luci-app-diag-devinfo: remove from repo

[project/luci.git] / contrib / package / freifunk-p2pblock / files / freifunk-p2pblock.init

#!/bin/sh /etc/rc.common

START=82
ME="freifunk-p2pblock"
LOCK='/var/run/p2pblock.lock'

# helper-scripts
ipt_add() {
        logger -t "$ME" "set 'iptables -I $1'"
        iptables -I $1
        echo "iptables -D $1" >> $LOCK
}

start() {
        /etc/init.d/freifunk-p2pblock enabled || return

        if [ ! -s "$LOCK" ]; then
                logger -s -t "$ME" 'starting p2pblock...'

                config_load network
                config_get wan wan ifname

                if [ -n "$wan" ]; then
                        config_load freifunk_p2pblock
                        config_get layer7 p2pblock layer7
                        config_get ipp2p p2pblock ipp2p
                        config_get portrange p2pblock portrange
                        config_get blocktime p2pblock blocktime
                        config_get whitelist p2pblock whitelist

                        # load modules
                        insmod ipt_ipp2p 2>&-
                        insmod ipt_layer7 2>&-
                        insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-

                        # create new p2p-chain
                        iptables -N p2pblock
                        # pipe all incoming FORWARD with source-/destination-port 1024-65535 throu p2p-chain
                        ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
                        ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"

                        # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
                        ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
                        ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"

                        # create layer7-rules
                        for proto in $layer7; do
                                ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
                                ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
                        done

                        # create ipp2p-rules
                        for proto in $ipp2p; do
                                ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
                                ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
                        done

                        # insert whitelisted ips
                        for ip in $whitelist; do
                                ipt_add "p2pblock -d $ip -j RETURN"
                        done

                        logger -s -t "$ME" 'Done.'; return 0
                else
                        logger -s -t "$ME" 'No wan interface present.'; return 0
                fi
        else
                logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
        fi
}

stop() {
        if [ -s "$LOCK" ]; then
                logger -s -t "$ME" 'stopping p2pblock...'

                # unset all rules in $LOCK-file
                cat $LOCK | sed -ne '1!G;h;$p' | while read line; do
                        logger -t "$ME" "unset $line"
                        while eval $line 2>&-; do :; done
                done; : > "$LOCK"

                # flush and delete the p2p-chain
                iptables -F p2pblock
                iptables -X p2pblock
                logger -s -t "$ME" 'Done.'; return 0

        else
                logger -s -t "$ME" 'WARNING! not running - Aborting!'; return 2

        fi
}

restart() {
        stop; sleep 1; start
}