Firewall GUI feature request

I'm quite aware of the fact that OpenWrt is primarily targeted at embedded devices so plenty of you guys might not be able to follow my arguments but still I would like to address this topic.

When OpenWrt is actively being used as a firewall the amount of rules may grow and suddenly the list becomes somewhat confusing or chaotic. It's just really hard to process if you need to check the existing rules. I kind of solved that on my own by just using ansible to deploy rules. That way I can sort them and also have variable objects in Ansible. Yet I believe there should be an purely OpenWrt based solution.

I would love to see features like:

  • Objects / Aliasses like other solutions have them. Define once, use many. Also in case of an IP change you would not have to traverse all the rules and check them individually but just change one object.
  • Move rules around and group them. I like the way pfSense is adressing that.
  • The ability to filter when displaying the rules.

Since OpenWrt is currently working on migrating over to fw4 / nftables, this might be a good time to address those issues. I'm looking forward to responses what you guys think about that. There currently is IP sets but to my knowledge nobody is using them and the GUI doesn't support managing them. Nftables also has them: https://wiki.nftables.org/wiki-nftables/index.php/Sets

Let me point out that this is not a GUI feature request then. You see, the GUI (i.e. LuCI) is written to work directly with the UCI configuration files. In contrast to other manufacturer's web interfaces LuCI is not an abstraction layer between the configuration ant the user. It parses, displays for editing, and modifies the underlying configuration files in a very literal way.

Objects and aliasses are an abstraction layer, and if you want that abstraction layer for LuCI that abstraction layer needs to exist in the underlying configuration files ... and that layer does currently not exist. It would require a rather significant rewrite and/or extension of the structure of the underlying firewall configuration files and the system that parses the configuration files to generate the firewall rules.

You can do that already, that's the purpose of the "three lines" button next to the "edit" and "delete" buttons. Keep in mind that this is not purely visual, it also changes the order of rules as they are applied ... which is significant in a firewall context. The order of rules matters.

Again a layer of abstraction in configuration files that would have to be defined and then supported by the underlying system.

That would be doable, I guess. It currently does not exist, and it would be a bit of work both on both the technical and UX sides, but of all your suggestions this one is probably amongst the easier to achieve.

Edit: I feel like I need to point out that I don't want to shut down your request. It absolutely is sensible to work towards a better user experience and to discuss ways to do that. It is just worth noting that changes in OpenWrt's GUI are very often not contained to the GUI, by definition they have to penetrate the whole system.

6 Likes

...and realistically speaking, requests of this magnitude would require at least working proof of concept code, to be considered. No one is really waiting for suggestions of how to spend the next couple of months to design and implement something from scratch based on a rough description.

Thank you very much for the thorough response. I did not expect this to be an easy one but I don't want to keep potential improvements to myself if I see them.
Sadly I'm not the coder type of guy who can actually deliver a PoC to start with.

Could such objects not be stored in IP sets? They are already there.

I will give it a try.

Probably.

Just a sidenote: fw3 is on the way out.

1 Like

afaik most of this ipset functionality is supported in nftables (the backend of fw4)
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_ipset_to_nftables
but I don't know the status of fw4 support of this functionality

fw4 supports (or rather should support, if not there's a bug) all ipset related uci settings from fw3. That means ability to declare set and initial values as well as referencing sets in rules and redirects.

2 Likes