## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/sveasoft/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
## This configlet defines the commands executed when the iptables script is run
## with command line argument "stop".  The rule set is flushed and the
## built-in chain policies are reset to ACCEPT so the machine keeps
## responding (matching fwbuilder behaviour).  In coexistence mode this
## also allows other tools' rules (Docker, CrowdSec, fail2ban) to keep
## working.

stop_action() {
    reset_all

    ## Once the rule set is gone, every built-in chain falls back to
    ## its policy; set ACCEPT on all of them (IPv4 first, then IPv6,
    ## as in the original ordering) so the host keeps responding.
    # open policies on all built-in chains
    for tool in "$IPTABLES" "$IP6TABLES"
    do
        for chain in OUTPUT INPUT FORWARD
        do
            $tool {{$opt_wait}} -P $chain ACCEPT
        done
    done

{{if mgmt_access}}
    ## NOTE: with the chain policies already at ACCEPT these explicit
    ## accepts add nothing; they only matter if the policies above are
    ## ever tightened (e.g. back to DROP). Kept for parity.
    # backup ssh access
    $IPTABLES {{$opt_wait}} -A INPUT  -p tcp -m tcp  -s {{$ssh_management_address}}  --dport 22  -m state --state NEW,ESTABLISHED -j  ACCEPT
    $IPTABLES {{$opt_wait}} -A OUTPUT  -p tcp -m tcp  -d {{$ssh_management_address}}  --sport 22  -m state --state ESTABLISHED,RELATED -j ACCEPT
{{endif}}
}
