Temporary Ruleset for Parental Controls with SSH or API?

Trying to see if there's an API or command I can run through SSH to temporarily turn off a ruleset for GL-iNet's Parental control, and reverse it again.

I know I can do this through the gl-inet app, but it still requires a bunch of clicks and I'm wondering if there's a more efficient way to do this.

I only need to be able to run this locally on my network.

Can you give me an example of a parental rule that you want to disable? Perhaps with a screenshot.

It's just a profile for work to only allow company devices to have internet access during work hours.

The problem is that sometimes I need to use the laptop after work hours and going to the router page or app and temporarily enabling a ruleset to allow internet connection takes too much time.

Here's an example screenshot:

Got it. I can help you with that. Do you want to do it from SSH by logging into the modem, or just from a remote shell (without logging)?

I’m fine with logging in via SSH to the router. Looking for that route as well since I’m probably going to do this through the shortcuts app on iOS.

Since GL's development website has been down for a long time, you can access a copy of it on archive.org, where all parental-control APIs are listed:
GL.iNet SDK4.0 API-DOCS

I created two different profiles on my modem as follows:

             ~~ EXECUTING CURL FROM ANOTHER SYSTEM ~~~

Each defined profile (e.g. WORK, HOME ...etc) within the internal system is named as groupxxxxxxx. To fetch all profiles execute this curl command after replacing the SID string below with your valid SID:

curl --path-as-is -i -s -k -X $'POST' --data-binary $'{\"jsonrpc\":\"2.0\",\"id\":11,\"method\":\"call\",\"params\":[\"9hWWULsgh3r2BktYQOqy4MKWuvJ0Ov0X\",\"parental-control\",\"get_status\",{}]}' $'https://192.168.8.1/rpc'

HTTP/1.1 200 OK
Server: nginx/1.17.7
Date: Sat, 15 Jun 2024 17:14:37 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive

{"id":11,"jsonrpc":"2.0","result":{"groups":[{"id":"group2129416","rule":"drop","brief":false},{"id":"group7342748","rule":"accept","brief":false}],"time_valid":true}}

As you can see from the HTTP response above, I have two group strings: group2129416 and group7342748. These groups correspond to the WORK and HOME profiles that I defined.

Now let's say I want to ALLOW/BLOCK the internet access for my WORK profile (group7342748), I just need to set the enable key from true to false and vice versa:

curl --path-as-is -i -s -k -X $'POST' --data-binary $'{\"jsonrpc\":\"2.0\",\"id\":16,\"method\":\"call\",\"params\":[\"9hWWULsgh3r2BktYQOqy4MKWuvJ0Ov0X\",\"parental-control\",\"set_brief\",{\"enable\":true,\"manual_stop\":false,\"rule_id\":\"drop\",\"group_id\":\"group7342748\",\"time\":\"\"}]}' $'https://192.168.8.1/rpc'
HTTP/1.1 200 OK
Server: nginx/1.17.7
Date: Sat, 15 Jun 2024 17:31:57 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive

{"id":16,"jsonrpc":"2.0","result":[]}

Hint! You can ping from a client added to the profile you're testing while executing the curl commands (switching true to false and vice versa) to observe how the traffic gets blocked and re-enabled again. All other useful APIs can be found in the provided link at the beginning.

                        ~~ FROM AN SSH SESSION ~~~

Now let's say you would like to perform the same actions but after SSHing into the box. The same curl command but you do not need the Session ID (SID) string and you need to add the glinet header and finally connect to localhost:

root@GL-X3000:~# curl --path-as-is -i -s -k -X $'POST' -H $'glinet: 1'  --data-binary $'{\"jsonrpc\":\"2.0\",\"id\":16,\"method\":\"call\",\"params\":[\"\",\"parental-control\",\"set_brief\",{\"enable\":false,\"manual_stop\":false,\"rule_id\":\"drop\",\"group_id\":\"group7342748\",\"time\":\"\"}]}' $'https://127.0.0.1/rpc'
HTTP/1.1 200 OK
Server: nginx/1.17.7
Date: Sat, 15 Jun 2024 17:20:46 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive

{"id":16,"jsonrpc":"2.0","result":[]}
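The on-router call from the SSH section above, wrapped in small helpers; this is an added example and not part of the original post. The function names and `RPC_URL` are hypothetical, the alphanumeric-SID check is an assumption based on the SIDs shown, and the method, header and JSON fields are the ones from the thread.

```shell
#!/bin/sh
# Added example: wrappers around the on-router call from the SSH section.
# Function names and RPC_URL are hypothetical; the method, header and JSON
# fields are the ones shown in the thread.
RPC_URL="https://127.0.0.1/rpc"

# Print the set_brief request body for one profile.
# $1 = group id (e.g. group7342748), $2 = true|false, $3 = SID (empty on-router).
# Every argument is checked before it is placed in the JSON, so input coming
# from a Shortcut or another script cannot inject extra keys or parameters.
pc_payload() {
    group=$1; enable=$2; sid=${3:-}
    digits=${group#group}
    [ "$digits" != "$group" ] || return 1            # must start with "group"
    case $digits in ''|*[!0-9]*) return 1 ;; esac     # ...followed by digits only
    case $enable in true|false) ;; *) return 1 ;; esac
    case $sid in *[!A-Za-z0-9]*) return 1 ;; esac     # assumption: SIDs are alphanumeric
    printf '{"jsonrpc":"2.0","id":16,"method":"call","params":["%s","parental-control","set_brief",{"enable":%s,"manual_stop":false,"rule_id":"drop","group_id":"%s","time":""}]}' \
        "$sid" "$enable" "$group"
}

# Read a get_status response on stdin and print one group id per line.
pc_group_ids() {
    grep -o '"id":"group[0-9]*"' | cut -d'"' -f4
}

# Send the toggle from an SSH session on the router (-k and the glinet header
# as in the thread). Nothing is sent if validation fails.
pc_set() {
    body=$(pc_payload "$1" "$2") || { echo "usage: pc_set groupNNNNNNN true|false" >&2; return 1; }
    curl -s -k -X POST -H 'glinet: 1' --data-binary "$body" "$RPC_URL"
}
```

After sourcing the file in the SSH command a Shortcut runs, `pc_set group7342748 false` sends the same request as the post's on-router curl line.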

Bonus!

If you need to authenticate using a shell from a remote system without bothering to go to the web login interface, just issue this one-liner:


h=$(echo -n ftp:'$1$BFFWqh5G$9sUDYjMMdcUabCmegmU/B0':$(curl -s -k  -H 'Content-Type: application/json;charset=utf-8' -d '{"jsonrpc": "2.0", "id": 1, "method": "challenge", "params": {"username": "ftp"}}' 'https://192.168.8.1/rpc'|cut -d '"' -f18) |md5sum|cut -d' ' -f1) && curl -s -k -H 'Content-Type: application/json;charset=utf-8' -d '{"jsonrpc": "2.0", "id": 1, "method": "login", "params": {"username": "ftp", "hash":"'$h'"}}' 'https://192.168.8.1/rpc'
{"id":1,"jsonrpc":"2.0","result":{"username":"ftp","sid":"zcRdYgOpVMTtSFb2s5iq0KSxuio60WcU"}}

Let's say you want to use your iPhone's iSH app to authenticate, you can just replace all ftp instances with root, and also replace the ($1$6QuFeZMO$bCvyRzqC0a0jFnoz9p0cR/) string with the root's one (can be found in shadow file). Now when invoking it, it will get you authenticated, and you will receive a valid SID to be used with other curl commands from the remote system!


Thanks, this worked perfectly!

I was looking for this info on their development site and was wondering why it's not available. Really appreciate the detailed information, and for pointing me in the right direction!

This has also been a pretty good learning experience with jsonrpc as it's the first time I've heard about this.

Glad I was able to help!

When you can’t reach the developer website, you can alternatively intercept with Firefox the request you want to perform from ssh.

For example, let’s say you want to block the Internet for the WORK profile. Just open Firefox development tools, go to the Network tab then perform the task you want to intercept. Once you capture it, you can right click on it and copy it as curl! Just a little hint 🙂

Yeah, I saw the API calls but wasn't sure how the authentication process worked, especially for the curl header for local calls on the router itself after SSH. Really thankful you included that info!