Bug 233475

Summary: The iptables time module is not enabled in the kernel
Product: [Fedora] Fedora
Reporter: Fred Trotter <fred.trotter>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED UPSTREAM
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 6
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-03-26 05:18:38 UTC
Bug Depends On: 195918

Description Fred Trotter 2007-03-22 17:58:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070313 Fedora/1.5.0.10-5.fc6 Firefox/1.5.0.10

Description of problem:
This was originally a bug against iptables, but the fix is in the kernel.
The problem is that iptables will not accept time-related rules out of the box, even though that is pretty basic firewall functionality. From Thomas Woerner's last comment:

>The time module is not enabled in the kernel and the header file is therefore
>not part of kernel-headers.
>
>Please assign to kernel for inclusion there and then to kernel-headers.
>
>A simple rebuild of iptables will then enable it there, too.



Version-Release number of selected component (if applicable):
kernel-2.6.20-1.2925.fc6

How reproducible:
Always


Steps to Reproduce:
1. Create a time-based rule in iptables like this one:
$IPTABLESCOMMAND -A OUTPUT -m time  --timestart 09:00  --timestop 17:00  --days Mon,Tue,Wed,Thu,Fri 
2. Get error like this one...
iptables v1.3.5: Couldn't load match `time':/lib/iptables/libipt_time.so: cannot open shared object file: No such file or directory


Actual Results:
iptables v1.3.5: Couldn't load match `time':/lib/iptables/libipt_time.so: cannot open shared object file: No such file or directory


Expected Results:
rule should have become part of current firewall 

Additional info:

Comment 1 Chuck Ebbert 2007-03-23 17:26:41 UTC
I don't know what the "time" module is in iptables.

What kernel option needs to be enabled?



Comment 2 Dave Jones 2007-03-26 05:18:38 UTC
iptables userspace moves faster than kernelspace.  There's no way we're going to
start merging iptables modules before they get upstream due to there being so
many of them, and the uncertainty of the length of time we'd have to carry them.

This will get fixed when the module gets into upstream kernel.org kernels, and
the Fedora kernel rebases.

Comment 3 Fred Trotter 2007-03-26 05:47:44 UTC
Ok. This is a big problem. This means that in order to get basic firewall
functionality out of Fedora I have to recompile the kernel. Further, it makes me
wonder just which modules that the iptables man page mentions are also missing.
Can I rely on anything working there that I have not tested myself? I am very
willing to be the squeaky wheel on this, but I still do not know who to push. What I
need is something like: "Talk to (Insert Name here) over at (insert project
here); once they fix it we will too."

Comment 4 Dave Jones 2007-03-26 06:20:48 UTC
Recompiling the kernel isn't going to help you. The module _is not there_ to be
built.  If it was included, I'd have enabled it.

Talk to the netfilter guys to get their module upstream.
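
Comment 3 asks which other match modules might be missing. One way to check, as an added example that is not part of the original report or any commenter's code: the script below lists every -m match a rules file uses and reports whether the userspace library and the kernel module files are present. The directory arguments and the libxt_/xt_ file names (used by later iptables and kernel releases) are assumptions beyond the /lib/iptables/libipt_time.so path shown in the report.

```sh
#!/bin/sh
# Added example (not from the bug report): file-presence audit of the
# iptables match extensions a rules file depends on.

# Print the distinct match names used with -m / --match in rules file $1.
matches_in_rules() {
    grep -v '^[[:space:]]*#' "$1" | tr -s '[:space:]' '\n' | awk '
        prev == "-m" || prev == "--match" { print }
        { prev = $0 }' | sort -u
}

# Report whether match $1 has a userspace library in directory $2 and a
# kernel module (loadable, or listed in modules.builtin) under tree $3.
# Heuristic: a few matches live in differently named modules, so treat
# "missing" as a prompt to test the rule, not as proof.
match_status() {
    lib=missing; mod=missing
    for f in "$2/libipt_$1.so" "$2/libxt_$1.so"; do
        if [ -e "$f" ]; then lib=present; fi
    done
    if find "$3" \( -name "ipt_$1.ko*" -o -name "xt_$1.ko*" \) 2>/dev/null | grep -q . ||
       grep -Eqs "/(ipt|xt)_$1\.ko" "$3/modules.builtin"; then
        mod=present
    fi
    echo "$1 userspace=$lib kernel=$mod"
}

# Audit every match used in rules file $1; return 1 if any part is missing.
audit_rules() {
    rc=0
    for m in $(matches_in_rules "$1"); do
        line=$(match_status "$m" "$2" "$3")
        echo "$line"
        case "$line" in *missing*) rc=1 ;; esac
    done
    return $rc
}

# Demo: the rule from the report (constructed file), checked against the
# library path from the error message and the running kernel's module tree.
demo=$(mktemp)
echo '-A OUTPUT -m time --timestart 09:00 --timestop 17:00 --days Mon,Tue,Wed,Thu,Fri' > "$demo"
audit_rules "$demo" /lib/iptables "/lib/modules/$(uname -r)" ||
    echo "at least one match cannot be used on this host" >&2
rm -f "$demo"
```

Running the audit before a ruleset is deployed shows which rules would fail to load, so a policy that depends on them is not left partly applied.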