Bugreport - Conflict between Parental control & Network Services Filter

[FireWire76]

Hi.

I posted an issue about Network Services filter not working in:
http://forums.smallnetbuilder.com/showthread.php?t=12399

After resetting the router and configuration I finally found what is causing the issue. When parental control is enabled, the network services filter doesn´t work any more. If parental control is disabled, the network services filter immediately start working.
This isn´t an issue in the .270 firmware, but was introduced in .372 firmware and is still an issue in .374. I only tried the Merlin versions of these firmwares, so I don´t know if it´s the same in the Asus original firmware, but I would guess so.

@Merlin, any possibility to fix this issue or can you somehow report this to Asus, so they will be aware of this bug.

Best regards,
FireWire

 

[RMerlin]

Hi.

I posted an issue about Network Services filter not working in:
http://forums.smallnetbuilder.com/showthread.php?t=12399

After resetting the router and configuration I finally found what is causing the issue. When parental control is enabled, the network services filter doesn´t work any more. If parental control is disabled, the network services filter immediately start working.
This isn´t an issue in the .270 firmware, but was introduced in .372 firmware and is still an issue in .374. I only tried the Merlin versions of these firmwares, so I don´t know if it´s the same in the Asus original firmware, but I would guess so.

@Merlin, any possibility to fix this issue or can you somehow report this to Asus, so they will be aware of this bug.

Best regards,
FireWire

The two features are indeed incompatible as their design conflict. I thought I had changed the webui code a few months ago to ensure that they couldn't both be enabled at the same time, I might have missed a spot, or accidentally had my patch reverted in an Asus GPL merge at some point.

Not sure it can be worked around however.

 

[FireWire76]

The two features are indeed incompatible as their design conflict. I thought I had changed the webui code a few months ago to ensure that they couldn't both be enabled at the same time, I might have missed a spot, or accidentally had my patch reverted in an Asus GPL merge at some point.

Not sure it can be worked around however.

Ok, nice to get an explanation on why it´s not working. I don´t know if you remember I posted earlier about the parental control and that I didn´t like the current behaviour that it blocks all network activity.
For me I would have liked a possibility to set each device in parental control to be blocked to network or internet only. But for this to be efficient, this setting should be able to be set per device and not as a global option. That way network services filter wouldn´t be needed in situations when parental control needs to be enabled.
The problem as I see it is that Parental control is lacking the possibility to block IE access only. And Network Services Filter is lacking the possibility to add time schedule for each device. If the last one would be possible, then Parental Control wouldn´t even be needed.
Any possibility to change Network Services Filter to behave like this? To set scheduled time for each device?

 

[RMerlin]

Ok, nice to get an explanation on why it´s not working. I don´t know if you remember I posted earlier about the parental control and that I didn´t like the current behaviour that it blocks all network activity.
For me I would have liked a possibility to set each device in parental control to be blocked to network or internet only. But for this to be efficient, this setting should be able to be set per device and not as a global option. That way network services filter wouldn´t be needed in situations when parental control needs to be enabled.
The problem as I see it is that Parental control is lacking the possibility to block IE access only. And Network Services Filter is lacking the possibility to add time schedule for each device. If the last one would be possible, then Parental Control wouldn´t even be needed.
Any possibility to change Network Services Filter to behave like this? To set scheduled time for each device?

I have no plan to make any major changes to either Parental Control or Network Filtering at this time. This would break backward compatibility, and it would also involve a lot of work which I lack the time to do on top of everything else.

 

[DRY411S]

Is this hard to fix?

Noobie here.

I'm using the vanilla ASUS firmware [3.0.0.4.374_979] on an RT-66U.

My own testing of this issue shows that if Parental Controls is OFF, then any Network Services Rules are added to the FORWARD iptables chain. And they work for all devices.

If Parental Controls is ON, then any Network Services Rules are added to the PControls iptables chain.

Switching Parental Controls ON and OFF causes the Network Services Rules to be moved between the PControls and FORWARD chains respectively.

Unfortunately, the PControls CHAIN is only effective for devices that have been added to the Parental Controls, and therefore when Parental Controls are switched on, the Network Services Rules are only applied to devices that have Parental Controls set up. i.e they don't stop working per se, they only work for devices that have Parental Controls set.

It seems to me that if the code could be modified to leave the Network Services rules permanently in the FORWARD chain (or their own chain), then this would be straightforward to fix.

Or have I missed something from my analysis that makes it more difficult to fix than it seems?