Thu, 5 Jul 2001 00:03:51 +0800
On Wednesday 04 July 2001 23:47, Rob Bos wrote:
> > There is a TIME module in patch-o-matic that does EXACTLY that.
> > iptables -m time --help gives:
> > TIME v1.2.2 options:
> > --timestart value --timestop value --days listofdays
> > timestart value : HH:MM
> > timestop value : HH:MM
> > listofdays value: a list of days to apply -> ie.
> > Mon,Tue,Wed,Thu,Fri. Case sensitive
> Oh, cool.
Thank you :) That's because the authors of netfilter made
it extensible. Patch-o-matic is full of cool patches. Most
probably more are to come. As people need more features,
they will implement them, and hopefully put them in patch-o-matic.
> So to permit access from now to ten minutes from now, I could do
> iptables -m time --timestart `date +%H:%M` --timestop `date +%H`:((`date
> +%M + 10`))
> or something similar.
> I'll have to take a look at the patch.. I hope "listofdays" is optional,
Sorry Rob, I haven't made listofdays optional,
but I guess it's easy to modify. For now, if you want the match to match any day,
then simply add them all in the list :)
> but I suppose it could be done. and we'd have to really watch hour and day
I'm interested in people testing it a bit further. I have basically
tested it, but nothing very intensive. Someone already found a bug
in the match a couple of months ago: I was not making the check for
the time boundary properly... it seems to be fixed now.
> It'd be even nicer if --timestart and --timestop used unix epoch.. might be
> easy to add, though. We'll see :)
Well .. here goes the tricky part .. Imagine you enter --timestart h1:m1
--timestop h2:m2 --listofdays Mon
The arrival time of the packet is using the kernel clock, without
giving you any timezone adjustment. For me, I had to remove
3 hours before feeding the hours to the match.
At this point of time, I have coded the match to accept only these hours ...
so for now you will have to do the time zone translation yourself !
Please don't ask me about timezones ... I've never understood anything
about that, that's exactly why I didn't implement this feature.
But you should be able to extend this match quite easily,
provided you know the timezone thingies that I don't know of :)
Hope this helps,
Have a nice day,
"Silly hacker, root is for administrators"
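
Added example, not part of the original message or of the patch: one way to build the ten-minute window discussed above without doing the timezone translation by hand, by working from epoch seconds and splitting the window when it crosses midnight. It assumes the kernel clock the match reads is UTC, that "Sat" and "Sun" are spelled like the weekdays in the help text, and that the window is shorter than 24 hours; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the patch): build "-m time" options for a short
# window starting at a given epoch second, expressed in UTC.
# Assumptions: the kernel clock is UTC; Sat/Sun are valid day names;
# the window is shorter than 24 hours.

# fmt_hhmm MINUTE_OF_DAY -> HH:MM
fmt_hhmm() {
    printf '%02d:%02d' $(( $1 / 60 )) $(( $1 % 60 ))
}

# day_name DAYS_SINCE_EPOCH -> Mon..Sun (1970-01-01 was a Thursday)
day_name() {
    case $(( ($1 + 3) % 7 )) in
        0) echo Mon ;; 1) echo Tue ;; 2) echo Wed ;; 3) echo Thu ;;
        4) echo Fri ;; 5) echo Sat ;; 6) echo Sun ;;
    esac
}

# time_window_opts START_EPOCH MINUTES
# Prints one option string per rule: two when the window crosses UTC
# midnight, so no rule ever has a timestop earlier than its timestart.
# Whether the match treats timestop as inclusive is not stated in the
# thread, so the 23:59 boundary may leave the last minute uncovered.
time_window_opts() {
    [ "$2" -gt 0 ] && [ "$2" -lt 1440 ] || return 1
    start=$1
    stop=$(( start + $2 * 60 ))
    d1=$(( start / 86400 ));     d2=$(( stop / 86400 ))
    m1=$(( start % 86400 / 60 )); m2=$(( stop % 86400 / 60 ))
    if [ "$d1" -eq "$d2" ]; then
        echo "--timestart $(fmt_hhmm $m1) --timestop $(fmt_hhmm $m2) --days $(day_name $d1)"
    else
        echo "--timestart $(fmt_hhmm $m1) --timestop 23:59 --days $(day_name $d1)"
        echo "--timestart 00:00 --timestop $(fmt_hhmm $m2) --days $(day_name $d2)"
    fi
}

# Sample input: this message's Date header (Thu 00:03:51 +0800) as epoch
# seconds. In UTC that is still Wednesday, 16:03.
time_window_opts 994262631 10
# Live use: time_window_opts "$(date +%s)" 10
```

Each printed line is meant to be spliced into a rule after `-m time`, with the chain and target chosen by the operator.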