openmptcprouter-feeds/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall

#!/bin/sh

# Set REJECT as default rule if an interface is not in a zone
uci -q batch <<-EOF >/dev/null
	set firewall.@defaults[0].input='REJECT'
	set firewall.@defaults[0].output='REJECT'
	set firewall.@defaults[0].forward='REJECT'
EOF


if [ "$(uci -q get firewall.@zone[2].name)" = "vpn" ]; then
	uci -q batch <<-EOF >/dev/null
		del firewall.@zone[2]
		commit firewall
	EOF
fi

if [ "$(uci -q get firewall.@zone[1].name)" = "wan" ]; then
	uci -q batch <<-EOF >/dev/null
		rename firewall.@zone[1]="zone_wan"
		commit firewall
	EOF
fi
if [ "$(uci -q show firewall.zone_wan | grep wan6)" != "" ] && [ "$(uci -q get network.wan6)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		del_list firewall.zone_wan.network="wan6"
		commit firewall
	EOF
fi

if [ "$(uci -q show firewall.zone_wan | grep wan)" != "" ] && [ "$(uci -q get network.wan)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		del_list firewall.zone_wan.network="wan"
		commit firewall
	EOF
fi
if [ "$(uci -q get firewall.@zone[0].name)" = "lan" ]; then
	uci -q batch <<-EOF >/dev/null
		rename firewall.@zone[0]="zone_lan"
		commit firewall
	EOF
fi

if [ "$(uci -q get firewall.zone_vpn)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.zone_vpn=zone
		set firewall.zone_vpn.name=vpn
		add_list firewall.zone_vpn.network=omrvpn
		add_list firewall.zone_vpn.network=omr6in4
		set firewall.zone_vpn.masq=1
		set firewall.zone_vpn.input=REJECT
		set firewall.zone_vpn.forward=ACCEPT
		set firewall.zone_vpn.output=ACCEPT
		commit firewall
	EOF
fi

if [ "$(uci -q get firewall.@rule[5].name)" = "Allow-ICMPv6-Input" ]; then
	uci -q batch <<-EOF >/dev/null
		del firewall.@rule[5]
		commit firewall
	EOF
fi
if [ "$(uci -q get firewall.@rule[6].name)" = "Allow-ICMPv6-Forward" ]; then
	uci -q batch <<-EOF >/dev/null
		del firewall.@rule[6]
		commit firewall
	EOF
fi
if [ "$(uci -q show firewall | grep Allow-All-Ping)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='Allow-All-Ping'
		set firewall.@rule[-1].proto='icmp'
		set firewall.@rule[-1].dest='*'
		set firewall.@rule[-1].src='*'
		set firewall.@rule[-1].icmp_type='echo-request'
		set firewall.@rule[-1].limit='1000/sec'
		commit firewall
	EOF
fi
if [ "$(uci -q show firewall | grep Allow-VPN-ICMP)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='Allow-VPN-ICMP'
		set firewall.@rule[-1].proto='icmp'
		set firewall.@rule[-1].src='vpn'
		commit firewall
	EOF
fi
if [ "$(uci -q show firewall | grep Allow-Lan-to-Wan)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='Allow-Lan-to-Wan'
		set firewall.@rule[-1].dest='wan'
		set firewall.@rule[-1].src='lan'
		set firewall.@rule[-1].proto='all'
		commit firewall
	EOF
fi

if [ "$(uci -q show firewall | grep ICMPv6-Lan-to-OMR)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		add firewall rule
		set firewall.@rule[-1].enabled='1'
		set firewall.@rule[-1].target='ACCEPT'
		set firewall.@rule[-1].name='ICMPv6-Lan-to-OMR'
		set firewall.@rule[-1].src='lan'
		set firewall.@rule[-1].family='ipv6'
		set firewall.@rule[-1].proto='icmp'
		set firewall.@rule[-1].limit='1000/sec'
		set firewall.@rule[-1].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'
		commit firewall
	EOF
fi
#uci -q batch <<-EOF >/dev/null
#	del_list firewall.zone_wan.masq_dest='!10.0.0.0/8'
#	del_list firewall.zone_wan.masq_dest='!172.16.0.0/12'
#	del_list firewall.zone_wan.masq_dest='!192.168.0.0/16'
#	add_list firewall.zone_wan.masq_dest='!10.0.0.0/8'
#	add_list firewall.zone_wan.masq_dest='!172.16.0.0/12'
#	add_list firewall.zone_wan.masq_dest='!192.168.0.0/16'
#EOF
if [ "$(ubus call system board | jsonfilter -e '@.board_name')" = "bananapi,bpi-r2" ] || [ "$(ubus call system board | jsonfilter -e '@.board_name' | grep -i wrt)" != "" ]; then
	uci -q batch <<-EOF >/dev/null
	set firewall.@defaults[0].flow_offloading='1'
	set firewall.@defaults[0].flow_offloading_hw='1'
	EOF
fi

