#!/bin/sh /etc/rc.common
START=70
EXTRA_COMMANDS=clear_leases
SPLASH_INTERFACES=""
LIMIT_DOWN=0
LIMIT_DOWN_BURST=0
LIMIT_UP=0

silent() {
	"$@" 2>/dev/null
}

iface_add() {
	local cfg="$1"
	
	config_get zone "$cfg" zone
	[ -n "$zone" ] || return 0
	
	config_get net "$cfg" network
	[ -n "$net" ] || return 0

	config_get ifname "$net" ifname
	[ -n "$ifname" ] || return 0
	
	config_get ipaddr "$net" ipaddr
	[ -n "$ipaddr" ] || return 0
	
	config_get netmask "$net" netmask
	[ -n "$netmask" ] || return 0
	
	eval "$(ipcalc.sh $ipaddr $netmask)"

	iptables -t nat -A prerouting_${zone} -j luci_splash_prerouting
	iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -p ! tcp -j luci_splash_portal
	iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -d ! "$ipaddr" -j luci_splash_portal
	iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -d "$ipaddr" -p tcp -m multiport ! --dport 22,80,443 -j luci_splash_portal

	qos_iface_add "$ifname"

	append SPLASH_INTERFACES "$ifname"
}

iface_del() {
	config_get zone "$1" zone                                                                
	[ -n "$zone" ] || return 0

	config_get ifname "$1" ifname
	[ -n "$ifname" ] || return 0

	while iptables -t nat -D prerouting_${zone} -j luci_splash_prerouting 2>&-; do :; done

	qos_iface_del "$ifname"
}

blacklist_add() {
	local cfg="$1"
	
	config_get mac "$cfg" mac
	[ -n "$mac" ] && {
		iptables -t filter -I luci_splash_counter -m mac --mac-source "$mac" -j RETURN
		iptables -t nat    -I luci_splash_leases  -m mac --mac-source "$mac" -j DROP
	}
}

whitelist_add() {
	local cfg="$1"
	
	config_get mac "$cfg" mac
	[ -n "$mac" ] && {
		iptables -t filter -I luci_splash_counter -m mac --mac-source "$mac" -j RETURN
		iptables -t nat    -I luci_splash_leases  -m mac --mac-source "$mac" -j RETURN
	}
}

lease_add() {
	local cfg="$1"
	
	config_get mac "$cfg" mac
	config_get ban "$cfg" kicked

	ban=${ban:+DROP}

	[ -n "$mac" ] && {
		local oIFS="$IFS"; IFS=":"
		set -- $mac
		IFS="$oIFS"; unset oIFS
	
		local mac_pre="$1$2"
		local mac_post="$3$4$5$6"
		local handle="$6"

		iptables -t filter -I luci_splash_counter -m mac --mac-source "$mac" -j RETURN
		iptables -t mangle -I luci_splash_mark    -m mac --mac-source "$mac" -j MARK --set-mark 79
		iptables -t nat    -I luci_splash_leases  -m mac --mac-source "$mac" -j "${ban:-RETURN}"

		for i in $SPLASH_INTERFACES; do
			tc filter add dev $i parent 77:0 protocol ip prio 2 handle ::$handle u32 \
				match u16 0x0800 0xFFFF at -2 match u32 0x$mac_post 0xFFFFFFFF at -12 \
				match u16 0x$mac_pre 0xFFFF at -14 flowid 77:10
		done
	}
}

qos_iface_add() {
	local iface="$1"

	# 77 -> download root qdisc
	# 78 -> upload root qdisc
	# 79 -> fwmark

	silent tc qdisc del dev "$iface" root handle 77:

	if [ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ]; then
		tc qdisc add dev "$iface" root handle 77: htb

		# assume maximum rate of 20.000 kilobit for wlan
		tc class add dev "$iface" parent 77: classid 77:1 htb rate 20000kbit

		# set download limit and burst
		tc class add dev "$iface" parent 77:1 classid 77:10 htb \
			rate ${LIMIT_DOWN}kbit ceil ${LIMIT_DOWN_BURST}kbit prio 2

		tc qdisc add dev "$iface" parent 77:10 handle 78: sfq perturb 10

		# adding ingress can result in "File exists" if qos-scripts are active
		silent tc qdisc add dev "$iface" ingress

		# set client upload speed
		tc filter add dev "$iface" parent ffff: protocol ip prio 1 \
			handle 79 fw police rate ${LIMIT_UP}kbit mtu 6k burst 6k drop
	fi	
}

