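#!/bin/bash
# Keep the M2-BLOCK-SCANNERS iptables chain in sync with the scanner
# signatures configured in /etc/m2/system.conf.
#
# Config keys read (spaces are stripped before parsing, values after '='):
#   block_scanners_active  - feature switch; anything but "1" disables it
#   block_scanners_list    - comma-separated list of signature strings
# For every configured signature two DROP rules (tcp and udp, dport
# 5060:5070, '-m string --algo bm') are kept in the chain, followed by a
# RETURN. The chain is flushed and rebuilt only when the set of signatures
# currently in iptables differs from the configured set.
#
# Relies on /usr/src/m2/framework/bash_functions.sh for date_time (log
# timestamps) and k_iptables_locking_option, which sets $l_opt (extra
# iptables word(s) used on every call) — assumed from usage, verify there.
#
# Exit status: 0 when done or when another instance is already running,
# 1 when the feature is disabled or the list is empty.

# Sourced first so that date_time is available to every log line below
# (the original ran the "already running" check before sourcing).
# shellcheck source=/dev/null
source /usr/src/m2/framework/bash_functions.sh
k_iptables_locking_option

script_name=$(basename -- "$0")
config="/etc/m2/system.conf"
CHAIN="M2-BLOCK-SCANNERS"

# Single-instance guard: two concurrent runs would race on flushing and
# refilling the chain. %PPID omits the shell that is running this check.
other_pid=$(/sbin/pidof -x "$script_name" -o %PPID)
if [[ -n "$other_pid" ]]; then
  echo "$(date_time) [WARNING] $script_name script is already running with PID $other_pid"
  exit 0
fi

#######################################
# Print the value(s) of a key from $config.
# Arguments: $1 - key name (matched exactly after stripping spaces, so a
#                 commented-out "#key=..." line no longer counts)
# Outputs:   value after '=' for every matching line, one per line
#######################################
read_conf() {
  local key=$1
  sed 's/ //g' -- "$config" | awk -F= -v k="$key" '$1 == k {print $2}'
}

block_scanners_active=$(read_conf block_scanners_active)
block_scanners_list=$(read_conf block_scanners_list)

# An empty value is "not 1", so this also covers the unset-key case.
if [[ "$block_scanners_active" != 1 ]]; then
  echo "$(date_time) [NOTICE] block_scanners is not active. Exiting"
  exit 1
fi

if [[ -z "$block_scanners_list" ]]; then
  echo "$(date_time) [NOTICE] block_scanners_list is empty. Exiting"
  exit 1
fi

#######################################
# iptables wrapper that prepends the locking option(s) from $l_opt.
# $l_opt is deliberately unquoted: it may be empty or hold several words.
#######################################
ipt() {
  # shellcheck disable=SC2086
  /sbin/iptables $l_opt "$@"
}

# Create the blocking chain if it does not exist yet.
if ! ipt -L -n | grep -Fq "Chain $CHAIN"; then
  ipt -N "$CHAIN"
fi

# Hook the blocking chain into INPUT if it is not referenced there yet.
if ! ipt -L INPUT -n | grep -Fq "$CHAIN"; then
  ipt -A INPUT -j "$CHAIN"
fi

#######################################
# Print the signature string of every udp string-match rule in $CHAIN.
# Outputs: one signature per line (tcp rules are ignored since every
#          signature has one rule of each protocol)
#######################################
list_scanners_in_iptables() {
  ipt -L "$CHAIN" -n | perl -ne '/.*udp.*STRING\s+match\s+"(.+?)"/ && print "$1\n"'
}

#######################################
# Check whether a signature already has a rule in $CHAIN.
# Arguments: $1 - signature string
# Returns:   0 if present, 1 otherwise (the original fell through with the
#            loop's status, i.e. reported "present" for unknown strings)
# Currently unused; kept for the commented-out per-rule update path.
#######################################
scanner_in_iptables() {
  local wanted=$1 sig
  while IFS= read -r sig; do
    [[ "$sig" == "$wanted" ]] && return 0
  done < <(list_scanners_in_iptables)
  return 1
}

SCANNERS_IN_IPTABLES=()
mapfile -t SCANNERS_IN_IPTABLES < <(list_scanners_in_iptables)

SCANNERS_IN_CONFIG=()
IFS=, read -ra SCANNERS_IN_CONFIG <<< "$block_scanners_list"

#######################################
# Decide whether the chain must be rebuilt.
# Globals:  SCANNERS_IN_IPTABLES, SCANNERS_IN_CONFIG (read)
# Returns:  0 if the two sets differ (symmetric difference non-empty),
#           1 if they match
#######################################
update_needed() {
  local diff
  # One entry per line (printf, not echo|tr) so signatures are compared
  # whole even if one contains a space; uniq -u keeps singletons only.
  diff=$(printf '%s\n' "${SCANNERS_IN_IPTABLES[@]}" "${SCANNERS_IN_CONFIG[@]}" \
    | LC_ALL=C sort | uniq -u)
  [[ -n "$diff" ]]
}

if update_needed; then
  echo "$(date_time) [NOTICE] refreshing $CHAIN with ${#SCANNERS_IN_CONFIG[@]} configured scanner signature(s)"
  ipt -F "$CHAIN"
  ipt -A "$CHAIN" -j RETURN
  for scanner in "${SCANNERS_IN_CONFIG[@]}"; do
    # A stray ",," in the list would otherwise produce --string "" and an
    # iptables error; skip it and say so.
    if [[ -z "$scanner" ]]; then
      echo "$(date_time) [WARNING] empty entry in block_scanners_list skipped" >&2
      continue
    fi
    # -I puts each DROP ahead of the RETURN appended above.
    for proto in tcp udp; do
      ipt -I "$CHAIN" -j DROP -p "$proto" --dport 5060:5070 \
        -m string --string "$scanner" --algo bm
    done
  done
fi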