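#!/bin/sh
# Init script for youtubeUnblock: launches the NFQUEUE listener and installs
# (or removes) the iptables/ip6tables rules that steer the first packets of
# each flow into it.
#
# Usage: $0 {start|stop|restart|status|firewall-load|firewall-stop|init-system}
#        the per-family actions firewall_{start,stop}_v{4,6} are accepted too.
# $2 is the caller name; a "cron" caller is refused (status 8) unless ENABLED=yes.
#
# Kept POSIX-sh compatible (busybox/dash): no bashisms, printf instead of echo -e.

# Pass your args here
ARGS=""
ENABLED=yes
PROCS=youtubeUnblock
PATH=/opt/sbin:/opt/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
IPV6=1
ACTION=$1
CALLER=$2

# . /opt/etc/nfqws/nfqws.conf

ansi_red="\033[1;31m"
ansi_white="\033[1;37m"
ansi_green="\033[1;32m"
ansi_yellow="\033[1;33m"
ansi_blue="\033[1;34m"
ansi_bell="\007"
ansi_blink="\033[5m"
ansi_std="\033[m"
ansi_rev="\033[7m"
ansi_ul="\033[4m"

#######################################
# Checks whether a process named $PROCS is running.
# Globals:  PROCS (read), PID_RUNNING (written: newest matching PID or empty)
# Returns:  0 if running, 1 otherwise
#######################################
is_running() {
  PID_RUNNING=$(pgrep -nx "$PROCS" 2>/dev/null)
  [ -n "$PID_RUNNING" ]
}

#######################################
# Loads kernel modules, starts $PROCS in the background, installs the
# firewall rules and applies the conntrack sysctls.
# Globals:  CALLER, ENABLED, PROCS, ARGS, IPV6
# Returns:  8 when called from cron while disabled, 1 if already running or
#           if the $PROCS binary cannot be found, 0 otherwise
#######################################
start() {
  if [ "$CALLER" = "cron" ] && [ "$ENABLED" != yes ]; then
    return 8
  fi
  if is_running; then
    printf '%b\n' "$ansi_white $PROCS is already running $ansi_std" >&2
    return 1
  fi
  # Refuse before touching the firewall: with --queue-bypass the rules below
  # fail open, so rules without a listener silently pass traffic unmodified.
  if ! command -v "$PROCS" >/dev/null 2>&1; then
    printf '%b\n' "$ansi_red $PROCS not found in PATH $ansi_std" >&2
    return 1
  fi
  kernel_modules_load
  if [ "$IPV6" -eq 0 ]; then
    ARGS="$ARGS --no-ipv6"
  fi
  # ARGS is a user-supplied option string and must be word-split here.
  # shellcheck disable=SC2086
  $PROCS $ARGS >/dev/null 2>&1 &
  firewall_start_v4
  firewall_start_v6
  system_config
  printf '%b\n' "$ansi_white Started $PROCS $ansi_std"
}

#######################################
# Removes the firewall rules and terminates every $PROCS process.
# Note: the sysctls set by system_config are not reverted.
#######################################
stop() {
  printf '%b\n' "$ansi_white Shutting down $PROCS $ansi_std"
  firewall_stop_v4
  firewall_stop_v6
  killall "$PROCS" 2>/dev/null
}

#######################################
# Idempotent iptables wrapper.
# Arguments: $1 - iptables or ip6tables
#            $2 - -A, -I or -D
#            $@ - the rule (table, chain and match/target options)
# Behaviour: -A/-I add the rule only if `-C` says it is absent (exit 1 from the
#            script if the add fails); -D deletes it only if it is present.
# Uses locals so the script-level ACTION variable is not clobbered.
#######################################
_iptables() {
  local cmd act exists
  cmd=$1
  act=$2
  shift 2
  # -C succeeds only when an identical rule already exists.
  if "$cmd" -C "$@" 2>/dev/null; then
    exists=1
  else
    exists=0
  fi
  if [ "$act" = "-A" ] || [ "$act" = "-I" ]; then
    if [ "$exists" -eq 0 ]; then
      "$cmd" "$act" "$@" || exit 1
    fi
  else # -D
    if [ "$exists" -ne 0 ]; then
      "$cmd" "$act" "$@"
    fi
  fi
}

#######################################
# IPv4 rules: the first 20 packets of each TCP/443 connection and the first
# 9 packets of each UDP flow (original direction) go to NFQUEUE 537.
# --queue-bypass means packets are accepted, not dropped, when nothing is
# listening on the queue (fail-open by design).
# The OUTPUT rule accepts packets carrying mark bit 0x8000 - presumably the
# mark $PROCS puts on the packets it re-injects; confirm against the program.
#######################################
firewall_start_v4() {
  iptables -t mangle -N YOUTUBEUNBLOCK >/dev/null 2>&1
  _iptables iptables -A YOUTUBEUNBLOCK -t mangle -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
  _iptables iptables -A YOUTUBEUNBLOCK -t mangle -p udp -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:8 -j NFQUEUE --queue-num 537 --queue-bypass
  _iptables iptables -A POSTROUTING -t mangle -j YOUTUBEUNBLOCK
  _iptables iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT
}

#######################################
# Removes the IPv4 rules (mirror of firewall_start_v4) and the chain.
#######################################
firewall_stop_v4() {
  _iptables iptables -D YOUTUBEUNBLOCK -t mangle -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
  _iptables iptables -D YOUTUBEUNBLOCK -t mangle -p udp -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:8 -j NFQUEUE --queue-num 537 --queue-bypass
  _iptables iptables -D POSTROUTING -t mangle -j YOUTUBEUNBLOCK
  _iptables iptables -D OUTPUT -m mark --mark 32768/32768 -j ACCEPT
  # The chain must be empty and unreferenced before -X can succeed.
  iptables -t mangle -X YOUTUBEUNBLOCK >/dev/null 2>&1
}

#######################################
# IPv6 counterpart of firewall_start_v4; no-op when IPV6=0.
#######################################
firewall_start_v6() {
  if [ "$IPV6" -eq 0 ]; then
    return 0
  fi
  ip6tables -t mangle -N YOUTUBEUNBLOCK >/dev/null 2>&1
  _iptables ip6tables -A YOUTUBEUNBLOCK -t mangle -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
  _iptables ip6tables -A YOUTUBEUNBLOCK -t mangle -p udp -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:8 -j NFQUEUE --queue-num 537 --queue-bypass
  _iptables ip6tables -A POSTROUTING -t mangle -j YOUTUBEUNBLOCK
  _iptables ip6tables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT
}

#######################################
# IPv6 counterpart of firewall_stop_v4; no-op when IPV6=0.
#######################################
firewall_stop_v6() {
  if [ "$IPV6" -eq 0 ]; then
    return 0
  fi
  _iptables ip6tables -D YOUTUBEUNBLOCK -t mangle -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass
  _iptables ip6tables -D YOUTUBEUNBLOCK -t mangle -p udp -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:8 -j NFQUEUE --queue-num 537 --queue-bypass
  _iptables ip6tables -D POSTROUTING -t mangle -j YOUTUBEUNBLOCK
  _iptables ip6tables -D OUTPUT -m mark --mark 32768/32768 -j ACCEPT
  ip6tables -t mangle -X YOUTUBEUNBLOCK >/dev/null 2>&1
}

#######################################
# Loads xt_connbytes and xt_NFQUEUE. First tries insmod on the module file
# found under /lib/modules/<kernel> (works on routers without a modprobe
# dependency map), then modprobe as a fallback; both are best-effort.
# Outputs: one "<module> loaded" line per successful load, on stdout
#######################################
kernel_modules_load() {
  local kernel connbytes_mod_path nfqueue_mod_path
  kernel=$(uname -r)
  # If several matching files exist, find prints several paths and insmod
  # fails on the multi-line argument; the modprobe fallback then applies.
  connbytes_mod_path=$(find "/lib/modules/$kernel" -name "xt_connbytes.ko*")
  if [ -n "$connbytes_mod_path" ]; then
    insmod "$connbytes_mod_path" >/dev/null 2>&1 && echo "xt_connbytes.ko loaded"
  fi
  nfqueue_mod_path=$(find "/lib/modules/$kernel" -name "xt_NFQUEUE.ko*")
  if [ -n "$nfqueue_mod_path" ]; then
    insmod "$nfqueue_mod_path" >/dev/null 2>&1 && echo "xt_NFQUEUE.ko loaded"
  fi
  # --first-time makes modprobe fail (quietly) when the module is already in.
  (modprobe xt_connbytes --first-time >/dev/null 2>&1 && echo "xt_connbytes loaded") || true
  (modprobe xt_NFQUEUE --first-time >/dev/null 2>&1 && echo "xt_NFQUEUE loaded") || true
}

#######################################
# Relaxes conntrack validation host-wide: checksum verification is turned off
# and out-of-window TCP segments are tracked instead of flagged INVALID.
# Presumably required so the altered packets $PROCS emits are not dropped by
# conntrack - confirm against the program. These settings apply to all
# traffic on the host and are not reverted by stop.
#######################################
system_config() {
  sysctl -w net.netfilter.nf_conntrack_checksum=0 >/dev/null 2>&1
  sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=1 >/dev/null 2>&1
}

#######################################
# Prints "running" or "stopped".
#######################################
status() {
  if is_running; then
    echo "running"
  else
    echo "stopped"
  fi
}

case "$ACTION" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status
    ;;
  restart)
    stop
    start
    ;;
  firewall-load)
    firewall_start_v4
    firewall_start_v6
    ;;
  firewall-stop)
    firewall_stop_v4
    firewall_stop_v6
    ;;
  firewall_stop_v4)
    firewall_stop_v4
    ;;
  firewall_start_v4)
    firewall_start_v4
    ;;
  firewall_stop_v6)
    firewall_stop_v6
    ;;
  firewall_start_v6)
    firewall_start_v6
    ;;
  init-system)
    kernel_modules_load
    system_config
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status|firewall-load|firewall-stop|init-system}"
    ;;
esac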