qos_iface_del() {
	local iface="$1"

	silent tc qdisc del dev "$iface" root handle 77:
	silent tc qdisc del dev "$iface" root handle 78:
	silent tc filter del dev "$iface" parent ffff: protocol ip prio 1 handle 79 fw
}

boot() {
	### Setup splash-relay
	uci get lucid.splashr || {
uci batch <<EOF
	set lucid.splashr=daemon
	set lucid.splashr.slave=httpd
	add_list lucid.splashr.address=8082
	add_list lucid.splashr.publisher=splashredir
	set lucid.splashr.enabled=1

	set lucid.splashredir=Redirector
	set lucid.splashredir.name=Splashd
	set lucid.splashredir.virtual='/'
	set lucid.splashredir.physical=':80/luci/splash'

	commit lucid
EOF
	}

	### We are started by the firewall include
	exit 0
}

start() {
	### Read chains from config
	include /lib/network
	scan_interfaces
	config_load luci_splash
	
	### Find QoS limits
	config_get LIMIT_UP general limit_up
	config_get LIMIT_DOWN general limit_down
	config_get LIMIT_DOWN_BURST general limit_down_burst

	LIMIT_UP="${LIMIT_UP:-0}"
	LIMIT_DOWN="${LIMIT_DOWN:-0}"
	LIMIT_DOWN_BURST="${LIMIT_DOWN_BURST:-$(($LIMIT_DOWN * 2))}"

	### Load required modules
	[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
		silent insmod cls_fw
		silent insmod cls_u32
		silent insmod sch_htb
		silent insmod sch_ingress
	}

	### Create subchains
	iptables -t filter -N luci_splash_counter
	iptables -t nat    -N luci_splash_portal
	iptables -t nat    -N luci_splash_leases
	iptables -t nat    -N luci_splash_prerouting

	[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && \
		iptables -t mangle -N luci_splash_mark

	### Build the main and portal rule
	config_foreach iface_add iface
	config_foreach blacklist_add blacklist
	config_foreach whitelist_add whitelist
	config_foreach lease_add lease
	
	### Build the portal rule
	iptables -t filter -I INPUT      -j luci_splash_counter
	iptables -t filter -I FORWARD    -j luci_splash_counter

	[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && \
		iptables -t mangle -I PREROUTING -j luci_splash_mark
	
	iptables -t nat -A luci_splash_portal -p udp --dport 33434:33523 -j RETURN
	iptables -t nat -A luci_splash_portal -p icmp -j RETURN
	iptables -t nat -A luci_splash_portal -p udp --dport 53 -j RETURN
	iptables -t nat -A luci_splash_portal -j luci_splash_leases
	
	### Build the leases rule
	iptables -t nat -A luci_splash_leases -p tcp --dport 80 -j REDIRECT --to-ports 8082
	iptables -t nat -A luci_splash_leases -j DROP
	
	### Add crontab entry
	test -f /etc/crontabs/root || touch /etc/crontabs/root
	grep -q luci-splash /etc/crontabs/root || {
		echo '*/5 * * * * 	/usr/sbin/luci-splash sync' >> /etc/crontabs/root
	}
}

stop() {
	### Clear interface rules
	config_load luci_splash
	config_foreach iface_del iface

	silent iptables -t filter -D INPUT      -j luci_splash_counter
	silent iptables -t filter -D FORWARD    -j luci_splash_counter
	silent iptables -t mangle -D PREROUTING -j luci_splash_mark
        
	### Clear subchains
	silent iptables -t nat    -F luci_splash_leases
	silent iptables -t nat    -F luci_splash_portal
	silent iptables -t nat    -F luci_splash_prerouting
	silent iptables -t filter -F luci_splash_counter
	silent iptables -t mangle -F luci_splash_mark
	
	### Delete subchains
	silent iptables -t nat    -X luci_splash_leases
	silent iptables -t nat    -X luci_splash_portal
	silent iptables -t nat    -X luci_splash_prerouting
	silent iptables -t filter -X luci_splash_counter
	silent iptables -t mangle -X luci_splash_mark
	
	sed -ie '/\/usr\/sbin\/luci-splash sync/d' /var/spool/cron/crontabs/root
}

	
clear_leases() {
	stop
	while uci -P /var/state del luci_splash.@lease[0] 2>&-;do :; done
	start
}