Firewall rules that are installed by default, and provide no documentation as to why it exists, or what benefit it provides a user/admin, is absolutely a bug.
I'd prefer that the bug be fixed with documentation, but removing the undocumented rules would also be acceptable in my opinion.
REC-22 In their DEFAULT operating mode, IPv6 gateways MUST NOT
prohibit the forwarding of packets, to and from legitimate
node addresses, with an upper-layer protocol of type
"Encapsulating Security Payload (ESP)" [RFC4303] in their
outer IP extension header chain.
REC-24 In their DEFAULT operating mode, IPv6 gateways MUST NOT
prohibit the forwarding of any UDP packets, to and from
legitimate node addresses, with a destination port of 500,
i.e., the port reserved by IANA for the Internet Key Exchange
(IKE) Protocol [RFC5996].
[quote="jonesmz, post:11, topic:2220"]
However, documentation in the form of # style comments doesn't show up in LUCI.
[/quote]No, it doesn't. (And actually editing the config file with either LuCI or uci removes the # comments from the config file.)
Openwrt & LEDE have always been size-constrained and have tried to store as little as possible in the precious flash memory. So most of the documentation is no included in the flashed firmware. (And note that there are hundreds or thousands of settings included. You shouldn't expect to find docs about all of them to be included in the firmware...)
Bluntly said, you need to trust that the default settings are sensible, but if you want actual proof about that, you need to dig into the source code to see the relevant commits that usually contain explanations about the changes.
What missing documentation? It's already clearly written in the default rules what it suppose to do. If you want to know more about the rule just Google it!
And if it's bothering you so much just add the god damn option name line and be done with it.
There are far more important things that needs fixing, I don't think anyone has time for this.
By missing documentation, maybe I should instead be saying
Things that show up by default in LUCI shouldn't be allowed to have no human readable text explaining why it's there
Hnyman kindly indicates that the default # style documentation is:
# allow IPsec/ESP and ISAKMP passthrough
Changing that to
option name 'Allow-ESP-Forward'
and
option name 'Allow-L2TP/IPSec-Forward'
Respectively is a change of (31+38+indentation*2)-50, or an increase of
19 bytes + indentation*2
Surely we can sacrifice that many bytes in the default installer, pre-compression?
As for whether I should just add the "god damn option name line and be done with it"
If everyone just "did the thing and be done with it" on their own without consulting the broader community, there wouldn't be much of a community would there? It may be that you find this to be a trivial non-issue, but I don't. Maybe there are no other people in the LEDE-Project community that care about this, and if that's the case, great, just leave the bug that I opened in flyspray open indefinitely or close it as wont-fix. But surely you at least acknowledge that this is a specific, constrained well defined complaint that can be "fixed" with a 3-5ish line patch?
Perhaps the next time you have to change a default-installed configuration file to add basic information as to what it's even doing, you'll consider fixing it for everyone, instead of only yourself?
@jonesmz is absolutely correct. I don't understand why some people feel the need to make up silly excuses for what is obviously a bug. If you look in that same file, there are many other rules with option name lines (Allow-Ping, Allow-DHCPv6, etc.)
The reason why those two rules don't have names is that they used to be just commented-out examples. They wouldn't show up in LuCI anyway, so there was no need for a name. Later, they were uncommented, and the fact that they didn't have a name was overlooked.
Argued with person who closed the bug, finally got him/her to agree that it was a problem worth fixing.
Fix landed in git a week after my conversation on flyspray.
Not much of a community-driven project if even trivial-to-fix problems get responses such as "I don't think anyone has time for this.", or other comments that dismiss the complaint (too numerous to list, but just read this thread), or the reported bug gets marked as "wontfix".
I'd like to claim the status of "not a moron". I work as a software engineer for a living, I'm not new to submitting bugs to open source projects. Most of the time when I report bugs, I don't get responses anywhere near as hostile as I did in this thread.
Then again, a lot of the time, I just get ignored, which isn't either better or worse. So shrug.