Joined: 01 Feb 2016 Posts: 54 Location: Oregon, U.S.
Posted: Sat Jul 23, 2022 7:53 Post subject: [SOLVED] Problems implementing Access Restrictions
I have a WRT1900ac V1 running R48081.
This is my simple goal - I want all internet traffic for a finite set of devices to be blocked from 9pm thru 6am (21:00:00 thru 06:00:00).
I get that a user cannot use one rule that goes past midnight. Otherwise you are promptly greeted with:
"The end time must be greater than start time."
In so many words, you have to create two rules: one that goes from a time prior to midnight to midnight, then a second rule to cover midnight to an end time after midnight.
However, this is not possible with current implementation because you cannot create a rule that actually reaches midnight. There is no 24:00 to select at the end of the day.
24:00 equates to MIDNIGHT at the end of the day and 00:00 means Midnight at the start of the day.
This means I'm relegated to a restriction schedule that starts at 9:00:00pm and ends at 11:59:00pm, leaving 11:59pm thru 12:00am without any restrictions. With a full gigabit connection a lot of data can be sent & received in those 60 seconds.
How do I block that last single minute just prior to midnight?
Last edited by TedCheeze on Sun Jul 24, 2022 22:02; edited 1 time in total
IIRC, the netfilter time module supports seconds, NOT just hour and minutes. I assume that's what AR (Access Restrictions) is using, but maybe not, esp. since the time module was only added in the past few years.
The netfilter time module may be the better option, which means creating your own firewall rules. I was recently helping someone on the Merlin forum who also needed to cross the midnight hour. I had no problem using 00:00 for midnight on both rules (i.e., no gaps).
Code:
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -m time --timestart 20:00 --timestop 00:00 --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -j REJECT
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j REJECT
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Sat Jul 23, 2022 8:27 Post subject:
eibgrad wrote:
IIRC, the netfilter time module supports seconds, NOT just hour and minutes. I assume that's what AR (Access Restrictions) is using, but maybe not, esp. since the time module was only added in the past few years.
The netfilter time module may be the better option, which means creating your own firewall rules. I was recently helping someone on the Merlin forum who also needed to cross the midnight hour. I had no problem using 00:00 for midnight on both rules (i.e., no gaps).
Code:
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -m time --timestart 20:00 --timestop 00:00 --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -j REJECT
iptables -I FORWARD -m mac --mac-source 0a:32:13:75:7d:95 -m time --timestart 00:00 --timestop 08:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j REJECT
In the meanwhile you could try to set this via CLI, filter_tod(numberoffilter) values; there may be another way but I need more coffee and I have a terrible migraine right now.
e.g. nvram set filter_tod3="21:0 6:0 0-6" && nvram commit <- between 21:0 pm and 6:0 am. Don't forget the double quotes; this is Linux, to write a variable with spaces, else it only sets the first value. Leave the last `0-6` alone, don't touch it.
I created a 3rd filter so mine is filter_tod3, so yours must match that number of your filter which must already be enabled and set. You can initially set a valid time and then overwrite via CLI, I did mine from 2:0 to 6:0 and then overwrote it via CLI to what I wanted in this test filter.
Below is the result after I edited it via CLI, bypassing the input validation JS.
Matching across days might not do what is expected. For instance,
-m time --weekdays Mo --timestart 23:00 --timestop 01:00
will match Monday, for one hour from midnight to 1 a.m., and then again for another hour from 23:00 onwards. If this is unwanted, e.g. if you would like 'match for two hours from Monday 23:00 onwards' you need to also specify the --contiguous option in the example above.
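As an added example (not code from the thread or from DD-WRT), here is a small POSIX shell script that generates eibgrad's pair of rules from a single block window: it cuts the window at 00:00 and shifts the --weekdays list of the after-midnight piece by one day, which is why neither rule needs the --contiguous option quoted above. It also rejects 24:00, since the time module has no such value. The MAC address is the one in eibgrad's rules, the 21:00 to 06:00 window is the original poster's, and the function names are mine. The script only prints the iptables commands; it does not run them.

```shell
#!/bin/sh
# Added example, not from the thread: build netfilter "time" rules for a block
# window that may cross midnight, the way eibgrad's two rules do.
# Only prints the iptables commands; review the output before running it.

# Accept HH:MM from 00:00 to 23:59. The time module has no 24:00, so the end of
# the day is always written as 00:00 of the next day (see split_window).
valid_time() {
    case $1 in
        [0-9]:[0-5][0-9]|[01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Minutes since midnight, used to decide whether a window wraps past 00:00.
to_minutes() {
    h=${1%%:*}; m=${1#*:}
    case $h in 0?) h=${h#0} ;; esac   # "08" would otherwise be read as octal
    case $m in 0?) m=${m#0} ;; esac
    echo $(( h * 60 + m ))
}

# split_window START STOP: print one "start stop" line, or two when the window
# wraps past midnight, cut at 00:00 so each piece lies within a single day.
split_window() {
    if [ "$(to_minutes "$1")" -lt "$(to_minutes "$2")" ]; then
        echo "$1 $2"
    else
        echo "$1 00:00"
        echo "00:00 $2"
    fi
}

# next_day Mon -> Tue (wrapping Sat -> Sun)
next_day() {
    case $1 in
        Sun) echo Mon ;; Mon) echo Tue ;; Tue) echo Wed ;; Wed) echo Thu ;;
        Thu) echo Fri ;; Fri) echo Sat ;; Sat) echo Sun ;;
        *) echo "bad weekday: $1" >&2; return 1 ;;
    esac
}

# next_days Sun,Mon,Tue -> Mon,Tue,Wed: the after-midnight piece of a window
# belongs to the following calendar day, so its --weekdays list shifts by one.
# Runs in a subshell so the IFS change stays local.
next_days() (
    IFS=,
    out=""
    for d in $1; do
        n=$(next_day "$d") || exit 1
        out="${out:+$out,}$n"
    done
    echo "$out"
)

# block_rules MAC START STOP WEEKDAYS: print the REJECT rule(s) for the window.
block_rules() {
    mac=$1; start=$2; stop=$3; days=$4
    if ! valid_time "$start" || ! valid_time "$stop"; then
        echo "times must be HH:MM between 00:00 and 23:59 (24:00 is not accepted)" >&2
        return 1
    fi
    n=0
    split_window "$start" "$stop" | while read -r a b; do
        n=$(( n + 1 ))
        if [ "$n" -eq 2 ]; then days=$(next_days "$days") || return 1; fi
        printf 'iptables -I FORWARD -m mac --mac-source %s -m time --timestart %s --timestop %s --weekdays %s --kerneltz -j REJECT\n' \
            "$mac" "$a" "$b" "$days"
    done
}

# Demo with the original poster's window (21:00 to 06:00, every night) and the
# MAC from eibgrad's rules; pass your own MAC START STOP WEEKDAYS to override.
if [ "$#" -eq 0 ]; then
    block_rules 0a:32:13:75:7d:95 21:00 06:00 Sun,Mon,Tue,Wed,Thu,Fri,Sat
else
    block_rules "$@"
fi
```

Running it with eibgrad's arguments (`20:00 08:00 Sun,Mon,Tue,Wed,Thu`) reproduces his two lines exactly, including the Sun-Thu to Mon-Fri weekday shift. The split keeps every rule's --timestop after its --timestart within one day, so the two-interval behaviour the man page warns about never arises, and --kerneltz is kept so the times are evaluated in the router's local time zone rather than UTC.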
Joined: 01 Feb 2016 Posts: 54 Location: Oregon, U.S.
Posted: Sun Jul 24, 2022 23:09 Post subject: Thank you!
Of course the IPTABLES rules would be the most prudent way to implement my goal.
However, I find what the-joker suggests seems to fit my situation very well.
This way I can create my filter rule the way that I want, except the timing. Then I manipulate the timing via the CLI. This also makes it very simple to disable or enable the filter rule for that group of devices within the UI. Otherwise I would have to modify two rules for every device in the group.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Mon Jul 25, 2022 8:57 Post subject:
@TedCheeze
Let me know if it works. I'm assuming there is no further validation after it's been manipulated via CLI and saved, so whether it processes as intended or not at the designated times should be verified.
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Mon Jul 25, 2022 9:02 Post subject:
the-joker wrote:
@TedCheeze
Let me know if it works. I'm assuming there is no further validation after it's been manipulated via CLI and saved, so whether it processes as intended or not at the designated times should be verified.
I believe the UI validation is unnecessary and not correct as it stands, but that's something I must discuss with the main developer and try to find a better solution which allows sane, valid time periods to be set.
I think it is necessary; look back at my earlier postings.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Mon Jul 25, 2022 9:29 Post subject:
Well currently it seems it accounts for start time and end time to be on same day and not start one day and end the next which is what makes sense here assuming we select more than one day.
If we take start time and end time to be same day then the error and validation is correct, otherwise is a little off.
Start one day at X end the next day at Y and rinse and repeat every day or per set days.
But the current logic only allows for a single 24 hour period no matter how many days are selected.
You can never activate the filter between one day and the next.
What the kernel supports IDK, but currently when more than one day is selected it's crap in, crap out.
I think this can be considered a feature request rather than an all out bug.
PS.
start time on mon, tue, wed, thu, fri, sat, sunday -- end time != start day || first day || start time && start day (or something, this is likely not sufficient)
and then the UI changes to suit.
then we need a checkbox to do current logic daily timer, or multiple day timer and activate the correct fields.
Joined: 08 May 2018 Posts: 14249 Location: Texas, USA
Posted: Mon Jul 25, 2022 10:17 Post subject:
I can't remember if this was a feature in the original WRT54 or E-series Linksys firmware off the top of my head, but this has always been a "bug" in the "feature". We're off to go to my routine check-up. I might remember to look at this later, or not.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Using the filter rule method, DNSMASQ goes down if end time is less than start time (i.e. starts in one day & ends in the next).
DNSMASQ goes down even if the rule is disabled.
DNSMASQ will not restart until the offending rule is corrected or deleted.
How or why DNSMASQ is affected? I do not know, but that is the behavior I observed.
Using the IPTABLES method, --timestop must not exceed 23:59:59. Otherwise you end up in a soft-brick condition after the first time the --timestart value has been reached.
IPTABLES will not accept 24:00 as a valid --timestop value. (FYI: Cisco IOS uses 24:00 for end of day & 00:00 for start of day.)
So for my next dumb idea...
Can you enable or disable an access rule from the CLI? Then use a cron job to enable or disable a 24hr rule at the scheduled times.
But I can't seem to find the correct syntax for the variables to complete the statement. When the GUI creates rules it looks like the first three, and my attempt to modify rule 5 is a wreck:
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Jul 28, 2022 14:10 Post subject:
So my original suggestion is/was a big flat on the face flop.
You can enable/disable anything that is manipulated via nvram, which is basically pretty much everything, but you are going sideways with this by adding cron to the mix.
You could create two filters, one from 21:00 to 23:59 and the next filter from 0:00 to 6:00, and see how that fares. This should be doable and pass validation and ultimately achieve what you originally wanted to do.
One day when it's possible to modify the kernel module and add a better solution that allows for both the current situation or optionally multiple days start-end time and do it all in one filter.