From fcff889b0eff65dab779da6bb016183f65c5ece8 Mon Sep 17 00:00:00 2001
From: coolsnowwolf
Date: Thu, 3 Jan 2019 20:38:08 +0800
Subject: [PATCH] firewall: bump to new version
---
 package/network/config/firewall/Makefile | 12 +++++++++-
 .../config/firewall/patches/fullconenat.patch | 23 +++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 package/network/config/firewall/patches/fullconenat.patch
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 669973520..5315c856f 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -28,9 +28,19 @@ define Package/firewall
 SECTION:=net
 CATEGORY:=Base system
 TITLE:=OpenWrt C Firewall
- DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
+ DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat +PACKAGE_firewall-FULLCONENAT:iptables-mod-fullconenat
 endef

+define Package/firewall/config
+if PACKAGE_firewall
+ config PACKAGE_firewall-FULLCONENAT
+ bool "Use FULLCONENAT"
+ default y
+endif
+endef
+
+TARGET_CFLAGS += $(if $(CONFIG_PACKAGE_firewall-FULLCONENAT),-DUSE_FULLCONENAT,)
+
 define Package/firewall/description
 This package provides a config-compatible C implementation of the UCI firewall.
 endef
diff --git a/package/network/config/firewall/patches/fullconenat.patch b/package/network/config/firewall/patches/fullconenat.patch
new file mode 100644
index 000000000..0e05b6b2a
--- /dev/null
+++ b/package/network/config/firewall/patches/fullconenat.patch
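Review bot: `default y` in the added `Package/firewall/config` block turns FULLCONENAT on for every build that selects the firewall package, so the NAT target changes away from MASQUERADE without anyone opting in. Full-cone NAT is generally understood to accept inbound packets from any remote address on a port once an internal host has created the mapping, which is a weaker filtering posture than the address- and port-dependent behaviour expected from MASQUERADE. The option would be safer as `default n`, with a `help` text under `bool "Use FULLCONENAT"` that states this trade-off. `-DUSE_FULLCONENAT` also makes it a compile-time choice, and neither hunk in this patch shows a runtime UCI toggle.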
@@ -0,0 +1,23 @@
+diff --git a/zones.c b/zones.c
+index 505ab20..44500d5 100644
+--- a/zones.c
++++ b/zones.c
+@@ -708,8 +708,18 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ {
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_src_dest(r, msrc, mdest);
++#ifdef USE_FULLCONENAT
++ fw3_ipt_rule_target(r, "FULLCONENAT");
++#else
+ fw3_ipt_rule_target(r, "MASQUERADE");
++#endif
+ fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
++#ifdef USE_FULLCONENAT
++ r = fw3_ipt_rule_new(handle);
++ fw3_ipt_rule_src_dest(r, msrc, mdest);
++ fw3_ipt_rule_target(r, "FULLCONENAT");
++ fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
++#endif
+ }
+ }
+ }
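Review bot: The added `zone_%s_prerouting` rule passes `msrc`/`mdest` to `fw3_ipt_rule_src_dest` exactly as the postrouting rule does, but packets seen in prerouting are inbound, so the source and destination roles are presumably reversed. This should be confirmed, because a mismatch would either stop the inbound mapping from matching or apply it outside the restriction the zone's masquerade source/destination lists are meant to express. The target is also selected by `#ifdef`, so a build with the flag set has no per-zone way to keep `"MASQUERADE"`; a zone option checked at runtime would limit the wider inbound exposure to the zones that need it. A comment above the second `#ifdef USE_FULLCONENAT`, such as `/* FULLCONENAT needs a matching prerouting rule to map inbound packets back to the internal host */`, would explain the duplicated rule. print_zone_rule begins outside the hunk, so the definitions of `msrc` and `mdest` are not visible here.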