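#----------------------------------------------------------------------------
# /etc/rc.d/fwrules.pre100.dmz
#
# Creation:     2007-02-18 gdw
# Last Update:  $Id$
#
# Purpose: wires the DMZ ("orange") network into the packet filter.
#   1. Declares the chains dmz-fwd and dmz-inp via add_chain.
#   2. Looks for a network whose IP_NET_<i>_TYPE is "orange".
#   3. Hooks the DMZ chains into INPUT and FORWARD, either as default rules
#      (PF_*_ACCEPT_DEF=yes) or by replacing a "dmz-chain" placeholder in the
#      configured rule list (PF_*_ACCEPT_DEF=no).
#   4. Sets OPT_DMZ=no and logs an error if no orange network is found.
#
# Reads:   IP_NET_N, IP_NET_<i>_TYPE, PF_INPUT_ACCEPT_DEF, PF_INPUT_N,
#          PF_INPUT_<i>, PF_FORWARD_ACCEPT_DEF, PF_FORWARD_N, PF_FORWARD_<i>
# Writes:  orange_dev, PF_INPUT_<i>, PF_FORWARD_<i>, OPT_DMZ, plus the loop
#          scratch variables i, type, idx, var and rule. There is no function
#          scope here, so all of them stay visible to whatever runs next;
#          their names are kept as they were for that reason.
# Needs:   add_chain, add_rule, pf_in_add_default, pf_fwd_add_default and
#          log_error, none of which are defined in this file.
#
# NOTE(review): the path suggests this file is sourced by the rc system
# rather than executed; kept to plain POSIX sh constructs - confirm.
#----------------------------------------------------------------------------

add_chain dmz-fwd
add_chain dmz-inp

# Default INPUT hook: sends traffic arriving on the orange interface to the
# dmz-inp chain. $orange_dev is expanded when the function is called, not
# when it is defined, so it must still be set at that point.
pf_in_dmz_default ()
{
    add_rule filter INPUT "if:$orange_dev:any dmz-inp" "DMZ traffic"
}

# Default FORWARD hook: same idea for forwarded traffic. The rule text carries
# the BIDIRECTIONAL keyword; presumably add_rule expands that to both
# directions - confirm against the rule translator.
pf_fwd_dmz_default ()
{
    add_rule filter FORWARD "if:$orange_dev:any dmz-fwd BIDIRECTIONAL" "DMZ traffic"
}

# Locate the orange network. orange_dev receives the NAME of the config
# variable (IP_NET_<i>_DEV), not the interface it holds; presumably the rule
# translator behind add_rule resolves the name - confirm.
#
# NOTE(review): the loop does not stop at the first match, so with more than
# one network of type "orange" the last one wins and the others are not
# covered by the DMZ hooks set up below.
orange_dev=
# The "0" prefix makes an unset or empty IP_NET_N compare as 0.
if [ "0$IP_NET_N" -ne 0 ]; then
    for i in $(seq 1 "$IP_NET_N"); do
        # eval only ever sees a variable name built from the numeric index.
        eval "type=\$IP_NET_${i}_TYPE"
        case "$type" in
            orange)
                orange_dev=IP_NET_${i}_DEV
                ;;
        esac
    done
fi

if [ "$orange_dev" ]; then
    # --- INPUT chain --------------------------------------------------------
    # NOTE(review): any value other than "yes" or "no" falls through without
    # installing a hook and without a log message.
    case "$PF_INPUT_ACCEPT_DEF" in
        yes)
            # Hands the function name to pf_in_add_default; presumably it is
            # invoked later together with the other default rules - confirm.
            pf_in_add_default pf_in_dmz_default
            ;;
        no)
            # Custom rule set: the administrator marks where the DMZ chain
            # belongs with a rule consisting of exactly "dmz-chain". Only the
            # first such placeholder is replaced (break).
            #
            # NOTE(review): if no PF_INPUT_<i> equals "dmz-chain", nothing in
            # this file references dmz-inp from INPUT and nothing is logged,
            # so DMZ input rules would silently never be evaluated. A log
            # line for that case would make the misconfiguration visible.
            if [ "0$PF_INPUT_N" -ne 0 ]; then
                for idx in $(seq 1 "$PF_INPUT_N"); do
                    var=PF_INPUT_$idx
                    eval "rule=\$$var"
                    case "$rule" in
                        dmz-chain)
                            # orange_dev is always of the form IP_NET_<i>_DEV
                            # here, so the single-quoted value cannot be
                            # broken out of inside the eval.
                            eval "$var='if:$orange_dev:any dmz-inp'"
                            break
                            ;;
                    esac
                done
            fi
            ;;
    esac

    # --- FORWARD chain ------------------------------------------------------
    # Same logic as for INPUT, including the review notes above: other values
    # of PF_FORWARD_ACCEPT_DEF do nothing, only the first "dmz-chain"
    # placeholder is replaced, and a missing placeholder is not reported.
    case "$PF_FORWARD_ACCEPT_DEF" in
        yes)
            pf_fwd_add_default pf_fwd_dmz_default
            ;;
        no)
            if [ "0$PF_FORWARD_N" -ne 0 ]; then
                for idx in $(seq 1 "$PF_FORWARD_N"); do
                    var=PF_FORWARD_$idx
                    eval "rule=\$$var"
                    case "$rule" in
                        dmz-chain)
                            eval "$var='if:$orange_dev:any dmz-fwd BIDIRECTIONAL'"
                            break
                            ;;
                    esac
                done
            fi
            ;;
    esac
else
    # No orange network configured: report it and switch the feature off so
    # that later steps testing OPT_DMZ skip the DMZ setup.
    log_error "DMZ: No orange device found, disabling OPT_DMZ"
    OPT_DMZ=no
fi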