#!/bin/sh /etc/rc.common

# rc.common metadata: start order and the extra action exposed on the CLI.
START=80
EXTRA_COMMANDS='default_connlimit'

# uci package that holds the msg_connlimit section.
UCI_CONFIG=connlimit_msg
# Lock path used by the (currently disabled) apply() locking.
SCRIPT_LOCK='/tmp/web_apply_lock/connlimit_msg'

# Built-in block page. %SIP% and %RNAME% are substituted by the module, not
# by the shell, so the literal is single-quoted. It MUST stay identical to the
# copy stored in uci (start() re-syncs the uci copy when they differ).
DEFAULT_MSG='<html><head><title>Access Denied</title></head><body bgcolor=lightblue><center><h3><br><p><font face=arial color=blue size=5>Your IP:%SIP%</font><br><br><br>have reached the maximum number of permitted Internet sessions.<br><font color=red><p>Please close one or more applications to allow furthur Internet access.<p></font>Contact your system administrator for further information.<br><br><br>[ Powered by <font color=red><i>%RNAME%</i></font> ]<h3></center></body></html>'

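default_connlimit() {
	# Rebuild the default per-source session-limit rule in FORWARD_CONNLIMIT
	# from uci, adjust nf_conntrack_session_limit, and notify dataflow.
	#
	# Globals:   UCI_CONFIG (read)
	# Outputs:   diagnostics on stderr only
	# Returns:   0
	local def_connlimit def_connlimit_session conn_ena da_ena pid

	def_connlimit=$(uci get "$UCI_CONFIG".msg_connlimit.use_default_session_limit)
	def_connlimit_session=$(uci get "$UCI_CONFIG".msg_connlimit.max_session)

	# max_session is spliced into an iptables command line; accept only a
	# plain non-negative integer so an empty or malformed uci value can never
	# be split into extra iptables arguments.
	case "$def_connlimit_session" in
		''|*[!0-9]*)
			printf '%s\n' "connlimit_msg: invalid max_session '$def_connlimit_session', rule skipped" >&2
			def_connlimit_session=
			;;
	esac

	if [ -n "$def_connlimit_session" ]; then
		# Match/target part of the rule, shared by the delete and the add.
		set -- -m connmark ! --mark 0x00001000/0x00001000 \
			-m mset2 --set2 lan_net_set src --set2 exception_subnet_set src \
			-m connlimit --connlimit-above "$def_connlimit_session" --connlimit-nomark 1 \
			-j DROP
		# "No such rule" is the normal case on first run, so stderr is dropped.
		iptables -D FORWARD_CONNLIMIT "$@" 2>/dev/null
	fi

	if [ "$def_connlimit" = "enable" ]; then
		if [ -n "$def_connlimit_session" ]; then
			iptables -A FORWARD_CONNLIMIT "$@"
		fi
		echo 1 > /proc/sys/net/netfilter/nf_conntrack_session_limit
	else
		# Only when /etc/config/connlimit has no line containing "enable" and
		# the dataflow profile is disabled does the sysctl go to 4. The
		# meaning of 1 vs 4 belongs to the vendor conntrack patch — not
		# documented here. A missing config file counts as 0 matches.
		conn_ena=$(grep -c enable /etc/config/connlimit 2>/dev/null)
		da_ena=$(uci -q get dataflow.profile.enable)
		if [ "${conn_ena:-0}" = "0" ] && [ "$da_ena" = "disable" ]; then
			echo 4 > /proc/sys/net/netfilter/nf_conntrack_session_limit
		fi
	fi

	# Signal 47 is a realtime signal whose meaning is private to dataflow —
	# confirm there before changing. No running dataflow is not an error.
	pid=$(ps | awk '/\/sbin\/dataflow/ {print $1}')
	# shellcheck disable=SC2086 -- $pid may hold several PIDs, one per word
	if [ -n "$pid" ]; then
		kill -47 $pid >/dev/null 2>&1
	fi
	return 0
}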

boot() {
	# Boot-time entry point (rc.common): identical to a plain "start".
	start
}
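start()
{
	# Push the configured connection-limit block page into the xt_connlimit
	# module parameter, keep the uci copy of the built-in page in sync, then
	# (re)install the default session-limit rule.
	#
	# Globals:   UCI_CONFIG, DEFAULT_MSG (read)
	# Outputs:   writes /sys/module/xt_connlimit/parameters/message_connlimit
	# Returns:   status of default_connlimit
	local default default_msg user_message
	local msg_param=/sys/module/xt_connlimit/parameters/message_connlimit

	if [ ! -w "$msg_param" ]; then
		printf '%s\n' "connlimit_msg: $msg_param is not writable (xt_connlimit loaded?)" >&2
	fi

	default=$(uci get "$UCI_CONFIG".msg_connlimit.use_default_message)
	if [ "$default" = "enable" ]; then
		# printf, not echo -n: the page is arbitrary HTML and POSIX echo may
		# interpret backslash sequences or option-like leading text.
		printf '%s' "$DEFAULT_MSG" > "$msg_param"
		# Upgrade path: the uci copy of the built-in page must match DEFAULT_MSG.
		default_msg=$(uci get "$UCI_CONFIG".msg_connlimit.default_message)
		if [ "$DEFAULT_MSG" != "$default_msg" ]; then
			uci set "$UCI_CONFIG".msg_connlimit.default_message="$DEFAULT_MSG"
			uci commit "$UCI_CONFIG"
		fi
	else
		# user_msg is served verbatim as the block page; it is administrator
		# configuration written through uci, not data taken from a client.
		user_message=$(uci get "$UCI_CONFIG".msg_connlimit.user_msg)
		printf '%s' "$user_message" > "$msg_param"
	fi

	default_connlimit
}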
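apply()
{
	# Web-UI "apply" hook: refresh the block page when the message settings
	# changed, remove the rule built from the previous max_session value,
	# commit the pending uci changes, then rebuild via default_connlimit.
	#
	# Globals:   UCI_CONFIG, DEFAULT_MSG (read)
	# Outputs:   may write /sys/module/xt_connlimit/parameters/message_connlimit
	# Returns:   status of default_connlimit
	local message_chg default user_message odef_connlimit_session
	local msg_param=/sys/module/xt_connlimit/parameters/message_connlimit

	#lock $SCRIPT_LOCK
	message_chg=$(uci fchanges modify "$UCI_CONFIG" message)
	if [ -n "$message_chg" ]; then
		default=$(uci get "$UCI_CONFIG".msg_connlimit.use_default_message)
		if [ "$default" = "enable" ]; then
			printf '%s' "$DEFAULT_MSG" > "$msg_param"
		else
			# Administrator-supplied HTML, served verbatim as the block page.
			user_message=$(uci get "$UCI_CONFIG".msg_connlimit.user_msg)
			printf '%s' "$user_message" > "$msg_param"
		fi
	fi

	# The installed rule was built with the value in effect before this
	# change set ("oget" presumably returns that old value — confirm against
	# this vendor's uci), so the delete must use it, not the new one.
	odef_connlimit_session=$(uci oget "$UCI_CONFIG".msg_connlimit.max_session)
	case "$odef_connlimit_session" in
		''|*[!0-9]*)
			# Nothing valid could have been installed with this value.
			;;
		*)
			# "No such rule" is expected here, so stderr is dropped.
			iptables -D FORWARD_CONNLIMIT -m connmark ! --mark 0x00001000/0x00001000 \
				-m mset2 --set2 lan_net_set src --set2 exception_subnet_set src \
				-m connlimit --connlimit-above "$odef_connlimit_session" --connlimit-nomark 1 \
				-j DROP 2>/dev/null
			;;
	esac

	uci commit "$UCI_CONFIG"
	#lock -u $SCRIPT_LOCK

	default_connlimit
}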