Bug 195918 - iptables missing time module
iptables missing time module
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 233475
  Show dependency treegraph
 
Reported: 2006-06-19 12:27 EDT by Hesty
Modified: 2008-08-02 19:40 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-07 19:04:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Hesty 2006-06-19 12:27:01 EDT
Description of problem:
Time module missing from iptables yet is in man page.

Version-Release number of selected component (if applicable):
iptables-1.3.5-1.2

How reproducible:
Always

Steps to Reproduce:
1. Use -m time --timestart or --timestop option in iptables.
  
Actual results:
iptables v1.3.5: Couldn't load match `time':/lib/iptables/libipt_time.so: cannot
open shared object file: No such file or directory

Expected results:
Works properly.

Additional info:
man iptables shows time module. Either iptables is missing time module or man
page is telling too much.
Comment 1 Fred Trotter 2007-03-22 11:26:01 EDT
This is actually a bug with relation to fwbuilder too. Fwbuilder is a feature
rich GUI for making firewall changes, and it contains the GUI elements needed to
add time restraints to firewall rules. When time restraints are added, the
scripts fail due to the mis-compiled iptables.

Time based rules are a basic feature for any complex firewall. Very often times
rules allow a firewall to open for a once-a-day file transfer, and to have a
constantly open port would be a security hazard. This is a good way to limit the
expose of known-weak ports.

I am surprised that this has not been fixed in FC6 since I assume that the
problem is simply an incorrect compile flag. 
Comment 2 Thomas Woerner 2007-03-22 13:37:08 EDT
The time module is not enabled in the kernel and the header file is therefore
not part of kernel-headers.

Please assign to kernel for inclusion there and then to kernel-headers.

A simple rebuild iptables will then enable it there, too.
Comment 3 Chuck Ebbert 2007-08-29 11:25:17 EDT
There is no config option available for MATCH_TIME. Apparently there have been
some patches floating around but they were never merged into the kernel. How did
that option get into our netfilter package and its manpage?

(Anyone who wants to open and close ports at certain times can do it easily with
a cron job.)
Comment 4 Jon Stanley 2007-12-30 19:43:53 EST
Hello,

I'm reviewing this bug as part of the kernel bug triage project, an attempt to
isolate current bugs in the Fedora kernel.

http://fedoraproject.org/wiki/KernelBugTriage

I am CC'ing myself to this bug, however this version of Fedora is no longer
maintained.

Please attempt to reproduce this bug with a current version of Fedora (presently
Fedora 8). If the bug no longer exists, please close the bug or I'll do so in a
few days if there is no further information lodged.

Thanks for using Fedora!
Comment 5 Jon Stanley 2008-01-07 19:04:55 EST
Closing per previous comment.  If you can provide the requested information,
please feel free to re-open this bug.

Note You need to log in before you can comment on or make changes to this bug.