From 09af0144f400c004a102d1987785da459ab65851 Mon Sep 17 00:00:00 2001
From: Tvlz <Tvlztomato@gmail.com>
Date: Mon, 1 Aug 2016 17:22:23 +0700
Subject: [PATCH] Allow Incoming IPv6 IPSec by default

Thx Tvlz
---
 release/src-rt-6.x.4708/router/rc/firewall.c             | 10 ++++++++++
 release/src-rt-6.x.4708/router/shared/defaults.c         |  1 +
 release/src-rt-6.x.4708/router/www/advanced-firewall.asp |  7 +++++--
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/release/src-rt-6.x.4708/router/rc/firewall.c b/release/src-rt-6.x.4708/router/rc/firewall.c
index bc43f2d5d3..1d9717bbde 100644
--- a/release/src-rt-6.x.4708/router/rc/firewall.c
+++ b/release/src-rt-6.x.4708/router/rc/firewall.c
@@ -1314,6 +1314,16 @@ static void filter_forward(void)
 		ip6t_write("-A FORWARD -p ipv6-icmp --icmpv6-type %i -j %s\n", allowed_icmpv6[i], chain_in_accept);
 	}
 
+	//IPv6 IPSec - RFC 6092
+	if (nvram_match("ipv6_ipsec", "1")) {
+		if (*wan6face) {
+			ip6t_write(
+				"-A FORWARD -i %s -p esp -j ACCEPT\n"				//ESP
+				"-A FORWARD -i %s -p udp --dport 500 -j ACCEPT\n",	//IKE
+				wan6face, wan6face);
+		}
+	}
+
 	//IPv6
 	if (*wan6face) {
 		ip6t_write(
diff --git a/release/src-rt-6.x.4708/router/shared/defaults.c b/release/src-rt-6.x.4708/router/shared/defaults.c
index 137a0584ee..3f39de3d12 100644
--- a/release/src-rt-6.x.4708/router/shared/defaults.c
+++ b/release/src-rt-6.x.4708/router/shared/defaults.c
@@ -164,6 +164,7 @@ struct nvram_tuple router_defaults[] = {
 	{ "ipv6_6rd_ipv4masklen",	"0"				, 0 },	// 6RD IPv4 mask length (0-30) checkme
 	{ "ipv6_vlan",			"0"				, 0 },	// Enable IPv6 on 1=LAN1 2=LAN2 4=LAN3
 	{ "ipv6_pdonly",		"0"				, 0 },	// Request DHCPv6 Prefix Delegation Only
+	{ "ipv6_ipsec",			"1"				, 0 },	// Enable Incoming IPv6 IPSec
 #endif
 
 #ifdef RTCONFIG_FANCTRL
diff --git a/release/src-rt-6.x.4708/router/www/advanced-firewall.asp b/release/src-rt-6.x.4708/router/www/advanced-firewall.asp
index aab36cd89f..30b57496aa 100644
--- a/release/src-rt-6.x.4708/router/www/advanced-firewall.asp
+++ b/release/src-rt-6.x.4708/router/www/advanced-firewall.asp
@@ -26,7 +26,7 @@
 
 <script type='text/javascript'>
 
-//	<% nvram("block_wan,block_wan_limit,block_wan_limit_icmp,block_wan_limit_tr,nf_loopback,ne_syncookies,DSCP_fix_enable,multicast_pass,multicast_lan,multicast_lan1,multicast_lan2,multicast_lan3,lan_ifname,lan1_ifname,lan2_ifname,lan3_ifname,udpxy_enable,udpxy_stats,udpxy_clients,udpxy_port,ne_snat"); %>
+//	<% nvram("block_wan,block_wan_limit,block_wan_limit_icmp,block_wan_limit_tr,nf_loopback,ne_syncookies,DSCP_fix_enable,ipv6_ipsec,multicast_pass,multicast_lan,multicast_lan1,multicast_lan2,multicast_lan3,lan_ifname,lan1_ifname,lan2_ifname,lan3_ifname,udpxy_enable,udpxy_stats,udpxy_clients,udpxy_port,ne_snat"); %>
 
 function verifyFields(focused, quiet)
 {
@@ -77,6 +77,7 @@ function save()
 
 	fom.ne_syncookies.value = E('_f_syncookies').checked ? 1 : 0;
 	fom.DSCP_fix_enable.value = E('_f_DSCP_fix_enable').checked ? 1 : 0;
+	fom.ipv6_ipsec.value = E('_f_ipv6_ipsec').checked ? 1 : 0;
 	fom.multicast_pass.value = E('_f_multicast').checked ? 1 : 0;
 	fom.multicast_lan.value = E('_f_multicast_lan').checked ? 1 : 0;
 	fom.multicast_lan1.value = E('_f_multicast_lan1').checked ? 1 : 0;
@@ -113,6 +114,7 @@ function save()
 <input type='hidden' name='block_wan_limit_tr'>
 <input type='hidden' name='ne_syncookies'>
 <input type='hidden' name='DSCP_fix_enable'>
+<input type='hidden' name='ipv6_ipsec'>
 <input type='hidden' name='multicast_pass'>
 <input type='hidden' name='multicast_lan'>
 <input type='hidden' name='multicast_lan1'>
@@ -133,7 +135,8 @@ createFieldTable('', [
 	{ title: 'Traceroute', indent: 2, name: 'f_icmp_limit_traceroute', type: 'text', maxlen: 3, size: 3, suffix: ' <small> request per second</small>', value: fixInt(nvram.block_wan_limit_tr || 5, 1, 300, 5) },
 	null,
 	{ title: 'Enable SYN cookies', name: 'f_syncookies', type: 'checkbox', value: nvram.ne_syncookies != '0' },
-	{ title: 'Enable DSCP Fix', name: 'f_DSCP_fix_enable', type: 'checkbox', value: nvram.DSCP_fix_enable != '0', suffix: ' <small>Fixes Comcast incorrect DSCP</small>' }
+	{ title: 'Enable DSCP Fix', name: 'f_DSCP_fix_enable', type: 'checkbox', value: nvram.DSCP_fix_enable != '0', suffix: ' <small>Fixes Comcast incorrect DSCP</small>' },
+	{ title: 'IPv6 IPSec Passthrough', name: 'f_ipv6_ipsec', type: 'checkbox', value: nvram.ipv6_ipsec != '0' }
 ]);
 </script>
 </div>
-- 
2.11.4.GIT