#!/bin/sh

FW_SCRIPT="/etc/init.d/firewall"

if grep -q "fw3" "$FW_SCRIPT"; then
  if ! iptables -nvL | grep -q "Chain ECM-RATE-LIMIT"; then
    iptables -N ECM-RATE-LIMIT
  fi

  iptables -F ECM-RATE-LIMIT
  iptables -A ECM-RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
  iptables -A ECM-RATE-LIMIT -j DROP
  iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j ECM-RATE-LIMIT

  [ -n "$(command -v ip6tables)" ] && {
    if ! ip6tables -nvL | grep -q "Chain ECM-RATE-LIMIT"; then
      ip6tables -N ECM-RATE-LIMIT
    fi

    ip6tables -F ECM-RATE-LIMIT
    ip6tables -A ECM-RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
    ip6tables -A ECM-RATE-LIMIT -j DROP
    ip6tables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j ECM-RATE-LIMIT
  }

elif grep -q "fw4" "$FW_SCRIPT"; then
  if ! nft list chain inet fw4 ecm_rate_limit > /dev/null 2>&1; then
    nft add chain inet fw4 ecm_rate_limit
  fi

  nft add rule inet fw4 ecm_rate_limit limit rate 1000/second burst 1000 packets counter return
  nft add rule inet fw4 ecm_rate_limit counter drop
  nft add rule inet fw4 forward_wan ct state new counter jump ecm_rate_limit comment '"!fw4: ECM Rate Limit 1000/pps"'
fi