if [ "$(uci -q get firewall.omr_server)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.omr_server=include
		set firewall.omr_server.path=/etc/firewall.omr-server
		set firewall.omr_server.reload=1
		commit firewall
	EOF
fi

if [ "$(uci -q get firewall.gre_tunnel)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.gre_tunnel=include
		set firewall.gre_tunnel.path=/etc/firewall.gre-tunnel
		set firewall.gre_tunnel.reload=0
		commit firewall
	EOF
fi
if [ "$(uci -q get firewall.ttl)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.ttl=include
		set firewall.ttl.path=/etc/firewall.ttl
		set firewall.ttl.reload=1
		commit firewall
	EOF
fi
if [ "$(uci -q get firewall.fwlantovpn)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.zone_lan.auto_helper='0'
		set firewall.fwlantovpn=forwarding
		set firewall.fwlantovpn.src='lan'
		set firewall.fwlantovpn.dest='vpn'
		commit firewall
	EOF
fi

if [ "$(uci -q get firewall.blockquicproxy)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.blockquicproxy=rule
		set firewall.blockquicproxy.name='Block QUIC Proxy'
		set firewall.blockquicproxy.proto='udp'
		set firewall.blockquicproxy.dest_port='443'
		set firewall.blockquicproxy.target='DROP'
		set firewall.blockquicproxy.src='lan'
		set firewall.blockquicall=rule
		set firewall.blockquicall.name='Block QUIC All'
		set firewall.blockquicall.proto='udp'
		set firewall.blockquicall.src='*'
		set firewall.blockquicall.dest='*'
		set firewall.blockquicall.dest_port='443'
		set firewall.blockquicall.target='DROP'
		commit firewall
	EOF
fi

if [ "$(uci -q get firewall.allowicmpipv6)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.allowicmpipv6=rule
		set firewall.allowicmpipv6.proto='icmp'
		set firewall.allowicmpipv6.target='ACCEPT'
		set firewall.allowicmpipv6.src='wan'
		set firewall.allowicmpipv6.name='Allow IPv6 ICMP'
		set firewall.allowicmpipv6.family='ipv6'
		set firewall.@rule[-1].limit='1000/sec'
		set firewall.allowicmpipv6.icmp_type='neighbour-advertisement neighbour-solicitation router-advertisement router-solicitation'
		commit firewall
	EOF
fi

if [ "$(uci -q get firewall.allowdhcpv6546)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.allowdhcpv6546=rule
		set firewall.allowdhcpv6546.target='ACCEPT'
		set firewall.allowdhcpv6546.src='wan'
		set firewall.allowdhcpv6546.proto='udp'
		set firewall.allowdhcpv6546.dest_port='547'
		set firewall.allowdhcpv6546.name='Allow DHCPv6 (546-to-547)'
		set firewall.allowdhcpv6546.family='ipv6'
		set firewall.allowdhcpv6546.src_port='546'
		set firewall.allowdhcpv6547=rule
		set firewall.allowdhcpv6547.target='ACCEPT'
		set firewall.allowdhcpv6547.src='wan'
		set firewall.allowdhcpv6547.proto='udp'
		set firewall.allowdhcpv6547.dest_port='546'
		set firewall.allowdhcpv6547.name='Allow DHCPv6 (547-to-546)'
		set firewall.allowdhcpv6547.family='ipv6'
		set firewall.allowdhcpv6547.src_port='547'
		commit firewall
	EOF
fi

