Option to block outgoing internet access for devices in firewall

Author: danielvijge

config/firewall

@@ -199,3 +199,14 @@ config rule
 {% endif %}
 {% endfor %}
 
+{% if firewall is defined and firewall.block_wan_access is defined %}
+config rule
+	option name 'Blocked-Devices'
+	option src '*'
+	option dest 'wan'
+	option target 'REJECT'
+	list proto 'all'
+{% for blocked_device in firewall.block_wan_access %}
+	list src_mac '{{ blocked_device }}'
+{% endfor %}
+{% endif %}

inventory-sample.yaml

@@ -269,3 +269,6 @@ openwrt:
             - 1.0.0.3
           hosts:
             - DD:45:4F:4A:2E:99
+    firewall:
+      block_wan_access:
+        - DD:45:4F:4A:2E:99 # Block internet access for this device, but allow connecting to internal network