====== Scripting Access Restrictions ======
Access Restriction rules are coded as strings separated by pipe ( | ) symbols. These are stored in NVRAM as variables named //rrule0//, //rrule1//, //rrule2// and so on.
\\
To see what's in the first rule, we can issue the following command at a FreshTomato shell prompt:
\\
<code>nvram get rrule0</code>
\\
The returned string might look something like this:
\\
<code>1|540|1140|62|||block-site.com$|0|New Rule 1</code>
\\
Let's look more closely at what each of these fields separated by a pipe ( | ) symbol means.
**Field 1:** indicates whether the rule is currently enabled (1) or disabled (0).
**Field 2:** specifies the start time (the time to start applying this rule) in minutes elapsed since midnight.
In this case, the start time is 540, so the router should enforce this rule starting at 9:00 AM.
**Field 3:** is the end time (the time to stop applying this rule). This is coded similarly to the start time.
Both the second and third fields will be -1 if you select the //‘All Day’// option in the Access Restrictions menu.
**Field 4:** specifies on which days the rule will be applied.
It is coded in binary:
  * 1 = Sunday
  * 2 = Monday
  * 4 = Tuesday
  * 8 = Wednesday
  * 16 = Thursday
  * 32 = Friday
  * 64 = Saturday
\\
For multiple days, simply add together the corresponding numbers for each day.
In the above example, the fourth field is 62, which is equal to 2 + 4 + 8 + 16 + 32. This means the rule should be active on Mon, Tue, Wed, Thu, and Fri, that is, only on weekdays. If you had checked the //Everyday// option, the value would have been 127.
**Field 5:** shows the IP or MAC Address range on your network for which the rule should be applied.
**Field 6:** has the //Port/Application// information coded in it. In other words, which port numbers and protocols. This rule should block Layer 7 and p2p applications.
**Field 7:** contains the Domains/URLs to block. It partially supports regular expressions.
In the example above, domain names ending with "block-site.com" are blocked.
**Field 8:** stores a binary coded value if ActiveX, Flash or Java are set to be blocked.
  * A "1" will block ActiveX.
  * A "2" will block Flash.
  * A "4" will block Java.
\\
**Field 9:** stores the name that you gave to the rule being edited.
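
The field layout above can be checked by decoding a rule string before changing it. The following is an added example, not part of the original page or of FreshTomato; the function names ''fmt_time'', ''fmt_bits'' and ''decode_rule'' are hypothetical, and the input is the sample rule shown earlier.

```shell
#!/bin/sh
# Added example (not from the original page): decode an rrule string.
# Function names are hypothetical; field meanings are those listed above.

# Minutes since midnight -> HH:MM; -1 means the 'All Day' option.
fmt_time() {
    [ "$1" = "-1" ] && { echo "all-day"; return 0; }
    printf '%02d:%02d\n' $(( $1 / 60 )) $(( $1 % 60 ))
}

# Expand a bitmask; $1 = mask, remaining args = names for bits 1, 2, 4, ...
fmt_bits() {
    mask=$1; shift; out=""; bit=1
    for n in "$@"; do
        [ $(( mask & bit )) -ne 0 ] && out="$out${out:+,}$n"
        bit=$(( bit * 2 ))
    done
    echo "${out:-none}"
}

decode_rule() {
    # "|" is not whitespace, so read keeps the empty fields 5 and 6.
    IFS='|' read -r en start end days who ports urls flags name <<EOF
$1
EOF
    # Reject anything that is not a number where a number is expected.
    for v in "$en" "$days" "$flags" "${start#-}" "${end#-}"; do
        case "$v" in ''|*[!0-9]*) echo "malformed rule" >&2; return 1 ;; esac
    done
    echo "name=$name enabled=$en"
    echo "time=$(fmt_time "$start")-$(fmt_time "$end")"
    echo "days=$(fmt_bits "$days" Sun Mon Tue Wed Thu Fri Sat)"
    echo "hosts=${who:-(empty)} ports=${ports:-(empty)} urls=${urls:-(empty)}"
    echo "web=$(fmt_bits "$flags" ActiveX Flash Java)"
}

# Constructed input: the sample rule from this page.
# On the router you would pass "$(nvram get rrule0)" instead.
decode_rule '1|540|1140|62|||block-site.com$|0|New Rule 1'
```

Running it on the sample rule reports a 09:00-19:00 window on Mon through Fri with no ActiveX, Flash or Java blocking.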
\\ Now that we have a basic sense of how Access Restriction rules work, we can write shell scripts to control the rules. The script below will enable or disable a rule. Two values are passed on the command line: the rule number and either a "0" or "1" to disable or enable the rule.
\\
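<code bash>
#!/bin/sh
# Wait if any service is currently being restarted.
# Re-read the variable on every pass so the loop can end.
while [ -n "$(nvram get action_service)" ]; do
    sleep 1
done
# Assume we are going to enable the rule
enable=1
# Was a 1 or 0 passed on the command line?
[ "$2" != "" ] && enable=$2
# Accept only a numeric rule number and a 0/1 flag
case "$1" in ''|*[!0-9]*) echo "usage: $0 <rule number> [0|1]" >&2; exit 1 ;; esac
case "$enable" in 0|1) ;; *) echo "second argument must be 0 or 1" >&2; exit 1 ;; esac
# Get the current setting of the rule.
# Rule number is passed as the first parameter on the command line.
rr=$(nvram get "rrule$1")
# Stop if the rule does not exist, so no empty rule is written back
[ -n "$rr" ] || { echo "rrule$1 is not set" >&2; exit 1; }
# Set the first field to the value in variable $enable
rr=$(echo "$rr" | sed "s/^./$enable/")
echo "$rr"
# Replace the old rule with the new value
nvram set "rrule$1=$rr"
# Request a restart of the Access Restriction service
nvram set action_service=restrict-restart
# Send USR1 to the init process (PID 1); this signals it, it does not terminate it
kill -USR1 1
# Wait for the service to restart
while [ "$(nvram get action_service)" = "restrict-restart" ]; do
    sleep 1
done
</code>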
\\
If you have JFFS enabled in FreshTomato, you can copy the script under the jffs directory and schedule it to run as a cron job, if you wish.
\\
\\
===== Credits =====
[[http://web.archive.org/web/20160321090715/http://infinilogix.com/wordpress/network-programming/routers/how-to-control-access-restriction-rules-in-tomato-by-a-shell-script|Credit: Justin from "infinilogix.com" - original page which is now only accessible via archive.org]]