feat: Make WAN access rules persistent across firewall/network restarts (v0.6.0-r34)

- Add firewall include script (/etc/firewall.secubox-wan) for fw4 compatibility - Add hotplug script (/etc/hotplug.d/iface/99-secubox-wan) for WAN interface events - Configure firewall include in postinst (type=script for fw4) - secubox-core bumped to 0.9.0-2 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-08 17:18:05 +01:00 · 2026-01-08 17:18:05 +01:00 · e6749f1b54
commit e6749f1b54
parent 4dc1a6b74c
3 changed files with 54 additions and 1 deletions
--- a/package/secubox/secubox-core/Makefile
+++ b/package/secubox/secubox-core/Makefile
@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=secubox-core
 PKG_VERSION:=0.9.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_ARCH:=all
 PKG_LICENSE:=GPL-2.0
 PKG_MAINTAINER:=SecuBox Team
@ -77,6 +77,13 @@ define Package/secubox-core/install
 	$(INSTALL_BIN) ./root/usr/sbin/secubox-state $(1)/usr/sbin/
 	$(INSTALL_BIN) ./root/usr/sbin/secubox-component $(1)/usr/sbin/
 	$(INSTALL_BIN) ./root/usr/sbin/secubox-sync-registry $(1)/usr/sbin/
+	$(INSTALL_BIN) ./root/usr/sbin/secubox-wan-access $(1)/usr/sbin/
+
+	# WAN Access persistence (firewall include + hotplug)
+	$(INSTALL_DIR) $(1)/etc
+	$(INSTALL_BIN) ./root/etc/firewall.secubox-wan $(1)/etc/
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_BIN) ./root/etc/hotplug.d/iface/99-secubox-wan $(1)/etc/hotplug.d/iface/

 	$(INSTALL_DIR) $(1)/usr/libexec/rpcd
 	$(INSTALL_BIN) ./root/usr/libexec/rpcd/luci.secubox $(1)/usr/libexec/rpcd/
@ -133,6 +140,15 @@ EOF
 	# Register with rpcd
 	/etc/init.d/rpcd restart

+	# Setup firewall include for WAN access persistence (fw4 compatible)
+	if ! uci -q get firewall.secubox_wan_include >/dev/null 2>&1; then
+		uci set firewall.secubox_wan_include=include
+		uci set firewall.secubox_wan_include.path='/etc/firewall.secubox-wan'
+		uci set firewall.secubox_wan_include.type='script'
+		uci commit firewall
+		echo "SecuBox WAN access firewall include configured"
+	fi
+
 	# Sync component registry from catalog
 	if [ -x /usr/sbin/secubox-sync-registry ]; then
 		echo "Syncing component registry..."
--- a/package/secubox/secubox-core/root/etc/firewall.secubox-wan
+++ b/package/secubox/secubox-core/root/etc/firewall.secubox-wan
@ -0,0 +1,16 @@
+#!/bin/sh
+#
+# SecuBox WAN Access - Firewall Include Script
+# This script is called on every firewall reload to ensure WAN access rules persist
+#
+
+# Only run if secubox-wan-access exists
+[ -x /usr/sbin/secubox-wan-access ] || exit 0
+
+# Log the reload
+logger -t secubox-wan "Firewall reload detected - reapplying WAN access rules"
+
+# Apply WAN access rules from UCI config
+/usr/sbin/secubox-wan-access apply >/dev/null 2>&1
+
+exit 0
--- a/package/secubox/secubox-core/root/etc/hotplug.d/iface/99-secubox-wan
+++ b/package/secubox/secubox-core/root/etc/hotplug.d/iface/99-secubox-wan
@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# SecuBox WAN Access - Network Hotplug Script
+# Reapplies WAN access rules when WAN interface comes up
+#
+
+[ "$ACTION" = "ifup" ] || exit 0
+[ "$INTERFACE" = "wan" ] || [ "$INTERFACE" = "wan6" ] || exit 0
+
+# Only run if secubox-wan-access exists
+[ -x /usr/sbin/secubox-wan-access ] || exit 0
+
+logger -t secubox-wan "WAN interface $INTERFACE up - reapplying WAN access rules"
+
+# Small delay to ensure firewall is ready
+sleep 2
+
+# Apply WAN access rules
+/usr/sbin/secubox-wan-access apply >/dev/null 2>&1
+
+exit 0