Time/day of week firewall rules not working correctly

Installing and Using OpenWrt
1

there seems to be a bug in UCI when applying firewall rules with both time and multiple weekdays specified. it only seems to add a rule for the first day listed.

eg

config rule
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option name 'some weekday'
        list proto 'all'
        list src_ip '192.168.1.242'
        list src_ip '192.168.1.181'
        option start_time '00:00:00'
        option stop_time '23:59:59'
        option weekdays 'Mon Tue Wed Thu Fri'

results in the following in iptables:

zone_wan_dest_REJECT  all  --  some.ip       anywhere             TIME from 04:00:00 to 08:00:00 on Mon /* !fw3: some weekday */
zone_wan_dest_REJECT  all  --  someother.ip             anywhere             TIME from 04:00:00 to 08:00:00 on Mon /* !fw3: some weekday */
2

https://forum.openwrt.org/search?q=time%20rules%20not%20working

3

i've already done a forum search and read the topics that seemed relevant, is there a specific post that you think addresses this problem that i've missed?

if you ask me the resulting iptables rules look pretty obviously wrong, as does the fw3 print output:

iptables -t filter -A zone_lan_forward -s 192.168.1.242/255.255.255.255 -m time --timestart 04:00:00 --timestop 08:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: some weekday" -j zone_wan_dest_REJECT
iptables -t filter -A zone_lan_forward -s 192.168.1.181/255.255.255.255 -m time --timestart 04:00:00 --timestop 08:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: some weekday" -j zone_wan_dest_REJECT

fyi for my particular use case I don't care about established connections either, my kids are young and thus unlikely to have active connections at 4am in the morning (i hope!).

4
5

One user solved his issue after installing ipset.
However when I tried it myself it didn't seem to work, although I have the ipset installed.

6

appears to just be a bug in FW3 to me, i just disabled the rules i had defined in UCI and inserted them using iptables instead.

7

You should probably upgrade your system.
I cannot reproduce the issue on OpenWrt 19.07.3.

8

it could be a regression on master, it can't be much more up to date than something i built about 4 hours ago :).

so on 19.07.3 it produces the right iptables rules?

1 Like
9 
# iptables-save | grep -e test
-A OUTPUT -p tcp -m time --weekdays Mon,Tue,Wed,Thu,Fri --datestop 2038-01-19T03:14:07 --kerneltz -m comment --comment "!fw3: test" -j ACCEPT
-A OUTPUT -p udp -m time --weekdays Mon,Tue,Wed,Thu,Fri --datestop 2038-01-19T03:14:07 --kerneltz -m comment --comment "!fw3: test" -j ACCEPT

# uci show firewall.test
firewall.test=rule
firewall.test.name='test'
firewall.test.weekdays='Mon Tue Wed Thu Fri'
firewall.test.target='ACCEPT'

# ubus call system board
{
	"kernel": "4.14.180",
	"hostname": "openwrt",
	"system": "Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz",
	"model": "QEMU Standard PC (i440FX + PIIX, 1996)",
	"board_name": "qemu-standard-pc-i440fx-piix-1996",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.3",
		"revision": "r11063-85e04e9f46",
		"target": "x86/64",
		"description": "OpenWrt 19.07.3 r11063-85e04e9f46"
	}
}

# opkg list-installed firewall
firewall - 2019-11-22-8174814a-2
10

interesting, i have

firewall - 2020-09-05-8c2f9fad-1

so i guess something in those...10 months.

11

The time interval is much shorter.
It works fine on OpenWrt SNAPSHOT r13850-e363470d1a.

12

Hi, @facboy,

I am on firewall - 2020-09-05-8c2f9fad-1 too. And, I have exactly your same issue. As you I solved it moving my rules to firewall.user, thought like sharing.

Kind regards.

1 Like
13

In any case, it's best to report properly:
https://openwrt.org/bugs

2 Likes
14

a small typo in the end, i submitted a patch.

3 Likes
15

I'm experiencing this issue as well. Is a fix available yet upstream?

I'm building from master

16

it was fixed in Dec 2020: https://github.com/openwrt/firewall3/commit/12f6f143106257e0921c6ebbca2fe329cbeb3de6

afaik master is not using firewall3 anyway. it still works for me (on firewall4). though the kids just started watching 'live' tv instead so i ended up using a smart switch (they haven't worked that out yet).

2 Likes
17

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.