That was still too late to fix the problem. /cfg isn’t mounted until after kmods are loaded.
What did work though was in post-cfg adding to the lan zone (is that always 0? If not need to extract it) :
uci set firewall.@zone[0].auto_helper='0'
uci set firewall.@zone[0].helper='amanda ftp RAS Q.931 irc pptp snmp tftp'
uci commit
/etc/init.d/firewall reload
It takes a list, and those are all the ones but sip that were previously active.
To see what’s enabled:
root@route10:~# iptables -traw -vL |grep helper
2220 344K zone_lan_helper all -- br-lan any anywhere anywhere /* !fw3: lan CT helper assignment */
16 1040 zone_lan_helper all -- br-lan_2 any anywhere anywhere /* !fw3: lan CT helper assignment */
87 11634 zone_lan_helper all -- br-lan_3 any anywhere anywhere /* !fw3: lan CT helper assignment */
131 31281 zone_lan_helper all -- br-lan_4 any anywhere anywhere /* !fw3: lan CT helper assignment */
Chain zone_lan_helper (4 references)
0 0 CT udp -- any any anywhere anywhere /* !fw3: Amanda backup and archiving proto */ udp dpt:10080 CT helper amanda
0 0 CT tcp -- any any anywhere anywhere /* !fw3: FTP passive connection tracking */ tcp dpt:ftp CT helper ftp
0 0 CT udp -- any any anywhere anywhere /* !fw3: RAS proto tracking */ udp dpt:1719 CT helper RAS
0 0 CT tcp -- any any anywhere anywhere /* !fw3: Q.931 proto tracking */ tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- any any anywhere anywhere /* !fw3: IRC DCC connection tracking */ tcp dpt:ircd CT helper irc
0 0 CT tcp -- any any anywhere anywhere /* !fw3: PPTP VPN connection tracking */ tcp dpt:1723 CT helper pptp
0 0 CT udp -- any any anywhere anywhere /* !fw3: SNMP monitoring connection tracking */ udp dpt:snmp CT helper snmp
0 0 CT udp -- any any anywhere anywhere /* !fw3: TFTP connection tracking */ udp dpt:tftp CT helper tftp