Manually playing with iptables would not really work, since I want to be able to change it as if it was done via the GUI, so the changes are in sync.
I managed it in the end, roughly as above.
I configure the rule in the GUI, then enable or disable it remotely by setting the above rule variable and just changing the $STAT:1 or $STAT:0 part, depending on whether it's enabled or not.
Works a treat
Only odd part was stop/start on the firewall after I change the setting. stop works, but I need to call start twice;
the first call always gives the error:
cannot open /proc/sys/net/ipv4/conf/br0/loop
But second time works...?? odd.
FYI, the reason I want this is I have OpenHab for home automation and want the wife to have a wife-friendly way to turn each kid's internet off when she wants, so I have rules for each kid taking in their phones and PCs and all their devices, and a button in OpenHab that uses ssh to enable/disable the rule... works great!! Thanks to dd-wrt!