From 399136a5ee6fe2d0f1f62102c58963637c641cb6 Mon Sep 17 00:00:00 2001
From: zxlhhyccc <45259624+zxlhhyccc@users.noreply.github.com>
Date: Wed, 13 Mar 2024 22:50:51 +0800
Subject: [PATCH] =?UTF-8?q?qca-nss-ecm=EF=BC=9AFixed=20the=20problem=20tha?=
 =?UTF-8?q?t=20the=20route=20does=20not=20respond=20after=20startup.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 qca-nss-ecm/files/qca-nss-ecm.firewall | 41 +++++++++++++++++++-------
 1 file changed, 30 insertions(+), 11 deletions(-)
diff --git a/qca-nss-ecm/files/qca-nss-ecm.firewall b/qca-nss-ecm/files/qca-nss-ecm.firewall
index 1a2a4b5..a12325a 100644
--- a/qca-nss-ecm/files/qca-nss-ecm.firewall
+++ b/qca-nss-ecm/files/qca-nss-ecm.firewall
@@ -1,14 +1,33 @@
 #!/bin/sh
-if grep -q "fw3" /etc/init.d/firewall; then
- iptables -nvL | grep -q "Chain RATE-LIMIT" && iptables -F RATE-LIMIT
- iptables -nvL | grep -q "Chain RATE-LIMIT" || iptables -N RATE-LIMIT
- iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
- iptables -A RATE-LIMIT -j DROP
- iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
-elif grep -q "fw4" /etc/init.d/firewall; then
- nft add chain inet fw4 RATE-LIMIT
- nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return
- nft add rule inet fw4 RATE-LIMIT counter drop
- nft insert rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT
+FW_SCRIPT="/etc/init.d/firewall"
+
+if grep -q "fw3" "$FW_SCRIPT"; then
+ if ! iptables -nvL | grep -q "Chain RATE-LIMIT"; then
+ iptables -N RATE-LIMIT
+ fi
+
+ iptables -F RATE-LIMIT
+ iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
+ iptables -A RATE-LIMIT -j DROP
+ iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
+ [ -n "$(command -v ip6tables)" ] && {
+ if ! ip6tables -nvL | grep -q "Chain RATE-LIMIT"; then
+ ip6tables -N RATE-LIMIT
+ fi
+
+ ip6tables -F RATE-LIMIT
+ ip6tables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
+ ip6tables -A RATE-LIMIT -j DROP
+ ip6tables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
+ }
+
+elif grep -q "fw4" "$FW_SCRIPT"; then
+ if ! nft list chain inet fw4 RATE-LIMIT > /dev/null 2>&1; then
+ nft add chain inet fw4 RATE-LIMIT
+ fi
+
+ nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return
+ nft add rule inet fw4 RATE-LIMIT counter drop
+ nft insert rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT
 fi
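Review bot: The fw4 branch still appends to RATE-LIMIT and inserts the forward_wan jump unconditionally, so every run of this include (each firewall reload) accumulates duplicate rules; the fw3 branch flushes RATE-LIMIT but likewise re-inserts the `zone_wan_forward` jump every time. Since each accumulated jump re-evaluates the same stateful limit rule, N jumps would appear to let every new connection consume N tokens, shrinking the effective 1000/s budget until legitimate new WAN connections are dropped — worth confirming on a device after a few reloads. Suggest `nft flush chain inet fw4 RATE-LIMIT` right after the chain-existence check, guarding the insert with `nft list chain inet fw4 forward_wan | grep -q 'jump RATE-LIMIT' || nft insert rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT`, and on the fw3 side `iptables -C zone_wan_forward --match conntrack --ctstate NEW -j RATE-LIMIT 2>/dev/null || iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT` (same pattern for ip6tables). Separately, the fw3 branch ends with the `[ -n "$(command -v ip6tables)" ] && { ... }` compound, so on a host without ip6tables the script's exit status is non-zero; an `if` block would avoid reporting a spurious failure to the caller.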