#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org


# Boot-order priority consumed by /etc/rc.common (the S70 rc.d link);
# presumably chosen so this runs after networking is up — confirm against
# the other init scripts on the target.
START=70

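# Write a non-negative decimal integer to a ddos sysctl node. An empty or
# malformed UCI value is reported on stderr and skipped instead of being
# pushed into the kernel as a bare newline or garbage.
#   $1 - full /proc/sys path of the node
#   $2 - value to write
# Returns 1 when the value was rejected, else the status of the write.
ddos_write_uint()
{
	local node="$1"
	local value="$2"

	case "$value" in
		''|*[!0-9]*)
			echo "ddos: ignoring invalid value '$value' for ${node##*/}" >&2
			return 1
			;;
	esac
	echo "$value" > "$node"
}

# Write 1 to a ddos sysctl node when a UCI option is literally "enable",
# 0 for anything else (unset, empty or another spelling all mean off).
#   $1 - UCI option value
#   $2 - full /proc/sys path of the node
ddos_write_flag()
{
	local flag=0

	[ "$1" = "enable" ] && flag=1
	echo "$flag" > "$2"
}

# Push one UCI section of type "profile" (config "ddos") into the kernel
# module through /proc/sys/net/ipv4/ddos_*. Called by config_foreach, so $1
# is the section name; with several profiles the last one applied wins.
# Flood thresholds/timeouts are only written when their block is enabled,
# and they are written before the block flag is armed so the block is never
# switched on against the previously loaded values (what the module does
# between the two writes is not visible from here).
# Comparisons use POSIX "=": "==" inside [ ] is a bashism under #!/bin/sh.
ddos_config()
{
	local status
	local admin
	local block_syn_flood
	local syn_flood_threshold
	local syn_flood_timeout
	local block_udp_flood
	local udp_flood_threshold
	local udp_flood_timeout
	local block_icmp_flood
	local icmp_flood_threshold
	local icmp_flood_timeout
	local block_port_scan
	local port_scan_threshold
	local block_ip_options
	local block_land
	local block_smurf
	local block_trace_route
	local block_syn_fragment
	local block_fraggle_attack
	local block_teardrop
	local block_ping_of_death
	local block_icmp_fragment
	local block_unknow_protocol

	config_get status "$1" status
	config_get block_syn_flood "$1" block_syn_flood
	config_get syn_flood_threshold "$1" syn_flood_threshold
	config_get syn_flood_timeout "$1" syn_flood_timeout
	config_get block_udp_flood "$1" block_udp_flood
	config_get udp_flood_threshold "$1" udp_flood_threshold
	config_get udp_flood_timeout "$1" udp_flood_timeout
	config_get block_icmp_flood "$1" block_icmp_flood
	config_get icmp_flood_threshold "$1" icmp_flood_threshold
	config_get icmp_flood_timeout "$1" icmp_flood_timeout
	config_get block_port_scan "$1" block_port_scan
	config_get port_scan_threshold "$1" port_scan_threshold
	config_get block_ip_options "$1" block_ip_options
	config_get block_land "$1" block_land
	config_get block_smurf "$1" block_smurf
	config_get block_trace_route "$1" block_trace_route
	config_get block_syn_fragment "$1" block_syn_fragment
	config_get block_fraggle_attack "$1" block_fraggle_attack
	config_get block_teardrop "$1" block_teardrop
	config_get block_ping_of_death "$1" block_ping_of_death
	config_get block_icmp_fragment "$1" block_icmp_fragment
	config_get block_unknow_protocol "$1" block_unknow_protocol

	# Master switch: anything other than the literal "disable" (including an
	# unset option) arms the module, i.e. the default is protection on.
	admin=1
	[ "$status" = "disable" ] && admin=0
	echo "$admin" > /proc/sys/net/ipv4/ddos_admin

	# Rate-based blocks: threshold (+ timeout) first, then the on/off flag.
	if [ "$block_syn_flood" = "enable" ]; then
		ddos_write_uint /proc/sys/net/ipv4/ddos_flood_synThreshold "$syn_flood_threshold"
		ddos_write_uint /proc/sys/net/ipv4/ddos_flood_synTimeout "$syn_flood_timeout"
	fi
	ddos_write_flag "$block_syn_flood" /proc/sys/net/ipv4/ddos_block_syn_flood

	if [ "$block_udp_flood" = "enable" ]; then
		ddos_write_uint /proc/sys/net/ipv4/ddos_flood_udpThreshold "$udp_flood_threshold"
		ddos_write_uint /proc/sys/net/ipv4/ddos_flood_udpTimeout "$udp_flood_timeout"
	fi
	ddos_write_flag "$block_udp_flood" /proc/sys/net/ipv4/ddos_block_udp_flood

	if [ "$block_icmp_flood" = "enable" ]; then
		ddos_write_uint /proc/sys/net/ipv4/ddos_flood_icmpThreshold "$icmp_flood_threshold"
		ddos_write_uint /proc/sys/net/ipv4/ddos_flood_icmpTimeout "$icmp_flood_timeout"
	fi
	ddos_write_flag "$block_icmp_flood" /proc/sys/net/ipv4/ddos_block_icmp_flood

	# Port-scan detection has a threshold but no timeout node.
	if [ "$block_port_scan" = "enable" ]; then
		ddos_write_uint /proc/sys/net/ipv4/ddos_flood_portscanThreshold "$port_scan_threshold"
	fi
	ddos_write_flag "$block_port_scan" /proc/sys/net/ipv4/ddos_block_port_scan

	# Plain on/off blocks. The node names do not follow the option names
	# one-for-one (ip_options -> ip_option, trace_route -> tracert, ...), so
	# the mapping is kept explicit rather than derived from the option name.
	ddos_write_flag "$block_ip_options"      /proc/sys/net/ipv4/ddos_block_ip_option
	ddos_write_flag "$block_land"            /proc/sys/net/ipv4/ddos_block_land
	ddos_write_flag "$block_smurf"           /proc/sys/net/ipv4/ddos_block_smurf
	ddos_write_flag "$block_trace_route"     /proc/sys/net/ipv4/ddos_block_tracert
	ddos_write_flag "$block_syn_fragment"    /proc/sys/net/ipv4/ddos_block_syn_frag
	ddos_write_flag "$block_fraggle_attack"  /proc/sys/net/ipv4/ddos_block_fraggle
	ddos_write_flag "$block_teardrop"        /proc/sys/net/ipv4/ddos_block_teardrop
	ddos_write_flag "$block_ping_of_death"   /proc/sys/net/ipv4/ddos_block_pingdeath
	ddos_write_flag "$block_icmp_fragment"   /proc/sys/net/ipv4/ddos_block_icmp_frag
	ddos_write_flag "$block_unknow_protocol" /proc/sys/net/ipv4/ddos_block_unknow_pro
}

# Push one section of config "acc_ctrl" into the ddos_bypass_* nodes. Called
# by config_foreach for every section of type "acc_ctrl", so with several
# sections the last one wins and the fixed L2 values are rewritten each time.
# The four ports are presumably the router's own management services that the
# module must leave reachable — confirm against the kernel side.
ddos_bypass_config()
{
	local web_port
	local telnet_port
	local ssh_port
	local https_port
	local L2_threshold
	local L2_timeout

	config_get web_port "$1" web_port
	config_get telnet_port "$1" telnet_port
	config_get ssh_port "$1" ssh_port
	config_get https_port "$1" https_port

	# An unset or non-numeric port is skipped with a warning instead of being
	# written as a bare newline, so the node is left as it was.
	ddos_write_uint /proc/sys/net/ipv4/ddos_bypass_web_port "$web_port"
	ddos_write_uint /proc/sys/net/ipv4/ddos_bypass_telnet_port "$telnet_port"
	ddos_write_uint /proc/sys/net/ipv4/ddos_bypass_ssh_port "$ssh_port"
	ddos_write_uint /proc/sys/net/ipv4/ddos_bypass_https_port "$https_port"

	# Default values for the TCP SYN-flood L2 threshold/timeout; there is no
	# UCI option for these, so they are fixed here.
	L2_threshold=30
	L2_timeout=5
	ddos_write_uint /proc/sys/net/ipv4/ddos_L2_flood_synThreshold "$L2_threshold"
	ddos_write_uint /proc/sys/net/ipv4/ddos_L2_flood_synTimeout "$L2_timeout"
}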

# rc.common entry point for the boot action. There is no boot-specific
# work, so it simply runs the start action.
boot()
{
	start
}

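# Apply the UCI "ddos" configuration to the kernel module and, when the
# status option says so, push the management-port bypass list from the
# "acc_ctrl" config. Arguments passed by rc.common are ignored.
start()
{
	local ddos_status

	config_load ddos
	# Every section of type "profile" is applied in turn, so with more than
	# one profile the last one wins.
	config_foreach ddos_config profile

	# NOTE(review): this reads the section *named* ddos_config and treats
	# only the literal "enable" as on, while ddos_config() treats anything
	# but "disable" as on. With the option unset the module is armed but the
	# bypass ports are never written — confirm which default is intended.
	ddos_status=$(uci get ddos.ddos_config.status)
	if [ "$ddos_status" = "enable" ]; then
		config_load acc_ctrl
		config_foreach ddos_bypass_config acc_ctrl
	fi

	# Nothing above stages uci changes; this presumably flushes edits queued
	# by whoever restarted the service — confirm it is still needed.
	uci commit ddos
	/sbin/led_control dos
}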

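# Disarm the kernel module. The "()" matters: without it this is not a
# function definition — the shell runs `stop` as a command and then executes
# the brace group immediately, at the point the script is sourced, for every
# rc.common action, and the real stop action never reaches this write.
stop()
{
	echo 0 > /proc/sys/net/ipv4/ddos_admin
}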