Limitations

We should not add/remove the rules directly in firewall.c file since it is common to all other boards
We can do by enabling DISTRO_FEATURE . But again we should be knowing the exact rules to remove/add . This should not affect the basic functionalities like board bring up , components bring up , routing packets, etc.,

Steps to persist the new rules

Create a script and place it under ./meta-rdk-broadband/recipes-ccsp/util/utopia
Add and install in utopia.bb file
SRC_URI += "file://iptables.sh"
install -m 755 ${WORKDIR}/iptables.sh ${D}${sysconfdir}
In firewall.c file , create your function to invoke the script instead of service_start(); in main()
static int new_firewall()
{
system("sh /etc/iptables.sh");
return 0;
}

Install your script under /etc
Invoke your script from firewall_log_handle.sh file
/fss/gw/usr/bin/GenFWLog -c
/fss/gw/usr/bin/firewall $*
/etc/fw_iptables.sh
/fss/gw/usr/bin/GenFWLog -gc
In script , the rules has to be cleared/flushed before adding . During firewall restarts , if the rules are not cleared before adding , the same rules will be listed multiple times in "iptables -L / -S" .

Place all your new rules in a script under /nvram
In firewall_log_handle.sh file , add a condition as below
if [ -f /nvram/<file>.sh ] then
. /nvram/<file>.sh
fi
Suppose , if any script already running with few set of ip rules (from source code ) which is invoked in firewall_log_handle.sh file , follow the below steps
copy the existing script from /<original-path> to /nvram
The changes (adding new rules manually) should be done in the script under /nvram
In firewall_log_handle.sh file , add the condition as
if [ -f /nvram/<file>.sh ] then
. /nvram/<file>.sh
else
. /<original-path>/<file>.sh
fi
Once the complete verification is done , the script file from /nvram has to be deleted .