Time/day of week firewall rules not working correctly

Installing and Using OpenWrt
#1

there seems to be a bug in UCI when applying firewall rules with both time and multiple weekdays specified. it only seems to add a rule for the first day listed.

eg

config rule
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option name 'some weekday'
        list proto 'all'
        list src_ip '192.168.1.242'
        list src_ip '192.168.1.181'
        option start_time '00:00:00'
        option stop_time '23:59:59'
        option weekdays 'Mon Tue Wed Thu Fri'

results in the following in iptables:

zone_wan_dest_REJECT  all  --  some.ip       anywhere             TIME from 04:00:00 to 08:00:00 on Mon /* !fw3: some weekday */
zone_wan_dest_REJECT  all  --  someother.ip             anywhere             TIME from 04:00:00 to 08:00:00 on Mon /* !fw3: some weekday */
IPv6/v4 Firewall Traffic Rules
#2

https://forum.openwrt.org/search?q=time%20rules%20not%20working

#3

i've already done a forum search and read the topics that seemed relevant, is there a specific post that you think addresses this problem that i've missed?

if you ask me the resulting iptables rules look pretty obviously wrong, as does the fw3 print output:

iptables -t filter -A zone_lan_forward -s 192.168.1.242/255.255.255.255 -m time --timestart 04:00:00 --timestop 08:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: some weekday" -j zone_wan_dest_REJECT
iptables -t filter -A zone_lan_forward -s 192.168.1.181/255.255.255.255 -m time --timestart 04:00:00 --timestop 08:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: some weekday" -j zone_wan_dest_REJECT

fyi for my particular use case I don't care about established connections either, my kids are young and thus unlikely to have active connections at 4am in the morning (i hope!).

IPQ806x NSS Drivers
#4



Time/Date based firewall rules do not work
#5

One user solved his issue after installing ipset.
However when I tried it myself it didn't seem to work, although I have the ipset installed.

#6

appears to just be a bug in FW3 to me, i just disabled the rules i had defined in UCI and inserted them using iptables instead.

#7

You should probably upgrade your system.
I cannot reproduce the issue on OpenWrt 19.07.3.

#8

it could be a regression on master, it can't be much more up to date than something i built about 4 hours ago :).

so on 19.07.3 it produces the right iptables rules?

1 Like
#9 
# iptables-save | grep -e test
-A OUTPUT -p tcp -m time --weekdays Mon,Tue,Wed,Thu,Fri --datestop 2038-01-19T03:14:07 --kerneltz -m comment --comment "!fw3: test" -j ACCEPT
-A OUTPUT -p udp -m time --weekdays Mon,Tue,Wed,Thu,Fri --datestop 2038-01-19T03:14:07 --kerneltz -m comment --comment "!fw3: test" -j ACCEPT

# uci show firewall.test
firewall.test=rule
firewall.test.name='test'
firewall.test.weekdays='Mon Tue Wed Thu Fri'
firewall.test.target='ACCEPT'

# ubus call system board
{
	"kernel": "4.14.180",
	"hostname": "openwrt",
	"system": "Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz",
	"model": "QEMU Standard PC (i440FX + PIIX, 1996)",
	"board_name": "qemu-standard-pc-i440fx-piix-1996",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.3",
		"revision": "r11063-85e04e9f46",
		"target": "x86/64",
		"description": "OpenWrt 19.07.3 r11063-85e04e9f46"
	}
}

# opkg list-installed firewall
firewall - 2019-11-22-8174814a-2
#10

interesting, i have

firewall - 2020-09-05-8c2f9fad-1

so i guess something in those...10 months.

#11

The time interval is much shorter.
It works fine on OpenWrt SNAPSHOT r13850-e363470d1a.

#12

Hi, @facboy,

I am on firewall - 2020-09-05-8c2f9fad-1 too. And, I have exactly your same issue. As you I solved it moving my rules to firewall.user, thought like sharing.

Kind regards.

1 Like
#13

In any case, it's best to report properly:
https://openwrt.org/bugs

2 Likes
#14

a small typo in the end, i submitted a patch.

3 Likes