diff --git a/patches/packages/to-upstream/0001-firewall-accept-and-drop-chains-added-option-to-set-.patch b/patches/packages/to-upstream/0001-firewall-accept-and-drop-chains-added-option-to-set-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cb61a271ad75931910ff86e8597775b2c13e2b01
--- /dev/null
+++ b/patches/packages/to-upstream/0001-firewall-accept-and-drop-chains-added-option-to-set-.patch
@@ -0,0 +1,245 @@
+From d2205f8c9b36516bcbcd7e3b1a018638dd277fa3 Mon Sep 17 00:00:00 2001
+From: Stepan Henek <stepan.henek@nic.cz>
+Date: Tue, 12 Jun 2018 14:36:58 +0200
+Subject: [PATCH] firewall: accept and drop chains added + option to set uci
+ config directory added
+
+---
+ .../01-accept-and-reject-chains-added.patch | 160 ++++++++++++++++++
+ .../02-uci_config_dir-option-added.patch | 57 +++++++
+ 2 files changed, 217 insertions(+)
+ create mode 100644 package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch
+ create mode 100644 package/network/config/firewall/patches/02-uci_config_dir-option-added.patch
+
+diff --git a/package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch b/package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch
+new file mode 100644
+index 0000000000..1a3970b58e
+--- /dev/null
++++ b/package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch
+@@ -0,0 +1,160 @@
++diff --git a/defaults.c b/defaults.c
++index 11fbf0d..d252301 100644
++--- a/defaults.c
+++++ b/defaults.c
++@@ -24,6 +24,8 @@
++ 
++ static const struct fw3_chain_spec default_chains[] = {
++ C(ANY, FILTER, UNSPEC, "reject"),
+++ C(ANY, FILTER, UNSPEC, "accept"),
+++ C(ANY, FILTER, UNSPEC, "drop"),
++ C(ANY, FILTER, CUSTOM_CHAINS, "input_rule"),
++ C(ANY, FILTER, CUSTOM_CHAINS, "output_rule"),
++ C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
++@@ -286,6 +288,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
++ fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
++ fw3_ipt_rule_append(r, "reject");
++ 
+++ r = fw3_ipt_rule_new(handle);
+++ fw3_ipt_rule_target(r, "ACCEPT");
+++ fw3_ipt_rule_append(r, "accept");
+++ 
+++ r = fw3_ipt_rule_new(handle);
+++ fw3_ipt_rule_target(r, "DROP");
+++ fw3_ipt_rule_append(r, "drop");
+++ 
++ break;
++ 
++ case FW3_TABLE_NAT:
++@@ -308,48 +318,47 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
++ }
++ }
++ 
+++static inline void prepare_tails(struct fw3_ipt_handle *handle,
+++ const char* base_chain_name, enum fw3_flag target_flag) {
+++ char *target_chain_name = NULL;
+++ 
+++ switch (target_flag) {
+++ case FW3_FLAG_REJECT:
+++ target_chain_name = "reject";
+++ break;
+++ case FW3_FLAG_DROP:
+++ target_chain_name = "drop";
+++ break;
+++ case FW3_FLAG_ACCEPT:
+++ target_chain_name = "accept";
+++ break;
+++ default:
+++ return;
+++ }
+++ 
+++ struct fw3_ipt_rule *r;
+++ r = fw3_ipt_rule_new(handle);
+++ 
+++ if (!r)
+++ return;
+++ 
+++ fw3_ipt_rule_target(r, target_chain_name);
+++ fw3_ipt_rule_append(r, base_chain_name);
+++ 
+++}
+++ 
++ void
++ fw3_print_default_tail_rules(struct fw3_ipt_handle *handle,
++ struct fw3_state *state, bool reload)
++ {
++ struct fw3_defaults *defs = &state->defaults;
++- struct fw3_ipt_rule *r;
++ 
++ if (handle->table != FW3_TABLE_FILTER)
++ return;
++ 
++- if (defs->policy_input == FW3_FLAG_REJECT)
++- {
++- r = fw3_ipt_rule_new(handle);
++- 
++- if (!r)
++- return;
++- 
++- fw3_ipt_rule_target(r, "reject");
++- fw3_ipt_rule_append(r, "INPUT");
++- }
++- 
++- if (defs->policy_output == FW3_FLAG_REJECT)
++- {
++- r = fw3_ipt_rule_new(handle);
++- 
++- if (!r)
++- return;
++- 
++- fw3_ipt_rule_target(r, "reject");
++- fw3_ipt_rule_append(r, "OUTPUT");
++- }
++- 
++- if (defs->policy_forward == FW3_FLAG_REJECT)
++- {
++- r = fw3_ipt_rule_new(handle);
++- 
++- if (!r)
++- return;
++- 
++- fw3_ipt_rule_target(r, "reject");
++- fw3_ipt_rule_append(r, "FORWARD");
++- }
+++ prepare_tails(handle, "INPUT", defs->policy_input);
+++ prepare_tails(handle, "OUTPUT", defs->policy_output);
+++ prepare_tails(handle, "FORWARD", defs->policy_forward);
++ }
++ 
++ static void
++diff --git a/rules.c b/rules.c
++index 5e1d5f3..a62aae4 100644
++--- a/rules.c
+++++ b/rules.c
++@@ -377,10 +377,14 @@ static void set_target(struct fw3_ipt_rule *r, struct fw3_rule *rule)
++ fw3_ipt_rule_target(r, "zone_%s_dest_%s", rule->dest.name, name);
++ else if (need_src_action_chain(rule))
++ fw3_ipt_rule_target(r, "zone_%s_src_%s", rule->src.name, name);
++- else if (strcmp(name, "REJECT"))
++- fw3_ipt_rule_target(r, name);
++- else
+++ else if (!strcmp(name, "REJECT"))
++ fw3_ipt_rule_target(r, "reject");
+++ else if (!strcmp(name, "ACCEPT"))
+++ fw3_ipt_rule_target(r, "accept");
+++ else if (!strcmp(name, "DROP"))
+++ fw3_ipt_rule_target(r, "drop");
+++ else
+++ fw3_ipt_rule_target(r, name);
++ }
++ 
++ static void
++diff --git a/zones.c b/zones.c
++index 505ab20..47cf85b 100644
++--- a/zones.c
+++++ b/zones.c
++@@ -421,7 +421,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
++ };
++ 
++ #define jump_target(t) \
++- ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t])
+++ ((t == FW3_FLAG_DROP) ? "drop" : (t == FW3_FLAG_ACCEPT) ? "accept" : ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t]))
++ 
++ if (handle->table == FW3_TABLE_FILTER)
++ {
++@@ -637,13 +637,13 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
++ r = fw3_ipt_rule_new(handle);
++ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
++ fw3_ipt_rule_comment(r, "Accept port redirections");
++- fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+++ fw3_ipt_rule_target(r, jump_target(FW3_FLAG_ACCEPT));
++ fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
++ 
++ r = fw3_ipt_rule_new(handle);
++ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
++ fw3_ipt_rule_comment(r, "Accept port forwards");
++- fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+++ fw3_ipt_rule_target(r, jump_target(FW3_FLAG_ACCEPT));
++ fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
++ }
++ 
+diff --git a/package/network/config/firewall/patches/02-uci_config_dir-option-added.patch b/package/network/config/firewall/patches/02-uci_config_dir-option-added.patch
+new file mode 100644
+index 0000000000..d1571600eb
+--- /dev/null
++++ b/package/network/config/firewall/patches/02-uci_config_dir-option-added.patch
+@@ -0,0 +1,57 @@
++diff --git a/main.c b/main.c
++index 1410fef..f2eaa5d 100644
++--- a/main.c
+++++ b/main.c
++@@ -38,6 +38,7 @@ static enum fw3_family print_family = FW3_FAMILY_ANY;
++ static struct fw3_state *run_state = NULL;
++ static struct fw3_state *cfg_state = NULL;
++ 
+++static char *uci_config_dir = "/etc/config/";
++ 
++ static bool
++ build_state(bool runtime)
++@@ -51,6 +52,7 @@ build_state(bool runtime)
++ error("Out of memory");
++ 
++ state->uci = uci_alloc_context();
+++ uci_set_confdir(state->uci, uci_config_dir);
++ 
++ if (!state->uci)
++ error("Out of memory");
++@@ -508,11 +510,11 @@ lookup_zone(const char *zone, const char *device)
++ static int
++ usage(void)
++ {
++- fprintf(stderr, "fw3 [-4] [-6] [-q] print\n");
++- fprintf(stderr, "fw3 [-q] {start|stop|flush|reload|restart}\n");
++- fprintf(stderr, "fw3 [-q] network {net}\n");
++- fprintf(stderr, "fw3 [-q] device {dev}\n");
++- fprintf(stderr, "fw3 [-q] zone {zone} [dev]\n");
+++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-4] [-6] [-q] print\n");
+++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] {start|stop|flush|reload|restart}\n");
+++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] network {net}\n");
+++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] device {dev}\n");
+++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] zone {zone} [dev]\n");
++ 
++ return 1;
++ }
++@@ -524,7 +526,7 @@ int main(int argc, char **argv)
++ enum fw3_family family = FW3_FAMILY_ANY;
++ struct fw3_defaults *defs = NULL;
++ 
++- while ((ch = getopt(argc, argv, "46dqh")) != -1)
+++ while ((ch = getopt(argc, argv, "46dqu:h")) != -1)
++ {
++ switch (ch)
++ {
++@@ -544,6 +546,10 @@ int main(int argc, char **argv)
++ if (freopen("/dev/null", "w", stderr)) {}
++ break;
++ 
+++ case 'u':
+++ uci_config_dir = optarg;
+++ break;
+++ 
++ case 'h':
++ rv = usage();
++ goto out;
+-- 
+2.17.1
+
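Review bot: In build_state (02-uci_config_dir-option-added.patch) the new `uci_set_confdir(state->uci, uci_config_dir)` call is placed above the `if (!state->uci)` NULL check and its return value is discarded, so a failed call silently leaves libuci on its compiled-in directory (presumably /etc/config) and the firewall is then built from a tree the operator did not select with `-u`. Move the call below the check and make failure fatal, in the style the function already uses: `if (uci_set_confdir(state->uci, uci_config_dir)) error("Cannot set uci config directory");`. The call is also now made on every run, so the no-`-u` default becomes the literal `/etc/config/` rather than libuci's own value; initialising the global to `/etc/config` without the trailing slash keeps the generated paths as they were. Separately, in rules.c set_target (01-accept-and-reject-chains-added.patch) ACCEPT and DROP stop being terminal builtin targets and become jumps into the regular chains `accept` and `drop`, so if either chain is ever flushed or emptied by another tool the jump returns and the packet continues to the next rule in the calling chain; that dependency deserves a comment beside the new `C(ANY, FILTER, UNSPEC, "accept")` and `C(ANY, FILTER, UNSPEC, "drop")` entries. build_state and set_target both start or end outside the visible hunks.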