I tried to add new firewall rule using curl command:
curl -X POST -d '{"jsonrpc":"2.0","id":1,"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"root","password":"my-password"}]}' http://192.168.1.1/ubus | jq
curl -X POST -d '{"jsonrpc":"2.0","id":2,"method":"call","params":["my-token","uci","add",{"config":"firewall","type":"rule","values":{"name":"Block Device","src":"lan","dest":"wan","src_mac":"F6:32:19:EE:31:F9","target":"REJECT"}}]}' http://192.168.1.1/ubus | jq
Output:
{
"jsonrpc": "2.0",
"id": 2,
"result": [
0,
{
"section": "cfg1292bd"
}
]
}
But I can't commit the change, it shows -32002 Access denied error:
curl -X POST -d '{"jsonrpc":"2.0","id":3,"method":"call","params":["my-token","uci","commit",{"config":"firewall"}]}' http://192.168.1.1/ubus | jq
Output:
{
"jsonrpc": "2.0",
"id": 3,
"error": {
"code": -32002,
"message": "Access denied"
}
}
My router is TP-Link Archer AX23 with openwrt version 24.10.0.
Im using root user, which has full read and write permissions. In /etc/config/rpcd file.
config rpcd
option socket /var/run/ubus/ubus.sock
option timeout 30config login
option username 'root'
option password '$p$root'
list read ''
list write ''
My ACL defination in /usr/share/rpcd/acl.d/luci-app-firewall.json
{
"luci-app-firewall": {
"description": "Grant access to firewall configuration",
"read": {
"file": {
"/etc/firewall.user": [
"read"
]
},
"ubus": {
"file": [
"read"
],
"luci": [
"getConntrackHelpers"
]
},
"uci": [
"firewall"
]
},
"write": {
"file": {
"/etc/firewall.user": [
"write"
]
},
"ubus": {
"file": [
"write"
]
},
"uci": [
"firewall"
]
}
}
}
ubus call session list
{
"ubus_rpc_session": "00000000000000000000000000000000",
"timeout": 0,
"expires": 0,
"acls": {
"access-group": {
"unauthenticated": [
"read"
]
},
"ubus": {
"luci": [
"getFeatures"
],
"session": [
"access",
"login"
]
}
},
"data": {}
}
Please advise.