fix: Prevent infinite loop in secubox-wan-access (v0.6.0-r35)

- Add apply-noreload command that skips firewall reload
- Firewall include now uses apply-noreload to avoid loop
- apply command still reloads firewall for manual use

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

package/secubox/secubox-core/root/etc/firewall.secubox-wan

@@ -10,7 +10,7 @@
 # Log the reload
 logger -t secubox-wan "Firewall reload detected - reapplying WAN access rules"
 
-# Apply WAN access rules from UCI config
-/usr/sbin/secubox-wan-access apply >/dev/null 2>&1
+# Apply WAN access rules from UCI config (noreload to avoid infinite loop)
+/usr/sbin/secubox-wan-access apply-noreload >/dev/null 2>&1
 
 exit 0

package/secubox/secubox-core/root/usr/sbin/secubox-wan-access

@@ -84,7 +84,10 @@ add_rule() {
 }
 
 # Apply rules based on secubox config
+# Note: noreload parameter skips firewall reload (used by firewall include to avoid loops)
 apply_rules() {
+	local noreload="$1"
+
 	config_load secubox
 
 	local enabled https_enabled https_port http_enabled http_port ssh_enabled ssh_port
@@ -122,7 +125,11 @@ apply_rules() {
 	fi
 
 	uci commit firewall
-	/etc/init.d/firewall reload >/dev/null 2>&1
+
+	# Only reload firewall if not called from firewall include (avoid infinite loop)
+	if [ "$noreload" != "noreload" ]; then
+		/etc/init.d/firewall reload >/dev/null 2>&1
+	fi
 
 	echo "WAN access rules applied"
 }
@@ -210,6 +217,10 @@ case "$1" in
 	apply)
 		apply_rules
 		;;
+	apply-noreload)
+		# Called from firewall include - skip firewall reload to avoid loop
+		apply_rules "noreload"
+		;;
 	remove)
 		remove_rules
 		uci commit firewall
@@ -229,7 +240,7 @@ case "$1" in
 		json_status
 		;;
 	*)
-		echo "Usage: $0 {apply|remove|enable|disable|status|json}"
+		echo "Usage: $0 {apply|apply-noreload|remove|enable|disable|status|json}"
 		exit 1
 		;;
 esac