#!/bin/sh

# Source function library (provides the status() helper used by the "status"
# action at the bottom of this script)
. /etc/init.d/functions

# Fixed, minimal search path for every tool this script runs.
PATH="/sbin:/bin:/usr/sbin:/usr/bin"
# Service name shown in the start/stop messages.
DESC="bridge"
# Bridge device that the switch ports (ethA..ethD) are enslaved to.
IFACE="eth0"
# Wi-Fi station and access-point interfaces; WIFI_AP names the dnsmasq
# fragment written for the hotspot.  WIFI_STA is not referenced elsewhere
# in this file.
WIFI_STA="wlan0"
WIFI_AP="wlan1"

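#######################################
# Print the dnsmasq fragment for the USB CDC-ECM link (ecm0) to stdout.
# The address is reduced to a /30: the network base is the last octet
# rounded down to a multiple of 4, and the single DHCP lease offered is
# base+2 (netmask 255.255.255.252).
# Arguments: $1 - dotted-quad IPv4 address (e.g. the ECM0 setting)
# Outputs:   dnsmasq configuration on stdout
# Returns:   0 on success; 1 if the argument is not four numeric octets
#            (the original code produced an arithmetic syntax error in
#            that case instead)
#######################################
setup_ecmdhcp(){
	local origifs="${IFS}"
	local IFS octet nw rem base
	# Split the dotted quad into $1..$4.
	IFS='.'
	set -- $*
	IFS="${origifs}"

	if [ $# -ne 4 ]; then
		echo "setup_ecmdhcp: expected a dotted-quad IPv4 address" >&2
		return 1
	fi
	for octet in "$@"; do
		case "${octet}" in
			''|*[!0-9]*)
				echo "setup_ecmdhcp: non-numeric octet in '${1}.${2}.${3}.${4}'" >&2
				return 1
				;;
		esac
	done

	# Mask the last octet down to the /30 network base; +2 is the remote end.
	nw=$(( $4 & 0xFFFC ))
	rem=$(( nw + 2 ))
	base="${1}.${2}.${3}"

	cat <<__EOF__
#ecm0 ${base}.${nw} 30
interface=ecm0
dhcp-range=${base}.${rem},${base}.${rem},255.255.255.252,1h
dhcp-option=3
leasefile-ro
__EOF__
}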

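#######################################
# Write the dnsmasq fragment for the Wi-Fi access point interface.
# Globals:   IP, SN, DHCP1, DHCP2 (read; set by /etc/default/wifi or by the
#            first-boot defaults further down this script)
# Arguments: $1 - interface name; doubles as the fragment's filename
# Outputs:   /etc/dnsmasq.d/<iface>
# Returns:   non-zero if the directory or the file cannot be written
#######################################
default_hotspot(){
	local iface="${1}"
	# mkdir -p succeeds silently when the directory already exists, so the
	# previous [ ! -d ] test was redundant.
	mkdir -p /etc/dnsmasq.d

	cat > "/etc/dnsmasq.d/${iface}" <<__EOF__
#IP ${iface}/${SN}
interface=${iface}
dhcp-range=${DHCP1},${DHCP2},4h
dhcp-option=3,${IP}
leasefile-ro
__EOF__
}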

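#######################################
# Create an 802.1Q sub-interface ${IFACE}.<id> on the bridge device.
# Globals:   IFACE (read)
# Arguments: $1 - VLAN id, a plain decimal integer
# Returns:   1 if the id is not all digits; otherwise ip's exit status
#######################################
add_vlan() {
	local vlanid="${1}"
	# The ids come from /etc/default/vlans; refuse anything that is not a
	# number rather than splicing an unexpected token into the ip command.
	case "${vlanid}" in
		''|*[!0-9]*)
			echo "add_vlan: invalid VLAN id '${vlanid}'" >&2
			return 1
			;;
	esac
	/sbin/ip link add link "${IFACE}" name "${IFACE}.${vlanid}" type vlan id "${vlanid}"
}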

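#######################################
# Force a fixed speed/duplex on a switch port, or fall back to autoneg with
# an explicit advertise mask.
# Arguments: $1 - mode.  A single ethtool link-mode bit selects a forced
#                 setting: 1=10/half 2=10/full 4=100/half 8=100/full
#                 16=1000/half 32=1000/full.  Any other value is passed to
#                 ethtool as an advertise mask (printed as 0x%03X) with
#                 autoneg on.
#            $2 - interface name (optional; defaults to ethA, the only port
#                 the original hard-coded)
# Returns:   ethtool's exit status
#######################################
set_ethmode() {
	local dev="${2:-ethA}"
	local mode="${1}"
	# Build the ethtool argument list in "$@" (POSIX sh has no arrays) so
	# that ethtool is invoked from exactly one place.
	case "${mode}" in
		1)  set -- speed 10 duplex half autoneg off ;;
		2)  set -- speed 10 duplex full autoneg off ;;
		4)  set -- speed 100 duplex half autoneg off ;;
		8)  set -- speed 100 duplex full autoneg off ;;
		16) set -- speed 1000 duplex half autoneg off ;;
		32) set -- speed 1000 duplex full autoneg off ;;
		*)  set -- advertise "$(printf '0x%03X' "${mode}")" autoneg on ;;
	esac
	/usr/sbin/ethtool -s "${dev}" "$@"
}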

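# Optional site configuration.  Both files are executed as shell code with
# this script's privileges, so they must be writable by root only.
# /etc/default/vlans is expected to set VLANS to a space-separated list of
# VLAN ids (consumed by the start action).  "." replaces the bash-only
# "source" so the script matches its #!/bin/sh shebang.
if [ -e /etc/default/static ]; then
	. /etc/default/static
fi

if [ -e /etc/default/vlans ]; then
	. /etc/default/vlans
fi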

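# Base address for the USB CDC-ECM (ecm0) /30 link, persisted on first run
# so it stays stable afterwards.  The file is shell code and is sourced with
# "." rather than the bash-only "source" (the shebang is /bin/sh).
if [ ! -e /etc/default/usbcdc ]; then
	ECM0=172.31.255.192
	printf 'ECM0="%s";\n' "${ECM0}" > /etc/default/usbcdc
else
	. /etc/default/usbcdc
fi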

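# Wi-Fi access point settings.  /etc/default/wifi is shell code that is
# sourced (so root-only write access matters); it also carries the PSK, and
# it is created below with the process's default umask — review whether a
# tighter mode is wanted on this platform.
if [ -e /etc/default/wifi ]; then
	. /etc/default/wifi
	if [ ! -e "/etc/dnsmasq.d/${WIFI_AP}" ]; then
		default_hotspot "${WIFI_AP}"
	fi
else
	# First run: seed a default hotspot on a private /28 (172.31.255.224/28,
	# gateway .225, leases .226-.238) and write the defaults out.
	IP=172.31.255.225
	SN=28
	DHCP1=172.31.255.226
	DHCP2=172.31.255.238
	cat > /etc/default/wifi <<__EOF__
WIFI_MODE="DEF";
#WIFI_AP_BRIDGE="${IFACE}";
IP="${IP}";
SN="${SN}";
DHCP1="${DHCP1}";
DHCP2="${DHCP2}";
SSID="";
PSK="";
__EOF__
	default_hotspot "${WIFI_AP}"
fi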


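set -e

#######################################
# Create a netfilter chain only if it does not exist yet.  "stop" does not
# flush the firewall, so on a restart a plain "-N" would fail and, under
# set -e, abort the whole start.  The IPv6 side already did this check;
# the IPv4 chains (FIREWALL, PPP, nat/WG) did not.
# Arguments: $1 - iptables or ip6tables binary
#            $2 - chain name
#            $@ - optional table selector, e.g. "-t nat"
#######################################
ensure_chain() {
	local tool="${1}" chain="${2}"
	shift 2
	"${tool}" "$@" -nL "${chain}" >/dev/null 2>&1 || "${tool}" "$@" -N "${chain}"
}

case "${1}" in
	start)
		echo "Starting $DESC: "
		if [ -e /dev/rfkill ]; then
			/usr/sbin/rfkill unblock wifi
		fi

		# dnsmasq fragment for the USB CDC-ECM link.
		setup_ecmdhcp "${ECM0}" > /etc/dnsmasq.d/ecm0

		# Optional forced link mode on the first switch port.  ETHMODE is
		# an ethtool link-mode bitmask; the default 0x00F is bits 1,2,4,8,
		# i.e. the four 10/100 modes set_ethmode knows about.
		if [ -d /sys/class/net/ethA ]; then
			set_ethmode $((${ETHMODE-0x00F}))
		fi
		# Enslave every switch port that exists and is not yet in the bridge.
		for BRIFACE in ethA ethB ethC ethD; do
			if [ -d "/sys/class/net/${BRIFACE}" ] && [ ! -d "/sys/class/net/${IFACE}/brif/${BRIFACE}" ]; then
				/sbin/ip link set dev "${BRIFACE}" master "${IFACE}"
				/sbin/ip link set dev "${BRIFACE}" up
			fi
		done

		# ---- IPv6 firewall -------------------------------------------
		for chain in FIREWALL PPP IPv6 IPv6LOCAL; do
			ensure_chain /usr/sbin/ip6tables "${chain}"
		done

		# INPUT: reject type-0 routing headers, keep established flows,
		# drop invalid state, hand NEW connections to FIREWALL, then the
		# IPv6 chain (link-local/ND/multicast), reject WAN-facing
		# interfaces outright, then PPP, then reject everything else.
		# NOTE: these -A rules are appended on every start; a restart
		# without a flush therefore accumulates duplicates.
		/usr/sbin/ip6tables -A INPUT -j REJECT -m rt --rt-type 0 --reject-with icmp6-adm-prohibited
		/usr/sbin/ip6tables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
		/usr/sbin/ip6tables -A INPUT -j REJECT -m state --state INVALID --reject-with icmp6-adm-prohibited
		/usr/sbin/ip6tables -A INPUT -j FIREWALL -m state --state NEW
		/usr/sbin/ip6tables -A INPUT -j IPv6
		/usr/sbin/ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -i ppp0
		/usr/sbin/ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -i wwan0
		/usr/sbin/ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -i usb0
		/usr/sbin/ip6tables -A INPUT -j PPP
		/usr/sbin/ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited

		/usr/sbin/ip6tables -A FIREWALL -j ACCEPT -p icmpv6  --icmpv6-type echo-request

		#Link local traffic
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -s fe80::/64 -d fe80::/64
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -s fe80::/64 -p icmpv6

		#Router/Neighbour Discovery: 133 RS, 134 RA, 135 NS, 136 NA.
		#(The original listed 134 twice and had no 135; the duplicate is
		#replaced by neighbour solicitation so the set is complete.)
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -d fe80::/64 -p icmpv6 --icmpv6-type 133
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -d fe80::/64 -p icmpv6 --icmpv6-type 134
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -d fe80::/64 -p icmpv6 --icmpv6-type 135
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -d fe80::/64 -p icmpv6 --icmpv6-type 136

		#Link local multicast
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -s fe80::/64 -d ff00::/8

		#Local Multicast ff01 ff02 ff03 ff04 ff05
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -d ff00::/13

		#Organisation Multicast
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -d ff08::/16

		#Global Multicast
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -d ff0E::/16

		#Allow sockets to close gracefully
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -p tcp --tcp-flags SYN,ACK,FIN,RST FIN,ACK

		#Loopback
		/usr/sbin/ip6tables -A IPv6 -j ACCEPT -i lo -s ::1/128 -d ::1/128

		# ---- IPv4 firewall -------------------------------------------
		# Conntrack helpers are attached explicitly (raw table) rather than
		# auto-loaded.
		/usr/sbin/iptables -A PREROUTING -t raw -p tcp --dport 5060 -j CT --helper sip
		/usr/sbin/iptables -A PREROUTING -t raw -p udp --dport 5060 -j CT --helper sip
		/usr/sbin/iptables -A PREROUTING -t raw -p udp --dport 69 -j CT --helper tftp
		/usr/sbin/iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp

		ensure_chain /usr/sbin/iptables FIREWALL
		ensure_chain /usr/sbin/iptables PPP
		ensure_chain /usr/sbin/iptables WG -t nat

		# Inserted at the head, so WG ends up first in POSTROUTING.
		/usr/sbin/iptables -t nat -I POSTROUTING -j MASQUERADE -o "${IFACE}"
		/usr/sbin/iptables -t nat -I POSTROUTING -j MASQUERADE -o ppp0
		/usr/sbin/iptables -t nat -I POSTROUTING -j MASQUERADE -o wwan0
		/usr/sbin/iptables -t nat -I POSTROUTING -j MASQUERADE -o usb0
		/usr/sbin/iptables -t nat -I POSTROUTING -j WG

		/usr/sbin/iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
		/usr/sbin/iptables -A INPUT -j DROP -m state --state INVALID
		/usr/sbin/iptables -A INPUT -j FIREWALL -m state --state NEW
		/usr/sbin/iptables -A INPUT -j ACCEPT -p ipv6
		/usr/sbin/iptables -A INPUT -j PPP
		/usr/sbin/iptables -A INPUT -j DROP -i ppp0
		/usr/sbin/iptables -A INPUT -j DROP -i wwan0

		/usr/sbin/iptables -A INPUT -j DROP -i usb0

		/usr/sbin/iptables -A FIREWALL -j ACCEPT -p icmp --icmp-type echo-request
		# Expose ssh only while empty passwords are not permitted.  -s keeps
		# grep quiet when /etc/default/ssh is missing, which then counts as
		# "not permitted" and opens the port.
		if ! /bin/grep -q -s "PermitEmptyPasswords=yes" /etc/default/ssh; then
			/usr/sbin/iptables -A FIREWALL -j ACCEPT -p tcp --dport 22
			/usr/sbin/ip6tables -A FIREWALL -j ACCEPT -p tcp --dport 22
		fi

		# VLANS is a space-separated list of ids; word splitting is intended.
		if [ "${VLANS}" ]; then
			for vlanid in ${VLANS}; do
				add_vlan "${vlanid}"
			done
		fi

		echo 1 > /proc/sys/net/ipv4/ip_forward
	;;
	stop)
		printf '%s' "Stopping $DESC: "
		# Mirror the guard used by start: without /dev/rfkill the block
		# would fail and, under set -e, make stop (and hence restart,
		# which runs stop first) exit early.
		if [ -e /dev/rfkill ]; then
			/usr/sbin/rfkill block wifi
		fi
		/sbin/ip addr flush dev "${IFACE}" scope global
	;;
	restart|force-reload)
		$0 stop
		sleep 1
		$0 start
	;;
	status)
		# NOTE(review): DAEMON is never assigned in this file; unless one of
		# the sourced /etc/default files sets it, status() from
		# /etc/init.d/functions runs with an empty argument — confirm.
		status ${DAEMON} || exit $?
	;;
	*)
		N=/etc/init.d/bridge
		echo "Usage: $N {start|stop|restart|force-reload|status}" >&2
		exit 1
	;;
esac

exit 0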
