Bug #345

500 error on Traffic Rules page

Added by Rich Brown about 1 year ago. Updated about 1 year ago.

Status: Closed    Start date: 03/16/2012
Priority: Normal    Due date:
Assignee: Dave Täht    % Done: 0%

Category: UI    Spent time: 3.50 hours
Target version: 1st Public Cerowrt release

Description

Using CeroWrt 3.3-rc7-5 on WNDR3700v2... I installed without incident, and was clicking around through the tabs and observed this problem on the Network -> Firewall -> Traffic Rules page. The message says:

---
This page contains the following errors:
error on line 261 at column 57: expected '>'
Below is a rendering of the page up to the first error.
---

CeroWrt_Traffic_Rules_500_error.png (43.8 kB) Rich Brown, 03/16/2012 06:53 pm

Cerowrt_500err_traf_rules.png (30.5 kB) Luke H, 04/08/2012 08:25 am

firewall (1.9 kB) Dave Täht, 04/08/2012 05:14 pm

History

Updated by Luke H about 1 year ago

I was about to report the same issue - but in my case I am using the newer build r31204 (Apr 6) with the 3.3.1 kernel. Same error though:

Updated by Dave Täht about 1 year ago

The syntax expected by the web interface and the syntax in the file have diverged.

On my todo list is to rebuild the firewall rules from scratch to handle ipv6 and the guest zone and mesh networking concepts well.

If you'd like to take a crack at it, grab the firewall rules file and put it somewhere, take the existing one in an editor (both vi and zile are available) and eliminate all the rules, and then re-enter them via the web interface...

Attached a syntactically correct version, that may or may not be logically correct. I would appreciate testing. It MAY need the /etc/firewall.user file explicitly included, and that file needs work too.
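The "eliminate all the rules, then re-enter them" step above can be done without hand-editing, and without losing the zone and forwarding sections the web interface builds on. The script below is an added example, not part of this tracker, the attached "firewall" file or CeroWrt itself. It assumes the rules live in the standard OpenWrt UCI file /etc/config/firewall, where each rule is a "config rule" section that ends at the next "config" line; the function names and the sample file in the usage are mine.

```shell
#!/bin/sh
# Added example (not CeroWrt's own code). Backs up a UCI firewall file and
# rewrites it with every 'config rule' section removed, keeping 'defaults',
# 'zone', 'forwarding' and 'redirect' sections intact.
# Assumed layout: OpenWrt /etc/config/firewall, one section per 'config' line.
# Usage on the router: sh strip_rules.sh /etc/config/firewall

set -eu

# Print everything from a UCI file except 'config rule' sections.
# A section starts at a line beginning with 'config' and runs until the
# next such line, so we toggle 'skip' on each section header. The section
# type may be written bare (config rule) or quoted (config 'rule'), hence
# the quote stripping.
filter_rules() {
    awk -v q="'" '
        /^config[ \t]/ { t = $2; gsub(q, "", t); skip = (t == "rule") }
        !skip
    ' "$1"
}

# Count 'config rule' sections so the result can be verified before/after.
count_rules() {
    grep -cE "^config[[:space:]]+'?rule" "$1" || true
}

# Copy the file aside (timestamped), then write the filtered version back.
strip_rules() {
    cfg="$1"
    backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp "$cfg" "$backup"
    filter_rules "$backup" > "$cfg"
    echo "removed $(count_rules "$backup") rule sections; backup in $backup"
}

# Only act when a file is given on the command line.
if [ $# -gt 0 ]; then
    strip_rules "$1"
fi
```

Once the rules are gone, only the zone default policies apply, so do this from a LAN-side session rather than over the WAN, re-enter the rules in the web interface, and only then restart the firewall. The backup lets you diff the web interface's output against what was there before to see exactly where the two syntaxes diverge.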

Updated by Dave Täht about 1 year ago

I note that the Device naming scheme is designed to make it possible to create much more efficient firewall rules, but the gui will not accept the syntax required, so it has a tendency to create O(n) sorts of rules that scale really badly.

The original 'dream' of syntax was you'd use the inherent iptables + pattern match to create a zone.

iptables -I FORWARD -i g+ -o s+ -g do_some_secure processing
iptables -I FORWARD -j ACCEPT # default free zone

is about 12 more rules efficient than the default rules generated which rapidly gets worse with vlans or ipv6 in the mix. (it scales O(n))

Similarly the rules don't sort by traffic pattern but by logic, so the default openwrt rules currently send everything through an enormous and unneeded icmp chain instead of first matching on the most common protocols.

Regrettably a gui programmer hasn't shown up that can do that. Writing a script for it is straightforward, but then I lose the gui audience. Alternate solutions are highly desired.

There are also some issues along the lines of bugs #195 and #352.
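To make the scaling point above concrete: the script below is an added example, not CeroWrt's firewall script and not the attached "firewall" file. It generates the same guest-to-secure policy two ways, once as the per-interface-pair rules a gui that cannot express wildcards has to emit, and once as the single "-i g+ -o s+" rule the comment describes, and then orders the FORWARD chain by traffic pattern (established flows first, the ICMP-specific handling last). The interface lists are constructed and the reading of the prefixes (g for the guest side, s for the secure side) follows the comment; the chain contents, the name do_some_secure and the function names are assumptions for illustration. It only prints iptables commands, so it runs anywhere; pipe it to sh on the router to apply.

```shell
#!/bin/sh
# Added example (not CeroWrt's own code): generate FORWARD rules for interface
# classes using a prefix naming scheme. Assumed: g* = guest side, s* = secure
# side, chain name do_some_secure. Nothing is applied; rules are printed.

IPT="iptables"

# Constructed interface lists, loosely modelled on CeroWrt's naming (assumed).
GUEST_IFS="gw00 gw10 ge00"
SECURE_IFS="se00 sw00 sw10"

# Style 1: one rule per (guest, secure) pair. This is the O(n*m) blow-up you
# get when every zone has to be spelled out interface by interface; adding a
# vlan or an ipv6 twin of each interface multiplies it again.
gen_pairwise() {
    for g in $GUEST_IFS; do
        for s in $SECURE_IFS; do
            echo "$IPT -A FORWARD -i $g -o $s -g do_some_secure"
        done
    done
}

# Style 2: iptables' interface wildcard ('+' matches any suffix). One rule
# covers every current and future g*/s* pair, with no regeneration needed
# when an interface is added.
gen_wildcard() {
    echo "$IPT -A FORWARD -i g+ -o s+ -g do_some_secure"
}

# Order the chain by how often each rule is expected to match, not by the
# logical layout of the policy: replies to existing flows are the bulk of
# packets and are accepted first; the wildcard dispatch comes next; the
# default "free zone" accepts the rest; ICMP handling is only reached from
# the guest->secure chain instead of sitting at the top of FORWARD.
gen_forward_chain() {
    echo "$IPT -N do_some_secure"
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    gen_wildcard
    echo "$IPT -A FORWARD -j ACCEPT"
    # Placeholder guest->secure policy (assumed): allow ping, reject the rest.
    echo "$IPT -A do_some_secure -p icmp --icmp-type echo-request -j ACCEPT"
    echo "$IPT -A do_some_secure -j REJECT"
}

# Number of rules a generator emits, for comparing the two styles.
count_rules() {
    "$1" | wc -l | tr -d ' \t'
}

if [ $# -gt 0 ]; then
    echo "# pairwise: $(count_rules gen_pairwise) rules, wildcard: $(count_rules gen_wildcard) rule"
    gen_forward_chain
fi
```

With three interfaces on each side the pairwise style already needs nine rules where the wildcard needs one, and every packet that does not match walks all nine before reaching the default ACCEPT. "-N" fails if the chain already exists, so flush or delete it first when re-applying on a router.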

Updated by Dave Täht about 1 year ago

While we made great progress today towards getting the gui to work and ipv6 to work, I needed to put up some documentation on what I'd wanted to do in the first place, which is called CeroWall. I have ENOTIME to make CeroWall work, but when you look at the default openwrt firewall rules, the simplicity I describe with this alternative (with a few clever pattern matches) seems appealing.

Updated by Dave Täht about 1 year ago

The next build (3.3.2-3) will have working firewall rules viewable in the web browser.

They may not be perfect... and suggestions are highly desired.

Updated by Dave Täht about 1 year ago

  • Category set to UI
  • Status changed from New to Closed
  • Assignee set to Dave Täht
  • Target version set to 1st Public Cerowrt release

fixed in 3.3.2
