#!/bin/sh /etc/rc.common
#
# Copyright (C) 2017-2019 Yousong Zhou <yszhou4tech@gmail.com>
#
# This is free software, licensed under the GNU General Public License v3.
# See /LICENSE for more information.
#

USE_PROCD=1
START=99

EXTRA_COMMANDS="rules_up rules_down rules_exist"

. /usr/lib/unbound/iptools.sh

ss_confdir=/var/etc/shadowsocks-rust
ss_bindir=/usr/bin

ssrules_uc="/usr/share/ssr-rules/ss-rules.uc"
ssrules_nft="/etc/nftables.d/90-proxy-ssr-rules.nft"

ss_mkjson_server_conf() {
	local cfgserver

	config_get cfgserver "$cfg" server
	[ -n "$cfgserver" ] || return 1
	eval "$(validate_server_section "$cfg" ss_validate_mklocal)"
	validate_server_section "$cfgserver" || return 1
	[ "$disabled" = 0 ] || return 1
	ss_mkjson_server_conf_ "$cfgserver"
}

ss_mkjson_server_conf_() {
	[ -n "$server_port" ] || return 1
	[ -z "$server" ] || json_add_string server "$server"
	json_add_int server_port "$server_port"
	[ -z "$method" ] || json_add_string method "$method"
	[ -z "$key" ] || json_add_string key "$key"
	[ -z "$password" ] || json_add_string password "$password"
	[ -z "$plugin" ] || json_add_string plugin "$plugin"
	[ -z "$plugin_opts" ] || json_add_string plugin_opts "$plugin_opts"
}

ss_mkjson_ss_local_conf() {
	ss_mkjson_server_conf
}

ss_mkjson_ss_redir_conf() {
	ss_mkjson_server_conf
}

ss_mkjson_ss_server_conf() {
	ss_mkjson_server_conf_
}

ss_mkjson_ss_tunnel_conf() {
	ss_mkjson_server_conf || return 1
	[ -n "$tunnel_address" ] || return 1
	json_add_string tunnel_address "$tunnel_address"
}

ss_xxx() {
	local cfg="$1"
	local cfgtype="$2"
#	local bin="$ss_bindir/${cfgtype/_/-}"
	local bin="$ss_bindir/sslocal"
	local confjson="$ss_confdir/$cfgtype.$cfg.json"

	[ -x "$bin" ] || return
	eval "$("validate_${cfgtype}_section" "$cfg" ss_validate_mklocal)"
	"validate_${cfgtype}_section" "$cfg" || return
	[ "$disabled" = 0 ] || return

	json_init
	ss_mkjson_${cfgtype}_conf || return
	json_add_boolean use_syslog 1
	json_add_boolean ipv6_first "$ipv6_first"
	json_add_boolean fast_open "$fast_open"
	json_add_boolean reuse_port "$reuse_port"
	json_add_boolean no_delay "$no_delay"
	json_add_boolean mptcp "$mptcp"
	[ "$cfgtype" != "ss_local" ] && json_add_string protocol "${cfgtype/ss_/}"
	[ -z "$local_address" ] || json_add_string local_address "$local_address"
	[ -z "$local_port" ] || json_add_int local_port "$local_port"
	[ -z "$local_ipv4_address" ] || json_add_string local_ipv4_address "$local_ipv4_address"
	[ -z "$local_ipv6_address" ] || json_add_string local_ipv6_address "$local_ipv6_address"
	[ -z "$mode" ] || json_add_string mode "$mode"
	[ -z "$mtu" ] || json_add_int mtu "$mtu"
	[ -z "$timeout" ] || json_add_int timeout "$timeout"
	[ -z "$user" ] || json_add_string user "$user"
	[ -z "$acl" ] || json_add_string acl "$acl"
	json_dump -i >"$confjson"

	procd_open_instance "$cfgtype.$cfg"
	procd_set_param command "$bin" -c "$confjson"
	[ "$verbose" = 0 ] || procd_append_param command -v
	if [ -n "$bind_address" ]; then
		echo "$cfgtype $cfg: uci option bind_address deprecated, please switch to local_address" >&2
		procd_append_param command -b "$bind_address"
	fi
	procd_set_param file "$confjson"
	procd_set_param respawn
	procd_close_instance
	ss_rules_cb
}

ss_omr_servers() {
	add_ip() {
		local ip="$1"
		[ -n "$ip" ] && [ -z "$(echo \"$ss_redir_servers\" | grep \"$ip\")" ] && ss_redir_servers="$ss_redir_servers $ip"
	}
	config_list_foreach "$1" ip add_ip
}

ss_rules_cb() {
	local cfgserver server

	if [ "$cfgtype" = ss_redir ]; then
		config_get cfgserver "$cfg" server
		config_get server "$cfgserver" server
		if [ -z "$ss_redir_servers" ]; then
			ss_redir_servers="$server"
		else
			ss_redir_servers="$ss_redir_servers $server"
		fi
		if [ "$mode" = tcp_only -o "$mode" = "tcp_and_udp" ]; then
			eval "ss_rules_redir_tcp_$cfg=$local_port"
		fi
		if [ "$mode" = udp_only -o "$mode" = "tcp_and_udp" ]; then
			eval "ss_rules_redir_udp_$cfg=$local_port"
		fi
	fi
}

