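#!/bin/bash

# "shopt" is a bash builtin, so the interpreter must be bash rather than a
# plain POSIX sh (a strict /bin/sh such as dash would abort on this line).
# Extended globbing is switched on for the case patterns further down, which
# at present only use ordinary globs.
shopt -s extglob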

#
# Startup script to start ftwall
#
# chkconfig: 2345 11 91
#
# description: Extends iptables to allow filtering of Fast Track traffic
# from P2P software such as Kazaa.
#
# by chris@lowth.com, based on the iptables script:
# Script Author:	Chris Lowth <chris@lowth.com>
#
#
# For more detailed documentation about this software, please refer to the
# web site:  http://www.lowth.com/p2pwall

#-----------------------------------------------------------------------------
# Configuration section - make your edits to the next few lines

# The path name of the ftwall program.

FTWALL="/usr/sbin/ftwall"


# The size of the buffer used to queue packets from netfilter to ftwall.
# The maximum allowed size is 64k. Note: this will adjust the system's
# global "rmem_max" value if it is lower than the value you give here.
# Be aware that this is a "system wide" change.
# Try increasing this value if you get "No buffer space" errors.
# NOTE(review): the "64k" ceiling stated above does not agree with the
# default of 128000 given below -- confirm which of the two is correct.

NETLINK_BUFFER_SIZE="128000"


# The number of seconds used for the TCP/IP SYN "timelock" logic. This
# mechanism is described in detail in the documentation on the website.

TIMELOCK_TIMER="120"


# What should be logged to syslog? Set the desired combination of options
# to "1" to enable the logging of the specified event types. Beware of
# leaving the dropped packet logging turned on in production - there
# tend to be rather a lot of them!!
# Each flag maps to one letter of the "-l" option built further down.

LOG_DROPPED_TCP="0"           # log dropped TCP/IP packets        (-l t)
LOG_ACCEPTED_TCP="0"          # log accepted TCP/IP packets       (-l T)
LOG_DROPPED_UDP="0"           # log dropped UDP packets           (-l u)
LOG_ACCEPTED_UDP="0"          # log accepted UDP packets          (-l U)
LOG_IDENTIFIED_PEERS="0"      # log identified external peers     (-l p)
LOG_IDENTIFIED_CLIENTS="0"    # log identified "home" clients     (-l c)


# The name of the file in which "Blocked" external peer addresses
# can be held over reboots. This mechanism is only enabled if the
# following line is uncommented. Use this mechanism if you expect
# to restart ftwall when FastTrack clients are active.

# STOREFILE=/var/lib/ftwall.store


# The name of a directory in which ftwall creates files with names
# that match the IP addresses of active home-network clients. The
# files are created when clients are identified, and removed when
# they become inactive. This mechanism is for logging/reporting
# purposes only. Uncomment the following line to ENABLE this logic.
#
# Warning: This script DELETES this directory at startup, so make
# sure you are happy with the path name given. For safety reasons,
# this script insists that the directory is a child of /var/log

# CLIENT_STATE_DIRECTORY=/var/log/ftwall.clients

#-----------------------------------------------------------------------------

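. /etc/init.d/functions

# Silently do nothing when the ftwall binary is not installed (or is not
# executable). The path is quoted so a configured value containing spaces
# cannot turn the test into a multi-word expression.
if [ ! -x "$FTWALL" ]; then
	exit 0
fi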

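#######################################
# Build the ftwall command line from the configuration variables above.
# Globals:   NETLINK_BUFFER_SIZE, TIMELOCK_TIMER, STOREFILE, LOG_*,
#            CLIENT_STATE_DIRECTORY (read); ARGS, LOGGING (written)
# Arguments: none
# Returns:   0
#######################################
build_args() {
	ARGS="-b $NETLINK_BUFFER_SIZE -t $TIMELOCK_TIMER "

	# The single quotes are part of the string on purpose: ARGS is later
	# expanded unquoted into "daemon ftwall $ARGS", and the original author
	# wrapped the paths this way -- presumably because daemon() in
	# /etc/init.d/functions hands the line to a shell again. TODO confirm.
	# Consequence: a STOREFILE or CLIENT_STATE_DIRECTORY containing a single
	# quote cannot be expressed here.
	if [ -n "$STOREFILE" ]; then
		ARGS="$ARGS -f '$STOREFILE' "
	fi

	# One letter per enabled event type; unset or empty flags count as "0"
	# instead of being treated as enabled.
	LOGGING=""
	[ "${LOG_DROPPED_TCP:-0}"        != 0 ] && LOGGING="${LOGGING}t"
	[ "${LOG_ACCEPTED_TCP:-0}"       != 0 ] && LOGGING="${LOGGING}T"
	[ "${LOG_DROPPED_UDP:-0}"        != 0 ] && LOGGING="${LOGGING}u"
	[ "${LOG_ACCEPTED_UDP:-0}"       != 0 ] && LOGGING="${LOGGING}U"
	[ "${LOG_IDENTIFIED_PEERS:-0}"   != 0 ] && LOGGING="${LOGGING}p"
	[ "${LOG_IDENTIFIED_CLIENTS:-0}" != 0 ] && LOGGING="${LOGGING}c"
	if [ -n "$LOGGING" ]; then
		ARGS="$ARGS -l $LOGGING"
	fi

	if [ -n "$CLIENT_STATE_DIRECTORY" ]; then
		ARGS="$ARGS -c '$CLIENT_STATE_DIRECTORY' "
	fi
	return 0
}

build_args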

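#######################################
# Split a kernel release string into its major and minor numbers.
# Arguments: $1 - release string as printed by "uname -r", e.g. "2.4.20-8"
# Globals:   KERNELMAJ, KERNELMIN (written)
# Returns:   0
#######################################
parse_kernel_version() {
	local release=$1 minor_and_rest
	# Everything before the first dot is the major number ("2.4.20-8" -> "2").
	KERNELMAJ=${release%%.*}
	# Drop the major number and its dot, then keep up to the next dot
	# ("2.4.20-8" -> "4.20-8" -> "4"). A string with no dot at all yields the
	# whole string for both values, exactly as the sed pipeline used to.
	minor_and_rest=${release#*.}
	KERNELMIN=${minor_and_rest%%.*}
	return 0
}

parse_kernel_version "$(uname -r)"

# Kernels older than 2.4 are not supported; start() loads ip_queue, which
# is presumably the reason for this floor.
if [ "$KERNELMAJ" -lt 2 ]; then
	exit 0
fi

if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 4 ]; then
	exit 0
fi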

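#######################################
# Raise net.core.rmem_max if needed, load ip_queue, clear the optional
# client state directory and launch the daemon.
# Globals:   NETLINK_BUFFER_SIZE, CLIENT_STATE_DIRECTORY, ARGS (read);
#            RETVAL (written)
# Arguments: none
# Outputs:   progress text on stdout (gprintf / daemon)
# Returns:   2 when CLIENT_STATE_DIRECTORY is rejected, otherwise the exit
#            status of "daemon ftwall"
#######################################
start() {
	local var now

	gprintf "Starting ftwall: "

	# Make sure the kernel's receive-buffer ceiling is at least as large as
	# the netlink buffer ftwall will ask for. It is only ever raised here.
	var=net.core.rmem_max
	now=$(/sbin/sysctl -n "$var")
	# If sysctl printed nothing (failed, or the key is missing) skip the
	# comparison instead of handing an empty string to "-lt".
	if [ -n "$now" ] && [ "$now" -lt "$NETLINK_BUFFER_SIZE" ]; then
		/sbin/sysctl -w "$var=$NETLINK_BUFFER_SIZE"
	fi

	# Best effort: the module may already be loaded or built in.
	modprobe ip_queue >/dev/null 2>&1

	if [ -n "$CLIENT_STATE_DIRECTORY" ]; then
		case "$CLIENT_STATE_DIRECTORY" in
			*..*)	# simple check for ".." anywhere in the path
				gprintf "Bad CLIENT_STATE_DIRECTORY string\n"
				return 2
				;;
			/var/log/|/var/log/.|/var/log/*/*)
				# "/var/log/" itself, "/var/log/." and anything nested deeper
				# than one level (or written with a trailing slash) must never
				# reach the rm -rf below.
				gprintf "CLIENT_STATE_DIRECTORY must be a direct child of /var/log\n"
				return 2
				;;
			/var/log/*)	# a direct child of /var/log: cleared on every start
				rm -rf -- "$CLIENT_STATE_DIRECTORY"
				;;
			*)
				# The configuration notes insist on /var/log; refuse anything
				# else rather than silently passing it on to ftwall via "-c".
				gprintf "CLIENT_STATE_DIRECTORY must be a child of /var/log\n"
				return 2
				;;
		esac
	fi

	# ARGS is a pre-built, space-separated option string, so word splitting
	# here is intentional.
	# shellcheck disable=SC2086
	daemon ftwall $ARGS
	RETVAL=$?
	echo
	if [ "$RETVAL" -eq 0 ]; then
		touch /var/lock/subsys/ftwall
	fi
	return "$RETVAL"
}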

#######################################
# Unload ip_queue and stop the daemon.
# Globals:   RETVAL (written)
# Arguments: none
# Outputs:   progress text on stdout (gprintf / killproc)
# Returns:   the exit status of "killproc ftwall"
#######################################
stop() {
	local status

	# NOTE(review): the module is removed before the daemon that uses it is
	# stopped; any failure here is silenced. Confirm this order is intended.
	rmmod ip_queue >/dev/null 2>&1

	gprintf "Stopping ftwall: "
	killproc ftwall
	status=$?
	RETVAL=$status
	echo

	if [ "$status" -eq 0 ]; then
		rm -f -- /var/lock/subsys/ftwall
	fi
	return "$status"
}

#######################################
# Dispatch on the requested init action.
# Arguments: $1 - one of start, stop, restart, condrestart
# Outputs:   a usage line on an unknown action
# Returns:   exits 1 on an unknown action, 0 otherwise (the result of the
#            individual action is not propagated)
#######################################
main() {
	local action=$1

	case "$action" in
		start)
			start
			;;
		stop)
			stop
			;;
		restart)
			stop
			start
			;;
		condrestart)
			# Only (re)start when a previous start left its lock file behind.
			if [ -e /var/lock/subsys/ftwall ]; then
				start
			fi
			;;
		*)
			gprintf "Usage: %s {start|stop|restart|condrestart}\n" "$0"
			exit 1
			;;
	esac

	exit 0
}

main "$@"