# Fix firewall config from some old config
allintf=$(uci -q get firewall.zone_wan.network)
uci -q del firewall.zone_wan.network
for intf in $allintf; do
	uci -q add_list firewall.zone_wan.network="${intf}"
done
allintf=$(uci -q get firewall.zone_vpn.network)
uci -q del firewall.zone_vpn.network
for intf in $allintf; do
	uci -q add_list firewall.zone_vpn.network="${intf}"
done

uci -q batch <<-EOF >/dev/null
	set firewall.zone_lan.mtu_fix='1'
	set firewall.zone_vpn.mtu_fix='1'
	set firewall.@include[0].reload='1'
	commit firewall
EOF
if [ "$(uci -q get openmptcprouter.settings.sipalg)" = "" ]; then
	uci -q batch <<-EOF >/dev/null
		set openmptcprouter.settings.sipalg='1'
		commit openmptcprouter
	EOF
fi
if [ "$(uci -q get openmptcprouter.settings.sipalg)" = "0" ]; then
	uci -q batch <<-EOF >/dev/null
		set firewall.zone_lan.auto_helper='0'
		set firewall.zone_wan.auto_helper='0'
		set firewall.zone_vpn.auto_helper='0'
		commit firewall
	EOF
	rmmod nf_nat_sip 2>&1 >/dev/null
	rmmod nf_conntrack_sip 2>&1 >/dev/null
fi

rm -f /tmp/luci-indexcache

exit 0
Allow ping from anywhere by default 2018-03-21 10:04:29 +00:00			`#!/bin/sh`

Set REJECT as default for firewall config 2020-06-26 13:02:48 +00:00			`# Set REJECT as default rule if an interface is not in a zone`
			`uci -q batch <<-EOF >/dev/null`
			`set firewall.@defaults[0].input='REJECT'`
			`set firewall.@defaults[0].output='REJECT'`
			`set firewall.@defaults[0].forward='REJECT'`
			`EOF`


Use firewall zone name 2018-06-07 14:53:32 +00:00			`if [ "$(uci -q get firewall.@zone[2].name)" = "vpn" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`del firewall.@zone[2]`
			`commit firewall`
			`EOF`
			`fi`

Rename zone wan and lan to zone_wan and zone_lan in fw 2021-02-25 13:25:18 +00:00			`if [ "$(uci -q get firewall.@zone[1].name)" = "wan" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`rename firewall.@zone[1]="zone_wan"`
Doesn't remove wan & wan6 from firewall if they exist in network 2021-04-07 17:29:45 +00:00			`commit firewall`
			`EOF`
			`fi`
			`if [ "$(uci -q show firewall.zone_wan \| grep wan6)" != "" ] && [ "$(uci -q get network.wan6)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
Rename zone wan and lan to zone_wan and zone_lan in fw 2021-02-25 13:25:18 +00:00			`del_list firewall.zone_wan.network="wan6"`
			`commit firewall`
			`EOF`
			`fi`
Doesn't remove wan & wan6 from firewall if they exist in network 2021-04-07 17:29:45 +00:00
			`if [ "$(uci -q show firewall.zone_wan \| grep wan)" != "" ] && [ "$(uci -q get network.wan)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`del_list firewall.zone_wan.network="wan"`
			`commit firewall`
			`EOF`
			`fi`
Rename zone wan and lan to zone_wan and zone_lan in fw 2021-02-25 13:25:18 +00:00			`if [ "$(uci -q get firewall.@zone[0].name)" = "lan" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`rename firewall.@zone[0]="zone_lan"`
			`commit firewall`
			`EOF`
			`fi`

Use firewall zone name 2018-06-07 14:53:32 +00:00			`if [ "$(uci -q get firewall.zone_vpn)" = "" ]; then`
Better indentation 2020-10-30 18:30:46 +00:00			`uci -q batch <<-EOF >/dev/null`
			`set firewall.zone_vpn=zone`
			`set firewall.zone_vpn.name=vpn`
Add omr6in4 in vpn firewall zone 2021-07-04 05:21:22 +00:00			`add_list firewall.zone_vpn.network=omrvpn`
			`add_list firewall.zone_vpn.network=omr6in4`
Better indentation 2020-10-30 18:30:46 +00:00			`set firewall.zone_vpn.masq=1`
			`set firewall.zone_vpn.input=REJECT`
			`set firewall.zone_vpn.forward=ACCEPT`
			`set firewall.zone_vpn.output=ACCEPT`
			`commit firewall`
			`EOF`
Use firewall zone name 2018-06-07 14:53:32 +00:00			`fi`

