## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/sveasoft/ in your home directory and modify it.
## Double "##" comments are removed during processing, but single "#"
## comments are retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion.
## {{if var}} is a conditional operator.
##
## This configlet defines the commands executed when the iptables script
## is run with the command line argument "stop".
##
## Full-flush mode:   Flushes all rules via reset_all (policies stay at
##                    DROP so the server stays protected).
## Coexistence mode:  Removes only FWF chains and restores policies to
##                    ACCEPT so that other tools' rules (Docker, CrowdSec,
##                    fail2ban) keep working.

## Runs on "stop": tears down the generated rule set. reset_all is called in
## both modes; only the policy restoration and the backup ssh rules below are
## conditional on the configlet variables.
stop_action() {
    ## NOTE(review): reset_all runs unconditionally, including in coexistence
    ## mode, while the header describes that mode as removing only FWF chains.
    ## reset_all is not defined in this configlet; confirm it honours the
    ## coexistence flags before relying on that description.
    reset_all

{{if coexistence_v4}}
    # Restore permissive policies so other tools' rules keep working.
    $IPTABLES {{$opt_wait}} -P INPUT   ACCEPT
    $IPTABLES {{$opt_wait}} -P FORWARD ACCEPT
    $IPTABLES {{$opt_wait}} -P OUTPUT  ACCEPT
{{endif}}
{{if coexistence_v6}}
    # Same for IPv6: restore permissive policies so other tools' rules keep working.
    $IP6TABLES {{$opt_wait}} -P INPUT   ACCEPT
    $IP6TABLES {{$opt_wait}} -P FORWARD ACCEPT
    $IP6TABLES {{$opt_wait}} -P OUTPUT  ACCEPT
{{endif}}

{{if mgmt_access}}
    # backup ssh access
    ## These rules matter in full-flush mode, where the header says the
    ## policies stay at DROP; under the ACCEPT policies restored above they
    ## are redundant but harmless. They are IPv4 only: the management address
    ## is passed to $IPTABLES, never to $IP6TABLES.
    ## Inbound: new and established ssh connections from the management
    ## address to local port 22.
    $IPTABLES {{$opt_wait}} -A INPUT  -p tcp -m tcp  -s {{$ssh_management_address}}  --dport 22  -m state --state NEW,ESTABLISHED -j  ACCEPT
    ## Outbound: reply traffic from local port 22 back to the management
    ## address, established/related only.
    $IPTABLES {{$opt_wait}} -A OUTPUT  -p tcp -m tcp  -d {{$ssh_management_address}}  --sport 22  -m state --state ESTABLISHED,RELATED -j ACCEPT
{{endif}}
}
