONTAILPID" ]; then kill -TERM $MASONTAILPID 2>/dev/null || true ;	MASONTAILPID="" ; sleep 1 ; fi
			if [ -n "$MASONPID" ]; then		kill -HUP $MASONPID 2>/dev/null || true ;		MASONPID="" ;				fi
			uniqrulefile $NEWRULEFILE
			$EDITOR $NEWRULEFILE
			if diff $NEWRULEFILE $NEWRULEFILE.bak >/dev/null ; then
				echo No changes made.
			else
				if [ -n "$MASONPID$MASONTAILPID" ]; then
					echo Changes made, restarting firewall
					flushfirewall
					runlearnfirewall
				else
					echo Changes made, but no need to restart firewall.
				fi
			fi
		fi
																;;
	[Mm][Rr])
		echo Do you want to merge some, all, or none of the rules in this file
		echo to the base rule file?  Enter \"some\", \"all\", or \"none\".
		read WHATTOMERGE
		case $WHATTOMERGE in
		[Aa][Ll][Ll])
			cp -pf $BASERULEFILE $BASERULEFILE.bak
			uniqrulefile $NEWRULEFILE
			echo "#Rules merged from the new rule file:"	>>$BASERULEFILE
			#cat $NEWRULEFILE | sed -e 's/^/#/'				>>$BASERULEFILE #Use this version if you want to force them commented
			cat $NEWRULEFILE								>>$BASERULEFILE
			cat /dev/null >$NEWRULEFILE
			echo You will probably want to edit the base rule file next.
																	;;
		[Ss][Oo][Mm][Ee])
			echo What string identifies the rules to merge?
			read MERGEID
			echo There are `grep "$MERGEID" $NEWRULEFILE | wc -l` rules with that ID, and
			echo `grep -v "$MERGEID" $NEWRULEFILE | wc -l` lines without it, `cat $NEWRULEFILE | wc -l` total.
			echo Do you want to continue \(yes/no\)?
			read YESNO
			case $YESNO in
			[Yy][Ee][Ss]|[Yy])
				cp -pf $BASERULEFILE $BASERULEFILE.bak
				uniqrulefile $NEWRULEFILE
				echo "#Rules merged from the new rule file:"	>>$BASERULEFILE
				#cat $NEWRULEFILE | grep "$MERGEID" | sed -e 's/^/#/'	>>$BASERULEFILE
				cat $NEWRULEFILE | grep "$MERGEID"						>>$BASERULEFILE
				cat $NEWRULEFILE | grep -v "$MERGEID" >$NEWRULEFILE.tmp
				cat $NEWRULEFILE.tmp >$NEWRULEFILE
				rm -f $NEWRULEFILE.tmp
				echo You will probably want to edit the base rule file next.
																		;;
			*)	echo Aborting merge.									;;
			esac
																	;;
		esac
																;;
	[Cc][Ss])
		if [ -z "$EDITOR" ]; then
			echo EDITOR was not set in your environment
			echo Please set it with something like \"export EDITOR=mcedit\"
		else
			#echo Here are the non-comment lines in $MASONCONF:
			#echo
			#cat $MASONCONF | sed -e 's/#.*//' | grep -v '^$' | uniq
			#echo
			#echo Press enter to edit this file
			#read JUNK
			cp -pf $MASONCONF ${MASONDIR}masonrc.bak
			$EDITOR $MASONCONF
			if diff $MASONCONF ${MASONDIR}masonrc.bak >/dev/null ; then
				echo No changes made.
				rm -f ${MASONDIR}masonrc.bak
			else
				if [ -f $MASONCONF ]; then
					. $MASONCONF
				fi
				checkconf
				if [ -n "$MASONPID$MASONTAILPID" ]; then
					echo Changes made, signalling mason to reread configuration.
					killall -USR1 mason 2>/dev/null || true
				else
					echo Changes made.
				fi
			fi
		fi
																;;
	[Ll][Cc])
		if [ `type -path vlock` = "" ]; then
			echo The vlock utility is not on this system.
			echo It is required to be able to lock the console.
			echo Once installed, this option will be available again.
			sleep 15
		else
			if [ -n "$MASONPID$MASONTAILPID" ]; then
				#tail -f --lines=0 $PACKETLOGFILE $NEWRULEFILE &
				tail -f --lines=0 $NEWRULEFILE &
				VIEWTAILPID="$VIEWTAILPID $!"
			else
				echo Mason is not currently learning, but I will lock this terminal anyways.
			fi	
			vlock
			if [ -n "$VIEWTAILPID" ]; then	kill -TERM $VIEWTAILPID 2>/dev/null || true ; VIEWTAILPID="" ;			fi
		fi
																;;
	[Qq])
		EXITCONTROL="YES"
		echo Exiting.  Returning to the standard firewall.
		if [ -n "$VIEWTAILPID" ]; then	kill -TERM $VIEWTAILPID 2>/dev/null || true ;	VIEWTAILPID="" ;			fi
		if [ -n "$MASONTAILPID" ]; then	kill -TERM $MASONTAILPID 2>/dev/null || true ;	MASONTAILPID="" ; sleep 1 ;	fi
		if [ -n "$MASONPID" ]; then		kill -HUP $MASONPID 2>/dev/null || true ;		MASONPID="" ;				fi
		flushfirewall
		runstandardfirewall
																;;
	*)	echo Unknown choice.  Please enter the one or two character code.
																;;
	esac

	sleep 2
done

CKPTMGT=""

