From baed4d5a9e4767954e143efccc9f07d8a0e39838 Mon Sep 17 00:00:00 2001
From: Sean Khan
Date: Mon, 8 Jul 2024 11:12:44 -0400
Subject: [PATCH] nss-ecm: fix logic in rule addition
When using `nft insert rule` the rule is inserted on top of the `forward_wan` chain, which bypasses any filtering in place. Instead, append the rule to the end of the chain. Other changes include renaming chain `RATE-LIMIT` to `ECM-RATE-LIMIT` for better rule classification, and `shellformat` formatting.
Signed-off-by: Sean Khan
---
qca-nss-ecm/files/qca-nss-ecm.firewall | 45 +++++++++++++-------------
1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/qca-nss-ecm/files/qca-nss-ecm.firewall b/qca-nss-ecm/files/qca-nss-ecm.firewall
index a12325a..465e183 100644
--- a/qca-nss-ecm/files/qca-nss-ecm.firewall
+++ b/qca-nss-ecm/files/qca-nss-ecm.firewall
@@ -3,31 +3,32 @@ FW_SCRIPT="/etc/init.d/firewall" if grep -q "fw3" "$FW_SCRIPT"; then - if ! iptables -nvL | grep -q "Chain RATE-LIMIT"; then - iptables -N RATE-LIMIT + if ! iptables -nvL | grep -q "Chain ECM-RATE-LIMIT"; then + iptables -N ECM-RATE-LIMIT + fi + + iptables -F ECM-RATE-LIMIT + iptables -A ECM-RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN + iptables -A ECM-RATE-LIMIT -j DROP + iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j ECM-RATE-LIMIT + + [ -n "$(command -v ip6tables)" ] && { + if ! ip6tables -nvL | grep -q "Chain ECM-RATE-LIMIT"; then + ip6tables -N ECM-RATE-LIMIT fi - iptables -F RATE-LIMIT - iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN - iptables -A RATE-LIMIT -j DROP - iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT - [ -n "$(command -v ip6tables)" ] && { - if ! ip6tables -nvL | grep -q "Chain RATE-LIMIT"; then - ip6tables -N RATE-LIMIT - fi - - ip6tables -F RATE-LIMIT - ip6tables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN - ip6tables -A RATE-LIMIT -j DROP - ip6tables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT - } + ip6tables -F ECM-RATE-LIMIT + ip6tables -A ECM-RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN + ip6tables -A ECM-RATE-LIMIT -j DROP + ip6tables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j ECM-RATE-LIMIT + } elif grep -q "fw4" "$FW_SCRIPT"; then - if ! nft list chain inet fw4 RATE-LIMIT > /dev/null 2>&1; then - nft add chain inet fw4 RATE-LIMIT - fi + if ! 
nft list chain inet fw4 ecm_rate_limit > /dev/null 2>&1; then + nft add chain inet fw4 ecm_rate_limit + fi - nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return - nft add rule inet fw4 RATE-LIMIT counter drop - nft insert rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT + nft add rule inet fw4 ecm_rate_limit limit rate 1000/second burst 1000 packets counter return + nft add rule inet fw4 ecm_rate_limit counter drop + nft add rule inet fw4 forward_wan ct state new counter jump ecm_rate_limit comment "!fw4: ECM Rate Limit 1000/pps" fi
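Review bot: The appended jump on the last `+` line of the fw4 branch may never be reached: fw4 generates `forward_wan` with the wan zone's forward-policy verdict as its final rule (`jump reject_to_wan` on a default configuration), and a rule appended after an unconditional jump into a rejecting chain sees no traffic, so the rate limit would silently stop applying — confirm with `nft list chain inet fw4 forward_wan` after a firewall reload and, if so, place the rule after the `ct status dnat accept` rule instead of at the chain end (`nft insert rule inet fw4 forward_wan index <N> ...`). Separately, the fw4 branch never flushes `ecm_rate_limit` the way the fw3 branch flushes `ECM-RATE-LIMIT`, and it adds the `forward_wan` jump unconditionally, so every run appends another limit/drop pair and another jump, and each extra jump re-evaluates the same limit rule per packet, effectively halving the permitted rate; the `iptables -I zone_wan_forward 5` and `ip6tables -I zone_wan_forward 5` lines have the same unguarded insert. The fence below flushes the chain once it exists and adds the jump only when it is absent.
```shell
	fi
	# flush so firewall reloads do not stack duplicate limit/drop rules
	nft flush chain inet fw4 ecm_rate_limit
	# … unchanged: the two ecm_rate_limit rules (limit/return, counter drop) …
	# add the jump once; it must precede forward_wan's final verdict rule to be reachable
	if ! nft list chain inet fw4 forward_wan 2>/dev/null | grep -q 'jump ecm_rate_limit'; then
		nft add rule inet fw4 forward_wan ct state new counter jump ecm_rate_limit comment "!fw4: ECM Rate Limit 1000/pps"
	fi
```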