
Req Help! Why do my nvram rrules keep disappearing?

Discussion in 'Tomato Firmware' started by Sean Rhodes, Nov 26, 2013.

  1. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    This seems to happen on all the Shibby versions from 102 to 115 inclusive, so maybe it could be a router issue.

    Current setup:
    Linksys E4200 v1
    Firmware: Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB Mega-VPN (Shibby)

    My nvram rules keep disappearing; they can be seen in the GUI and then they disappear. When I ssh into the router:
    Code:
    nvram show | egrep "^(rrule|rdev|rres)"
    rrule0=
    rrule1=
    rrule2=
    rrule3=
    rrule4=
    rruleN=0
    rrules_activated=0
    rrules_radio=-1
    rrulewp=80,8080
    They are all empty.

    I made a script to reload them, but I would like to know why this is happening in the first place.

    Can anyone give me any pointers on where to start troubleshooting, since I don't see anything in the syslog.

    Could this be bad nvram? I have even added them and performed a nvram commit, but they still disappear after a few hours.

    Thanks in advance
     
  2. PetervdM

    PetervdM Network Guru Member

    did you check the amount of free nvram?
     
  3. kthaddock

    kthaddock Network Guru Member

    Last edited: Nov 26, 2013
  4. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    This seems to happen on all the Shibby versions from 102 to 115 inclusive, so maybe it could be a router issue.

    Current setup:
    Linksys E4200 v1
    Firmware: Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB Mega-VPN (Shibby)

    My nvram rules keep disappearing; they can be seen in the GUI and then they disappear. When I ssh into the router:
    Code:
    nvram show | egrep "^(rrule|rdev|rres)"
    rrule0=
    rrule1=
    rrule2=
    rrule3=
    rrule4=
    rruleN=0
    rrules_activated=0
    rrules_radio=-1
    rrulewp=80,8080
    They are all empty.

    I made a script to reload them, but I would like to know why this is happening in the first place.

    Can anyone give me any pointers on where to start troubleshooting, since I don't see anything in the syslog.

    Could this be bad nvram? I have even added them and performed a nvram commit, but they still disappear after a few hours.

    Thanks in advance
     
  5. Sean Rhodes

    Sean Rhodes Networkin' Nut Member

    Thanks for the help guys.

    I have lots of RAM and NVRAM space so I assume it's because of the module change. So what exactly is the string module instead of the web module? Is it just manually adding the rules via ssh as opposed to the GUI? I can't find any info at all other than the posts above and a one-liner on Shibby's change log.
     
  6. koitsu

    koitsu Network Guru Member

    Access Restrictions have a feature that lets you block web pages with certain text in them (in the GUI, it's called "HTTP Request").

    This was accomplished using a 100% homebrewed (written by original Tomato author Jon Zarate) iptables module called web which matched against certain HTTP parameters, i.e. the string after GET or POST, in the Host: header, or the body of the HTTP request or response. This module works well for blocking specific types of traffic via HTTP only. The web module also offers the ability to use basic forms of regular expressions (regex / regexp).

    After some years, users began complaining/crying/screaming over the fact that Access Restrictions did not block HTTPS traffic. It was mentioned that there was an iptables module called xt_string (sometimes called string) which could match against the raw payload of a packet, thus allowing for a way to block access to HTTPS sites assuming SNI is used by the web browser (only used by newer browsers). I made myself very clear from the beginning: use of xt_string is dangerous because it literally looks at the raw packet and matches anything in there, while web actually "parsed" some of the HTTP content and was intelligent; i.e. xt_string has a much higher chance of blocking legitimate traffic. xt_string also does not support regex.

    Some firmwares immediately switched from web to xt_string but did not think about the full repercussions of their actions when it came to the syntax of the NVRAM variables. It's entirely up to each firmware author/maintainer to implement this how they see fit, so what you "expect" things to be in the NVRAM world on one firmware may not be the case in another.

    If the contents of your rrule* NVRAM variables are changing, that may be by design, and then again it may not be. You need to ask the firmware maintainer what's going on, and, if you can, try to debug it. I warn you in advance: it is not simple to debug, as shown in this thread.

    If you're not using the "content blocking" features of Access Restrictions (e.g. "HTTP Request" in the GUI), then the web vs. xt_string situation should not apply to you, but that doesn't mean some daemon/process (including init (yes, init really does do some things under-the-hood on Tomato)) isn't screwing with your NVRAM variables.

    I cannot help past this point.
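
The trade-off described in the post above, as an added example that is not part of the thread and is not Tomato's or xt_string's code: a payload-wide substring match compared with a simplified Host-header-only HTTP parser, run over constructed payloads. The function names, the `blocked.example` string and all sample bytes are made up for illustration; the TLS sample is a stand-in carrying a cleartext server name, not a valid handshake.

```python
# Added example: constructed payloads and hypothetical names throughout.
NEEDLE = b"blocked.example"  # made-up name the rule is meant to block

def raw_payload_match(payload: bytes, needle: bytes = NEEDLE) -> bool:
    """Payload-wide match: true if the bytes occur anywhere in the packet data."""
    return needle in payload

def host_header_match(payload: bytes, needle: bytes = NEEDLE) -> bool:
    """Parser-aware match, simplified here to the Host header of an HTTP request."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    if lines[0].split(b" ")[0] not in (b"GET", b"POST", b"HEAD"):
        return False  # first line is not an HTTP request line
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return needle in value.strip().lower()
    return False

# name -> (constructed payload, is the destination really the blocked site?)
SAMPLES = {
    "http_to_blocked_host":
        (b"GET / HTTP/1.1\r\nHost: www.blocked.example\r\n\r\n", True),
    "http_search_mentioning_name":
        (b"GET /search?q=blocked.example HTTP/1.1\r\nHost: search.example\r\n\r\n", False),
    "http_post_body_mentioning_name":
        (b"POST /comment HTTP/1.1\r\nHost: forum.example\r\n\r\n"
         b"text=is+blocked.example+down", False),
    "tls_hello_stand_in":
        (b"\x16\x03\x01\x00\x2a\x00\x00\x00\x14www.blocked.example", True),
    "smtp_body_mentioning_name":
        (b"Subject: hi\r\n\r\nsee blocked.example later\r\n", False),
}

def overblocked(samples=SAMPLES):
    """Samples the payload-wide match hits although the destination is not the blocked site."""
    return sorted(n for n, (p, intended) in samples.items()
                  if raw_payload_match(p) and not intended)

def missed_by_host_parser(samples=SAMPLES):
    """Samples that should be blocked but that an HTTP-only parser cannot see."""
    return sorted(n for n, (p, intended) in samples.items()
                  if intended and not host_header_match(p))

if __name__ == "__main__":
    print("over-blocked by payload-wide match:", overblocked())
    print("missed by HTTP Host parser:", missed_by_host_parser())
```
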
     
  7. jerrm

    jerrm Network Guru Member

    For shibby, string vs web would be irrelevant, no change was made to the nvram storage format for the rule, only how they are translated into iptables.
     
