
Tomato RAF Releases

Discussion in 'Tomato Firmware' started by Victek, Dec 28, 2012.

  1. Elfew

    Elfew Addicted to LI Member

    Maybe one suggestion - add an option to load your custom html page or redirect to ..... option after the website is blocked... I don't know how difficult it is to add... With default settings it will show the text which Victek wrote 2 posts above.

    Your opinions, gentlemen? ;)
  2. koitsu

    koitsu Network Guru Member

    You know, I didn't think about that -- you're completely right. It would be solely in the outbound TCP packet (from the client going to a server/destination). So in that regard, content from a web page wouldn't match -- I'm very much wrong in that regard, and you're right.

    However, what would match would be any outbound packets with the string in question -- so for example visiting http://www.somedomain.com/twitter.com would get blocked if you had a "twitter.com" block, since the outbound HTTP request would be something like:

    GET /twitter.com HTTP/1.0
    Host: www.somedomain.com
    {lots of other HTTP headers here, and don't forget cookies}
    {blank line}
    The same goes for cookies that contain a domain name (very common), or anything else submitted by the client. I imagine this would (will) cause some complications for end-users, and imagine trying to debug/troubleshoot it with them. Nobody in their right mind would think "maybe Access Restrictions is causing it, because I'm blocking a string called "adult", and now I can't visit http://www.cnn.com/dsfjsdkf/man-sued-for-adult-diapers-in-public.html").

    ipt_web/xt_web explicitly matches against TCP packets, not to mention requires -p tcp (libipt_web.c checks this, and xt_web.c's xt_match struct explicitly specifies the TCP protocol for what netfilter/iptables passes on to the module).

    However, the TCP port number is not checked -- and I believe that's by design. This is so that you can add a block for www.foobar.com and it would block http://www.foobar.com:1234/ (note the arbitrary TCP port number) since the HTTP Host: header would contain www.foobar.com.

    The stuff Jonathan Zarate wrote (especially xt_web.c) is basically uncommented and a bit tricky/difficult to understand (lots of arbitrary integers used with no real explanation for their purpose; you really do have to look at every single line and reverse-engineer it all -- see the match() and match_payload() functions for the biggest complexities). Ideally what's needed is something that's somewhere between ipt_web/xt_web and xt_string.

    I'll point out that the issue of filtering HTTP and HTTPS was brought up over at Slashdot earlier this month, where someone asked how to go about accomplishing this task even on consumer routers. The universal answer: use a proxy server. (The people who said "use a different DNS provider" appear to be very short-sighted and do not understand the nature of the problem). Honestly a proxy daemon really is the best solution, but the issue is that it's not easy/reasonable to accomplish on embedded devices. I've always found proxies, even enterprise-grade stuff (like BlueCoat products) to be slow, given the increase in latency between source/destination and the its-one-step-away-from-being-NAT nature of how they work. You will find that the persons who felt this should be done in iptables/netfilter or the kernel got flamed -- hard. On BSD, we have this capability but through a userland library called libalias (which handles things like rewriting IRC DCC port numbers in the TCP payload, and the same for FTP active mode port number rewriting, all for NAT) -- because the belief is that this kind of stuff should not be done in the kernel. I couldn't care less "where" in the layer it fits, and have no real aversion to it being done in iptables/netfilter.
  3. koitsu

    koitsu Network Guru Member

    I got to thinking about this a bit more -- yes, this may be overkill, but it might be the cleanest/most accurate way to deal with the situation.

    We already have layer 7 support via ipt_layer7/xt_layer7. This could actually be used to accomplish what's needed, specifically:

    * For non-SSL: matching against the HTTP Host: header, matching against any request string (think Request-URI) in a GET/POST/HEAD request, or either/or
    * For SSL/TLS: matching against the SNI header of a TLS packet

    The following patterns are examples which would need to be modified + made into their own patterns for multiple reasons (speed, accuracy, and to not conflict with existing/stock pattern names):

    HTTP: http://l7-filter.sourceforge.net/layer7-protocols/protocols/http.pat
    SSL/TLS: http://l7-filter.sourceforge.net/layer7-protocols/protocols/ssl.pat

    The HTTP pattering match is supposedly quite slow, but that's mainly because it's matching very strictly, and against a whole subset of things. This could be sped up tremendously given that we know exactly what to match against (i.e. the regexs would become a lot simpler).

    The SNI match for SSL/TLS would need to be written to match against an SSL/TLS option header. I could probably write this, but it would take me some time, and a lot of troubleshooting (like I said earlier in this thread, I think -- lots of packet captures from different browsers, and via different OSes. Totally doable, especially via VMs, but is time-consuming)

    The GUI bits would need to be revised somehow. My recommendation would be to introduce a new textarea field for HTTPS (SNI) matching, separate from the existing HTTP domain/query match. I would also suggest introduction of a new textarea for HTTP domains vs. HTTP queries -- the existing model uses ipt_web's --hore flag (match either the HTTP Host: header or the HTTP query/request), which may not be what someone necessarily wants. I believe keeping the textarea model/method is wise, because it allows someone to copy-paste a list of domains/strings/etc. (say from a Notepad window) very easily -- no excessive clicking needed. Of course I don't know how people feel about an interface redesign for it -- say, something similar to the Port Forwarding menu but one entry per match (provided via a pulldown that states if it's a string to be matched against HTTP Host: header, HTTP query string, SNI for HTTPS, or SNI for HTTPS or HTTP Host: header).
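Added example (not code from the thread or from the Tomato sources) covering the two posts above: it pulls the name a filter should decide on, the Host: header of a plaintext request and the SNI host_name of a TLS ClientHello, and contrasts name-based matching with the blind payload-substring match that makes a "/twitter.com" path trip a "twitter.com" block. The ClientHello is constructed inline and every function name is my own.

```javascript
// Plaintext HTTP: the Host: header, without any :port suffix, so that
// www.foobar.com:1234 still matches a block for www.foobar.com.
function httpHostOf(request) {
  const m = /^Host:[ \t]*([^\r\n]+)/im.exec(request);
  return m ? m[1].trim().replace(/:\d+$/, '').toLowerCase() : null;
}

// Plaintext HTTP: the request-target of the request line (GET /path HTTP/1.x).
function httpRequestTargetOf(request) {
  const m = /^[A-Z]+[ \t]+(\S+)[ \t]+HTTP\/\d\.\d/.exec(request);
  return m ? m[1] : null;
}

// Blind substring match over the whole outbound payload: this is what produces
// the "path contains twitter.com, so the request gets blocked" false positive.
function payloadContains(request, needle) {
  return request.toLowerCase().includes(needle.toLowerCase());
}

// Name-based match: the exact host or any subdomain of the pattern.
function hostMatches(host, pattern) {
  if (host === null) return false;
  const p = pattern.toLowerCase();
  return host === p || host.endsWith('.' + p);
}

// TLS: the server_name (SNI) extension of a ClientHello. Returns null for
// anything that is not a well-formed ClientHello carrying a host_name entry,
// including truncated records, so a filter can fall through safely.
function sniOf(buf) {
  if (buf.length < 5 || buf[0] !== 0x16) return null;          // not a handshake record
  const recEnd = 5 + ((buf[3] << 8) | buf[4]);
  if (recEnd > buf.length) return null;                         // truncated record
  let p = 5;
  if (buf[p] !== 0x01) return null;                             // not a ClientHello
  const end = p + 4 + ((buf[p + 1] << 16) | (buf[p + 2] << 8) | buf[p + 3]);
  if (end > recEnd) return null;
  p += 4 + 2 + 32;                                              // handshake header, client_version, random
  if (p + 1 > end) return null;
  p += 1 + buf[p];                                              // session_id
  if (p + 2 > end) return null;
  p += 2 + ((buf[p] << 8) | buf[p + 1]);                        // cipher_suites
  if (p + 1 > end) return null;
  p += 1 + buf[p];                                              // compression_methods
  if (p + 2 > end) return null;                                 // no extensions block at all
  const extEnd = p + 2 + ((buf[p] << 8) | buf[p + 1]);
  p += 2;
  if (extEnd > end) return null;
  while (p + 4 <= extEnd) {
    const type = (buf[p] << 8) | buf[p + 1];
    const len = (buf[p + 2] << 8) | buf[p + 3];
    p += 4;
    if (p + len > extEnd) return null;
    if (type === 0x0000) {                                      // server_name extension
      let q = p + 2;                                            // skip ServerNameList length
      const listEnd = p + len;
      while (q + 3 <= listEnd) {
        const nameType = buf[q];
        const nameLen = (buf[q + 1] << 8) | buf[q + 2];
        q += 3;
        if (q + nameLen > listEnd) return null;
        if (nameType === 0) {                                   // host_name
          return String.fromCharCode.apply(null, Array.from(buf.subarray(q, q + nameLen))).toLowerCase();
        }
        q += nameLen;
      }
      return null;
    }
    p += len;
  }
  return null;
}

// Constructed minimal ClientHello (fixed random, one cipher suite, only the SNI
// extension) so the parser can be exercised offline without a packet capture.
function u16(n) { return [(n >> 8) & 0xff, n & 0xff]; }
function buildClientHello(hostname) {
  const name = Array.from(hostname, c => c.charCodeAt(0));
  const sni = [0x00, 0x00, ...u16(name.length + 5), ...u16(name.length + 3), 0x00, ...u16(name.length), ...name];
  const body = [0x03, 0x03, ...new Array(32).fill(0x42),       // client_version, random
    0x00,                                                       // session_id length
    0x00, 0x02, 0x13, 0x01,                                     // one cipher suite
    0x01, 0x00,                                                 // null compression
    ...u16(sni.length), ...sni];
  const hs = [0x01, 0x00, ...u16(body.length), ...body];         // type + 24-bit length
  return Uint8Array.from([0x16, 0x03, 0x01, ...u16(hs.length), ...hs]);
}

// Constructed sample request, the one from the post above.
const SAMPLE_REQUEST = 'GET /twitter.com HTTP/1.0\r\nHost: www.somedomain.com\r\nCookie: a=b\r\n\r\n';
```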
  4. josmidiel3

    josmidiel3 Reformed Router Member

    Friends, can the 2013 version be installed on a WRT54GL?
  5. plgvie

    plgvie Reformed Router Member

    After having installed "tomato-E3000-WRT610Nv2-K26USB-1.28.9013MIPSR2R1.1f-RAF-VLAN-VPN-NOCAT-LIGHTY.trx" on 2 Linksys-E3000 both changed their MAC-addresses and share now:
    LAN: 00:01:36:1F:E4:59
    WAN: .......:5A
    WLan1: ....:5B
    WLan2: ....:5C
    Returning to the last stable FW resets the MACs to the original ones.

    Using the E4200-version of the beta-FW did not show this behavior, MACs remained unchanged!

    Kind rgds
  6. quinezhu

    quinezhu Addicted to LI Member


    I've tested release 1.1 but still get the error "invalid server address" if the server address contains a pure-digits domain name (like 3322.org) in OpenVPN Client Configuration.

  7. koitsu

    koitsu Network Guru Member

    The term "address" implies "IP address", not "hostname" (FQDN). This is purely an English language barrier aspect. The GUI should be modified to say "Server IP Address/Port" to make this more clear.

    That said -- OpenVPN does support use of FQDNs/hostnames as server destinations (i.e. it will do DNS resolution), so there's no real technical reason I can think of that an IP address should be required rather than an IP address or FQDN.
  8. quinezhu

    quinezhu Addicted to LI Member

    Thanks for your reply. I have been using FQDNs/hostnames as OpenVPN server destinations with the firmware of TomatoUSB and TomatoVPN mods. So I thought I could use it the same way with RAF mod.

    But the error "invalid server address" won't occur if I use a hostname "xxx.3322x.org" rather than "xxx.3322.org". So it seems that FQDN is supported partially in RAF mod.
  9. koitsu

    koitsu Network Guru Member

    It sounds to me like both forms (IP addresses and FQDNs) are supported completely, just that the Javascript code that tries to determine if what you have is a "valid IP" or a "valid FQDN" is broken/faulty -- it's probably doing something stupid/idiotic like "if I see nothing but [0-9] between two dots, assume this is an IP address" (and that's broken logic).

    I don't know why such a check exists at all -- the GUI should accept whatever the user enters, after stripping spaces from beginning-of-line and end-of-line, and ensuring the only permitted characters are [A-Za-z0-9\-\.]. IDN support will have to be something permitted later.

    I'll go see if I can find the code for this and figure out what on earth is going on.
    eviltone likes this.
  10. koitsu

    koitsu Network Guru Member

    The code in question is in release/src-rt/router/www/vpn-client.asp.

    The functions involved are called v_ip() and v_domain(), and call many other functions. Those functions are in release/src-rt/router/www/tomato.js.

    It looks to me like fixIP() has some very idiotic logic, and the _v_hostname() function is a convoluted mess.

    These functions are heavily used through all sorts of bits:

    jdc@debian:~/EasyTomato/release/src-rt/router/www$ grep v_domain *.asp | wc -l
    jdc@debian:~/EasyTomato/release/src-rt/router/www$ grep v_ip *.asp | wc -l
    The scope of this breakage, if you ask me, is extremely large -- meaning it could affect a lot of things, more than just the OpenVPN parts. This same code is used in other firmware (Toastman, Shibby, etc.).

    For now, the workaround is to specify the IP address instead of the FQDN.

    I'll have to find a real-time Javascript debugger/helper so I can do some real-time debugging.
    eviltone likes this.
  11. koitsu

    koitsu Network Guru Member

    I spent some time in Firebug poking about with this, using Toastman's PPTP Client menu section as a way to test (since it has the same if() statement that uses v_ip() and v_domain() tests). I entered xxx.3322.org into the Server Address field and clicked Save -- same error quinezhu gets.

    I used Firebug to step through the code to see what exact error condition it's hitting.

    Without going into the semantics of the call stack and so on (I've attached 2 screenshots showing those details), the error happens as a result of this code in function _v_hostname() failing:

    if (s.search(re) == -1 || s.search(/^\d+$/) != -1) {
        ferror.set(e, 'Invalid hostname. Only "A-Z 0-9" and "-" in the middle are allowed (up to 63 characters).', quiet);
        return null;
    }
    So the questions then become:

    1. What are the contents of s and re when this fails?
    2. Which of the two conditions in the if(), since they're OR'd, causes the failure?

    The answer to #1 is shown in one of the screenshots: s is 3322, and re is a RegExp object matching the regex string /^[a-zA-Z0-9](([a-zA-Z0-9\-]{0,61})[a-zA-Z0-9]){0,1}$/.

    The answer to #2 involves use of Firebug's Console to check things in real-time:
    >>> s.search(re)
    >>> s.search(/^\d+$/)
    s.search(re) returns 0, therefore the first if() conditional isn't true. However, s.search(/^\d+$/) returns 0, and that value != -1, therefore that proves true, hence the if() proves true and the error is thrown + trickles all the way back up the calling stack.

    I do a lot of perl, therefore I'm quite familiar with regular expressions. The /^\d+$/ regex, when written in English, means:

    ^ = match against beginning of string (anchoring)
    \d = numeric digit (0-9)
    + = one or more of the preceding value (numeric digit)
    $ = match against end of string (anchoring)

    Clearly 3322 matches that.

    From this we can determine that the logic in _v_hostname() is flawed -- it makes the idiotic blind assumption that if any "part" of an FQDN consists of only numbers, that the input is invalid. This appears to be based on a very, VERY broken misunderstanding on someone's part (Jon Zarate?), who think that any field within an FQDN cannot be entirely numeric -- that is completely wrong. The only part of an FQDN which cannot be purely numeric is the TLD (see the 4th bulletpoint).

    This flaw would also cause things like 1234.hello.com and i.live.at.666.hope.street.net to fail.

    All of this Javascript "hostname vs. IP" checking nonsense needs to be nuked from orbit -- what we have is a bunch of silly Javascript code that tries to "emulate" proper validation of an IP address or FQDN (without using DNS!), and does so wrongly.

    I would advise nuking most of the code in these functions, however the functions are used heavily throughout tons of GUI portions -- I imagine some may actually be important.

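An added example (not from the thread or from tomato.js) contrasting the per-label check quoted above with a validator that follows the rules stated in this post: accept every label the quoted regex accepts, refuse only an all-numeric TLD, recognise dotted-quad IPv4 separately, and trim whitespace and restrict the character set before anything else. The regex literal is the one quoted from tomato.js; the function names are mine.

```javascript
// Label regex exactly as quoted from tomato.js in the post above.
const LABEL_RE = /^[a-zA-Z0-9](([a-zA-Z0-9\-]{0,61})[a-zA-Z0-9]){0,1}$/;

// The check as it stands in _v_hostname(): a label that is all digits is
// rejected, so "3322" in xxx.3322.org fails even though it is a valid label.
function flawedLabelCheck(s) {
  return !(s.search(LABEL_RE) == -1 || s.search(/^\d+$/) != -1);
}

// Dotted-quad IPv4: exactly four all-numeric labels, each 0..255.
function isIPv4(s) {
  const parts = s.split('.');
  return parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Hostname per the rule stated in the post: every label must satisfy LABEL_RE,
// any label may be purely numeric except the last one (the TLD).
function isHostname(s) {
  if (s.length === 0 || s.length > 253) return false;
  const labels = s.split('.');
  if (!labels.every(l => LABEL_RE.test(l))) return false;
  return !/^\d+$/.test(labels[labels.length - 1]);
}

// What a "Server Address" field could do instead: trim, restrict the
// character set to [A-Za-z0-9.-], then classify. Returns 'ip', 'hostname'
// or null (reject). IDN input is out of scope here, as the post says.
function classifyServerAddress(input) {
  const s = input.trim();
  if (!/^[A-Za-z0-9.\-]+$/.test(s)) return null;
  if (isIPv4(s)) return 'ip';
  if (isHostname(s)) return 'hostname';
  return null;
}
```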

  12. ilkevinli

    ilkevinli Network Guru Member

    Man Koitsu I love the way you explain things in your posts. They are great reading ! :)
  13. quinezhu

    quinezhu Addicted to LI Member

    Thanks very much for your detailed post. Is it possible to set the OpenVPN server address directly by running "nvram set ***=***" which may avoid checking the validation.
  14. quinezhu

    quinezhu Addicted to LI Member

    I tried and it works. :)
    nvram set vpn_client1_addr=xxx.3322.org
    nvram commit
  15. Victek

    Victek Network Guru Member

    At least we discover bugs from longtime ago ... vpn server is not Zarate's feature but it's good that beta testers can do something for the community. Already corrected for the final release ;)

    zapoqx, gffmac and Elfew like this.
  16. philess

    philess Networkin' Nut Member

    I am having an odd bug in regards to miniupnpd. I only want to enable UPNP/NAT-PMP for my guest network (br1),
    not for br0. So I select the according options in the WebUI and miniupnpd is starting.

    I am posting this in this thread because i think it might be related to the FW Mod.

    Apr 25 17:49:44 router daemon.err miniupnpd[9988]: Can't find in which sub network the client is
    Syslog gets spammed with that. Now i found a few threads around the web about it.
    Apparently the notation of the "listening_ip" is wrong.

    By default, Tomato (or at least Victek Mod) seems to generate the /etc/upnp/config with this:

    allow 1024-65535 1024-65535
    Now *apparently* that is wrong. It should be (CIDR notation?)
    I have no real clue about these notation, but i tried every way i can think of.
    I created a /etc/upnp/custom.config with just those lines, and after a
    "service upnp restart", the "cat /etc/upnp/config" confirms that it has been appended.
    But I can't get it working properly. makes the daemon unable to start (no such device, cannot assign) the same, no such device

    I have tried this on a RT-N16 using R1.0 Victek, and also on a E4200 with R1.1f, same results.

    Now the odd thing is, when i select br0 and br1 in the WebUI, it generates the config using
    the same pattern as before with only br1, but the errors stop appearing. The same when
    i select only br0. No errors, and the forwardings show up in the WebUI.

    So i am at a loss here. I would really like to have UPNP/NAT-PMP working here.
    What am i doing wrong? Is it not supposed to work on only br1?

    Any input on this is very appreciated. Maybe its not a bug and i am just plain dumb.
  17. kthaddock

    kthaddock Network Guru Member

    Try this set up:
    must be subnet in this form in newer FW. /
  18. philess

    philess Networkin' Nut Member

    Thank you! But then i get:

    Apr 25 18:37:57 router daemon.err miniupnpd[13172]: setsockopt(udp, IP_ADD_MEMBERSHIP): No such device
    Apr 25 18:37:57 router daemon.warn miniupnpd[13172]: Failed to add multicast membership for interface
    Apr 25 18:37:57 router daemon.err miniupnpd[13172]: setsockopt(udp, IPV6_ADD_MEMBERSHIP): No such device
    Apr 25 18:37:57 router daemon.err miniupnpd[13172]: setsockopt(udp_notify, IP_MULTICAST_IF): Cannot assign requested address
    Apr 25 18:37:57 router daemon.err miniupnpd[13172]: Failed to open sockets for sending SSDP notify messages. EXITING
  19. Victek

    Victek Network Guru Member

    Thank you for reporting, I found this bug earlier in a beta test committed by other guy, already fixed for the next release, I hope it will be definitive release too ;)
    This bug extends to the main source code, so I think all Tomatos should suffer the same issue.

    philess and Elfew like this.
  20. philess

    philess Networkin' Nut Member

    Ah nice to hear Victek! Thanks for the effort, looking forward to your next version.

    Unfortunately that is also bad news for me right now haha. The RT-N16 i am configuring right now
    has to be done in a few days and having miniupnpd working (but only on br1) would have been really
    helpful for that person. Upgrading the firmware later on is almost impossible since the router will be
    used a few hundred kilometers away from me and the owner himself cant do it.

    But i am looking forward to use the next release on my own router tho! :)
  21. Edrikk

    Edrikk Network Guru Member

    Hi Vic,
    Tried looking through the changelog, but it looks like it's not an 'accumulated' one (sorry if I misunderstand that)... I know you've added a LOT of things, but they weren't listed, so that's my assumption.

    With that said, may I ask if the new miniupnpd from the RMerlin (and later Shibby) branches were merged into your code?

    Thanks a lot!
  22. Victek

    Victek Network Guru Member

    @philess, Well ... remote upgrade it's something we (roadkill and me) have in our todo list linked to a cloud config restore managed by the router owner. But prior to it we need to clean more sections in the firmware.

    @ Eddrik, I don't know, better ask them. Any person using tomato repo and including upnp for VLAN bridge is exposed to the bug. About the changelog, I wrote the changelog for release 1.1g and.. it's not released yet.

    Also I have bad news to communicate (or the excuse for some of you to buy a new router ...): E3000 and routers with 8MB flash can't be upgraded to the full next release with php 5.4.14 + nginx 1.28 (yes.. finally we switch to nginx due to many good reasons). Nevertheless a standard version without web server will be available.
    Elfew and philess like this.
  23. gffmac

    gffmac Serious Server Member

    Thanks for the update Vic, sad about the e3000 but good news you will have a version without webserver until I eventually get a new router :)
  24. Edrikk

    Edrikk Network Guru Member

    I think you misunderstood me Victek. RMerlin and Shibby have updated to miniupnpd 1.8 about a month ago... I was wondering if you had already done so in your branch as well or not...
  25. Victek

    Victek Network Guru Member

    @ Eddrik, for sure I misunderstood, yes, same version ..
  26. zapoqx

    zapoqx Networkin' Nut Member

    well that confirms upgrading to something more high end. Thx for the info Vic!
  27. Victek

    Victek Network Guru Member

    Yes, btw .. nginx upgraded to release 1.4.0, SPDY will not be included for the moment.. let's wait comments.;)
    Elfew likes this.
  28. Elfew

    Elfew Addicted to LI Member

    About 7hours of testing, everything is stable and no problem so far.

    We will see later, I will flash new f build on monday on my private router in my office. Previous build was really stable, no problem during over 30days of testing under heavy usage.

    Thank you
  29. M0g13r

    M0g13r LI Guru Member

    hi victek

    can u plz add an id to the etherport gifs

    <img src="eth_1000.gif"> to <img id="eth1000" src="eth_1000.gif">

    then we can change the gfx with the theme.css
  30. leshan

    leshan Network Guru Member

    Thank you Victeck for your great RAF builds. The logo is much better than the old tomato.
    Can't wait for the final release.

    Installed 1.1f on my E4200. simply and rawly tested by transfer large file from wired PC.
    5Ghz and 2.4Ghz are faster than the other tomato mods(about 1MB-2MB faster).
    Wired same as the other tomato mods.
  31. Victek

    Victek Network Guru Member

    @leshan, thanks for your feedback, appreciate it ...

    Sure, will do in a moment in this build.... please look how I did ...
    if (port == "DOWN") {
        state = '<img id="eth_off" src="eth_off.gif"><br>';
        state2 = port.replace("DOWN","Unplugged");
    }
    else if ((port == "100FD") || (port == "100HD") || (port == "10FD") || (port == "10HD")) {
        state = '<img id="eth_100" src="eth_100.gif"><br>';
        state1 = port.replace("HD"," Half-Duplex");
        state2 = state1.replace("FD"," Full-Duplex");
    }
    else if ((port == "1000FD") || (port == "1000HD")) {
        state = '<img id="eth_1000" src="eth_1000.gif"><br>';
        state1 = port.replace("HD"," Half-Duplex");
        state2 = state1.replace("FD"," Full-Duplex");
    }

    Ok, Beta 1.1g (nearly the end release) with two typos that I have to solve in the coming days .... is ready for RT-N16/RT-N66U/E4200.

    Changelog: It's in the site .. but as always I post something to save you time and decide.. I mention what it's updated or added from Beta 1.1f ;)

    Version 1.1g
    _ DNSmasq 2.67 test from KDB.
    _ rp-pppoe 3.11 (updated from last build done in 2008).
    _ Dropbear 2013.58 (updated from last build made in 2010)
    _ BusyBox ... 1.20.2 release.
    _ NGINX 1.4.0. Web Server with HTTP-HTTPS-SPDY ready. (Last build April 2013)
    _ PHP 5.4.14. PHP-Cli, PHP-Fastcgi. (Last build April 2013)
    _ PCRE 8.32.(Last build March 2013)
    _ Network Traffic Congestion Control (Look at the bottom of QoS Basic menu).
    _ NTPD Server. (From Busybox 1.20.2 new feature).
    _ OpenSSL release 1.0.1c
    _ Ext3 filesystem OOM (Out of Memory) issue fixed.
    octra, Elfew and philess like this.
  32. philess

    philess Networkin' Nut Member

    That's great news and a lot of awesome additions to 1.1g Victek!! Thank you
    so much for your continued efforts! I will flash 1.1g on E4200 hopefully this week.

    But i wonder how stable the DNSmasq 2.67 test actually is.
  33. zbeyuz

    zbeyuz Serious Server Member

    Do I need to clear nvram and config setting all over again when upgrading to this build ?

    I am on 1.1f - E4200 v1.
  34. Victek

    Victek Network Guru Member

    I can't test IPv6 .. in IPv4 one week, stable.

    @zbeyuz, no need to clear nvram.

    Elfew and philess like this.
  35. macgyver

    macgyver Reformed Router Member

    First off thanks for all your work on this great firmware...I have been running 9013 on E3000 without issue, but attempt to flash the 1.1f beta results in wrong mac as Peter has posted...I get the same mac addresses for my router which was fixed by flashing back to 9013.1.0
  36. shibby20

    shibby20 Network Guru Member

    may we know when you will push code to git repository?
    M_ars likes this.
  37. Victek

    Victek Network Guru Member

    Hi shibby, when the definitive release will be published. I will be very sad if one Tomato RAF bug creates problems to other distributions .....

  38. M0g13r

    M0g13r LI Guru Member

    thx Victek ! screenshot1.jpg eth_100.gif the gif i used ....
  39. Victek

    Victek Network Guru Member

    That's a very nice information!, so going back to 9013v1.0 solved this issue? then it's easy to track what is wrong. Thanks

    @M0g13r ... ;) Love your gif ...
  40. macgyver

    macgyver Reformed Router Member

    yes reverting to Tomato Firmware v1.28.9013 MIPSR2-R1.0--RAF K26 USB VLAN-VPN-NOCAT has fixed the mac address issue...I also had the same mac as Peter posted specifically 00:01:36:1F:E4:59
  41. M0g13r

    M0g13r LI Guru Member

    last 1.1g on RT-N66U
    if i hit the save button on Basic / Network

    it shows .... The field "ppp_username" is invalid. Please report this problem.

    what i now did ;)

    saving the setting with an nvram set & commit works .....

    on Bandwidth & B/W Limiter and sub pages in header is shown Tomato without RAF (geko engine)

    Edit: on IE 8 RAF is only missing on B/W Limiter
  42. 4char

    4char Network Guru Member

    Flashed the 1.1g 64K build to RT-N66U. Now I see a yellow box with "iptables-restore: line 76 failed" in it on the Access Restriction page after I add a rule to block three MAC addresses (all day, everyday, all internet access). Even after I reload the page.

    EDIT: I also see this error msg on the Port Forwarding page.

    Also, it doesn't seem the time is set correctly in the log (time is correct in the overview page). I also see this in the log too:
    Dec 31 16:30:01 HomeNet user.err rcheck[1172]: Iptables: activating chain "rres01" failed. Retrying in 15 minutes.

    From iptables -vL:
    Chain rres01 (1 references)
    pkts bytes target prot opt in out source destination
    26021 4549K rstr01 tcp -- any any anywhere anywhere multiport dports domain,www,https
  43. kyrios

    kyrios Serious Server Member

    I've encountered the same problem with Shibby's build. Restarting the router does solve the problem.
    You should try it.
  44. M0g13r

    M0g13r LI Guru Member

    Victek have u some time to waste ?! *G*

    Old QOS - not IMQ based

    it would be nice to have this as configurable gui
  45. M_ars

    M_ars LI Guru Member

    Victek can you share your code in git?
  46. M0g13r

    M0g13r LI Guru Member

    can u wait if he finished his work ?
  47. 4char

    4char Network Guru Member

    No. Restart did not work. Still see the error msg

    Send from my phone
  48. Victek

    Victek Network Guru Member

    Erase nvram and please do not use restore files from other firmware, this error is created by something you add, I can't reproduce it ;)

    @M_ars, look at my previous answer to this subject: to push untested code and constant updates hurts people's confidence in Tomato firmware and also in the mod. I release Betas, then test, then upgrade and when everything works I'll push. But.. try my firmware, give feedback and when everything works then I'll upload .. ;)

    @M0g13r, As many of you know I'm not a QoS fan, I create the BW limiter based in TC shaping and HTB, more robust and keeps the switch clean for good bandwidth. What's wrong with QoS when you request to go back to the old code? Thanks!
    philess likes this.
  49. piotrpiano

    piotrpiano Serious Server Member

    Shibby was looking into this problem and, hopefully, has found a solution. You might want to get in touch with him and ask about it. If he hasn't, maybe both of you could work it out then.
  50. Victek

    Victek Network Guru Member

    The problem as I said it's created by traces of previous nvram values or restoring file from other distribution ... the countermeasure as other guy posted was to erase nvram (to erase these values) and start a clean setting.
  51. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member


    At the present time, I'm the person keeping Tomato's dnsmasq in-step with Simon's dnsmasq release path. You can see what changes Simon puts into dnsmasq here http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=summary and the version I put into Tomato's dnsmasq tries to copy the tagging. Simon is pretty active at the moment, and as is typical, just as he releases v 2.66 after being through several test versions & several release candidates, someone spots a fairly corner case bug, I discover an error in the tomato helper code, so that's why we're at something like 2.67test2. There's been really very little change between dnsmasq 2.66 and 2.67test'n'.

    To be blunt, when I first upgraded from 2.61 to 2.66test'n' I didn't even realise that there was specific tomato helper code, effectively undocumented and 'hidden' away. I have at least wrapped all the tomato stuff around a compile time switch, similar to other dnsmasq features, so that whoever maintains this in the future at least has a fighting chance of noticing Tomato's version is subtly different.

    Sometime in the next couple of test releases I'd like to document in the code just what the tomato dnsmasq helper code does and why. This will break tradition wildly from the existing code tree which is an absolutely undocumented mucking fuddle, with hack built upon tweak built upon workaround.
    RMerlin, Victek and philess like this.
  52. piotrpiano

    piotrpiano Serious Server Member

    I don't want to argue with you on this as I am a complete linux ignorant compared to yourself but as far as my experience with this problem goes, it is not related to "dirty" nvram as in my case (on Shibby 105 and 108 builds and RT-N66U), what seems to trigger it, is configuring and enabling of the ftp server (no iptables error before this step). And it's done on a completely fresh install with erased nvram.
    It's been reported on the Polish forum and I know Shibby was looking into it. So hopefully he found the culprit and was able to fix it.
  53. 4char

    4char Network Guru Member

    I flashed the 1.1f on to my new RT-N66U (of course 30-30-30 reset). and I did not restore settings from any files. Only using 'nvram set ...' in Tool -> System to set the port forwarding and static IP settings since I have few of them and don't want to enter manually :p, then upgrade to 1.1g (no reset) and manually entered one more Access Restriction rule.
    Also, I did not enable the ftp server either.
  54. Victek

    Victek Network Guru Member

    @ KDB, right, only the creator of Tomato knows what he did and this is the reason, since many years ago, that I distribute firmware to people who like to test and then, when it seems everything is ok, share. In any case I thank you very much for sharing your findings and thoughts in the forum. :)

    @ piotrpiano thanks for your help in the subject but;
    1st, I can't reproduce the issue and
    2nd, According what @4char explained is not related with ftp server also.

    I'm trying my best to reproduce without success till now. This issue happened longtime ago.. checking my notes it was related to IMQ .. go to review again pushing to force ;) .

    @ 4 char, would you try the last beta? 1.1g is available since three days ago but the links in my web are pointing to previous beta still, my mistake, I update right now. Thanks.
  55. M0g13r

    M0g13r LI Guru Member

    i think there is something wrong with the gui input checks

    if i hit the save button on Basic / Network

    it shows .... a yellow box near save button

    The field "ppp_username" is invalid. Please report this problem.

    what i now did ;)

    saving the setting with an nvram set & commit works .....
  56. philess

    philess Networkin' Nut Member

    Thank you for that insight and all your efforts on dnsmasq! :)
  57. 4char

    4char Network Guru Member

    Thanks Victek. Will try it when I get home.
  58. Victek

    Victek Network Guru Member

    @ M0g13r .. would you post me a private message with more details , really, I tried now and it works!!

    Router model and firmware version please .... :confused:
  59. 4char

    4char Network Guru Member

    I reflashed the 1.1g image (dated May 1), and it still has this problem. This is how to trigger it:
    with only one rule in Access Restriction it's OK, but if I add one more rule then the error shows up.

    There's no error before adding the rule:


    Adding following rule (I did try several different MAC address):


    After Save:

  60. shibby20

    shibby20 Network Guru Member

    But Vic, this can take you a lot of months. We all (other devs) are pushing changes to git very quickly. If we miss/break something, then another person can fix it or report the problem (on forum, pm, email). This allows us to work faster. Well IMO "not publishing sources" is not fair to other devs.

    If you really don`t want publish not-ended sources, then you can push only this part of changes that you are 100% sure is completed. But this is only my opinion.
    M_ars likes this.
  61. Elfew

    Elfew Addicted to LI Member

    Hey shibby, but you push commits to your git after you release a new final build... But Victek releases only beta test builds... I understand, but it takes time, and why publish something with bugs or errors... just wait for the final release.

    It's a waste of time to port something from beta builds because everything could be changed...

    That's my opinion
  62. M_ars

    M_ars LI Guru Member

    I have to agree. Shibby, Toastman, and many more push their changes even if it's a "beta". Black-box testing is ok - but I would like to see what has changed. And someone may be able to help improve the code...
    Providing beta code does not hurt in my opinion. Like you said, there will never be a final version/code :)
    If someone makes a custom image it is not your responsibility in my opinion

    best regards
  63. shibby20

    shibby20 Network Guru Member

    correct. Teddy_bear released 54 versions and all were beta versions. @Elfew are you trying to tell me that teddy should not have released his sources because it was not a final/stable/bug-free version?

    but I always publish sources and I never said it's a final release. I'm not a monkey. I do not take some diff, merge, compile and release untested changes. I'm always testing new changes myself. I just want to look for changes, fixes and improvements. I'm not interested in new features like sip or php at the moment. That's all.
  64. Victek

    Victek Network Guru Member

    Hi all, thanks for your opinions about sources.
    @M_ars, shibby and all interested people who want to see the code: the code has always been available in the download area after each beta. When the beta is released as stable it will be pushed.

    4char and M0g13r, I detected what you did and the problem will be solved in the next beta release 'h', available today. The reason for the bug? .. some (many) changes in the length of values in nvram, and when you exceed the length the gui shows this error; cured and uploading new versions. (I have never seen a ppp user with a 40 character length!!! :confused:)

    Edit: shibby, I read your last comment; if you need to know what I changed specifically instead of diffing all the code, ask me and I can provide a short summary of changes. ;) In fact that is what I wrote already.. new versions for the modules.

    When I release code in the git it has always been the final version.

    In summary, I know what GPL means and my target is to avoid the big number of complaints from people testing Tomato. If you 'shibby' release a bug it's a virus for all the other people interested in applying it. This is what I would like to avoid in Tomato; it's a message for all people pushing to the git.
    Elfew likes this.
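    The failure described above (the GUI rejecting a field because the stored nvram value is longer than the new limit) is easy to check for before flashing. Below is an added example, not code from the thread or from Tomato RAF: a POSIX sh helper that scans an `nvram show`-style key=value dump and reports every value longer than a limit. It assumes the dump was saved on the router with `nvram show > /tmp/nvram.txt`; the sample dump and the account name in it are constructed placeholders, and the 40-character ppp_username figure comes from the thread. Multi-line nvram values (script variables) would be undercounted, since `nvram show` prints them across several lines.

```sh
#!/bin/sh
# Added example (not Tomato RAF code): find nvram values longer than a given limit.
# Input is a key=value dump in the form "nvram show" prints, one pair per line,
# e.g. saved on the router with:  nvram show > /tmp/nvram.txt
# Lengths are counted in bytes with wc -c, which is what a C-side length check sees.

# nvram_value_len <dump> <key>: print the byte length of <key>'s value, or fail if absent.
nvram_value_len() {
    dump=$1; key=$2
    while IFS= read -r line; do
        case "$line" in
            "$key="*)
                printf '%s' "${line#"$key="}" | wc -c | tr -d ' '
                return 0 ;;
        esac
    done < "$dump"
    return 1
}

# nvram_values_over <dump> <max>: print "key=length" for every value longer than <max> bytes.
# Returns 0 if at least one was found, 1 otherwise. Lines without '=' (the size trailer) are skipped.
nvram_values_over() {
    dump=$1; max=$2; found=1
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac
        key=${line%%=*}
        value=${line#*=}
        len=$(printf '%s' "$value" | wc -c | tr -d ' ')
        if [ "$len" -gt "$max" ]; then
            echo "$key=$len"
            found=0
        fi
    done < "$dump"
    return $found
}

# write_sample_dump <path>: a constructed dump. The ppp_username is 48 bytes, past the
# 40-character limit mentioned in the thread; the account name is a placeholder.
write_sample_dump() {
    cat > "$1" <<'EOF'
wan_proto=pppoe
ppp_username=user-0123456789-0123456789@broadband.example.net
lan_ipaddr=192.168.1.1
dhcp_lease=1440
---
size: 113 bytes (32655 left)
EOF
}

# Stand-alone run: report anything over 40 bytes in the sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && write_sample_dump "$f"
    nvram_values_over "$f" 40 || echo "no values over 40 bytes"
    rm -f "$f"
fi
```

    Run it with `--demo` to see the report for the sample; on a router, point `nvram_values_over` at the saved dump and at the limit of the field the GUI complains about, and you know which key to shorten (or to set directly with `nvram set`, as M0g13r did) before the web page will save.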
  65. shibby20

    shibby20 Network Guru Member

    I visited your website lots of times and I didn't see sources. I saw only sources from January. Thanks and sorry.

    btw congratulations on the new domain tomatoraf.com :)
  66. 4char

    4char Network Guru Member

    Thanks Victek. Will try the 1.1h tonight.
  67. gffmac

    gffmac Serious Server Member

    I presume nothing past f will work on e3000...
  68. Victek

    Victek Network Guru Member

    Oppssss!! all the Poland visits were you? LOL .. Dear shibby, as always let's join efforts instead of excuses; it will make Tomato stronger ... I don't like races in the git and confusing versions every week, changing the release number with patches for bugs. It's almost impossible for one human being to test the firmware with all the options present in the firmware and the configurations used by the users; this is the reason for betas. Thanks.

    gffmac, don't worry, the final version will need a closer look and we'll decide the features to pass to the E3000, but the router will use the definitive release 1.2
    Elfew and zbeyuz like this.
  69. Elfew

    Elfew Addicted to LI Member

    It is only your opinion, I can live with that, don't worry ;) But everybody knows why Victek hasn't published the latest changes in beta. I am happy that Victek releases public beta versions for testing purposes; many bugs were fixed thanks to beta builds. Tomato is open source under the GPL licence - the latest official stable build and its sources are public and everybody can download them, so where is the problem?

    and if you don't understand, just read this again before you write something:
  70. M0g13r

    M0g13r LI Guru Member

    hi victek ... perfect ... thx
  71. 4char

    4char Network Guru Member

    Victek, I just tried 1.1h (Built on Thu, 02 May 2013 17:56:27 +0200) on the RT-N66U and the error ("iptables-restore: line 75 failed"; well, yesterday it was "line 76", today it's "line 75") still shows. I didn't do an nvram reset (from 1.1g to 1.1h, should be OK, right?!)
  72. Riddlah

    Riddlah Networkin' Nut Member

    Confirmed, the same happens. Mine is "iptables-restore: line 68 failed". This was a clean flash through recovery mode on an RT-N16
  73. RMerlin

    RMerlin Network Guru Member

    Victek, Elfew and philess like this.
  74. M0g13r

    M0g13r LI Guru Member

    for me adding rules to access restriction works; added 4 different rules with different matches, times and so on .... strange
    RT-N66U, latest 1.1h 64k
  75. 4char

    4char Network Guru Member

    Another data point is that the same error message ("iptables-restore: line 75 failed") appears/disappears on both the Access Restriction and Port Forwarding->Basic pages for me.
    I also added a couple more Access Restriction rules (different days/times/MACs) just to see if the error message goes away, but it still shows.
  76. Victek

    Victek Network Guru Member

    @4char && Riddlah thanks for reporting, but a clear nvram in release h is needed if you came from release f, to accept the new values; I think this erratic behavior (appears/disappears) has some link with it, please try and give feedback. If @M0g13r solved it with the h release then your version should solve it too, OR do you have rules longer than 4096 Bits?

    @RMerlin, thanks, I'll take a look when all present features in RAF are stable and before the definitive release. ;)
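    The "iptables-restore: line N failed" messages reported in this thread name a line of the generated restore file, not a rule index: N counts every line of that file, including the `*table`, `:CHAIN` and `COMMIT` lines, which is why the number moves (76, 75, 68) as rules are added or the build changes. Below is an added example, not code from the thread or from Tomato: a POSIX sh helper that maps the message back to the rule text and the table it sits in. It assumes the ruleset is written to `/etc/iptables` before `iptables-restore` runs (an assumption about the Tomato build; check `firewall.c` or look in `/etc` on your router), and the sample ruleset, addresses and MAC are constructed placeholders.

```sh
#!/bin/sh
# Added example (not Tomato code): map "iptables-restore: line N failed" back to the rule text.
# Tomato writes the generated ruleset to /etc/iptables before calling iptables-restore
# (assumption about the build; verify on your router). Line N counts every line of that
# file, including "*table", ":CHAIN" and COMMIT lines, so it shifts as rules are added.

# restore_error_line "<message>": print N from the error message, nothing if none.
restore_error_line() {
    printf '%s\n' "$1" | sed -n 's/.*line \([0-9][0-9]*\) failed.*/\1/p'
}

# rule_at_line <file> <n>: print line n of the restore file.
rule_at_line() {
    sed -n "${2}p" "$1"
}

# table_for_line <file> <n>: print the table (filter/nat/mangle) the line belongs to,
# i.e. the last "*table" marker at or before line n.
table_for_line() {
    head -n "$2" "$1" | grep '^\*' | tail -n 1 | sed 's/^\*//'
}

# failed_rule <file> "<message>": print "N table rule"; fail if the message has no line number.
failed_rule() {
    n=$(restore_error_line "$2")
    [ -n "$n" ] || return 1
    printf '%s %s %s\n' "$n" "$(table_for_line "$1" "$n")" "$(rule_at_line "$1" "$n")"
}

# write_sample_ruleset <path>: a constructed restore file in the layout iptables-restore
# expects. Addresses and the MAC are documentation placeholders.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:restrict - [0:0]
-A FORWARD -j restrict
-A restrict -m mac --mac-source 00:11:22:33:44:55 -m time --timestart 22:00 --timestop 06:00 -j DROP
COMMIT
EOF
}

# Stand-alone run against the sample, with a message in the thread's format.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && write_sample_ruleset "$f"
    failed_rule "$f" "iptables-restore: line 13 failed"
    rm -f "$f"
fi
```

    On the router the call would be `failed_rule /etc/iptables "$(grep iptables-restore /var/log/messages | tail -n 1)"` (path assumed as above). Once the rule text is known, running just that rule by hand with `iptables -t <table> -A ...` reproduces the real error message from the match module, which the restore failure hides; that is the quickest way to tell a missing kernel module (mac, time, web) from a malformed option.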
  77. M0g13r

    M0g13r LI Guru Member

    victek .... why are you limiting inputs in the gui ?!
  78. Victek

    Victek Network Guru Member

    :rolleyes: .. you'll see in coming releases ... just testing nvram alternatives .... sorry for the inconvenience.

    @RMerlin, you have a message about one open issue in your distribution, I hope it may help. Shibby, you're cc'd.
  79. M0g13r

    M0g13r LI Guru Member

    sounds interesting :cool:
  80. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    You may laugh, but my PPP username for an ISP I used to use was stupidly long; I remember politely emailing Jon & asking if he could permit more characters in the GUI whilst I manually set the variable in NVRAM. I'm pleased to say he did so.
  81. Victek

    Victek Network Guru Member

    No, sorry, I'm not laughing, I just learned something to keep in mind before touching a simple value. ;)

  82. were55

    were55 Addicted to LI Member

    Testing v1.28.9013 MIPSR2-RAF-v1.1h K26 USB VLAN-VPN-NOCAT-NGINX on an RT-N16, everything is working fine so far. One question, how may I label the ethernet ports? I can't figure out what needs to be modified.

  83. Victek

    Victek Network Guru Member

    Well... I did not think about it; it's hardwired in the code, not difficult to modify but again .. more values in nvram ;). Instead of that I prefer to work on labeling the Device List rather than the Ports Monitor.

    By the way, you have a new beta release 9013 V1.1'i' in the beta section, uploaded a few minutes ago. Solves IPv6 issues.

  84. FattysGoneWild

    FattysGoneWild LI Guru Member

    Not pushing and just curious. Are you getting closer to a final release soon?
  85. 4char

    4char Network Guru Member

    Hi Victek, I won't be able to try it during the weekend, to reset everything and manually enter all the values. I'll try later when I can shut down the network for a longer period of time.
    No, I don't have any nvram setting longer than 2000 Bytes (the "4096 Bits" you talk about is Bytes, right?)

    What about the timestamps in the log? My log entries all have "Dec 31" as the date.
  86. Victek

    Victek Network Guru Member

    ;) It always depends on requests and bugs, but let's say that I can close the race now, fixing two unfinished features and releasing a stable version, and tomorrow release a new beta.. ;) as you know it's always a WIP if you like code as a hobby.

    @4char. The timestamp in my log shows the actual time once the router syncs with ntp servers. Are you behind a network with another router?
    May 4 03:00:01 RT-N16 syslog.info root: -- MARK --
    May 4 04:00:01 RT-N16 syslog.info root: -- MARK --
    May 4 05:00:01 RT-N16 syslog.info root: -- MARK --
    May 4 06:00:01 RT-N16 syslog.info root: -- MARK --
    May 4 07:00:01 RT-N16 syslog.info root: -- MARK --
    May 4 08:00:01 RT-N16 syslog.info root: -- MARK --
    May 4 09:00:01 RT-N16 syslog.info root: -- MARK --
  87. FattysGoneWild

    FattysGoneWild LI Guru Member

    Nice. When you are finished, what version would you advise for me? E4200 v1. I am a basic user who has other PCs at home and game consoles. Just want a few extra features that the stock firmware does not have and Tomato offers. Example: the automatic download of an MVPS hosts file. Love that script. It's been so long since I have used Tomato. The last time I used it was with a WRT54GL v1.1 and it was your firmware. Also, I use dhcp. Is that automatically on in your firmware? If I recall, Toastman turns that off in his version.

  88. Victek

    Victek Network Guru Member

    Beta release 'j' for the E4200v1, updated with the last fixes, is ready. Features are restricted by FLASH RAM capacity; dhcp is always enabled in Tomato RAF.
    Direct link... http://goo.gl/LfhPh
  89. M0g13r

    M0g13r LI Guru Member

    hi Victek

    hitting the save button on the web server page does nothing :\
    nvram set and commit works

    there is something wrong with nvram global_rate
    if i set this with nvram commit .. it does not show in the page

    latest 1.1j 64k on RT-N66U
  90. Victek

    Victek Network Guru Member

    @M0g13r, thanks, I know, the webserver is still work in progress, it's a beta ;)

    edit: to run it as a test it's easy, please type the following from the cli:
    nvram set nginx_enable="1"
    nvram commit
    service enginex start

    and then type in the browser your routerIP:85 .. it will show the test page. We have to finish the webgui and the external path location for docroot files.
  91. M0g13r

    M0g13r LI Guru Member

  92. shibby20

    shibby20 Network Guru Member

    my suggestion: add a textarea for custom configuration of nginx and lighttpd. This will be a good solution for more advanced users.

    Best Regards.
  93. Victek

    Victek Network Guru Member

    Thanks shibby, at the moment only nginx is added; lighttpd was removed due to the infinite user combinations and wishes. nginx is fully compiled. A textarea can be added but it points to the configuration file and, as I said, it's fully compiled now. ;)
    M0g13r, read my edit in the post before your reply ;)

    edit: btw .. new beta release 'k' ready... what a day!!! Changelog: Applying dnsmasq IPv6 patches to run. If you're not using IPv6 or not interested, forget it.
  94. occamsrazor

    occamsrazor Network Guru Member

    Hi all, just wanted to say it seems like there's some exciting developments coming very soon, and to thank you all for your work, it's good to see Tomato advancing forward. Had a read of Victek's changelog & beta page and noticed the addition of Siproxd. As a frequent SIP user (via Linksys/Cisco SPA-3102 ATA box, as well as iPhone SIP clients) I'm very interested in this. Just wondering if anyone has been beta-testing this and whether it is considered an effective solution...
  95. M0g13r

    M0g13r LI Guru Member

    victek, the webserver runs fine :)
    but is damn slow :\
  96. Elfew

    Elfew Addicted to LI Member

    Yes, the speeds are not the highest, but it is really useful as an easy-to-use web server... I OCed my asus and the speeds are a little bit higher
  97. Victek

    Victek Network Guru Member

    ;) it can run like the speed of light but I restricted the process priority relative to the other tomato modules, don't worry. The module priority (interrupts) can be adjusted (will be one more option to add to the webui... yep); when the gui runs you can test and select the priority for the feature.

    Thanks for the feedback!
  98. Elfew

    Elfew Addicted to LI Member

    So is it possible to adjust it for more speed?
  99. jerrm

    jerrm Network Guru Member

  100. Victek

    Victek Network Guru Member

    We released the SIP module in the first beta releases but unfortunately we didn't get any feedback, then we put the features in sleep mode and now we try to release them one by one; now it is sleeping until the web server is finished. I'll advise in the changelog what features are active and can be tested.


    edits while I was answering the first question...

    @Elfew, yes, the kernel has priority -5 and the web server is now at priority 10 (higher priority means low reaction time, less interrupts to CPU), so it's really sloooow. ;) .. but I just did it to test and see logs. You can adjust it depending on demand and hardware performance in your router.
    @jerrm, ... I was thinking of something better... please read what you can do with nginx: http://nginx.org/en/
    Elfew likes this.
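    The "priority 10" above is a Linux nice value. Nice values run from -20 (most favoured by the scheduler) to 19 (least favoured), so a daemon started at nice 10 only gets CPU time when nothing at a lower nice value wants it, which is why it feels slow on a busy router. Below is an added example, not code from the thread or from Tomato: a POSIX sh helper that reads the nice value of a running process from `/proc` and changes it with `renice`, the same adjustment a user could make for the web server from the CLI before the GUI option exists. It assumes a Linux `/proc` and the `nice`/`renice` applets that busybox provides; `sleep 30` stands in for the daemon.

```sh
#!/bin/sh
# Added example (not Tomato code): read and change the nice value of a running daemon.
# Linux nice values: -20 is most favoured by the scheduler, 19 least favoured.
# Uses /proc, nice and renice, all present in busybox as well as on desktop Linux.

# nice_of_pid <pid>: print the nice value from /proc/<pid>/stat; fail if the pid is gone.
# The comm field is enclosed in parentheses and may contain spaces, so strip through ") "
# first; after that the nice value is field 17 (priority is field 16).
nice_of_pid() {
    [ -r "/proc/$1/stat" ] || return 1
    sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $17 }'
}

# set_nice <pid> <nice>: set an absolute nice value. Without -n, both busybox and
# util-linux renice treat the number as absolute; unprivileged users may only raise it.
set_nice() {
    renice "$2" -p "$1" >/dev/null
}

# start_at_nice <nice> <command...>: start a command at the given nice value;
# the pid is left in $last_pid for the caller.
start_at_nice() {
    n=$1; shift
    nice -n "$n" "$@" &
    last_pid=$!
}

if [ "${1:-}" = "--demo" ]; then
    start_at_nice 10 sleep 30
    sleep 1   # give nice(1) a moment to call setpriority before it execs the command
    echo "pid $last_pid started at nice $(nice_of_pid "$last_pid")"
    set_nice "$last_pid" 15
    echo "after renice: nice $(nice_of_pid "$last_pid")"
    kill "$last_pid"
fi
```

    To apply this to the router's web server, find its pid with `pidof nginx` (busybox has `pidof`) and call `set_nice` with a lower value than the one it was started with; lowering a nice value needs root, which is what the Tomato shell runs as. Keep it above the values used by dnsmasq and the firewall helpers, so an HTTP burst cannot starve DHCP and DNS for the rest of the LAN.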