Remove some firewall IPv6 default rules 2020-06-03 15:19:15 +00:00			`if [ "$(uci -q get firewall.@rule[5].name)" = "Allow-ICMPv6-Input" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`del firewall.@rule[5]`
			`commit firewall`
			`EOF`
			`fi`
			`if [ "$(uci -q get firewall.@rule[6].name)" = "Allow-ICMPv6-Forward" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`del firewall.@rule[6]`
			`commit firewall`
			`EOF`
			`fi`
Fix for packages updates and versions updates 2018-05-23 08:56:23 +00:00			`if [ "$(uci -q show firewall \| grep Allow-All-Ping)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`add firewall rule`
			`set firewall.@rule[-1].enabled='1'`
			`set firewall.@rule[-1].target='ACCEPT'`
			`set firewall.@rule[-1].name='Allow-All-Ping'`
			`set firewall.@rule[-1].proto='icmp'`
			`set firewall.@rule[-1].dest='*'`
			`set firewall.@rule[-1].src='*'`
			`set firewall.@rule[-1].icmp_type='echo-request'`
Fix https://github.com/Ysurac/openmptcprouter/issues/2453 and add a limit on ICMP 2022-08-07 18:10:15 +00:00			`set firewall.@rule[-1].limit='1000/sec'`
Fix for packages updates and versions updates 2018-05-23 08:56:23 +00:00			`commit firewall`
			`EOF`
			`fi`
Allow ICMP from VPN to OMR 2018-05-31 13:44:40 +00:00			`if [ "$(uci -q show firewall \| grep Allow-VPN-ICMP)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`add firewall rule`
			`set firewall.@rule[-1].enabled='1'`
			`set firewall.@rule[-1].target='ACCEPT'`
			`set firewall.@rule[-1].name='Allow-VPN-ICMP'`
			`set firewall.@rule[-1].proto='icmp'`
			`set firewall.@rule[-1].src='vpn'`
			`commit firewall`
			`EOF`
			`fi`
Allow Lan to Wan 2018-05-28 15:27:14 +00:00			`if [ "$(uci -q show firewall \| grep Allow-Lan-to-Wan)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`add firewall rule`
			`set firewall.@rule[-1].enabled='1'`
			`set firewall.@rule[-1].target='ACCEPT'`
			`set firewall.@rule[-1].name='Allow-Lan-to-Wan'`
			`set firewall.@rule[-1].dest='wan'`
			`set firewall.@rule[-1].src='lan'`
Fix some firewall warnings 2021-06-26 06:15:14 +00:00			`set firewall.@rule[-1].proto='all'`
Allow Lan to Wan 2018-05-28 15:27:14 +00:00			`commit firewall`
			`EOF`
			`fi`
Accept ICMPv6 from LAN to router 2018-07-14 05:25:08 +00:00
			`if [ "$(uci -q show firewall \| grep ICMPv6-Lan-to-OMR)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`add firewall rule`
			`set firewall.@rule[-1].enabled='1'`
			`set firewall.@rule[-1].target='ACCEPT'`
			`set firewall.@rule[-1].name='ICMPv6-Lan-to-OMR'`
			`set firewall.@rule[-1].src='lan'`
			`set firewall.@rule[-1].family='ipv6'`
			`set firewall.@rule[-1].proto='icmp'`
			`set firewall.@rule[-1].limit='1000/sec'`
			`set firewall.@rule[-1].icmp_type='echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'`
			`commit firewall`
			`EOF`
			`fi`
Remove masquerade 2021-03-03 10:28:08 +00:00			`#uci -q batch <<-EOF >/dev/null`
			`# del_list firewall.zone_wan.masq_dest='!10.0.0.0/8'`
			`# del_list firewall.zone_wan.masq_dest='!172.16.0.0/12'`
			`# del_list firewall.zone_wan.masq_dest='!192.168.0.0/16'`
			`# add_list firewall.zone_wan.masq_dest='!10.0.0.0/8'`
			`# add_list firewall.zone_wan.masq_dest='!172.16.0.0/12'`
			`# add_list firewall.zone_wan.masq_dest='!192.168.0.0/16'`
			`#EOF`
Force nat offload on wrt 2019-07-15 20:35:38 +00:00			`if [ "$(ubus call system board \| jsonfilter -e '@.board_name')" = "bananapi,bpi-r2" ] \|\| [ "$(ubus call system board \| jsonfilter -e '@.board_name' \| grep -i wrt)" != "" ]; then`
Add HNAT by default for BPI-R2 2018-10-16 06:21:03 +00:00			`uci -q batch <<-EOF >/dev/null`
			`set firewall.@defaults[0].flow_offloading='1'`
			`set firewall.@defaults[0].flow_offloading_hw='1'`
			`EOF`
			`fi`
No masq for local IP 2018-08-16 14:57:53 +00:00
Fixes and set VPS IPv6 in settings 2020-01-02 20:03:38 +00:00			`if [ "$(uci -q get firewall.omr_server)" = "" ]; then`
Fix firewall update from router to server 2019-12-17 17:23:59 +00:00			`uci -q batch <<-EOF >/dev/null`
Fixes and set VPS IPv6 in settings 2020-01-02 20:03:38 +00:00			`set firewall.omr_server=include`
			`set firewall.omr_server.path=/etc/firewall.omr-server`
			`set firewall.omr_server.reload=1`
Fix firewall update from router to server 2019-12-17 17:23:59 +00:00			`commit firewall`
			`EOF`
			`fi`

