Whitelisting Internet access on specific VLANs by MAC address list in file or script output?

I'm using OpenWRT 23.05

What would be the best way to define rules based on a list of MAC addresses in a file (e.g. triggered by inotify) or from the output of a script?

Generate an ipset with them somehow? Loop and create iptables chains in bash?

Version 23.05 uses nftables.

Create a set populated from a file and an allow traffic rule using that set.
Note that vlanx=>wan forwarding should be disabled.

# /etc/config/firewall

config ipset
        option name 'mac_allowlist'
        list match 'src_mac'
        option loadfile '/root/macs.txt'

config rule
        option name 'VLANx-Internet-allowed'
        list proto 'all'
        option src 'vlanx'
        option dest 'wan'
        option ipset 'mac_allowlist'
        option target 'ACCEPT'

Then you can use inotifywait to update the set upon changes to the source file.

while inotifywait -e close_write "/root/macs.txt"; do nft flush set inet fw4 mac_allowlist; fw4 reload-sets; done >/dev/null 2>&1 &
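An added example (not from the answer above) that validates and normalizes the MAC list before fw4 reloads it, so a typo or stray comment in the edited file cannot leave the set half-loaded: the edited file is assumed to be /root/macs.src (a constructed name), and the staged clean copy is the /root/macs.txt that the loadfile option points at; the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: stage a validated MAC allowlist for the fw4 'mac_allowlist' set.
# Assumed paths: /root/macs.src is the file you edit, /root/macs.txt is fw4's loadfile.

# Print valid MACs from $1, lowercased and de-duplicated, one per line.
# Blank lines and '#' comments are skipped; any other malformed line makes it return 1.
normalize_mac_list() {
    status=0
    seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        mac=$(printf '%s\n' "$line" | sed 's/#.*//; s/[[:space:]]//g' | tr '[:upper:]' '[:lower:]')
        [ -z "$mac" ] && continue
        if printf '%s\n' "$mac" | grep -qE '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            case " $seen " in
                *" $mac "*) continue ;;            # duplicate, already printed
            esac
            seen="$seen $mac"
            printf '%s\n' "$mac"
        else
            echo "rejecting malformed entry: $line" >&2
            status=1
        fi
    done < "$1"
    return $status
}

# Write the normalized list from $1 to $2 atomically; leave $2 untouched on any error.
stage_mac_list() {
    staged="$2.tmp.$$"
    if normalize_mac_list "$1" > "$staged"; then
        mv "$staged" "$2"                  # rename is atomic, fw4 never sees a partial file
    else
        rm -f "$staged"
        echo "$1 has malformed entries; $2 left unchanged" >&2
        return 1
    fi
}

# Watch the edited file ($1) and reload the fw4 set only after a clean stage to $2.
watch_mac_list() {
    while inotifywait -e close_write "$1" >/dev/null 2>&1; do
        if stage_mac_list "$1" "$2"; then
            nft flush set inet fw4 mac_allowlist
            fw4 reload-sets
        fi
    done
}

# Usage on the router (assumed paths): watch_mac_list /root/macs.src /root/macs.txt &
```

Because a failed stage leaves the previous macs.txt in place, the set keeps its last known-good contents instead of being emptied by a bad edit.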