
Opened 8 years ago

Closed 7 years ago

#7019 closed defect (fixed)

luci-app-firewall creates broken firewall configs

Reported by: joda
Owned by: jow
Priority: low
Milestone: Backfire 10.03.1
Component: luci
Version: backfire 10.03 RC1
Keywords:
Cc:

Description

hi

LUCI: Admin -> Network -> Firewall -> Traffic Control
or: http://router/luci/admin/network/firewall/rule/

Problem: add a new rule "http" with protocol tcp and set sport to "*" and dport to 80. This rule won't work, as '*' is parsed incorrectly and breaks the /etc/config/firewall entry.

The reason why I found it a logical choice to enter "*" was that the status page of Traffic Control displays "*" as wildcard matching port.

Result in the firewall file:

cat /etc/config/firewall

[...]
config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '80'
        option '_name' 'http'
        option 'src_port' '*'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'https'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '443'

iptables -L zone_wan:

Chain zone_wan (1 references)
target     prot opt source               destination
input_wan  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:443
DROP       icmp --  anywhere             anywhere            icmp echo-request length !0:84
zone_wan_DROP  all  --  anywhere             anywhere

Desired solution: Report an error in the GUI that a rule was not activated, or prevent a broken rule from being created. I'd really like to see any parsing errors of the config files, in case someone broke them at shell level - just as a note to the patcher.

Attachments (0)

Change History (3)

comment:1 (in reply to description) Changed 8 years ago by joda

fixed formatting / need account :-P


comment:2 Changed 8 years ago by thepeople

  • Owner set to jow
  • Status changed from new to assigned

comment:3 Changed 7 years ago by jow

  • Resolution set to fixed
  • Status changed from assigned to closed

Recent LuCI versions do realtime input validation and should not allow you to enter "*" in the first place.
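The kind of input check jow refers to, shown as an added example that is not LuCI's or OpenWrt's own code: it parses a constructed copy of the two rules from the ticket and reports the src_port value '*' that iptables silently dropped. The minimal UCI parser and the port grammar (a single port or a 'low-high' range within 1..65535, any port expressed by omitting the option) are assumptions of this example.

```python
import re

# Constructed sample mirroring the /etc/config/firewall excerpt in the ticket.
SAMPLE_CONFIG = """
config 'rule'
        option 'target' 'ACCEPT'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '80'
        option '_name' 'http'
        option 'src_port' '*'

config 'rule'
        option 'target' 'ACCEPT'
        option '_name' 'https'
        option 'src' 'wan'
        option 'proto' 'tcp'
        option 'dest_port' '443'
"""
# Assumed port grammar: a single port or a 'low-high' range, each within 1..65535.
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")

def parse_uci(text):
    """Minimal UCI parser (assumption): returns a list of (section_type, {option: value})."""
    sections = []
    for line in text.splitlines():
        tokens = [q or bare for q, bare in re.findall(r"'([^']*)'|(\S+)", line)]
        if tokens and tokens[0] == "config":
            sections.append((tokens[1], {}))
        elif tokens and tokens[0] == "option" and sections:
            sections[-1][1][tokens[1]] = tokens[2]
    return sections

def port_spec_errors(spec):
    """Problems with a src_port/dest_port value; an empty list means valid.
    'Any port' is expressed by omitting the option, so '*' is rejected."""
    errors = []
    for item in spec.split():
        m = PORT_RE.match(item)
        if not m:
            errors.append(f"{item!r} is not a port or port range")
        elif not 1 <= int(m.group(1)) <= int(m.group(2) or m.group(1)) <= 65535:
            errors.append(f"{item!r} is out of range")
    return errors

def validate_rules(text):
    """Map each rule's _name to the errors the GUI should have reported before saving."""
    return {opts.get("_name", "?"): [f"{k}: {e}" for k in ("src_port", "dest_port")
                                     if k in opts for e in port_spec_errors(opts[k])]
            for stype, opts in parse_uci(text) if stype == "rule"}
```

Running validate_rules(SAMPLE_CONFIG) flags only the "http" rule, which is exactly the one missing from the zone_wan chain above.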
