#!/bin/sh
# Dragino LPS8NK: configure WAN fallback IP and firewall (fw4)
. /lib/functions/system.sh

board=$(board_name)

case "$board" in
	dragino,lps8nk)
		# LPS8NK WAN physical port is eth0.2. Keep fallback IP on this port
		# regardless of how the logical "wan" interface is reconfigured.
		wan_dev="eth0.2"

		# Persist a dedicated static interface on the WAN device for fallback IP.
		# Using an interface (not a device section) ensures netifd applies the address.
		uci -q batch <<-EOF
			delete network.wan_fallback
			set network.wan_fallback=interface
			set network.wan_fallback.proto='static'
			set network.wan_fallback.device='$wan_dev'
			set network.wan_fallback.ifname='$wan_dev'
			set network.wan_fallback.ipaddr='172.31.255.254'
			set network.wan_fallback.netmask='255.255.255.252'
			set network.wan_fallback.defaultroute='0'
			set network.wan_fallback.peerdns='0'

			delete firewall.wan_fallback_icmp
			set firewall.wan_fallback_icmp=rule
			set firewall.wan_fallback_icmp.name='Allow-Fallback-ICMP'
			set firewall.wan_fallback_icmp.family='ipv4'
			set firewall.wan_fallback_icmp.src='*'
			set firewall.wan_fallback_icmp.src_ip='172.31.255.252/30'
			set firewall.wan_fallback_icmp.proto='icmp'
			add_list firewall.wan_fallback_icmp.icmp_type='echo-request'
			set firewall.wan_fallback_icmp.target='ACCEPT'

			delete firewall.wan_fallback_ssh
			set firewall.wan_fallback_ssh=rule
			set firewall.wan_fallback_ssh.name='Allow-Fallback-SSH'
			set firewall.wan_fallback_ssh.family='ipv4'
			set firewall.wan_fallback_ssh.src='*'
			set firewall.wan_fallback_ssh.src_ip='172.31.255.252/30'
			set firewall.wan_fallback_ssh.proto='tcp'
			set firewall.wan_fallback_ssh.dest_port='22'
			set firewall.wan_fallback_ssh.target='ACCEPT'

			delete firewall.wan_fallback_http
			set firewall.wan_fallback_http=rule
			set firewall.wan_fallback_http.name='Allow-Fallback-HTTP'
			set firewall.wan_fallback_http.family='ipv4'
			set firewall.wan_fallback_http.src='*'
			set firewall.wan_fallback_http.src_ip='172.31.255.252/30'
			set firewall.wan_fallback_http.proto='tcp'
			set firewall.wan_fallback_http.dest_port='80'
			set firewall.wan_fallback_http.target='ACCEPT'

			delete firewall.wan_fallback_https
			set firewall.wan_fallback_https=rule
			set firewall.wan_fallback_https.name='Allow-Fallback-HTTPS'
			set firewall.wan_fallback_https.family='ipv4'
			set firewall.wan_fallback_https.src='*'
			set firewall.wan_fallback_https.src_ip='172.31.255.252/30'
			set firewall.wan_fallback_https.proto='tcp'
			set firewall.wan_fallback_https.dest_port='443'
			set firewall.wan_fallback_https.target='ACCEPT'

			commit network
			commit firewall
		EOF

		;;
esac

exit 0
