Bug #345

500 error on Traffic Rules page

Added by Rich Brown on Mar 16, 2012. Updated on Apr 19, 2012.
Closed Normal Dave Täht

Description

Using CeroWrt 3.3-rc7-5 on WNDR3700v2… I installed without incident, and was clicking around through the tabs and observed this problem on the Network Firewall> Traffic Rules page. The message says:


This page contains the following errors:
error on line 261 at column 57: expected ‘>‘

Below is a rendering of the page up to the first error.

Attachments

  • firewall (application/octet-stream; 1.9 kiB) Dave Täht Apr 8, 2012

History

Updated by Luke H on Apr 8, 2012.
I was about to report the same issue - but in my case I am using the newer build r31204 (Apr 6) with the 3.3.1 kernel. Same error though:
Updated by Dave Täht on Apr 8, 2012.
The syntax expected by the web interface and the syntax in the file have diverged.

On my todo list is to rebuild the firewall rules from scratch to handle ipv6 and the guest zone and mesh networking concepts well.

If you’d like to take a crack at it, grab the firewall rules file and put it somewhere,
take the existing one in an editor (both vi and zile are available)
and eliminate all the rules, and then re-enter them via the web interface…

Attached a syntactally correct version, that may or may not be logically correct.
I would appreciate testing. It MAY need the /etc/firewall.user file explicitly included
and that file needs work too.

Updated by Dave Täht on Apr 8, 2012.
I note that the Device naming scheme is designed to make it possible to create much more effecient firewall rules, but the gui will not accept the syntax required, so it has a tendency to create
O (n) sorts of rules that scale really badly.

The original ‘dream’ of syntax was you’d use the inherent iptables + pattern match to create a zone.

iptables -I FORWARD -i g+ -o s+ -g do_some_secure processing
iptables -I FORWARD -j ACCEPT # default free zone

is about 12 more rules efficient than the default rules generated which rapidly gets worse with vlans or ipv6 in the mix. (it scales O (n))

Similarly the rules don’t sort by traffic pattern but by logic, so the default openwrt rules currently send everything through an enormous and unneeded icmp chain instead of first matching on the most common protocols.

Regrettably a gui programmer hasn’t shown up that can do that. Writing a script for it is straightforward, but then I lose the gui audience. Alternate solutions are highly desired.

There are also some issues along the lines of bugs #195 and #352 .

Updated by Dave Täht on Apr 9, 2012.
While we made great progress today towards getting the gui to work and ipv6 to work, I needed to put up some documentation on what I’d wanted to do in the first place, which is called CeroWall. I have ENOTIME to make CeroWall work, but when you look at the default openwrt firewall rules, the simplicity I describe with this alternative (with a few clever pattern matches) seems appealing.
Updated by Dave Täht on Apr 14, 2012.
The next build (3.3.2-3) will have working firewall rules viewable in the web browser.

They may not be perfect… and suggestions are highly desired.

Updated by Dave Täht on Apr 19, 2012.
fixed in 3.3.2

This is a static export of the original bufferbloat.net issue database. As such, no further commenting is possible; the information is solely here for archival purposes.
RSS feed

Recent Updates

Dec 2, 2024 Wiki page
What Can I Do About Bufferbloat?
Dec 1, 2024 Wiki page
Bufferbloat FAQs
Jul 21, 2024 Wiki page
cake-autorate
Jul 21, 2024 Wiki page
Tests for Bufferbloat
Jul 1, 2024 Wiki page
RRUL Chart Explanation

Find us elsewhere

Bufferbloat Mailing Lists
#bufferbloat on Twitter
Google+ group
Archived Bufferbloat pages from the Wayback Machine

Sponsors

Comcast Research Innovation Fund
Nlnet Foundation
Shuttleworth Foundation
GoFundMe

Bufferbloat Related Projects

OpenWrt Project
Congestion Control Blog
Flent Network Test Suite
Sqm-Scripts
The Cake shaper
AQMs in BSD
IETF AQM WG
CeroWrt (where it all started)

Network Performance Related Resources


Jim Gettys' Blog - The chairman of the Fjord
Toke's Blog - Karlstad University's work on bloat
Voip Users Conference - Weekly Videoconference mostly about voip
Candelatech - A wifi testing company that "gets it".