Opened 3 years ago

Last modified 17 months ago

#1319 new

Access Restriction with MAC-Filter doesn't work in build 13450 on Asus RT-N16

Reported by: WrtFan Owned by: somebody
Keywords: ipt_mac xt_mac Cc:

Description

In kernel 2.6 versions, module xt_mac is used instead of ipt_mac for MAC filtering. It seems that this doesn't support the enhancement '--mac-destination', which was added to ipt_mac in October 2007.

Change History (5)

comment:1 follow-up: Changed 3 years ago by phuzi0n

xt_ prefix modules are for ip6tables not iptables. I can not find any evidence to support your statement that a --mac-destination option exists for ipt_mac.

comment:2 Changed 3 years ago by WrtFan

--mac-destination is supported since build 8215 (see http://svn.dd-wrt.com:8000/dd-wrt/changeset/8215) and is also used for filtering on MAC over the Web GUI. These entries are in the file /tmp/.ipt: -A grp_1 -m mac --mac-source xx:xx:xx:xx:xx:xx -j advgrp_1 -A grp_1 -m mac --mac-destination xx:xx:xx:xx:xx:xx -j advgrp_1 And also in iptables -L: Chain grp_1 (1 references) target prot opt source destination advgrp_1 0 -- anywhere anywhere MAC xx:xx:xx:xx:xx: xx advgrp_1 0 -- anywhere anywhere MAC xx:xx:xx:xx:xx: xx If xt_mac is for ip6, then the mac filter for ip4 (ipt_mac) is missing in this build.

comment:3 Changed 3 years ago by WrtFan

Sorry for the bad formatting:
--mac-destination is supported since build 8215 (see http://svn.dd-wrt.com:8000/dd-wrt/changeset/8215) and is also used for filtering on MAC over the Web GUI.

These entries are in the file /tmp/.ipt:
-A grp_1 -m mac --mac-source xx:xx:xx:xx:xx:xx -j advgrp_1
-A grp_1 -m mac --mac-destination xx:xx:xx:xx:xx:xx -j advgrp_1

And also in iptables -L:
Chain grp_1 (1 references)
target prot opt source destination
advgrp_1 0 -- anywhere anywhere MAC xx:xx:xx:xx:xx:xx
advgrp_1 0 -- anywhere anywhere MAC xx:xx:xx:xx:xx:xx

If xt_mac is for ip6, then the mac filter for ip4 (ipt_mac) is missing in this build.
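A diagnostic sketch for the situation described in the comment above, added here as an example and not part of the ticket or of DD-WRT: it lists which rules in a /tmp/.ipt-style file use the mac match, counts those that rely on --mac-destination (stock iptables' mac match accepts only --mac-source), and reports which of the two module names from the ticket appears in a /proc/modules-style listing. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the /tmp/.ipt format quoted in the ticket.
SAMPLE_RULES='-A grp_1 -m mac --mac-source xx:xx:xx:xx:xx:xx -j advgrp_1
-A grp_1 -m mac --mac-destination xx:xx:xx:xx:xx:xx -j advgrp_1
-A grp_1 -p tcp --dport 80 -j advgrp_1'

# Constructed sample in /proc/modules format (name size refcount ...).
SAMPLE_MODULES='xt_mac 1024 2 - Live 0x00000000
ip_tables 8192 3 - Live 0x00000000'

# Read rules on stdin; print "chain direction target" for each mac-match rule.
classify_mac_rules() {
    awk '{
        chain = ""; dir = ""; target = ""; mac = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "-m" && $(i + 1) == "mac") mac = 1
            if ($i == "--mac-source") dir = "source"
            if ($i == "--mac-destination") dir = "destination"
        }
        if (mac && dir != "") print chain, dir, target
    }'
}

# Read rules on stdin; print how many depend on --mac-destination.
count_dst_rules() {
    classify_mac_rules | awk '$2 == "destination" { n++ } END { print n + 0 }'
}

# Read a module listing on stdin; print xt_mac, ipt_mac, or "none".
loaded_mac_module() {
    awk '$1 == "xt_mac" || $1 == "ipt_mac" { print $1; found = 1; exit }
         END { if (!found) print "none" }'
}

# $1 = rules text, $2 = module listing text.
report() {
    echo "mac match module loaded: $(printf '%s\n' "$2" | loaded_mac_module)"
    echo "rules relying on --mac-destination: $(printf '%s\n' "$1" | count_dst_rules)"
    printf '%s\n' "$1" | classify_mac_rules
}

report "$SAMPLE_RULES" "$SAMPLE_MODULES"
```

On a router the same functions can read the live data, for example `classify_mac_rules < /tmp/.ipt` and `loaded_mac_module < /proc/modules`.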

comment:4 Changed 3 years ago by sgobi

I also have the same issue. The access restrictions are not functioning with mac address filtering on RT-N16. Even though I have deny access set to just specific time from 6pm to 9pm the RT-N16 always denies internet access (24/7) to the mac address in the list.

comment:5 in reply to: ↑ 1 Changed 17 months ago by Sash

Replying to phuzi0n:

xt_ prefix modules are for ip6tables not iptables.

Are u sure?
