Inconsistent list handling in UCI and LUCI

mirodin · February 21, 2021, 9:10am

Yesterday I updated my router from 18.06 to 19.07. During this I had to recreate all my settings and stumbled upon some peculiar thing:

When I add an interface via LUCI to a firewall zone it creates an entry like this:

firewall.wan.network='wan wan6 vpn'

When I run the add_list command for UCI following https://openwrt.org/docs/guide-user/services/vpn/wireguard/client#firewall it creates this:

firewall.wan.network='wan wan6' 'vpn'

Which causes the vpn interface to become unassigned in LUCI.

Are lists no longer supported? Which one is the "right" solution?

hnyman · February 21, 2021, 9:18am

The easiest way is to just edit the file by hand with an text editor...
(like nano or the old vi)

But the uci add_list behaviour looks strange indeed.

cc @jow

vgaetera · February 21, 2021, 9:23am

Firewall defaults in OpenWrt 19.07.* for the reference:

github.com

openwrt/openwrt/blob/openwrt-19.07/package/network/config/firewall/files/firewall.config#L16-L19


config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'

mirodin · February 21, 2021, 10:07am

Weird, my /etc/config/firewall file looks like this:

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 vpn'

I used the sysupgrade image from the download page and turned off "Keep settings".

vgaetera · February 21, 2021, 1:56pm

I tested this use case and confirm the issue.

Actually, it's the other interfaces that become unassigned.
To be honest, it looks pretty bad and can be considered a security issue.

But the CLI instructions appear to be correct and clear.
So, you can file a ticket on the LuCI bug tracker:
https://github.com/openwrt/luci/issues

hnyman · February 21, 2021, 2:01pm

Why LuCI ?

That looks quite proper after the LuCI action. (the old style of option formatting, not as list items but an one-line list.)

The advice in wiki looks like the one that mangles things. (note the two separately quoted items)

And after there is semi-invalid config line in uci, LuCI then understands it wrongly. But LuCI just interpretes config files and does not actually "unassign" anything.

To me that looks like an error in uci itself.
And that is bad.

Might be that uci handles wrong a "list" command targeted to a non-list option item.
uci add_list firewall.wan.network="${WG_IF}"
vs.

        option network 'wan wan6 vpn'

hnyman · February 21, 2021, 2:17pm

cc @jow
Based on above examples, I wonder if there is a list vs. option item handling bug in uci

uci add_list firewall.wan.network="${WG_IF}"
applied in 19.07.x to option network 'wan wan6'
leading to firewall.wan.network='wan wan6' 'vpn'

My own test in master:

root@router1:~# tail -n 4 /etc/config/firewall
config zone 'test'
        option name 'test'
        option network 'wan henet'

root@router1:~# uci add_list firewall.test.network="ttt"
root@router1:~# uci commit firewall

root@router1:~# tail -n 5 /etc/config/firewall
config zone 'test'
        option name 'test'
        list network 'wan henet'
        list network 'ttt'

Note that the "option" was converted to "list" without breaking the two items to separate lines but the third item was added as a separate item.

vgaetera · February 21, 2021, 2:22pm

Since it's the source of the API breaking change.

Perhaps you can propose a better method?

Note that the current CLI method:

Works fine for incremental modifications.
Doesn't alter unrelated entries.
Matches the firewall defaults.

That's until you mangle the perfectly working config with LuCI.

Looks correct since we cannot be sure that space is an entry delimiter in general case.

hnyman · February 21, 2021, 2:31pm

I tested with LuCI, and you are right, LuCI adds the interfaces to zones with the old "option" style, instead of using the "list" style:

config zone
        option name 'test'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'test2 test3'

And once that has happened, then uci continues to further mangle styles, if you use cli to add new interfaces to the zone.

mirodin · February 21, 2021, 2:42pm

I created a bug report for Luci and OpenWrt referencing each other since I think they are better at figuring out who should fix this than I am. Since I do not have any idea about the inner workings of this I expect one side to close the issue after inspecting it.

hnyman · February 21, 2021, 2:45pm

Looks like there is problem in both LuCI and in uci in the main OpenWrt:

LuCI adds networks wrongly with "option" style.
uci then mangles things further if a "list" command is later used.

I added the details to your LuCI ticket

hnyman · February 21, 2021, 2:49pm

Funnily enough, you might read the reasoning in the year 2013 changing the firewall zone config style to "list"...

Looks like the problem has been recognised then, but LuCI seems to continue using "option". Strange enough, as the committer jow is the main author of LuCI.

vgaetera · February 21, 2021, 3:19pm

Note that using spaces not as delimiter but as part of a single entry is a completely valid use case.
And UCI is doing the right thing when converting option to list:

> uci set x.y.z="a 1"
> uci add_list x.y.z="b 2"
> uci show x.y.z
x.y.z='a 1' 'b 2'

I just hope we don't make it even worse by "fixing" the wrong component.

Looks like the issue has been fixed.

system · March 4, 2021, 8:27pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.