Command-line instructions assume too much

The learning curve is too steep for the command-line instructions. There are few, if any, comments or supporting text. I'm moderately computer savvy (I work on mainframes) and I can't decipher your command-line instructions. Describing what it's trying to achieve would be extremely helpful.
For context: I have a parental rule to try and kick my son off Steam at bedtime, but because he's already connected, the rule never applies. There's a section (I think) here: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset#established_connections which also links to a page about reordering firewall rules - why, what does that do that means the times now apply, etc.

Please add some considered detail for those of us who aren't experts but with a bit of help could get better.

Also missing are meta instructions, such as: copy and paste this code block onto the command line (on your router via ssh), it should run and achieve X, Y & Z; or create a shell script in /a/dir/OnYourSSHrouterTerm/ containing the instructions in this block and then run it; or whatever.

Many thanks
Greg

1 Like

The copy/paste would not work directly in 22.03+

The high-level function of the document is that dnsmasq fills an ipset (an nftables set for nftables/fw4) and you can use that to allow clients access only to websites they looked up.

Well, that's at least trying to describe the goal, but it assumes we all have your depth of knowledge, which I certainly don't. I can go and look up all the terms you've used, but that makes it really difficult with so many layers of abstraction to juggle and digest, and you still haven't said what I do with your code blocks. Please just explain, assuming far less prior knowledge than you have. Maybe assume I can write a simple shell script but am not familiar with the other elements.

Admittedly, the commands look cryptic. You can try to make a comic book version, as the current one is outdated.

  • create set in fw4
  • install the bigger dnsmasq after uninstalling the default one, preferably over a wired connection
  • configure dnsmasq to fill set(s)
  • use the command line to verify the sets are filled before...
  • using them in, e.g., guest network forward rule(s)

Keep in mind that the wiki is >95% user contributed, its quality and correctness varies and depends on those who use it, find issues and improve them.

While the CLI approach is terse, and you really shouldn't follow it blindly without understanding what each step is doing, doing the equivalent using LuCI would require a massive amount of screenshots for the user to get lost in. Each has its own advantages and drawbacks, but for more complex things a more visual approach generally doesn't work as an example (too many things, too many screens, way too convoluted).

My personal approach would be much simpler though…

  • create a dedicated (v)AP/ ESSID for your kids
    • bonus points for filtering as needed
  • use something like luci-app-wifischedule to enable/disable it as you desire

But… yes, the above works, however kids are creative, motivated, typically have physical access and have time on their hands, so you quickly end up in a losing position. (and with mobile data, you've already lost before you've started).

Can you really keep the key to your liquor cabinet safe from a -hypothetical- 14 year old alcoholic? With trust, understanding and the threat of repercussions, probably - but mostly because a) they might not be an alcoholic :wink: b) you will physically notice when it's been robbed clean and c) there are easier ways to get to the booze among friends, without the immediate threat of being noticed.

Replace the above with car keys, $insert_other_examples_here, or -for the Americans- the keys to your gun locker - or -just to end with a lighter touch- simply the cookie jar, as needed.

1 Like

A couple of notes for you.

First, typically, you will get more responses to specific questions in the 'Installing and Using OpenWrt' section of the forum.

As to your specific question about the code in the wiki. Essentially, by default, OpenWrt has a rule which allows established/related connections. The first portion of the code you linked to saves the existing rule (if any) for that. The command

RJ_RULE="$(nft -a list chain inet fw4 forward \
| sed -n -e "/\shandle_reject\s/p")"

appears to be saving the 'reject' rule which seems to have the tag 'handle_reject' (I can't tell for sure whether this rule actually exists or not).

Note that nft -a prints rules and their 'handles', which are, in effect, numerical IDs for each of the current nftables rules. The handle is the last whitespace-separated string in each line, so ${RJ_RULE##* } extracts that string. When deleting rules, you address them by the handle. When inserting or adding rules, you can optionally specify their position using the handle of an existing rule.

nft delete rule inet fw4 forward handle ${ER_RULE##* }

removes the established/related connections rule, then this code:

if [ -n "${RJ_RULE}" ]
then nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
else nft add rule inet fw4 forward ${ER_RULE}
fi

recreates it in a specific position. The position of the rule matters because nftables (the firewall backend) processes rules sequentially.

To me it looks like the code assumes the existence of established/related rule and may work incorrectly if that rule does not exist.

There is some more nuance there related to the UCI commands.

To my understanding, you are expected to copy-paste the whole code block into the terminal and hope that it works. Otherwise you could create the file /etc/nftables.d/estab.sh and copy-paste the lines

# Capture the established/related accept rule and the reject rule, each with its handle
ER_RULE="$(nft -a list chain inet fw4 forward \
| sed -n -e "/\sestablished,related\saccept\s/p")"
RJ_RULE="$(nft -a list chain inet fw4 forward \
| sed -n -e "/\shandle_reject\s/p")"
# Delete the accept rule by its handle (the last word of the captured line)
nft delete rule inet fw4 forward handle ${ER_RULE##* }
# Re-add it just before the reject rule, or at the end of the chain if there is none
if [ -n "${RJ_RULE}" ]
then nft insert rule inet fw4 forward position ${RJ_RULE##* } ${ER_RULE}
else nft add rule inet fw4 forward ${ER_RULE}
fi

into it, then run the commands:

uci set firewall.estab="include"
uci set firewall.estab.path="/etc/nftables.d/estab.sh"
uci commit firewall
service firewall restart

@slh it would be nice if someone with wiki editing rights could use some of the above explanation to improve the wiki page
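An added example, not from the wiki page and not from anyone in this thread, that illustrates the handle extraction and the missing-rule concern discussed in the post above. It runs the same two sed searches and the ${VAR##* } extraction over a constructed listing in the shape of `nft -a list chain inet fw4 forward`, and prints the nft commands instead of executing them, so you can read them before pasting anything on the router. It refuses to do anything when the established/related rule is absent. The listings and handle numbers are made up; `[[:space:]]` stands in for the `\s` of the wiki's patterns so the script works with any POSIX sed.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki or this thread. Dry-run version of
# the wiki's rule-reordering snippet: it parses a listing in the shape of
# `nft -a list chain inet fw4 forward` and prints the nft commands it would
# run instead of running them. On a router you would call it as:
#   plan_move "$(nft -a list chain inet fw4 forward)"
#
# The listings below are constructed; the handle numbers are invented.
SAMPLE_WITH_REJECT='table inet fw4 {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept comment "!fw4: Allow inbound established and related flows" # handle 12
    iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" # handle 15
    jump handle_reject # handle 17
  }
}'
# Same chain without the final reject rule (the wiki's "else" branch).
SAMPLE_NO_REJECT='table inet fw4 {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept comment "!fw4: Allow inbound established and related flows" # handle 12
    iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" # handle 15
  }
}'
# Chain with no established/related rule at all: the case the thread warns about.
SAMPLE_NO_ESTAB='table inet fw4 {
  chain forward {
    type filter hook forward priority filter; policy drop;
    iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" # handle 15
    jump handle_reject # handle 17
  }
}'

# Print the nft commands that move the established/related accept rule to just
# before the reject rule. Returns 1 and prints nothing on stdout if the accept
# rule is missing, so nothing is ever deleted by mistake.
plan_move() {
  listing="$1"
  # Same two searches as the wiki, with POSIX [[:space:]] instead of \s.
  er_rule="$(printf '%s\n' "$listing" | sed -n -e '/[[:space:]]established,related[[:space:]]accept[[:space:]]/p')"
  rj_rule="$(printf '%s\n' "$listing" | sed -n -e '/[[:space:]]handle_reject[[:space:]]/p')"
  if [ -z "$er_rule" ]; then
    echo "plan_move: no established/related accept rule in listing; refusing to delete anything" >&2
    return 1
  fi
  # With -a every rule line ends in "# handle N", so the last word is the handle.
  er_handle="${er_rule##* }"
  # Rule text to re-add: drop the trailing "# handle N" and the indentation.
  er_body="$(printf '%s' "${er_rule% # handle *}" | sed 's/^[[:space:]]*//')"
  printf 'nft delete rule inet fw4 forward handle %s\n' "$er_handle"
  if [ -n "$rj_rule" ]; then
    # "insert ... position H" places the new rule before the rule with handle H.
    printf 'nft insert rule inet fw4 forward position %s %s\n' "${rj_rule##* }" "$er_body"
  else
    # No reject rule: append at the end of the chain, as the wiki does.
    printf 'nft add rule inet fw4 forward %s\n' "$er_body"
  fi
}

plan_move "$SAMPLE_WITH_REJECT"
plan_move "$SAMPLE_NO_ESTAB" || echo "(refused, as intended)"
```

Two things worth knowing before running the real commands: nftables handles are not renumbered when a rule is deleted, so deleting handle 12 and then inserting at position 17 is safe; and if more than one line matches a search (for example a duplicated accept rule), ${VAR##* } yields only the last handle and the delete would hit the wrong rule, a limitation the wiki snippet shares, which is why looking at the listing first is worthwhile.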