[Feature Request] Prepend Firewall rule

Hi all,

is it possible to add an option when creating a traffic rule to prepend it to the forward chain? Currently all rules are appended, resulting in not being able to give a rule the highest priority (in my case executing it before the RELATED,ESTABLISHED general rule). Either a select of "append" (default)/"prepend" or even a numeric input providing the position (not good for inexperienced people).

Any chance to get this?

Thanks!

Bye

Then use -A instead of -I.


Hi all,

another suggestion would be to give another special option in the source selection like "priority", which will then be added before all other rules. Might be more convenient.

Bye

Huh...Where are you adding these rules?


I know I can create custom rules by iptables command, but I would like to do that from luci-interface when adding forward rules.

OK...I'm lost...because you asked how to Append to the FORWARD table...but you cannot make such a rule in LuCI, as I recall...

So can you better explain the current issue, show the rules in question, etc.?

...or is this a Feature Request? :thinking:

Actually I was asking for a way to "prepend" a rule, instead of appending it. In my case, when creating rules from luci-interface, those are appended to the forward chain, after these ones:

[721313:532383136] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[717741:532057837] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1454:108549] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
[14:808] -A FORWARD -i eth5 -m comment --comment "!fw3" -j zone_wan_forward
...

In my case I need to add a rule that is added BEFORE the ones above. This is currently not possible from UI. The only chance I have is to use custom iptables rules and use "iptables -t filter -I FORWARD...". My suggestion was to add an option in UI to define, that the rule should be prepended to forward chain, NOT appended.

And yes, this is a feature request :slight_smile:

Ummmm...This should happen automatically...like on any Linux machine.

Please show the rule from /etc/config/firewall please.

  • Did you try moving them up???
  • Are you saying add before the FW3 built-in rules???

:man_facepalming: Please make up your mind, append (-A) or prepend (-I).

(Maybe you're confused at which argument places the rule at the top? :thinking: )


Ok, then I will try the opposite way around. Consider this:

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls

Works fine, except the last script, which is only there to do exactly what I tried to describe above: add a rule before the FW3 built-in rules. To cut existing connections the only way is to define a rule before the one that handles the "related,established" definition. The provided script in my opinion is a hack and causes trouble on systems with more complex rules. It would become obsolete with my suggestion to add an option in the UI.

I hope this makes it clearer!

P.S. I am not confused, because I have used "iptables -t filter -I FORWARD 1..." now, but this is not possible via UCI config, only with custom rules.

I guess this means you're not gonna show us...as requested?

  • What Script?!?
  • Please confirm you're using official OpenWrt
  • We know this!
  • "Custom Rules" is where the instructions say put such a rule!
  • This is why I asked you to show us the rules! :smiley:

Then use -A!

:+1:

OK, this is a Feature Request.

(Moved to the For Developers section.)


We really seem to have a communication problem. Not sure what exactly is the reason...

I have provided a link above, this one:

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls

It shows how one can deactivate internet access in a particular time frame. This works fine for newly established connections, but existing ones are still kept. The documentation then (at the end) shows a script that should solve it:

# Reorder iptables/ip6tables rules
cat << "EOF" > /etc/firewall.estab
for IPT in iptables ip6tables
do ${IPT}-save -c -t filter \
| sed -e "/FORWARD.*ESTABLISHED/d;
/FORWARD.*reject/i $(${IPT}-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED/p")" \
| ${IPT}-restore -c -T filter
done
EOF
 
# Enable the reordering script
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
/etc/init.d/firewall restart
 
# Back up the reordering script
cat << EOF >> /etc/sysupgrade.conf
/etc/firewall.estab
EOF

It simply tries to reorder the rules so that the parental rule that blocks internet access is moved before the built-in FW3 rules. This script causes trouble on my end as other rules do not work any more. To avoid the script, I suggested a change to do that (put rules before built-in rules) in my first and second post.

The rules I am adding are quite simple:

iptables -t filter -A FORWARD -p tcp -m mac --mac-source XX:XX:XX:XX:XX:XX -o wan -m time --timestart 21:00:00 --timestop 07:00:00 --datestop 2038-01-19T03:14:07 --kerneltz -j REJECT

But those rules have no effect on already established connections without moving them to the top of the forward chain (before the rule for related,established connections).

P.S. I am using OpenWRT 19.07.3

Use custom rule chains to insert rules, e.g. this one:


Use custom rule chains to insert rules, e.g. this one:

Can I do that from within luci firewall configuration? Otherwise it is not different from what I am doing here:

iptables -t filter -I FORWARD 1 -p tcp -m mac --mac-source XX:XX:XX:XX:XX:XX -o wan -m time --timestart 21:00:00 --timestop 07:00:00 --datestop 2038-01-19T03:14:07 --kerneltz -j REJECT

Right?

No, not right.

Let me rephrase...Where is this rule inserted in your system so it works on boot?!?!?!

  • Please tell us the location; and
  • show us the portion of file content including the rule

LuCI > Network > Firewall > Custom Rules

Technically, this is also LuCI web-interface, i.e. you don't need to use command-line to edit this config.

No, it will mess your rules sooner or later due to dynamic configuration changes.


Hi guys,

I have inserted the rules into "/etc/firewall.user", which is the file used in "Custom rules" tab in luci interface. I understood now that

  1. custom rules need to be used
  2. I need to use custom rule chains like "forwarding_rule", otherwise configuration might break

I guess the feature request is not interesting for the OpenWRT developers, as the requirement can still be achieved.

Thanks!

Bye
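The thread's point in the posts above is ordering: a time-based REJECT appended to FORWARD never sees packets of flows that the earlier "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" rule already accepted, whereas a rule placed in the forwarding_rule chain is evaluated first because fw3 jumps to that chain ahead of the conntrack ACCEPT. The script below is an added example, not from the OpenWrt documentation or anyone in this thread: it audits an iptables-save style dump (here a constructed sample modelled on the FORWARD chain shown earlier, with a made-up MAC address) and reports whether a given rule will actually be evaluated for established connections. It is a read-only check over saved output and does not call iptables itself; the function names rule_index and sees_established are this example's own.

```shell
#!/bin/sh
# Added example: audit whether a FORWARD rule is ordered so that it can act on
# already-established flows. Works on iptables-save output, so it can be run
# against "iptables-save -t filter" from the router or, as here, a sample.

# Constructed sample 1: the custom rule was appended to FORWARD (what LuCI
# traffic rules do), so it sits AFTER the RELATED,ESTABLISHED accept.
SAMPLE_APPENDED='*filter
:FORWARD DROP [0:0]
:forwarding_rule - [0:0]
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth5 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -p tcp -m mac --mac-source 00:11:22:33:44:55 -o eth5 -m time --timestart 21:00:00 --timestop 07:00:00 --kerneltz -j REJECT
COMMIT'

# Constructed sample 2: the same rule placed in the forwarding_rule chain
# (e.g. via "iptables -I forwarding_rule ..." in /etc/firewall.user).
SAMPLE_CUSTOM_CHAIN='*filter
:FORWARD DROP [0:0]
:forwarding_rule - [0:0]
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth5 -m comment --comment "!fw3" -j zone_wan_forward
-A forwarding_rule -p tcp -m mac --mac-source 00:11:22:33:44:55 -o eth5 -m time --timestart 21:00:00 --timestop 07:00:00 --kerneltz -j REJECT
COMMIT'

# rule_index DUMP CHAIN REGEX
# Prints the 1-based position, within CHAIN, of the first "-A CHAIN ..." line
# matching REGEX, or 0 when no rule in that chain matches.
rule_index() {
    printf '%s\n' "$1" | awk -v chain="$2" -v re="$3" '
        $1 == "-A" && $2 == chain { n++; if ($0 ~ re && !found) found = n }
        END { print found + 0 }'
}

# sees_established DUMP REGEX
# Returns 0 when the rule matching REGEX will be evaluated for established
# flows: either it sits in FORWARD ahead of the conntrack ACCEPT, or it lives
# in forwarding_rule and the jump to that chain precedes the conntrack ACCEPT.
sees_established() {
    dump=$1
    re=$2
    est=$(rule_index "$dump" FORWARD 'ctstate RELATED,ESTABLISHED.*-j ACCEPT')
    jump=$(rule_index "$dump" FORWARD '-j forwarding_rule')
    pos=$(rule_index "$dump" FORWARD "$re")
    custom=$(rule_index "$dump" forwarding_rule "$re")

    # Directly in FORWARD and before the accept (or no accept rule at all).
    if [ "$pos" -gt 0 ] && { [ "$est" -eq 0 ] || [ "$pos" -lt "$est" ]; }; then
        return 0
    fi
    # In forwarding_rule, reached through a jump that precedes the accept.
    if [ "$custom" -gt 0 ] && [ "$jump" -gt 0 ] && \
       { [ "$est" -eq 0 ] || [ "$jump" -lt "$est" ]; }; then
        return 0
    fi
    return 1
}

# Report on both constructed samples.
for name in SAMPLE_APPENDED SAMPLE_CUSTOM_CHAIN; do
    eval "dump=\$$name"
    if sees_established "$dump" 'mac-source'; then
        echo "$name: time rule is evaluated before established flows are accepted"
    else
        echo "$name: time rule is shadowed by the RELATED,ESTABLISHED accept"
    fi
done
```

On a live OpenWrt box the same functions can be fed the real dump with `sees_established "$(iptables-save -t filter)" 'mac-source'`; a non-zero exit means the rule only affects new connections, which is exactly the symptom described above.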

:confused:

What!?!?

Your post was in the correct section for less than one hour, after I kindly put it there for you (and properly noted the title).

And you fail to answer any questions, saying I don't understand.

No problem.

:wave:

I really do not know what other information I can provide. I have shown you the exact rule I am adding to /etc/firewall.user:

iptables -t filter -I FORWARD 1 -p tcp -m mac --mac-source XX:XX:XX:XX:XX:XX -o wan -m time --timestart 21:00:00 --timestop 07:00:00 --datestop 2038-01-19T03:14:07 --kerneltz -j REJECT

There is NOTHING MORE I am currently doing. My use case is working, because I have added the iptables command manually in custom rules, but I wanted this to be possible via the nice configuration interface in luci for forward rules. That's all. Given the fact that all advice in this thread more or less points to the custom rules (which I am currently using anyway and used before my post), I was assuming that this is the final solution and there is no interest in the feature request. If there still is, I would be happy if that can be integrated; if not, also fine.

:partying_face:

THANK YOU!!!!

I asked that multiple times!!! (you never stated where you placed this rule - and you can see it's definitely absent from Post No. 1).

To be clear (I hope you don't claim a communication issue again):

  • Have you been adding this rule in /etc/firewall.user since the issue you describe in Post No. 1...or did you try elsewhere first???
  • Did you try any other method (i.e. RAW rules)

(I'm obviously asking for a reason.)

I already understood this, and also noted this is what the instructions state (it seems like you ignored that for me having a communication issue); but you did say you want a feature request, so the questions must be answered at some point.

Since it's quite logical and zone based...it boils down to this (I think):

  • Are you simply asking for a button or something to basically say "Place this rule in the Linux default FORWARD table"?

While you answer (so I make sure you understand while elaborating), please be mindful:

  • those chains actually define zones, that bundle OpenWrt-enumerated interfaces, which in fact bundle Linux Network PHYs?
  • Placing the rules in the correct order will put them in the desired position, this already works in OpenWrt (I think perhaps you also missed I noted this for another communication issue)

Basically...it seems like you want to make something that exempts a PHY, in a zone-based system...on the same layer-of-abstraction???

Can you tell us about some of the security considerations you've had to make in your use case?

EDIT:

  • Are you sure -o wan is your rule?
  • Do you intend for this rule to stop the established,related connection that begun with an inbound or (e.g. 1st timer expired and ongoing) UDP too???
  • Doesn't a DROP forward from ANY (or MAC) to WAN at the very top of the Traffic Rules work also??? (i.e. zone-based syntax)
  • You can specify specific interface in the advanced tab :wink:

Ok, those are a lot of questions; I will try to answer them one by one.

Have you been adding this rule in /etc/firewall.user since the issue you describe in Post No. 1...or did you try elsewhere first???

I had this rule added to /etc/firewall.user and working before I posted

Did you try any other method (i.e. RAW rules)

No

Are you simply asking for a button or something to basically say "Place this rule in the Linux default FORWARD table"?

Basically yes. Not exactly in the default FORWARD table, zone "forwarding_rule" would also be fine.

Basically...it seems like you want to make something that exempts a PHY, in a zone-based system...on the same layer-of-abstraction???

Not sure I understand this question correctly. My requirement is to drop established connections when the current time frame matches the configured one in the rule. Preferably the "OpenWRT way".

Can you tell us about some of the security considerations you've had to make in your use case?

No security considerations, as I am blocking additional traffic. Main purpose: "block children devices from the internet during sleep time" :slight_smile:

Are you sure -o wan is your rule?

I want to block traffic that goes to the internet, so I am assuming this is correct.

Do you intend for this rule to stop the established,related connection that begun with an inbound or (e.g. 1st timer expired and ongoing) UDP too???

I want to block any kind of connection to the internet.

Doesn't a DROP forward from ANY (or MAC) to WAN at the very top of the Traffic Rules work also??? (i.e. zone-based syntax)

I have not tried that, but what would be the difference to a "REJECT" here?

You can specify specific interface in the advanced tab

Interface seems to be not important. I want to block traffic to the WAN zone.

I hope I have answered the questions in a helpful way. I am not an expert on OpenWRT level and also not on networking level, so maybe my knowledge is simply not good enough to discuss on your level. No offense!