3 ways to Apply Settings from CLI for Access Restrictions

jimj
DD-WRT Novice


Joined: 18 Oct 2015
Posts: 35
Location: Sioux Falls SD

Posted: Thu Jul 22, 2021 2:22    Post subject: 3 ways to Apply Settings from CLI for Access Restrictions
I successfully use Access Restrictions with my R7800 router running "DD-WRT v3.0-r47074 std (07/20/21)". I use all 20 Access Restrictions policies. Instead of spending 20 minutes simply entering them all by hand via the GUI I decided it'd be more efficient to spend 20 hours learning how to enter them via the CLI. :)

I'm happy to report that I can now enter my policies via the command line by using commands like this (to create policy 13 in this example):
Code:
nvram set filter_rule13="\$STAT:1\$NAME:Midnight block\$DENY:1\$IF:Any\$\$"
nvram set filter_ip_grp13="0 0 0 0 0 0 10.1.1.224-10.1.1.239 10.2.1.224-10.2.1.239"
nvram set filter_tod13="0:0 4:0 0-6"
nvram set filter_tod_buf13=7
nvram set filter_p2p_grp13=0

So everything looks good, I can verify everything is set correctly via the web GUI.

The only problem is that the new policy doesn't take effect after I enter the "nvram set" commands above. By running 'iptables -vnL grp_13' I can see the firewall iptables commands haven't been generated:
Code:
root@r7800:~# iptables -vnL grp_13
Chain grp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination
<BLANK>

I have found three ways to activate my policies entered via the CLI:
1. Click the "Apply Settings" on the "Access Restrictions" or "Administration" page (and maybe others, I didn't test all the pages' "Apply Settings" buttons)
2. Run 'restart firewall' from the CLI
3. Reboot the router (i.e. run 'reboot' from the CLI)

Taking any one of the three actions above activates my new policy which I can verify like this:
Code:
root@r7800:~# iptables -vnL grp_13
Chain grp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       10.1.1.224/28        0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.1.1.224/28   
    0     0 DROP       all  --  *      *       10.2.1.224/28        0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.2.1.224/28

One other thing I tried was running 'nvram commit', but as far as I can tell this doesn't do anything (it didn't help with this problem anyway).

23JUL2021 update: 'nvram commit' ensures your 'nvram set' commands are saved to NVRAM, but other actions also do this, more details in this thread and in kernel-panic69's posts below.

Is there a better way to activate Access Restrictions from the command line? Is there a way to do a true "Apply Settings" from the CLI?

_________________
R7800 v3.0-r47086 std (07/22/21)
set "tcp_tw_recycle" to 0


Last edited by jimj on Tue Jul 27, 2021 1:38; edited 5 times in total
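
An added example, not part of the original posts: a POSIX shell sketch of the commit / 'restart firewall' / verify sequence from the first post, which fails loudly when a policy exists in nvram but its iptables chain is still empty. The helper names `rule_count`, `policy_active` and `activate_policy` are hypothetical; the `nvram`, `restart firewall` and `iptables -vnL grp_N` commands are the ones shown in the post, and the sample listings are constructed from its two outputs.

```shell
#!/bin/sh
# Constructed samples, copied from the two grp_13 listings in the post.
SAMPLE_EMPTY='Chain grp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination'
SAMPLE_ACTIVE='Chain grp_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       10.1.1.224/28        0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.1.1.224/28
    0     0 DROP       all  --  *      *       10.2.1.224/28        0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.2.1.224/28'

# Count rules in `iptables -vnL <chain>` output on stdin: skip the
# "Chain ..." line and the column header, count non-blank lines after.
rule_count() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# True only if the chain for policy number $1 holds at least one rule.
policy_active() {
    n=$(iptables -vnL "grp_$1" 2>/dev/null | rule_count)
    [ "$n" -gt 0 ]
}

# Run after the `nvram set filter_*N=...` commands for policy $1.
activate_policy() {
    nvram commit       # save the nvram set values
    restart firewall   # option 2 in the post: regenerate the iptables rules
    if policy_active "$1"; then
        echo "policy $1 enforced"
    else
        echo "policy $1 is in nvram but grp_$1 has no rules" >&2
        return 1
    fi
}

# Offline demonstration on the samples: prints 0, then 4.
printf '%s\n' "$SAMPLE_EMPTY" | rule_count
printf '%s\n' "$SAMPLE_ACTIVE" | rule_count
```

On the router, `activate_policy 13` would follow the five `nvram set` lines for policy 13.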
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Thu Jul 22, 2021 2:34
It's called 'reboot' after your 'nvram commit'.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
jimj
Posted: Thu Jul 22, 2021 3:06
kernel-panic69 wrote:
It's called 'reboot' after your 'nvram commit'.

Reboot is my 3rd option listed above, it does work, however as far as I can tell 'nvram commit' doesn't do anything so I never use it.

kernel-panic69
Posted: Thu Jul 22, 2021 3:42
Anything you do with 'nvram set' should be followed by an 'nvram commit'; you will not see the effect until you 'reboot'. I guess I should've been more precise.
jimj
Posted: Thu Jul 22, 2021 3:54
kernel-panic69 wrote:
Anything you do with 'nvram set' should be followed by an 'nvram commit'; you will not see the effect until you 'reboot'. I guess I should've been more precise.


I understand what you're saying (and I see quite a few references to 'nvram commit' in this forum), but I haven't yet found a scenario when it does anything (noticeable) on my r7800 router. Could you explain what it does? Just running 'nvram set' followed by 'reboot' works fine. I.e. I can reboot without using 'nvram commit' and my policies will take effect (I could also instead of rebooting click "Apply Settings" or run 'restart firewall' without running 'nvram commit' and either of those will activate my policies).

kernel-panic69
Posted: Thu Jul 22, 2021 4:01
It's a failsafe step. If you see no need to do it, that is entirely up to you whether or not you use it.
jimj
Posted: Thu Jul 22, 2021 4:19
kernel-panic69 wrote:
It's a failsafe step. If you see no need to do it, that is entirely up to you whether or not you use it.


Thanks, that makes sense. https://wiki.dd-wrt.com/wiki/index.php/Hardware also explicitly states (multiple times) that 'nvram set' commands aren't saved until you run 'nvram commit', but that's never been my experience. However I don't set a lot of things from the command line, so maybe I've just gotten lucky with the variables I've edited.

I broke my 'nvram commit' questions out into a separate thread here:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1241735
