# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.

# can override in config :
NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"

alloc_dnum DNUM_NFQWS_MY1
alloc_qnum QNUM_NFQWS_MY1
NFQWS_MY1_SET_NAME=my1nfqws4

zapret_custom_daemons()
{
	# $1 - 1 - run, 0 - stop

	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
	do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
}

zapret_custom_firewall()
{
	# $1 - 1 - run, 0 - stop

	local f
	local first_packets_only="$ipt_connbytes 1:3"
	local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
	local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
	local subnet

	local DISABLE_IPV6=1

	[ "$1" = 1 ] && {
		ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
		ipset flush $NFQWS_MY1_SET_NAME
		for subnet in $NFQWS_MY1_SUBNETS; do
			echo add $NFQWS_MY1_SET_NAME $subnet
		done | ipset -! restore
	}

	f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
	fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1

	[ "$1" = 1 ] || {
		ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
	}
}

zapret_custom_firewall_nft()
{
	# stop logic is not required

	local f
	local first_packets_only="$nft_connbytes 1-3"
	local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
	local subnets

	local DISABLE_IPV6=1

	make_comma_list subnets $NFQWS_MY1_SUBNETS
	nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
	nft_flush_set $NFQWS_MY1_SET_NAME
	nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"

	f="udp dport {$NFQWS_MY1_PORTS}"
	nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
}

zapret_custom_firewall_nft_flush()
{
	# this function is called after all nft fw rules are deleted
	# however sets are not deleted. it's desired to clear sets here.

	nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
}