The PR author never finalised the changes requested.
And like @fantom-x says, the time based restriction functionality is already available in firewall both in master and 17.01. Even in LuCI. Just edit a traffic rule and you see this:
times are specified in UTC unless the --kerneltz switch is used
How and where is the --kerneltz switch used?
@hnyman Where would I add a rule in LuCI?
Open ports on router - No, I don't want to open a port.
New forward rule - No, I don't want to forward a port either.
Source NAT - that's the only one remaining.
-> Enter: Name / To source IP: IP to be restricted -> Add + Edit
Would that be correct so far?
The OpenWrt wiki states further:
Using firewall v3 and later the example becomes
How do I know the version of the firewall?
LuCI -> Software -> filter for firewall -> 2017-01-13-37cb4cb4-1
That's not exactly looking like v3, nor like any other version.
"New forward rule" is not about forwarding ports: it is about forwarding from one zone (lan, guest) to another (wan, or some other zone). This is where your parental rule should live.
Yes, you want to forward (or actually, prevent) traffic between lan and wan.
Not just one port, but all traffic from a source IP.
Forwarding is the general term in iptables lingo for traffic between firewall zones.
Add a new forwarding rule, from lan to wan
I haven't tried that time-based blocking for ages, but let's try. It will likely take a few minutes to figure out the exact parameter to the details page.
Basic outline is to
select the MAC of the host to be blocked
set the forbidden time limit
Or alternatively add two rules: first one to allow lan-wan forward during time X-Y for host Z, then a second rule to block all lan-wan forwarding for host Z that takes care of the other times.
Select the "Source MAC address" of the host to be blocked.
Set "Action" to be "Reject"
Select the weekdays / month days when block is active
Set the blocked "start time" and "end time" in 24-hour format, like "21:30:00"
With firewall 2017-05-09 and later: If you want UTC time, use the field "Time in UTC"
With a firewall older than 2017-05-09: Above the weekdays / month days selection is the "Extra arguments" field. Enter "--kerneltz" there to be able to set the time limits in local time instead of UTC.
The final result is a rule like this in /etc/config/firewall:
With an older firewall than 2017-05-09 you need also this:
option extra '--kerneltz'
The previous rule blocks traffic for host '78:BB:AA:3A:88:14' during 21:30-22:00 on Sundays. It gives a "reject" action, which makes most browsers return an "Unable to connect" error for the user.
Note that you can enable/disable the rule on the Firewall "Traffic Rules" page.
In that sense the whole functionality of that "Internet Access Control" package is already here, except that it provides a global switch for toggling all the time block rules of this kind that have been created by it. (The package also created the time limits and weekday entries in a format that conflicted with the firewall's own implementation, so rules created by it would look invalid to the "Traffic rules" page editing functions, and vice versa. That was at least the situation when I last looked at the PR to import that package.)
Better to put the new example also into that general firewall config advice page.
(and in LEDE we only have firewall3, so the previous example is quite outdated.)
I know "--contiguous" was required for the old example when the time period for the block crossed midnight. Is this also required for the new example?
From the iptables man:
Matching across days might not do what is expected. For instance,
-m time --weekdays Mo --timestart 23:00 --timestop 01:00 Will match Monday, for one hour from midnight to 1 a.m., and then again for another hour from 23:00 onwards. If this is unwanted, e.g. if you would like 'match for two hours from Monday 23:00 onwards' you need to also specify the --contiguous option in the example above.
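The behaviour in the man page excerpt above, worked through as an added example (not part of the thread and not the iptables source). It is a simplified model of the time match that ignores time zones and date ranges; `hms`, `time_match` and `matched` are hypothetical names.

```python
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]

def hms(text):
    """'23:00' or '23:00:00' -> seconds since midnight."""
    parts = [int(p) for p in text.split(":")] + [0, 0]
    return parts[0] * 3600 + parts[1] * 60 + parts[2]

def time_match(day, clock, weekdays, start, stop, contiguous=False):
    """Simplified model: does a packet seen on `day` at `clock` match the rule?"""
    now, t0, t1 = hms(clock), hms(start), hms(stop)
    idx = DAYS.index(day)
    if t0 < t1:
        # Window lies inside one calendar day.
        if now < t0 or now > t1:
            return False
    else:
        # Window wraps past midnight (timestart later than timestop).
        if t1 < now < t0:
            return False
        # With --contiguous the after-midnight part is counted as
        # belonging to the day on which the window started.
        if contiguous and now <= t1:
            idx = (idx - 1) % 7
    return DAYS[idx] in weekdays

def matched(weekdays, start, stop, contiguous):
    """Half-past-the-hour samples across one week that the rule matches."""
    return [(d, f"{h:02d}:30") for d in DAYS for h in range(24)
            if time_match(d, f"{h:02d}:30", weekdays, start, stop, contiguous)]

if __name__ == "__main__":
    # The man page case: --weekdays Mo --timestart 23:00 --timestop 01:00
    print("plain     :", matched({"Mo"}, "23:00", "01:00", False))
    print("contiguous:", matched({"Mo"}, "23:00", "01:00", True))
```

Without `--contiguous` a Monday-only block from 23:00 to 01:00 leaves Tuesday 00:00-01:00 open and blocks Monday 00:00-01:00 instead, which is the gap to look for in any rule whose window crosses midnight.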
I notified @jow by email about the details of the "UTC time" option handling. Looks like it is not a LuCI bug, but a bug in the options handling in the firewall3 itself, as the option fails also when manually applied to /etc/config/firewall.
Firewall has been fixed in such a way that it always automatically adds the kerneltz argument to time fields, unless you specifically want UTC in firewall (by using that UTC time option).
However, iptables chokes on having several kerneltz parameters on the same line, so having it also in the "extra argument" field will break things.
So, old rules that include kerneltz extra argument will need to be checked and possibly changed.
The change was made on firewall version 2017-05-09. Both LEDE master and 17.01 branch have the update, so it will also get into the 17.01.2 release.
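One way to check old rules for a leftover kerneltz argument, as described above (an added example, not code from the thread or from the firewall package). The sample config is constructed from the rule described earlier in the thread; `parse_rules` and `audit` are hypothetical names, and the parser assumes the usual `config` / `option` layout of /etc/config/firewall.

```python
import shlex

# fw3 rule options that make the firewall generate an iptables time match.
TIME_OPTS = {"start_time", "stop_time", "weekdays", "monthdays", "start_date", "stop_date"}
# Constructed sample, modelled on the rule described in the thread.
SAMPLE = """\
config rule
    option name 'block-sunday-evening'
    option src 'lan'
    option dest 'wan'
    option src_mac '78:BB:AA:3A:88:14'
    option start_time '21:30:00'
    option stop_time '22:00:00'
    option weekdays 'sun'
    option target 'REJECT'
    option extra '--kerneltz'
config rule
    option name 'utc-block'
    option start_time '20:00:00'
    option utc_time '1'
    option extra '--kerneltz'
config rule
    option name 'no-time-match'
    option extra '--log-prefix kerneltz-test'
"""

def parse_rules(text):
    """Return one dict of options per 'config rule' section."""
    rules, cur = [], None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:1] == ["config"]:
            cur = {} if tok[1:2] == ["rule"] else None
            rules += [cur] if cur is not None else []
        elif tok[:1] == ["option"] and cur is not None and len(tok) >= 3:
            cur[tok[1]] = tok[2]
    return rules

def audit(text):
    """Return (rule name, problem) for time rules that also pass --kerneltz."""
    out = []
    for r in parse_rules(text):
        if "--kerneltz" in r.get("extra", "").split() and r.keys() & TIME_OPTS:
            # Assumption: any utc_time value other than '0' means UTC was requested.
            why = "conflicts with utc_time" if r.get("utc_time", "0") != "0" else "duplicate --kerneltz"
            out.append((r.get("name", "?"), why))
    return out

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run `audit()` on the text of a copy of /etc/config/firewall taken before upgrading to a firewall of 2017-05-09 or later; every rule it reports needs the `extra` option edited by hand.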
Any interest in vastly superior parental controls integrated across all devices, apps and services? About to launch open-source APIs/SDKs to connect to a centralized powerful platform for “parental freedom”.
Let me know if anyone would be interested in helping integrate? Check out https://Allow2.github.io and let me know if interested.