[Bug 903] New: Second rule is not getting executed when we give different timeouts for the same ip address.

bugzilla-daemon at netfilter.org
Tue Feb 11 09:49:22 CET 2014


           Summary: Second rule is not getting executed when we give
                    different timeouts for the same ip address.
           Product: iptables
           Version: unspecified
          Platform: i386
        OS/Version: Ubuntu
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: pradiptakumarrout01 at gmail.com
   Estimated Hours: 0.0

Hi,
I got the following issue in my project. I have added the iptables timeout support
in my project, but am having the following issue.

Description / Steps To Reproduce:
1. Try the following command to block a client from 13 to 16:
   iptables -A INPUT -s -m time --kerneltz --datestart 2014-2-11T13 --datestop 2014-2-11T16 -j DROP
2. Try the following command to accept the same client from 13:30 to 14:
   iptables -A INPUT -s -m time --kerneltz --datestart 2014-2-11T13:30 --datestop 2014-2-11T14 -j ACCEPT
Actual Result:
Only the first rule got executed, i.e. the client IP is blocked from 2/11/2014 13
to 2/11/2014 16. The second rule was not executed.
Expected Result:
Since the two rules differ in their timeouts, both rules should get executed,
i.e. the client IP should be blocked from 2/11/2014 13 to 2/11/2014 13:30 and
from 2/11/2014 14 to 2/11/2014 16. It should be accessible in the time period
2/11/2014 13:00 to 2/11/2014 13:30.
Kindly tell me the cause why the second rule did not execute.
I know it filters the packets, but what makes a packet unique: the IP, the port, or
what? My understanding is that once a packet has been handled, iptables will not
execute any further rules for the same packet.
But what makes a packet for iptables, and how can we tell that this rule is not
executed due to this reason?
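Rules in a chain are evaluated top to bottom and the first rule with a terminating target (DROP or ACCEPT) decides the packet's fate, so an ACCEPT rule appended after a DROP rule whose window already covers it can never be reached. The following Python model is an added illustration, not part of this bug report or of iptables itself; it walks a chain in rule order with the two date windows from the report (treated as inclusive, as an assumption) and compares the reported ordering with the ACCEPT rule placed first.

```python
from datetime import datetime

# Constructed model of netfilter chain traversal: rules are tried in order
# and the first match with a terminating target returns that verdict.
# This is a simulation for illustration, not iptables code.

def rule(start, stop, target):
    """One '-m time --datestart START --datestop STOP -j TARGET' rule."""
    return {"start": datetime.fromisoformat(start),
            "stop": datetime.fromisoformat(stop),
            "target": target}

def verdict(chain, when, policy="ACCEPT"):
    """Walk CHAIN top to bottom; return the target of the first rule
    whose time window contains WHEN, else the chain policy."""
    for r in chain:
        if r["start"] <= when <= r["stop"]:   # window assumed inclusive
            return r["target"]
    return policy

# The two rules from the report, in the order they were appended (-A).
as_reported = [
    rule("2014-02-11T13:00", "2014-02-11T16:00", "DROP"),
    rule("2014-02-11T13:30", "2014-02-11T14:00", "ACCEPT"),
]

# The same rules with the narrower ACCEPT window first, which is what
# inserting the ACCEPT rule at position 1 (iptables -I INPUT 1 ...) gives.
accept_first = list(reversed(as_reported))

def schedule(chain):
    """Verdict at sample instants before, inside and after the windows."""
    probes = ["2014-02-11T12:59", "2014-02-11T13:15", "2014-02-11T13:45",
              "2014-02-11T15:00", "2014-02-11T16:01"]
    return {p: verdict(chain, datetime.fromisoformat(p)) for p in probes}

if __name__ == "__main__":
    for name, chain in (("as reported", as_reported),
                        ("ACCEPT first", accept_first)):
        print(name, schedule(chain))
```

With the reported order every probe between 13:00 and 16:00 returns DROP; with the ACCEPT rule first, 13:45 returns ACCEPT while 13:15 and 15:00 still return DROP, which is the behaviour the reporter expected.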
