[Bug 1737] meta hour error with different time-zones
bugzilla-daemon at netfilter.org
Tue Mar 19 20:33:02 CET 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1737
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Simon G. Trajkovski from comment #3)
> (In reply to nicolasfort1988 from comment #0)
> > When using meta hour, and also using different time zone (for example
> > Australia/Sydney), rules are written correctly, but they do not match as
> > expected.
> >
> >
> > ### Config and date
> > For example:
> >
> > table ip vyos_filter {
> >     chain VYOS_OUTPUT_filter {
> >         type filter hook output priority filter; policy accept;
> >         ip daddr 1.1.1.1 meta hour >= "03:01" meta hour < "08:00" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"
> >         ip daddr 8.8.8.8 meta hour >= "03:01" meta hour < "14:00" counter packets 0 bytes 0 accept comment "ipv4-OUT-filter-20"
>
> use a range:
>
> ip daddr 8.8.8.8 meta hour "03:01"-"08:00" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"
>
> and it works fine; but listing displays this:
>
> ip daddr 8.8.8.8 meta hour != "14:00"-"03:01" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"
>
> not knowledgeable of this code, but nftables/src/evaluate.c has special
> handling for this.
Thanks for disentangling this bug report.
I made this patch:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240319192609.218891-1-pablo@netfilter.org/
So it is the implicit cross-day handling, which reverses an interval, that is
missing in this ruleset.
So, basically, 14:00-03:01 triggers a cross-day interval swap in AEDT time,
since the kernel handles time in UTC.
To improve usability, I have completed the remaining code in the listing path
and I have documented that use of ranges is recommended.
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240319192609.218891-1-pablo@netfilter.org/
It should be possible to make this change to swap this open-coded range
notation:
meta hour >= "03:01" meta hour < "14:00"
but it is still more efficient to express this with a range expression.
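The time arithmetic behind this report, as an added example that is not part of the original message and not nftables code. It assumes a fixed UTC+11 offset for AEDT, uses hypothetical function names, and models the swapped range the way the listing above prints it (negated, bounds exchanged); exact endpoint handling in nftables may differ.

```python
# Simplified model of how "meta hour" bounds given in local time are
# compared against seconds since midnight UTC. Added illustration only.
AEDT_OFFSET = 11 * 3600  # assumption: Australia/Sydney was UTC+11 on the report date
DAY = 86400


def to_utc_secs(hhmm, offset=AEDT_OFFSET):
    """Local "HH:MM" -> seconds since midnight UTC (what the kernel compares)."""
    h, m = map(int, hhmm.split(":"))
    return (h * 3600 + m * 60 - offset) % DAY


def open_coded(now, lo, hi):
    """meta hour >= lo meta hour < hi: two independent comparisons, ANDed."""
    return now >= to_utc_secs(lo) and now < to_utc_secs(hi)


def range_match(now, lo, hi):
    """meta hour lo-hi with the implicit cross-day swap applied."""
    l, h = to_utc_secs(lo), to_utc_secs(hi)
    if l <= h:
        return l <= now <= h
    # The interval wraps past midnight UTC: exchange the bounds and negate,
    # which is what the listing shows as  != "14:00"-"03:01".
    return not (h <= now <= l)


def matching_minutes(rule, lo, hi):
    """Count the local-time minutes of one day on which the rule matches."""
    return sum(
        rule(to_utc_secs(f"{m // 60:02d}:{m % 60:02d}"), lo, hi)
        for m in range(1440)
    )


if __name__ == "__main__":
    for lo, hi in (("03:01", "08:00"), ("03:01", "14:00")):
        print(lo, hi, "UTC bounds:", to_utc_secs(lo), to_utc_secs(hi),
              "open-coded minutes:", matching_minutes(open_coded, lo, hi),
              "range minutes:", matching_minutes(range_match, lo, hi))
```

Local 03:01 becomes 16:01 UTC and local 14:00 becomes 03:00 UTC, so the open-coded pair asks for a value that is at least 57660 and below 10800 at once, which no packet can satisfy.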