From 91bdd6b3e08bd119c5f371e7cc653b462acc5724 Mon Sep 17 00:00:00 2001
From: LEAN-ESX
Date: Sun, 26 May 2019 10:26:57 -0700
Subject: [PATCH] firewall: add Fullcone-NAT option
---
 package/network/config/firewall/Makefile | 14 +---
 .../config/firewall/files/firewall.config | 1 +
 .../config/firewall/patches/fullconenat.patch | 68 +++++++++++++++----
 3 files changed, 57 insertions(+), 26 deletions(-)
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 134afd5dc..3be32958d 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
-PKG_RELEASE:=2
+PKG_RELEASE:=5
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
@@ -28,19 +28,9 @@ define Package/firewall
 SECTION:=net
 CATEGORY:=Base system
 TITLE:=OpenWrt C Firewall
- DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat +PACKAGE_firewall-FULLCONENAT:iptables-mod-fullconenat
+ DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat +iptables-mod-fullconenat
 endef
-define Package/firewall/config
-if PACKAGE_firewall
- config PACKAGE_firewall-FULLCONENAT
- bool "Use FULLCONENAT"
- default y
-endif
-endef
-
-TARGET_CFLAGS += $(if $(CONFIG_PACKAGE_firewall-FULLCONENAT),-DUSE_FULLCONENAT,)
-
 define Package/firewall/description
 This package provides a config-compatible C implementation of the UCI firewall.
 endef
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index 8874e9882..7c2b58ab6 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -3,6 +3,7 @@ config defaults
 option input ACCEPT
 option output ACCEPT
 option forward REJECT
+ option fullcone 1
 # Uncomment this line to disable ipv6 rules
 # option disable_ipv6 1
diff --git a/package/network/config/firewall/patches/fullconenat.patch b/package/network/config/firewall/patches/fullconenat.patch
index 0e05b6b2a..d69e7129e 100644
--- a/package/network/config/firewall/patches/fullconenat.patch
+++ b/package/network/config/firewall/patches/fullconenat.patch
@@ -1,23 +1,63 @@
+index 85a3750..9fac9b1 100644
+--- a/defaults.c
++++ b/defaults.c
+@@ -46,7 +46,9 @@ const struct fw3_option fw3_flag_opts[] = {
+ FW3_OPT("synflood_protect", bool, defaults, syn_flood),
+ FW3_OPT("synflood_rate", limit, defaults, syn_flood_rate),
+ FW3_OPT("synflood_burst", int, defaults, syn_flood_rate.burst),
+-
++
++ FW3_OPT("fullcone", bool, defaults, fullcone),
++
+ FW3_OPT("tcp_syncookies", bool, defaults, tcp_syncookies),
+ FW3_OPT("tcp_ecn", int, defaults, tcp_ecn),
+ FW3_OPT("tcp_window_scaling", bool, defaults, tcp_window_scaling),
+diff --git a/options.h b/options.h
+index 6edd174..c02eb97 100644
+--- a/options.h
++++ b/options.h
+@@ -267,6 +267,7 @@ struct fw3_defaults
+ bool drop_invalid;
+
+ bool syn_flood;
++ bool fullcone;
+ struct fw3_limit syn_flood_rate;
+
+ bool tcp_syncookies;
 diff --git a/zones.c b/zones.c
-index 505ab20..44500d5 100644
+index 2aa7473..57eead0 100644
 --- a/zones.c
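Review bot: `option fullcone 1` in the shipped defaults switches full-cone NAT on for every installation that takes the stock config, so the wider reachability it brings (an inbound packet from any external host can hit a port that any internal host has mapped, which is what a full-cone prerouting rule exists to do) becomes the default rather than an opt-in. I would ship it as `option fullcone 0` and let operators enable it where the use case needs it. Whichever default is kept, nothing in the package describes the option, so precede it with a comment in the file's existing style, `# Set to 1 to use FULLCONENAT instead of MASQUERADE for masquerading zones`.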
 +++ b/zones.c
-@@ -708,8 +708,18 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+@@ -627,6 +627,7 @@ print_zone_rule(struct fw3_ipt_handle *h
+ struct fw3_address *msrc;
+ struct fw3_address *mdest;
+ struct fw3_ipt_rule *r;
++ struct fw3_defaults *defs = &state->defaults;
+
+ if (!fw3_is_family(zone, handle->family))
+ return;
+@@ -712,8 +713,22 @@ print_zone_rule(struct fw3_ipt_handle *h
 {
 r = fw3_ipt_rule_new(handle);
 fw3_ipt_rule_src_dest(r, msrc, mdest);
-+#ifdef USE_FULLCONENAT
-+ fw3_ipt_rule_target(r, "FULLCONENAT");
-+#else
- fw3_ipt_rule_target(r, "MASQUERADE");
-+#endif
- fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
-+#ifdef USE_FULLCONENAT
-+ r = fw3_ipt_rule_new(handle);
-+ fw3_ipt_rule_src_dest(r, msrc, mdest);
-+ fw3_ipt_rule_target(r, "FULLCONENAT");
-+ fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
-+#endif
+- fw3_ipt_rule_target(r, "MASQUERADE");
+- fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
++ /*FIXME: Workaround for FULLCONE-NAT*/
++ if(defs->fullcone)
++ {
++ warn("%s will enable FULLCONE-NAT", zone->name);
++ fw3_ipt_rule_target(r, "FULLCONENAT");
++ fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
++ r = fw3_ipt_rule_new(handle);
++ fw3_ipt_rule_src_dest(r, msrc, mdest);
++ fw3_ipt_rule_target(r, "FULLCONENAT");
++ fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
++ }
++ else
++ {
++ fw3_ipt_rule_target(r, "MASQUERADE");
++ fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
++ }
 }
 }
 }
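Review bot: Both arms of the new `if(defs->fullcone)` block in the zones.c 712 hunk repeat the postrouting target/append pair, so only the target name and the extra prerouting rule actually depend on the flag; picking the target with a conditional and guarding just the prerouting rule removes the duplication (rewrite below). The same lines depart from the file's spacing, visible a few lines up in `if (!fw3_is_family(zone, handle->family))`, so `if (defs->fullcone)`. The `warn("%s will enable FULLCONE-NAT", zone->name)` fires for every masquerading zone on each rule generation even though the behaviour is an explicitly configured option, so it reads as log noise; `info()` fits better if the file's logging helpers provide it, or drop it. The prerouting rule reuses `msrc`/`mdest`, which in postrouting describe the outbound source and destination, and whether the same matches are intended for inbound packets in prerouting is not visible in the hunk and deserves a comment either way. print_zone_rule starts and ends outside the hunk.
```c
		r = fw3_ipt_rule_new(handle);
		fw3_ipt_rule_src_dest(r, msrc, mdest);
		/* the outbound mapping differs only in its target */
		fw3_ipt_rule_target(r, defs->fullcone ? "FULLCONENAT" : "MASQUERADE");
		fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);

		if (defs->fullcone)
		{
			/* full-cone NAT also needs a rule in prerouting for the
			 * inbound direction; same match as the outbound rule */
			r = fw3_ipt_rule_new(handle);
			fw3_ipt_rule_src_dest(r, msrc, mdest);
			fw3_ipt_rule_target(r, "FULLCONENAT");
			fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
		}
```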