openwrt-R7800-nss/package/qca-nss/qca-nss-ecm/files/qca-nss-ecm.firewall

#!/bin/sh
#
# Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
# Copyright (c) 2023-2024 Qualcomm Innovation Center, Inc. All rights reserved.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#

iptables -nvL FORWARD | grep -q "physdev" && iptables -Z FORWARD 1
iptables -nvL FORWARD | grep -q "physdev" || iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

if grep -q "fw3" /etc/init.d/firewall; then
	iptables -nvL | grep -q "Chain RATE-LIMIT" && iptables -F RATE-LIMIT
	iptables -nvL | grep -q "Chain RATE-LIMIT" || iptables -N RATE-LIMIT
	iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
	iptables -A RATE-LIMIT -j DROP
	iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
elif grep -q "fw4" /etc/init.d/firewall; then
	nft add chain inet fw4 RATE-LIMIT
	nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return
	nft add rule inet fw4 RATE-LIMIT counter drop
	nft add rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT
fi