ss_redir_ports() {
	port=$(uci -q get shadowsocks-rust.$1.local_port)
	server=$(uci -q get shadowsocks-rust.$1.server)
	disabled=$(uci -q get shadowsocks-rust.$1.disabled)
	if [ "$disabled" != "1" ] && ([ "$server" = "$2" ] || [ "$2" = "" ]); then
		if [ "$port" -lt "$min_ss_redir_ports" ]; then
			min_ss_redir_ports=$port
		fi
		if [ "$port" -gt "$max_ss_redir_ports" ]; then
			max_ss_redir_ports=$port
		fi
	fi
}

ss_rules_nft_gen() {
	local cfg="ss_rules"
	local cfgtype
	local local_port_tcp local_port_udp
	local remote_servers
	[ -s "$ssrules_uc" ] || return 1
	config_get cfgtype "$cfg" TYPE
	[ "$cfgtype" = ss_rules ] || return 1
	eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)"
	validate_ss_rules_section "$cfg" || return 1
	[ "$disabled" = 0 ] || return 2

	config_get server "$cfg" server
	[ "$(uci -q get shadowsocks-rust.${server}.disabled)" = "1" ] && return 2

	if [ "$ss_rules_redir_tcp_$redir_tcp" = "all" ]; then
		min_ss_redir_ports="65535"
		max_ss_redir_ports="0"
		config_load shadowsocks-rust
		config_foreach ss_redir_ports ss_redir $cfgrulesserver
		if [ "$min_ss_redir_ports" != "$max_ss_redir_ports" ]; then
			all_ss_redir_ports=$min_ss_redir_ports-$max_ss_redir_ports
		else
			all_ss_redir_ports=$min_ss_redir_ports
		fi
		local_port_tcp="$all_ss_redir_ports"
		if [ "$ss_rules_redir_udp_$redir_udp" = "all" ] || [ "$ss_rules_redir_udp_$redir_udp" = "hi1" ]; then
			local_port_udp="$min_ss_redir_ports"
		fi
	else
		eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp"
		eval local_port_udp="\$ss_rules_redir_udp_$redir_udp"
	fi

	[ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1

	if [ -z "$(echo $ss_redir_servers | grep ' ')" ]; then
		valid_ip4=$( valid_subnet4 $ss_redir_servers)
		valid_ip6=$( valid_subnet6 $ss_redir_servers)
		if [ "$valid_ip4" = "ok" ] || [ "$valid_ip6" = "ok" ]; then
			remote_servers=$ss_redir_servers
		fi
	fi
	[ -z "$remote_servers" ] && remote_servers="$(echo $ss_redir_servers \
		| tr ' ' '\n' \
		| sort -u \
		| xargs -n 1 resolveip \
		| sort -u)"

	local tmp="/tmp/ssrrules"
	json_init
	json_add_string o_remote_servers "$remote_servers"
	json_add_string o_redir_tcp_port "$local_port_tcp"
	json_add_string o_redir_udp_port "$local_port_udp"
	json_add_string o_ifnames "$ifnames"
	json_add_string o_local_default "$local_default"
	json_add_string o_src_bypass "$src_ips_bypass"
	json_add_string o_src_forward "$src_ips_forward"
	json_add_string o_src_checkdst "$src_ips_checkdst"
	json_add_string o_src_default "$src_default"
	json_add_string o_dst_bypass "$dst_ips_bypass"
	json_add_string o_dst_forward "$dst_ips_forward"
	json_add_string o_dst_bypass_file "$dst_ips_bypass_file"
	json_add_string o_dst_forward_file "$dst_ips_forward_file"
	json_add_string o_dst_default "$dst_default"
	json_add_string o_nft_tcp_extra "$nft_tcp_extra"
	json_add_string o_nft_udp_extra "$nft_udp_extra"
	json_dump -i >"$tmp.json"

	if utpl -S -F "$tmp.json" "$ssrules_uc" >"$tmp.nft" \
		&& ! cmp -s "$tmp.nft" "$ssrules_nft"; then
		echo "table inet chk {include \"$tmp.nft\";}" >"$tmp.nft.chk"
		if nft -f "$tmp.nft.chk" -c; then
			mv "$tmp.nft" "$ssrules_nft"
			fw4 -q restart
		fi
		rm -f "$tmp.nft.chk"
	fi
	rm -f "$tmp.json"
	rm -f "$tmp.nft"
}

ss_rules_nft_reset() {
	if [ -f "$ssrules_nft" ] || [ -f "${ssrules_nft}.down" ]; then
		rm -f "$ssrules_nft"
		rm -f "${ssrules_nft}.down"
		fw4 -q restart
	fi
}

ss_rules() {
	if ! ss_rules_nft_gen; then
		ss_rules_nft_reset
	fi
}

rules_up() {
	if [ -f "${ssrules_nft}.down" ]; then
		mv -f "${ssrules_nft}.down" "$ssrules_nft"
		fw4 -q restart
	fi
}