Fix gre tunnels 2020-07-22 13:44:12 +00:00			`if [ "$(uci -q get firewall.gre_tunnel)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`set firewall.gre_tunnel=include`
			`set firewall.gre_tunnel.path=/etc/firewall.gre-tunnel`
Reload all firewall config less often 2021-03-23 08:51:21 +00:00			`set firewall.gre_tunnel.reload=0`
Fix gre tunnels 2020-07-22 13:44:12 +00:00			`commit firewall`
			`EOF`
			`fi`
Add ttl setting support 2021-08-30 19:35:27 +00:00			`if [ "$(uci -q get firewall.ttl)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`set firewall.ttl=include`
			`set firewall.ttl.path=/etc/firewall.ttl`
			`set firewall.ttl.reload=1`
			`commit firewall`
			`EOF`
			`fi`
Allow forward to VPN 2020-10-09 15:38:31 +00:00			`if [ "$(uci -q get firewall.fwlantovpn)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
Rename zone wan and lan to zone_wan and zone_lan in fw 2021-02-25 13:25:18 +00:00			`set firewall.zone_lan.auto_helper='0'`
Allow forward to VPN 2020-10-09 15:38:31 +00:00			`set firewall.fwlantovpn=forwarding`
			`set firewall.fwlantovpn.src='lan'`
			`set firewall.fwlantovpn.dest='vpn'`
			`commit firewall`
			`EOF`
			`fi`
Block QUIC by default 2020-10-28 12:09:26 +00:00
			`if [ "$(uci -q get firewall.blockquicproxy)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`set firewall.blockquicproxy=rule`
			`set firewall.blockquicproxy.name='Block QUIC Proxy'`
			`set firewall.blockquicproxy.proto='udp'`
			`set firewall.blockquicproxy.dest_port='443'`
			`set firewall.blockquicproxy.target='DROP'`
			`set firewall.blockquicproxy.src='lan'`
			`set firewall.blockquicall=rule`
			`set firewall.blockquicall.name='Block QUIC All'`
			`set firewall.blockquicall.proto='udp'`
			`set firewall.blockquicall.src='*'`
			`set firewall.blockquicall.dest='*'`
			`set firewall.blockquicall.dest_port='443'`
			`set firewall.blockquicall.target='DROP'`
			`commit firewall`
			`EOF`
			`fi`

Make omr-tracker compatible with WAN IPv6 2021-01-16 07:14:09 +00:00			`if [ "$(uci -q get firewall.allowicmpipv6)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`set firewall.allowicmpipv6=rule`
			`set firewall.allowicmpipv6.proto='icmp'`
			`set firewall.allowicmpipv6.target='ACCEPT'`
			`set firewall.allowicmpipv6.src='wan'`
			`set firewall.allowicmpipv6.name='Allow IPv6 ICMP'`
			`set firewall.allowicmpipv6.family='ipv6'`
Fix https://github.com/Ysurac/openmptcprouter/issues/2453 and add a limit on ICMP 2022-08-07 18:10:15 +00:00			`set firewall.@rule[-1].limit='1000/sec'`
Make omr-tracker compatible with WAN IPv6 2021-01-16 07:14:09 +00:00			`set firewall.allowicmpipv6.icmp_type='neighbour-advertisement neighbour-solicitation router-advertisement router-solicitation'`
			`commit firewall`
			`EOF`
			`fi`

