####### Extra Traffic Filter Role Configuration ########

# Define default values for configuration options if not set in local.cfg
#!ifndef ETFR_BAN_DURATION
#!define ETFR_BAN_DURATION 1800
#!endif

# Define Bad User-Agent Patterns
#!ifndef ETFR_BAD_UA_PATTERNS
#!define ETFR_BAD_UA_PATTERNS "friendly-scanner|sipcli|sipsak|VaxSIPUserAgent|iWar|CSipSimple|sipvicious|sip-scan|svmap|VaxIPUserAgent|sundayddr|sipv|smap|PSYCHO|iPing|DiSipell|WebSipp|masscan|zmap|SIPBot|friendly-request|siparmyknife"
#!endif
#!substdef "!ETFR_SUBST_BAD_UA_PATTERNS!$def(ETFR_BAD_UA_PATTERNS)!g"

# Define SQL Injection Patterns
#!ifndef ETFR_SQL_INJECTION_PATTERNS
#!define ETFR_SQL_INJECTION_PATTERNS "([';]+|(--)+|(%27)+|(%23)+|(%24)+|[;]+|[']+)"
#!endif

# Initialize htable for banned IPs
#!substdef "!ETFR_SUBST_BAN_DURATION!$def(ETFR_BAN_DURATION)!g"
modparam("htable", "htable", "etfr_banned_ips=>size=8;autoexpire=ETFR_SUBST_BAN_DURATION")

# Main Request Route Enhancements
# Place this code at the appropriate place in your main request_route

route[EXTRA_FILTER_REQUEST] {
    # Check if the source IP is banned
    if ($sht(etfr_banned_ips=>$si)) {
        xlog("L_WARN", "$ci|Fail2Ban| Dropping request from banned IP: $si\n");
        exit;
    }
    
    # Proceed with INVITE filtering
    if (is_method("INVITE")) {
        # Extract the domain from the Request URI
        $var(domain) = $rd;

        # Check if the domain is an IP address
        if ($var(domain) =~ "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$") {
            # Check if the source IP is in the carrier group
            if (!(allow_source_address(1) || allow_source_address(10))) {
                # Source IP is not a carrier, ban the IP
                xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: INVITE with IP domain from untrusted source\n");
                route(ETFR_BAN_IP);
            } else {
                xlog("L_WARN", "$ci|ETFR| Allowing Carrier IP: $si\n");
                return;
            }
        }

        # Check if the Request URI contains user '1000'
        if ($rU == "1000") {
            xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: Attempt to call user 1000\n");
            route(ETFR_BAN_IP);
        }
    }

    # Check for known bad User-Agents
    if ($ua =~ "(ETFR_SUBST_BAD_UA_PATTERNS)") {
        xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: Known bad User-Agent: $ua\n");
        route(ETFR_BAN_IP);
    }

    # Check for SQL injection patterns in SIP message
    if ($rb =~ "(ETFR_SQL_INJECTION_PATTERNS)" || $ru =~ "(ETFR_SQL_INJECTION_PATTERNS)") {
        xlog("L_ALERT", "$ci|Fail2Ban| Banned IP: $si Reason: SQL injection attempt\n");
        route(ETFR_BAN_IP);
    }

    return;
}

# Ban IP Route
route[ETFR_BAN_IP] {
    # Add source IP to banned IPs table with auto-expire
    $sht(etfr_banned_ips=>$si) = $Ts;

    # Log the event for Fail2Ban
    xlog("L_ALERT", "$ci|end| Added IP $si to etfr_banned_ips htable\n");

    # Drop the request
    exit;
}