
Fine-Grained Network Control for Routers: A MAC Address-Based Timed Internet Access Solution in Embedded Environments

2025-11-25 12 mins read

This article focuses on the demand for fine-grained network control in embedded devices such as routers. Taking the Padavan firmware of the K2P router as an example, it proposes a timed filtering solution based on MAC addresses. Addressing key pain points in embedded environments—including iptables time zone limitations, poor Shell syntax compatibility, and module function trimming...


Precision Network Control for Routers: MAC Address Timed Filtering Solution in Embedded Environments

This article focuses on the precision network control needs of embedded devices like routers, presenting a MAC address-based timed filtering solution using the K2P router with Padavan firmware as an example. Addressing core pain points in embedded environments—such as iptables timezone limitations, poor Shell syntax compatibility, and trimmed module functions—the solution achieves device-specific internet access control by time and weekday through designs like automatic local-to-UTC time conversion, minimal syntax adaptation, and rule persistence. Supporting both command-line and web backend deployment, it forms a complete functional loop and is reusable across devices, providing actionable technical references for network control in embedded systems.

I. Requirement Background and Embedded Environment Pain Points

1. Core Requirements

Implement timed internet access control for specific devices (identified by MAC address): allow access from 16:00-17:30 on workdays and 20:01-22:00 on weekends, block access during other periods, support rule saving and startup auto-loading, and ensure long-term stable operation.

2. Core Pain Points in Embedded Environments

The Padavan firmware on the K2P router is a streamlined embedded system with distinct limitations compared to general Linux environments:

  • iptables timezone restriction: The xt_time module mandates UTC timezone, creating an 8-hour difference from China's CST timezone (UTC+8). Directly configuring local time leads to reversed rule activation times.

  • Poor Shell syntax compatibility: Uses BusyBox ash Shell, which does not support complex arithmetic operations or string splitting syntax, easily triggering errors like "arithmetic syntax error".

  • Trimmed module functions: To reduce firmware size, iptables modules may remove extended parameters such as --kerneltz (timezone adaptation), retaining only basic functions like --timestart/--timestop.

  • Difficulty in rule persistence: iptables rules are cleared by default after embedded system restarts, requiring manual implementation of rule saving and auto-loading mechanisms.

II. Solution Design Philosophy

Tailored to the uniqueness of embedded environments, the solution centers on "compatibility adaptation + minimal function implementation" with the following core design ideas:

  • Timezone adaptation: Adopt an automatic conversion mechanism of "local time - 8 hours = UTC time". Users input local time directly, and the script handles timezone conversion in the background to bypass iptables' mandatory UTC restriction.

  • Syntax compatibility: Abandon complex Shell features, using natively supported tools like awk and sed for time splitting and format validation to avoid syntax compatibility issues.

  • Core function focus: Implement core features of "MAC identification + time filtering + weekday control" based on basic iptables parameters, removing unnecessary extended parameters to enhance stability.

  • Complete function loop: Integrate rule addition, deletion, viewing, and loading functions, supporting permanent rule file saving and startup auto-loading to meet long-term usage needs.

III. Solution Implementation Details

1. Core Technical Architecture

The solution is built on an "application layer script + kernel layer iptables" architecture, implementing functions in layers:

  • Application layer: Shell scripts handle parameter parsing, time conversion, rule management, and user interaction, adapting to Padavan ash Shell syntax.

  • Kernel layer: Leverages the iptables xt_time module (time matching) and xt_mac module (MAC identification) to achieve underlying network control.

  • Data layer: Saves configurations via a rule file (mac_filter_rules.conf) for rule persistence.

2. Key Function Implementations

(1) Automatic Timezone Conversion Mechanism

To address the UTC-CST time difference, a minimal time conversion function is designed to avoid complex calculations:

local_to_utc() {
  local local_time="$1" # Only supports HH:MM format
  # Embedded-compatible time splitting
  local hh=$(echo "$local_time" | awk -F: '{print $1}')
  local mm=$(echo "$local_time" | awk -F: '{print $2}')
  # Remove leading zeros to avoid octal parsing errors
  hh=$(echo "$hh" | sed 's/^0//' | grep . || echo 0)
  mm=$(echo "$mm" | sed 's/^0//' | grep . || echo 0)
  # Subtract 8 hours from local time, handle cross-day cases
  hh=$((hh - 8))
  [ "$hh" -lt 0 ] && hh=$((hh + 24))
  # Zero-pad format to meet iptables requirements
  printf "%02d:%02d:00" "$hh" "$mm"
}

Users input local time (e.g., 16:00-17:30), and the script automatically converts it to UTC time (08:00-09:30) to ensure correct rule activation.
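The function above converts only the clock; subtracting 8 hours from a time earlier than 08:00 local also moves the rule onto the previous UTC day. The following added example (not the article's mac_filter.sh) goes one step further and carries the weekday along, splitting a window that straddles 00:00 UTC into two rules. It assumes a fixed UTC+8 offset and that xt_time evaluates the weekday in UTC as well; the function names (to_min, days_for, emit, utc_rules) are hypothetical.

```shell
#!/bin/sh
# Added example, not the article's mac_filter.sh. POSIX sh, runs in BusyBox ash.
# Assumptions: fixed UTC+8 offset; xt_time compares clock AND weekday in UTC.
OFFSET=480  # minutes that local time is ahead of UTC

to_min() {  # "HH:MM" -> minutes since midnight; non-zero status if malformed
  case "$1" in [0-2][0-9]:[0-5][0-9]) ;; *) return 1 ;; esac
  h=${1%%:*}; m=${1##*:}
  h=${h#0}; m=${m#0}            # drop a leading zero: 08/09 are invalid octal
  [ "$h" -le 23 ] || return 1
  echo $((h * 60 + m))
}

days_for() {  # day type + shift (0 = same UTC day, 1 = previous UTC day)
  case "$1:$2" in
    weekday:0) echo Mon,Tue,Wed,Thu,Fri ;;
    weekday:1) echo Sun,Mon,Tue,Wed,Thu ;;
    weekend:0) echo Sat,Sun ;;
    weekend:1) echo Fri,Sat ;;
    *) return 1 ;;
  esac
}

emit() {  # start_min stop_min stop_sec days -> one line of xt_time arguments
  printf '%s %02d:%02d:00 --timestop %02d:%02d:%02d --weekdays %s\n' \
    --timestart $(($1 / 60)) $(($1 % 60)) $(($2 / 60)) $(($2 % 60)) "$3" "$4"
}

utc_rules() {  # utc_rules HH:MM-HH:MM weekday|weekend (local time in, UTC out)
  s=$(to_min "${1%-*}") && e=$(to_min "${1#*-}") || return 1
  [ "$s" -lt "$e" ] || return 1          # window must stay within one local day
  same=$(days_for "$2" 0) && prev=$(days_for "$2" 1) || return 1
  if [ "$s" -ge "$OFFSET" ]; then        # whole window on the same UTC day
    emit $((s - OFFSET)) $((e - OFFSET)) 0 "$same"
  elif [ "$e" -lt "$OFFSET" ]; then      # whole window on the previous UTC day
    emit $((s + 1440 - OFFSET)) $((e + 1440 - OFFSET)) 0 "$prev"
  else                                   # straddles 00:00 UTC: split in two
    emit $((s + 1440 - OFFSET)) 1439 59 "$prev"
    emit 0 $((e - OFFSET)) 0 "$same"
  fi
}

utc_rules 16:00-17:30 weekday   # the article's workday window
utc_rules 06:00-07:30 weekday   # constructed: lands on Sun-Thu in UTC
utc_rules 07:00-09:00 weekend   # constructed: needs two rules
```

Each output line is the time-match part of one iptables rule; the two windows used in this article start after 08:00 local, so their weekdays are unchanged.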

(2) Embedded Shell Syntax Adaptation

Targeting ash Shell compatibility limitations, the following optimizations are made:

  • Avoid using IFS for string splitting; instead, use awk with specified delimiters for parsing.

  • Retain only basic $((...)) syntax for arithmetic operations, no nested calculations.

  • Force non-null validation after variable assignment to avoid syntax errors from empty values.

  • Remove nested function calls to simplify execution flow.

(3) Rule Management and Persistence

  • Rule saving: When adding permanent rules, configurations are written to /home/root/mac_filter_rules.conf in the format "IP|MAC|local time|date type".

  • Startup auto-loading: Use custom scripts in the Padavan backend to automatically load rules via iptables-restore < /etc/iptables/mac_rules.rules after restart, restoring configurations.

  • Rule validation: Check for duplicates and verify parameter formats when adding rules; adapt to dynamic changes in iptables rule serial numbers when deleting rules.
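Because every field of the rule file ends up in an iptables command run as root, it is worth validating the whole file before loading it. The following added example (not the article's mac_filter.sh) checks each "IP|MAC|local time|date type" line and flags duplicates; it assumes both the IP and MAC fields are filled in, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the article's mac_filter.sh. POSIX sh + awk (BusyBox-compatible).
# Assumed record layout, following the article: IP|MAC|HH:MM-HH:MM|weekday or weekend,
# with both the IP and MAC fields filled in (an assumption; the page does not say).

check_rules() {  # rule lines on stdin -> "LINE: reason" per problem; status 1 if any
  awk -F'|' '
    function bad(msg) { printf "%d: %s\n", NR, msg; rc = 1 }
    function hhmm(t,   p) {            # "HH:MM" -> minutes, or -1 if invalid
      if (t !~ /^[0-2][0-9]:[0-5][0-9]$/) return -1
      split(t, p, ":")
      return (p[1] + 0 > 23) ? -1 : p[1] * 60 + p[2]
    }
    BEGIN { h = "[0-9a-f][0-9a-f]"; macre = "^" h ":" h ":" h ":" h ":" h ":" h "$" }
    /^[ \t]*$/ || /^#/ { next }        # skip blank lines and comments
    NF != 4 { bad("expected 4 fields"); next }
    {
      n = split($1, o, "."); ok = (n == 4)
      for (i = 1; i <= n; i++)
        if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) ok = 0
      if (!ok) bad("bad IPv4 address")
      mac = tolower($2)                # compare MACs case-insensitively
      if (mac !~ macre) bad("bad MAC address")
      else if (mac in seen) bad("duplicate MAC, first seen on line " seen[mac])
      else seen[mac] = NR
      nw = split($3, w, "-"); s = hhmm(w[1]); e = hhmm(w[2])
      if (nw != 2 || s < 0 || e < 0 || s >= e) bad("bad time window")
      if ($4 != "weekday" && $4 != "weekend") bad("bad day type")
    }
    END { exit rc + 0 }
  '
}

sample_rules() {  # constructed sample input, not taken from a real router
  cat <<'EOF'
# IP|MAC|local time|date type
192.168.2.20|02:00:00:00:00:0a|16:00-17:30|weekday
192.168.2.21|02:00:00:00:00:0A|20:01-22:00|weekend
192.168.2.999|02:00:00:00:00:02|22:00-20:00|weekend
192.168.2.22|02:00:00:00:00:03|16:00-17:30|weekday extra
EOF
}

sample_rules | check_rules || echo "rules file rejected, not loading"
```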

Supplementary Deployment Steps for K2P (Web Backend Configuration, One-Time Setup for Permanent Effect)

  1. Log in to the K2P router's Padavan web backend (default address: 192.168.2.1) using admin credentials.

  2. Navigate to "Parameter Settings" → "Scripts" (or "Advanced Settings" → "Custom Scripts" for some firmware versions).

  3. Locate the input box labeled "Execute after firewall rules start" (this timing ensures the firewall is ready, enabling more stable rule loading).

  4. Paste the following command (loads permanent rules and executes silently without logging):

if [ -f /home/root/mac_filter.sh ]; then
  /home/root/mac_filter.sh load >/dev/null 2>&1
fi

  5. Click "Apply Settings" to save configurations automatically (no manual restart required; the router will execute the script on subsequent restarts).

Supplementary Notes

  • Advantage: Compared to "execute on startup" scripts, "execute after firewall rules start" avoids conflicts between rules and the firewall caused by early loading, ensuring higher stability.

  • Compatibility: This deployment method works with all Padavan firmware versions, complementing the command-line deployment; users can choose based on operational habits.

  • Verification: After configuration, manually restart the router and execute ./mac_filter.sh list to check if rules are loaded automatically.

Alternatively, rules can be viewed or added directly in the router's web panel: System Management → Console, by entering /home/root/mac_filter.sh list.

3. Core Function Command Examples

(1) Adding Timed Rules

Replace the IP/MAC with the target device's information:

# Allow access 16:00-17:30 local time on workdays (auto-converted to UTC 08:00-09:30)
./mac_filter.sh add 192.168.2.143 16:00-17:30 weekday
# Allow access 20:01-22:00 local time on weekends (auto-converted to UTC 12:01-14:00)
./mac_filter.sh add 58:2a:a1:c3:ab:88 20:01-22:00 weekend

(2) Rule Management and Verification

# View rules (including local time to UTC conversion mapping)
./mac_filter.sh list
# Delete rules (supports IP or MAC input)
./mac_filter.sh delete 192.168.2.143
# Load rules after restart
./mac_filter.sh load

IV. Solution Verification and Effects

1. Function Verification

  • Timezone adaptation: Local time 16:30 (CST) corresponds to UTC 08:30, allowing normal internet access; local time 17:31 (CST) corresponds to UTC 09:31, blocking access.

  • Weekday control: Weekend rules only take effect on Sat/Sun, and workday rules only on Mon-Fri, with no cross-triggering.

  • Stability: Ran continuously for 30 days without abnormalities; rules are automatically restored after restart with no loss or corruption.

2. Compatibility Verification

The solution is compatible with K2P routers running Padavan firmware and iptables 1.8.7. It can be directly reused on other routers with streamlined embedded systems like Padavan/OpenWrt, requiring only adjustments to IP segments (default 192.168.2.0/24) and timezone offset parameters.

V. Practical Insights for Network Control in Embedded Devices

  • Minimal design adapts to embedded characteristics: With limited resources and poor syntax compatibility, embedded systems should abandon "over-engineering", focus on core functions, and use native tools and basic syntax to avoid reliance on extended features.

  • Layered verification for problem localization: When encountering functional abnormalities, first verify module availability by manually executing underlying commands (e.g., adding rules directly via iptables) before troubleshooting application-layer scripts, avoiding blind optimization.

  • User experience adapts to real scenarios: Embedded device users may not be technical professionals; simplify operation processes (e.g., automatic timezone conversion, dual IP/MAC input support) and provide clear log feedback to lower usage thresholds.

  • Rule persistence is indispensable: Embedded devices restart frequently; design reliable rule saving and auto-loading mechanisms to ensure configuration retention for long-term use.

VI. Summary

The proposed network control solution for embedded devices addresses the uniqueness of the K2P router's Padavan firmware through core designs like automatic timezone conversion, Shell syntax adaptation, and rule persistence. It achieves precision network control based on MAC address, time, and weekday. Beyond meeting specific application needs, the solution extracts general practical methods for network control in embedded environments, providing reusable technical references for network management of embedded devices such as routers and gateways, with strong practical value.

#networksecurity #embedded #networkcontrol #router #k2p #solution #Padavan
