Bug 195918 - iptables missing time module
Summary: iptables missing time module
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 6
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 233475
TreeView+ depends on / blocked
 
Reported: 2006-06-19 16:27 UTC by Hesty
Modified: 2008-08-02 23:40 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-08 00:04:55 UTC


Attachments (Terms of Use)

Description Hesty 2006-06-19 16:27:01 UTC
Description of problem:
Time module missing from iptables yet is in man page.

Version-Release number of selected component (if applicable):
iptables-1.3.5-1.2

How reproducible:
Always

Steps to Reproduce:
1. Use -m time --timestart or --timestop option in iptables.
  
Actual results:
iptables v1.3.5: Couldn't load match `time':/lib/iptables/libipt_time.so: cannot
open shared object file: No such file or directory

Expected results:
Works properly.

Additional info:
man iptables shows time module. Either iptables is missing time module or man
page is telling too much.

Comment 1 Fred Trotter 2007-03-22 15:26:01 UTC
This is actually a bug with relation to fwbuilder too. Fwbuilder is a feature
rich GUI for making firewall changes, and it contains the GUI elements needed to
add time restraints to firewall rules. When time restraints are added, the
scripts fail due to the mis-compiled iptables.

Time based rules are a basic feature for any complex firewall. Very often times
rules allow a firewall to open for a once-a-day file transfer, and to have a
constantly open port would be a security hazard. This is a good way to limit the
expose of known-weak ports.

I am surprised that this has not been fixed in FC6 since I assume that the
problem is simply an incorrect compile flag. 

Comment 2 Thomas Woerner 2007-03-22 17:37:08 UTC
The time module is not enabled in the kernel and the header file is therefore
not part of kernel-headers.

Please assign to kernel for inclusion there and then to kernel-headers.

A simple rebuild iptables will then enable it there, too.

Comment 3 Chuck Ebbert 2007-08-29 15:25:17 UTC
There is no config option available for MATCH_TIME. Apparently there have been
some patches floating around but they were never merged into the kernel. How did
that option get into our netfilter package and its manpage?

(Anyone who wants to open and close ports at certain times can do it easily with
a cron job.)

Comment 4 Jon Stanley 2007-12-31 00:43:53 UTC
Hello,

I'm reviewing this bug as part of the kernel bug triage project, an attempt to
isolate current bugs in the Fedora kernel.

http://fedoraproject.org/wiki/KernelBugTriage

I am CC'ing myself to this bug, however this version of Fedora is no longer
maintained.

Please attempt to reproduce this bug with a current version of Fedora (presently
Fedora 8). If the bug no longer exists, please close the bug or I'll do so in a
few days if there is no further information lodged.

Thanks for using Fedora!

Comment 5 Jon Stanley 2008-01-08 00:04:55 UTC
Closing per previous comment.  If you can provide the requested information,
please feel free to re-open this bug.


Note You need to log in before you can comment on or make changes to this bug.