Bug 195918

Summary: iptables missing time module
Product: [Fedora] Fedora Reporter: Hesty <hestyp>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: jonstanley
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-08 00:04:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 233475    

Description Hesty 2006-06-19 16:27:01 UTC
Description of problem:
Time module missing from iptables yet is in man page.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Use -m time --timestart or --timestop option in iptables.
Actual results:
iptables v1.3.5: Couldn't load match `time':/lib/iptables/libipt_time.so: cannot
open shared object file: No such file or directory

Expected results:
Works properly.

Additional info:
man iptables shows time module. Either iptables is missing time module or man
page is telling too much.

Comment 1 Fred Trotter 2007-03-22 15:26:01 UTC
This is actually a bug with relation to fwbuilder too. Fwbuilder is a feature
rich GUI for making firewall changes, and it contains the GUI elements needed to
add time restraints to firewall rules. When time restraints are added, the
scripts fail due to the mis-compiled iptables.

Time based rules are a basic feature for any complex firewall. Very often times
rules allow a firewall to open for a once-a-day file transfer, and to have a
constantly open port would be a security hazard. This is a good way to limit the
expose of known-weak ports.

I am surprised that this has not been fixed in FC6 since I assume that the
problem is simply an incorrect compile flag. 

Comment 2 Thomas Woerner 2007-03-22 17:37:08 UTC
The time module is not enabled in the kernel and the header file is therefore
not part of kernel-headers.

Please assign to kernel for inclusion there and then to kernel-headers.

A simple rebuild iptables will then enable it there, too.

Comment 3 Chuck Ebbert 2007-08-29 15:25:17 UTC
There is no config option available for MATCH_TIME. Apparently there have been
some patches floating around but they were never merged into the kernel. How did
that option get into our netfilter package and its manpage?

(Anyone who wants to open and close ports at certain times can do it easily with
a cron job.)

Comment 4 Jon Stanley 2007-12-31 00:43:53 UTC

I'm reviewing this bug as part of the kernel bug triage project, an attempt to
isolate current bugs in the Fedora kernel.


I am CC'ing myself to this bug, however this version of Fedora is no longer

Please attempt to reproduce this bug with a current version of Fedora (presently
Fedora 8). If the bug no longer exists, please close the bug or I'll do so in a
few days if there is no further information lodged.

Thanks for using Fedora!

Comment 5 Jon Stanley 2008-01-08 00:04:55 UTC
Closing per previous comment.  If you can provide the requested information,
please feel free to re-open this bug.