Add DHCPv6 wan firewall rules 2021-01-21 18:01:30 +00:00			`if [ "$(uci -q get firewall.allowdhcpv6546)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`set firewall.allowdhcpv6546=rule`
			`set firewall.allowdhcpv6546.target='ACCEPT'`
			`set firewall.allowdhcpv6546.src='wan'`
			`set firewall.allowdhcpv6546.proto='udp'`
			`set firewall.allowdhcpv6546.dest_port='547'`
			`set firewall.allowdhcpv6546.name='Allow DHCPv6 (546-to-547)'`
			`set firewall.allowdhcpv6546.family='ipv6'`
			`set firewall.allowdhcpv6546.src_port='546'`
			`set firewall.allowdhcpv6547=rule`
			`set firewall.allowdhcpv6547.target='ACCEPT'`
			`set firewall.allowdhcpv6547.src='wan'`
			`set firewall.allowdhcpv6547.proto='udp'`
			`set firewall.allowdhcpv6547.dest_port='546'`
			`set firewall.allowdhcpv6547.name='Allow DHCPv6 (547-to-546)'`
			`set firewall.allowdhcpv6547.family='ipv6'`
			`set firewall.allowdhcpv6547.src_port='547'`
			`commit firewall`
			`EOF`
			`fi`

Fix firewall zone from some update 2020-11-01 09:03:47 +00:00			`# Fix firewall config from some old config`
Rename zone wan and lan to zone_wan and zone_lan in fw 2021-02-25 13:25:18 +00:00			`allintf=$(uci -q get firewall.zone_wan.network)`
			`uci -q del firewall.zone_wan.network`
Fix firewall zone from some update 2020-11-01 09:03:47 +00:00			`for intf in $allintf; do`
Cleaner firewall config 2022-06-28 12:09:16 +00:00			`uci -q add_list firewall.zone_wan.network="${intf}"`
Fix firewall zone from some update 2020-11-01 09:03:47 +00:00			`done`
Fix firewall from update 2020-11-27 17:13:36 +00:00			`allintf=$(uci -q get firewall.zone_vpn.network)`
			`uci -q del firewall.zone_vpn.network`
			`for intf in $allintf; do`
Cleaner firewall config 2022-06-28 12:09:16 +00:00			`uci -q add_list firewall.zone_vpn.network="${intf}"`
Fix firewall from update 2020-11-27 17:13:36 +00:00			`done`
Fix firewall zone from some update 2020-11-01 09:03:47 +00:00
Set mtu fix by default 2019-05-21 19:37:45 +00:00			`uci -q batch <<-EOF >/dev/null`
Rename zone wan and lan to zone_wan and zone_lan in fw 2021-02-25 13:25:18 +00:00			`set firewall.zone_lan.mtu_fix='1'`
Set mtu fix by default 2019-05-21 19:37:45 +00:00			`set firewall.zone_vpn.mtu_fix='1'`
Reload custom firewall rules when fw reload 2021-02-23 14:12:00 +00:00			`set firewall.@include[0].reload='1'`
Allow forward to VPN 2020-10-09 15:38:31 +00:00			`commit firewall`
Set mtu fix by default 2019-05-21 19:37:45 +00:00			`EOF`
Fix SIP ALG 2022-08-27 05:50:12 +00:00			`if [ "$(uci -q get openmptcprouter.settings.sipalg)" = "" ]; then`
			`uci -q batch <<-EOF >/dev/null`
			`set openmptcprouter.settings.sipalg='1'`
Small SIP ALG fixes 2022-08-29 18:08:59 +00:00			`commit openmptcprouter`
Fix SIP ALG 2022-08-27 05:50:12 +00:00			`EOF`
			`fi`
			`if [ "$(uci -q get openmptcprouter.settings.sipalg)" = "0" ]; then`
Add option to enable/disable SIP ALG 2022-05-18 19:06:09 +00:00			`uci -q batch <<-EOF >/dev/null`
			`set firewall.zone_lan.auto_helper='0'`
			`set firewall.zone_wan.auto_helper='0'`
Fix https://github.com/Ysurac/openmptcprouter/issues/2453 and add a limit on ICMP 2022-08-07 18:10:15 +00:00			`set firewall.zone_vpn.auto_helper='0'`
Add option to enable/disable SIP ALG 2022-05-18 19:06:09 +00:00			`commit firewall`
			`EOF`
			`rmmod nf_nat_sip 2>&1 >/dev/null`
			`rmmod nf_conntrack_sip 2>&1 >/dev/null`
			`fi`
Set mtu fix by default 2019-05-21 19:37:45 +00:00
Allow ping from anywhere by default 2018-03-21 10:04:29 +00:00			`rm -f /tmp/luci-indexcache`

			`exit 0`