From 956d45fcf26efdb8baf8e1de371affda1fc589a0 Mon Sep 17 00:00:00 2001
From: hanwckf <hanwckf@vip.qq.com>
Date: Thu, 1 Dec 2022 02:39:31 +0800
Subject: [PATCH] firewall: add support for brcm fullconenat

---
 package/network/config/firewall/Makefile      |  2 +-
 .../patches/101-bcm-fullconenat.patch         | 60 +++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 package/network/config/firewall/patches/101-bcm-fullconenat.patch

diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 23d6007c60..d7470f23b3 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
-PKG_RELEASE:=1.1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
diff --git a/package/network/config/firewall/patches/101-bcm-fullconenat.patch b/package/network/config/firewall/patches/101-bcm-fullconenat.patch
new file mode 100644
index 0000000000..9cea4a57bf
--- /dev/null
+++ b/package/network/config/firewall/patches/101-bcm-fullconenat.patch
@@ -0,0 +1,60 @@
+--- a/defaults.c
++++ b/defaults.c
+@@ -49,7 +49,7 @@ const struct fw3_option fw3_flag_opts[]
+ 	FW3_OPT("synflood_rate",       limit,    defaults, syn_flood_rate),
+ 	FW3_OPT("synflood_burst",      int,      defaults, syn_flood_rate.burst),
+ 	
+-	FW3_OPT("fullcone",           bool,     defaults, fullcone),
++	FW3_OPT("fullcone",           int,     defaults, fullcone),
+ 	
+ 	FW3_OPT("tcp_syncookies",      bool,     defaults, tcp_syncookies),
+ 	FW3_OPT("tcp_ecn",             int,      defaults, tcp_ecn),
+--- a/options.h
++++ b/options.h
+@@ -98,6 +98,13 @@ enum fw3_reject_code
+ 	__FW3_REJECT_CODE_MAX
+ };
+ 
++enum fullcone_code
++{
++	FULLCONE_DISABLED = 0,
++	FULLCONE_CHION = 1,
++	FULLCONE_BCM = 2,
++};
++
+ extern const char *fw3_flag_names[__FW3_FLAG_MAX];
+ 
+ 
+@@ -297,7 +304,7 @@ struct fw3_defaults
+ 	enum fw3_reject_code any_reject_code;
+ 
+ 	bool syn_flood;
+-	bool fullcone;
++	int fullcone;
+ 	struct fw3_limit syn_flood_rate;
+ 
+ 	bool tcp_syncookies;
+--- a/zones.c
++++ b/zones.c
+@@ -757,7 +757,7 @@ print_zone_rule(struct fw3_ipt_handle *h
+ 					r = fw3_ipt_rule_new(handle);
+ 					fw3_ipt_rule_src_dest(r, msrc, mdest);
+ 					/*FIXME: Workaround for FULLCONE-NAT*/
+-					if(defs->fullcone)
++					if(defs->fullcone == FULLCONE_CHION)
+ 					{
+ 						warn("%s will enable FULLCONE-NAT", zone->name);
+ 						fw3_ipt_rule_target(r, "FULLCONENAT");
+@@ -767,6 +767,12 @@ print_zone_rule(struct fw3_ipt_handle *h
+ 						fw3_ipt_rule_target(r, "FULLCONENAT");
+ 						fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
+ 					}
++					else if (defs->fullcone == FULLCONE_BCM)
++					{
++						fw3_ipt_rule_target(r, "MASQUERADE");
++						fw3_ipt_rule_extra(r, "--mode fullcone");
++						fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
++					}
+ 					else
+ 					{
+ 						fw3_ipt_rule_target(r, "MASQUERADE");