rules_down() {
	if [ -f "${ssrules_nft}" ]; then
		mv -f "$ssrules_nft" "${ssrules_nft}.down"
		fw4 -q restart
	fi
}

rules_exist() {
	if [ -f "$ssrules_nft" ]; then
		return 0
	else
		return 1
	fi
}



start_service() {
	local cfgtype
	[ -n "$(uci -q get firewall.ssr_rules)" ] && {
		uci -q del firewall.ssr_rules
		uci -q commit firewall
	}
	mkdir -p "$ss_confdir"
	config_load shadowsocks-rust
	for cfgtype in ss_local ss_redir ss_server ss_tunnel; do
		config_foreach ss_xxx "$cfgtype" "$cfgtype"
	done
	if [ -n "$(uci show openmptcprouter)" ]; then
		config_load openmptcprouter
		config_foreach ss_omr_servers server
	fi
	ss_rules
}

stop_service() {
	ss_rules_nft_reset
	rm -rf "$ss_confdir"
}

restart_service() {
	stop
	start
}

reload_service() {
	stop
	start
}

service_triggers() {
	procd_add_reload_interface_trigger wan
	procd_add_reload_trigger shadowsocks-rust
	procd_open_validate
	validate_server_section
	validate_ss_local_section
	validate_ss_redir_section
	validate_ss_rules_section
	validate_ss_server_section
	validate_ss_tunnel_section
	procd_close_validate
}

ss_validate_mklocal() {
	local tuple opts

	shift 2
	for tuple in "$@"; do
		opts="${tuple%%:*} $opts"
	done
	[ -z "$opts" ] || echo "local $opts"
}

ss_validate() {
	uci_validate_section shadowsocks-rust "$@"
}

validate_common_server_options_() {
	local cfgtype="$1"; shift
	local cfg="$1"; shift
	local func="$1"; shift
	local stream_methods='"none", "plain", "chacha20-ietf-poly1305"'
	local aead_methods='"aes-128-gcm", "aes-256-gcm","2022-blake3-aes-128-gcm", "2022-blake3-aes-256-gcm", "chacha20-ietf-poly1305", "2022-blake3-chacha20-poly1305","2022-blake3-chacha8-poly1305"'


	"${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \
		'disabled:bool:0' \
		'server:host' \
		'server_port:port' \
		'password:string' \
		'key:string' \
		"method:or($stream_methods, $aead_methods)" \
		'plugin:string' \
		'plugin_opts:string'
}

validate_common_client_options_() {
	validate_common_options_ "$@" \
		'server:uci("shadowsocks-rust", "@server")' \
		'local_address:ipaddr:0.0.0.0' \
		'local_port:port'
}

validate_common_options_() {
	local cfgtype="$1"; shift
	local cfg="$1"; shift
	local func="$1"; shift

	"${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \
		'disabled:bool:0' \
		'fast_open:bool:0' \
		'ipv6_first:bool:0' \
		'no_delay:bool:0' \
		'reuse_port:bool:0' \
		'mptcp:bool:0' \
		'verbose:bool:0' \
		'mode:or("tcp_only", "udp_only", "tcp_and_udp"):tcp_only' \
		'mtu:uinteger' \
		'timeout:uinteger' \
		'user:string'
}

validate_server_section() {
	validate_common_server_options_ server "$1" "$2"
}

validate_ss_local_section() {
	validate_common_client_options_ ss_local "$1" "$2" \
		'acl:file'
}

validate_ss_redir_section() {
	validate_common_client_options_ ss_redir "$1" "$2"
}

validate_ss_rules_section() {
	"${2:-ss_validate}" ss_rules "$1" \
		'disabled:bool:0' \
		'redir_tcp:or(uci("shadowsocks-rust", "@ss_redir"),"all")' \
		'redir_udp:or(uci("shadowsocks-rust", "@ss_redir"),"all")' \
		'src_ips_bypass:or(ipaddr,cidr)' \
		'src_ips_forward:or(ipaddr,cidr)' \
		'src_ips_checkdst:or(ipaddr,cidr)' \
		'dst_ips_bypass_file:file' \
		'dst_ips_bypass:or(ipaddr,cidr)' \
		'dst_ips_forward_file:file' \
		'dst_ips_forward:or(ipaddr,cidr)' \
		'src_default:or("bypass", "forward", "checkdst"):checkdst' \
		'dst_default:or("bypass", "forward"):bypass' \
		'local_default:or("bypass", "forward", "checkdst"):bypass' \
		'nft_tcp_extra:string' \
		'nft_udp_extra:string' \
		'ifnames:maxlength(15)'
}

validate_ss_server_section() {
	validate_common_server_options_ ss_server "$1" \
		validate_common_options_ \
		"$2" \
		'local_address:ipaddr' \
		'local_ipv4_address:ip4addr' \
		'local_ipv6_address:ip6addr' \
		'bind_address:ipaddr' \
		'acl:file'
}

validate_ss_tunnel_section() {
	validate_common_client_options_ ss_tunnel "$1" \
		"$2" \
		'tunnel_address:regex(".+\:[0-9]+")'
}
