Due to a huge number of fixes and diverging development histories, I decided
to completely merge the current LuCI master into the 18.06 release branch to
have a common code base for upcoming maintenance releases.
Some LuCI apps have minor style glitches yet but I do not deem them to be
release critical as non-default components need to be opkg-installed anyway
and the package repositories are continuously refreshed, so we do not need
to fix everything for OpenWrt 18.06.0-rc2.
The most important changes introduced by this merge are:

1) New HTTP handling library in C

   The new library should vastly reduce the required RAM for processing
   large POST bodies while implementing some slightly more strict parsing
   logic.

2) Apply/Rollback workflow

   The ubus rpcd based apply/rollback handling will automatically revert
   config changes if access to the device is lost for a certain period
   of time, this is mainly intended for preventing issues with bad
   config settings and the like.

   The feature is not 100% error-proof yet but it successfully prevents a
   large number of issues already. For final, the handling of the firewall
   conntrack cache needs to be fixed yet as adding "lockout" firewall rules
   is not yet caught due to the open HTTP session allowed by netfilter
   conntrack.

3) Template markup and theme style modifications

   A large number of changes have been made to the markup in the various
   templates, mainly to allow for responsive styling of tables.

   The only theme currently making full use of that is the non-default
   OpenWrt theme which will break table rows into disjunct boxes on
   very narrow screens.

   The changes have been tested on IE 11, MS Edge, Firefox, Chrome, an
   iPhone 5s, iPhone 6 and iPad Air.

4) Initial LuCI support for displaying virtual dynamic network interfaces

   Some protocol handlers will spawn purely dynamic sub-interfaces which
   are not present in UCI. Such interfaces have been invisible in LuCI so
   far which caused confusion especially wrt. missing IP addresses etc.

   LuCI will now display such dynamic interfaces on the interface overview.

5) Initial LuCI support for displaying interface runtime error information

   LuCI will now expose interface error information stored in the ubus
   runtime information by protocol handlers.

   This is mainly useful to get notified of low level problems like
   bad SIM codes or missing APN information.

6) Various XSS and CSRF bypass fixes

   A number of code places performing inadequate markup escaping have been
   fixed and the dispatcher CSRF token enforcement rules have been reworked
   to actually catch all POST security cases.

7) Initial support for running under nginx

   Various bugs have been fixed to allow LuCI to function under nginx using
   a FastCGI wrapper.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
"Content-Type: text/plain; charset=UTF-8" was written twice in each
of base.po and firewall.po, and one was in an incorrect place, which
was the cause of the errors.
And the escape in the abbr HTML tag was incorrect, so I fixed it.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
When creating a forwarding rule with protocol set to other, a user is
forwarded to the configuration page. The URL for the configuration page
contained a typo - the user was forwarded to
admin/network/firewall/redirect/cfg... and not
admin/network/firewall/forwards/cfg..., leading to a 404.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
It's currently possible to generate nonsensical firewall rules by inputting
combinations which include:
i) protocols other than UDP/TCP
ii) source and destination ports.
There is some discussion of the issue on the forum here and the issue is
here; #1850.
This patch makes fields like src_port and dest_port depend on protocol being
tcp, udp or "tcp udp" in the input, forwarding and source NAT forms.
Signed-off-by: Tom Hodder <tom@limepepper.co.uk>
[reword commit message, squash commits]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
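
The rule the commit above enforces in the forms can also be checked against configuration that already exists. The following is an added example, not code from LuCI or from the commit: a small audit of UCI-syntax firewall sections that flags entries combining `src_port`/`dest_port` with a protocol other than tcp, udp or "tcp udp". The sample config, the function names and the choice to skip sections without a `proto` option are assumptions.

```python
import shlex
# Per the commit message, port fields only make sense for these protocols.
PORT_PROTOCOLS = {"tcp", "udp"}
PORT_OPTIONS = ("src_port", "dest_port")

# Constructed sample in UCI syntax (not taken from a real device).
SAMPLE = """
config rule
    option name 'ping-with-port'
    option proto 'icmp'
    option dest_port '8080'
config redirect
    option name 'web'
    option proto 'tcp udp'
    option dest_port '8080'
config rule
    option name 'gre-in'
    option proto 'gre'
    option src_port '1024'
    option dest_port '22'
"""

def parse_sections(text):
    """Parse 'config <type>' blocks and their 'option <key> <value>' lines."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if len(words) >= 2 and words[0] == "config":
            sections.append({".type": words[1]})
        elif len(words) >= 3 and words[0] == "option" and sections:
            sections[-1][words[1]] = words[2]
    return sections

def find_port_proto_mismatches(text):
    """Return (name, proto, port_options) for rules mixing ports with non-TCP/UDP."""
    findings = []
    for section in parse_sections(text):
        if section[".type"] not in ("rule", "redirect") or "proto" not in section:
            continue  # assumption: a missing proto is left to the firewall default
        if set(section["proto"].lower().split()) <= PORT_PROTOCOLS:
            continue  # every listed protocol has ports, so port options are valid
        ports = [opt for opt in PORT_OPTIONS if opt in section]
        if ports:
            findings.append((section.get("name", "(unnamed)"), section["proto"], ports))
    return findings

if __name__ == "__main__":
    for name, proto, ports in find_port_proto_mismatches(SAMPLE):
        print(f"{name}: proto '{proto}' set together with {', '.join(ports)}")
```
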
Along with 74be6f397
("treewide: switch firewall zone, network and iface lists to dropdown code"),
this change allows luci-app-firewall to recognize OUTPUT rules.
Fixes #1457.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Also switch one usage of raw '<%_ ... %>' interpolation to '<%: ... %>' in
order to avoid issues with translations using apostrophes.
Globally resync translations after the fix.
Fixes #1866.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Also switch the weekday and monthday lists in the firewall rule details to
cbi dropdowns, vastly uncluttering the form.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Mostly convert HTML tables to div based markup to allow for easier styling
in the future. Also change JS accessor code accordingly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Expose options related to routing/NAT flow offloading
feature in firewall3. Offloading is available in kernel 4.14+
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit 177224c14a)
Expose options related to routing/NAT flow offloading
feature in firewall3. Offloading is available in kernel 4.14+
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
This fixes an inconsistency because on the interface configuration if
you press Save&Apply it will go back to overview page. It is also the
case with "Firewall - Traffic Rules" details. On firewall zone it only
goes back to firewall zone-detail. Same behaviour on all pages is a good
user experience.
Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Change the preselection for the src zone to wan and the dest zone to lan
because this is the normal situation.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Currently the append traffic rules for "port forwarding" and "port opening"
to the router are only shown if 'wan' and 'lan' zone are defined at
once.
"Port opening" to the router only needs a 'wan' zone. Removing the
'lan' zone dependency for 'port opening' reflects this behavior.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>