#!/bin/bash
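set -e
#Copyright (c) 1999, William L. Stearns <wstearns@pobox.com>
#See top of Mason script for copyright and licensing information.

# Locations of the Mason state directory, configuration file and shell library.
# Each may be overridden from the environment.  MASONLIB is built by appending
# to MASONDIR, so the default MASONDIR must keep its trailing slash.
MASONDIR=${MASONDIR:-"/var/lib/mason/"}
MASONCONF=${MASONCONF:-"/etc/masonrc"}
MASONLIB=${MASONLIB:-"${MASONDIR}masonlib"}

# The library is mandatory: checksys, checkconf and the firewall helpers used
# later in this script come from it (presumably, together with the *RULEFILE,
# PACKETLOGFILE and MASONEXE settings — confirm against masonlib).  A missing
# library is a real failure, so exit non-zero instead of the original's "exit".
if [ -f "$MASONLIB" ]; then
	. "$MASONLIB"
else
	echo "Missing $MASONLIB library file. Please get a complete copy of Mason from" >&2
	echo "http://www.pobox.com/~wstearns/mason/ . Exiting." >&2
	exit 1
fi
# The configuration file is optional and is sourced after the library so its
# settings take precedence.
if [ -f "$MASONCONF" ]; then
	. "$MASONCONF"
fi
checksys
checkconf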

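#######################################
# Process bookkeeping.  Only processes this shell started are ever signalled
# (the original used "killall -9 tail", which hit every tail on the system and,
# when no tail existed, made "set -e" abort the script before the firewall was
# reset).
#   LEARNPID - last stage of the learner pipeline started by "BL" (Mason)
#   VIEWPID  - on-screen log viewer started by "BL" or "LC"
#######################################
EXITCONTROL="NO"
ISLEARNING="NO"
LEARNPID=""
VIEWPID=""

#######################################
# Stop the on-screen log viewer, if one is running.
# Globals: VIEWPID (read, cleared)
#######################################
stop_viewer() {
	if [ -n "$VIEWPID" ]; then
		kill "$VIEWPID" 2>/dev/null || true
		VIEWPID=""
	fi
}

#######################################
# Show new packet-log lines and new rules on the terminal until stop_viewer.
# Globals: PACKETLOGFILE, NEWRULEFILE (read); VIEWPID (written)
#######################################
start_viewer() {
	tail -f --lines=0 -- "$PACKETLOGFILE" "$NEWRULEFILE" &
	VIEWPID=$!
}

#######################################
# Start the learner: feed new packet-log lines to Mason, appending the rules it
# emits to the new rule file.  The whole pipeline is backgrounded, so $! is the
# PID of its last stage (Mason) — the process EL and CS need to signal.
# Globals: PACKETLOGFILE, MASONEXE, NEWRULEFILE (read); LEARNPID, ISLEARNING (written)
#######################################
start_learning() {
	flushfirewall
	runlearnfirewall
	# MASONEXE is left unquoted as in the original in case it carries options;
	# NOTE(review): confirm whether it is the Mason binary itself or a wrapper,
	# since LEARNPID is signalled directly below.
	# shellcheck disable=SC2086
	nohup tail -f --lines=0 -- "$PACKETLOGFILE" | $MASONEXE >>"$NEWRULEFILE" &
	LEARNPID=$!
	ISLEARNING="YES"
}

#######################################
# Stop the learner started by start_learning.  The feeding tail (a child of
# this shell) is terminated and Mason gets SIGHUP, as the original did via
# killall, but nothing outside this shell's own children is touched.  The
# firewall is left as-is; callers choose which rule set to load next.
# Globals: LEARNPID, VIEWPID, ISLEARNING (written)
#######################################
stop_learning() {
	stop_viewer
	# With the viewer gone, the feeder is the only child named "tail".  If pkill
	# is unavailable the feeder ends on its own with SIGPIPE the next time it
	# writes to the dead Mason.
	if command -v pkill >/dev/null 2>&1; then
		pkill -P $$ -x tail 2>/dev/null || true
	fi
	if [ -n "$LEARNPID" ]; then
		kill -HUP "$LEARNPID" 2>/dev/null || true
		LEARNPID=""
	fi
	ISLEARNING="NO"
}

#######################################
# Sort the new rule file on everything after the first '#' (whole line as the
# tie-breaker) and drop duplicate lines, rewriting it in place so its
# permissions survive.  "-k 2" is the POSIX spelling of the obsolete "+1" key
# the original used, which current sort implementations reject.
# Globals: NEWRULEFILE (read/written)
#######################################
sort_new_rules() {
	local sorted
	sorted=$(mktemp "${NEWRULEFILE}.XXXXXX")
	sort -t '#' -k 2 -- "$NEWRULEFILE" | uniq >"$sorted"
	cat -- "$sorted" >"$NEWRULEFILE"	#This preserves the permissions of fwrules
	rm -f -- "$sorted"
}

#######################################
# Print the how-to-set-EDITOR hint when EDITOR is unset.
# Returns: 0 when EDITOR is set, 1 otherwise
#######################################
have_editor() {
	if [ -z "$EDITOR" ]; then
		echo "EDITOR was not set in your environment"
		echo 'Please set it with something like "export EDITOR=mcedit"'
		return 1
	fi
	return 0
}

#######################################
# Run $EDITOR on a file, keeping a backup copy, and report whether it changed.
# $EDITOR is deliberately unquoted so a value such as "vim -u NONE" keeps
# working, as it did in the original.
# Arguments: $1 - file to edit; $2 - path for the backup copy
# Returns: 0 if the file differs from the backup afterwards, 1 if unchanged
#######################################
edit_file() {
	local file=$1 backup=$2
	cp -pf -- "$file" "$backup"
	# shellcheck disable=SC2086
	$EDITOR "$file"
	! diff -- "$file" "$backup" >/dev/null
}

#######################################
# Ctrl-C handler: stop the viewer and feeder tails this shell started and leave.
# The firewall is not reset here, hence the reminder.
#######################################
on_interrupt() {
	stop_viewer
	if command -v pkill >/dev/null 2>&1; then
		pkill -P $$ -x tail 2>/dev/null || true
	fi
	echo
	echo "Exiting - you may need to reset the firewall..."
	exit 130
}
trap on_interrupt SIGINT		#Ctrl-C generates this

while [ "$EXITCONTROL" != "YES" ]; do
	clear
	echo "---- Mason firewall builder for Linux                         ----"
	echo "---- Learning shell for Mason.                                ----"
	echo "---- see http://www.pobox.com/~wstearns/mason/ for more info. ----"
	echo "---- William Stearns <wstearns@pobox.com>                     ----"
#FIXME - use a /var/run file to hold status
	if [ "$ISLEARNING" = "YES" ]; then
		echo "Mason is currently in learn mode."
	else
		echo "Mason IS NOT currently learning."
	fi
	echo
	echo "BL: Begin Learning."
	echo "EL: End Learning."
	echo "EB: Edit Base firewall rule file."	#=> end learn
	echo "EN: Edit New firewall rule file."	#=> end learn, ask to merge rulefiles when done
	echo "MR: Merge Rules from new to base."
	echo "CS: Change Mason settings."			#=> sigusr1 mason when done
	echo "LC: Lock this terminal and display new rules."
	echo "Q: Quit."
	# EOF on stdin ends the menu (the original's "set -e" exited here as well);
	# the learner, if any, keeps running just as it would have.
	read -r CHOICE || break
	case $(printf '%s' "$CHOICE" | tr 'A-Z' 'a-z') in
	bl)
		echo "Begin Learning."
		echo
		# Starting a second learner would write every rule twice.
		if [ "$ISLEARNING" = "YES" ]; then
			echo "Mason is already learning; showing its output."
		else
			start_learning
		fi
		echo "Mason is now running in the background. I will be showing the log"
		echo "output. Press Enter when you want to return to the main menu - Mason"
		echo 'will continue to run in the background until you choose "EL" from the'
		echo "main menu."
		start_viewer
		echo "Press ENTER to return to the main menu"
		read -r JUNK || true
		# Only the viewer is stopped.  The original captured BACKPID before
		# starting the viewer, so "kill -9 $BACKPID" hit the learner instead.
		stop_viewer
		;;
	el)
		echo "End Learning."
		stop_learning
		flushfirewall
		runstandardfirewall
		;;
	eb)
		echo "Edit Base rule file."
		if have_editor; then
			if edit_file "$BASERULEFILE" "${BASERULEFILE}.bak"; then
				echo "Changes made, restarting firewall"
				flushfirewall
				if [ "$ISLEARNING" = "YES" ]; then
					runlearnfirewall
				else
					runstandardfirewall
				fi
			else
				echo "No changes made."
			fi
		fi
		;;
	en)
		echo "Edit the new rule file."
		if have_editor; then
			if [ "$ISLEARNING" = "YES" ]; then
				echo "Ending the learn process."
				stop_learning
			fi
			# The backup is taken before sorting, as in the original, so a
			# reordering alone already counts as "changes made".
			cp -pf -- "$NEWRULEFILE" "${NEWRULEFILE}.bak"
			sort_new_rules
			# shellcheck disable=SC2086
			$EDITOR "$NEWRULEFILE"
			if diff -- "$NEWRULEFILE" "${NEWRULEFILE}.bak" >/dev/null; then
				echo "No changes made."
			else
				# Learning was ended above, so there is never a learn firewall
				# to restart here (the original's restart branch was unreachable).
				echo "Changes made, but no need to restart firewall."
			fi
		fi
		;;
	mr)
		echo "Do you want to merge some, all, or none of the rules in this file"
		echo 'to the base rule file? Enter "some", "all", or "none".'
		read -r WHATTOMERGE || WHATTOMERGE=none
		case $WHATTOMERGE in
		all)
			cp -pf -- "$BASERULEFILE" "${BASERULEFILE}.bak"
			cp -pf -- "$NEWRULEFILE" "${NEWRULEFILE}.bak"
			sort_new_rules
			echo "#Rules merged from the new rule file:"	>>"$BASERULEFILE"
			#sed -e 's/^/#/' -- "$NEWRULEFILE"			>>"$BASERULEFILE" #Use this version if you want to force them commented
			cat -- "$NEWRULEFILE"					>>"$BASERULEFILE"
			: >"$NEWRULEFILE"
			echo "You will probably want to edit the base rule file next."
			;;
		some)
			echo "What string identifies the rules to merge?"
			read -r MERGEID
			# "-e" keeps an ID beginning with "-" from being taken as a grep
			# option; the ID is still a basic regular expression, as before.
			# grep exits 1 when a side is empty, which must not trip "set -e".
			matched=$(grep -c -e "$MERGEID" -- "$NEWRULEFILE") || true
			unmatched=$(grep -c -v -e "$MERGEID" -- "$NEWRULEFILE") || true
			total=$(wc -l <"$NEWRULEFILE" | tr -d ' ')
			echo "There are $matched rules with that ID, and"
			echo "$unmatched lines without it, $total total."
			echo "Do you want to continue (yes/no)?"
			read -r YESNO
			case $YESNO in
			yes|YES|y|Y)
				cp -pf -- "$BASERULEFILE" "${BASERULEFILE}.bak"
				cp -pf -- "$NEWRULEFILE" "${NEWRULEFILE}.bak"
				sort_new_rules
				echo "#Rules merged from the new rule file:"	>>"$BASERULEFILE"
				#grep -e "$MERGEID" -- "$NEWRULEFILE" | sed -e 's/^/#/'	>>"$BASERULEFILE"
				grep -e "$MERGEID" -- "$NEWRULEFILE" >>"$BASERULEFILE" || true
				remaining=$(mktemp "${NEWRULEFILE}.XXXXXX")
				grep -v -e "$MERGEID" -- "$NEWRULEFILE" >"$remaining" || true
				cat -- "$remaining" >"$NEWRULEFILE"	#Rewrite in place to keep permissions
				rm -f -- "$remaining"
				echo "You will probably want to edit the base rule file next."
				;;
			*)	echo "Aborting merge."	;;
			esac
			;;
		esac
		;;
	cs)
		if have_editor; then
			echo "Here are the non-comment lines in ${MASONCONF}:"
			echo
			sed -e 's/#.*//' -- "$MASONCONF" | grep -v '^$' | uniq
			echo
			echo "Press enter to edit this file"
			read -r JUNK || true
			if edit_file "$MASONCONF" "${MASONDIR}masonrc.bak"; then
				# Re-read the (optional) file and re-validate before telling Mason.
				if [ -f "$MASONCONF" ]; then
					. "$MASONCONF"
				fi
				checkconf
				if [ "$ISLEARNING" = "YES" ]; then
					echo "Changes made, signalling mason to reread configuration."
					if [ -n "$LEARNPID" ]; then
						kill -USR1 "$LEARNPID" 2>/dev/null || true
					fi
				else
					echo "Changes made."
				fi
			else
				echo "No changes made."
				rm -f -- "${MASONDIR}masonrc.bak"
			fi
		fi
		;;
	lc)
		# The original tested `[ \`type -path vlock\` = "" ]`; with an empty
		# substitution that is `[ = "" ]`, a test error, so the "not installed"
		# branch was unreachable.
		if ! command -v vlock >/dev/null 2>&1; then
			echo "The vlock utility is not on this system."
			echo "It is required to be able to lock the console."
			echo "Once installed, this option will be available again."
			sleep 15
		else
			if [ "$ISLEARNING" = "YES" ]; then
				start_viewer
			fi
			# A failing vlock must not abort the shell with the viewer left behind.
			vlock || true
			stop_viewer
		fi
		;;
	q)
		EXITCONTROL="YES"
		echo "Exiting. Returning to the standard firewall."
		# Unconditional: stop_learning is a no-op for anything this shell did
		# not start, and never fails, so the firewall reset below always runs.
		stop_learning
		flushfirewall
		runstandardfirewall
		;;
	*)	echo "Unknown choice. Please enter the one or two character code."
		;;
	esac

done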


