Anybody got ipac-ng and iptables TIME extension to work ?
Hi,
I have a problem using ipac-ng (v1.31) with the iptables (v1.2.11)
"Time" extension on Debian Sarge(i386).
The following ipac-ng rule
offpeak|ipac~o|ppp0|all|||time --timestop 7:0|
does NOT produce the expected "iptables -L" line
all -- anywhere anywhere TIME to 7:0 on all days
but instead produces the following "iptables -L" line which has a "0:0"
end time
all -- anywhere anywhere TIME to 0:0 on all days
This could be because:
- I am not using the correct compile options for ipac-ng.
- There is a bug in ipac-ng.
- There is a bug in the Time extension.
- There is a bug in iptables.
- I haven't used the iptables "patch-o-matic" utility correctly
to patch the kernel.
- Something else I have not thought of.
- All of the above :)
I would much appreciate suggestions on how to fix this. Please see below
for more details on the problem.
Many thanks,
Declan
More Details:
I am using the ipac-ng v1.31 source from the ipac-ng developers, not the
Debian version of the source, as Sarge includes an earlier version of
ipac-ng, not v1.31.
I have built ipac-ng with a "configure" of
./configure \
--enable-default-storage=postgre \
--enable-debug-ipacsum=no \
--enable-debug-database=no \
--with-postgresql-inc=/usr/include/postgresql
The CFLAGS within the resultant Makefile are
-g -O2 -Wall -I/usr/include/postgresql
The Debian iptables package is version "1.2.11-8". Its iptables command
is able to correctly use the Time extension. E.g.
iptables -A INPUT -m time --timestop 7:0
works as expected and produces the following "iptables -L" line:
all -- anywhere anywhere TIME to 7:0 on all days
The kernel is built from Debian's "2.4.27-8" source code, patched with
the Time extension by using the iptables patch-o-matic that comes with
the iptables version "1.2.11-8" source code package.
Some code debug info:
Within the ipac-ng "agents/iptables.c" source file the
m->parse(c - m->option_offset,
d->extension, invert,
&m->mflags,
&fw, &fw.nfcache, &m->m)
function call (see line 1367, in "prepare_entry()") seems to be
incorrectly setting the contents of "m->m->data[]".
For the Time extension, "m->m->data[]" has a data structure of
struct ipt_time_info {
    u_int8_t days_match;
    u_int16_t time_start;
    u_int16_t time_stop;
    u_int8_t kerneltime;
    time_t date_start;
    time_t date_stop;
};
When "m->parse()" is called with a "d->extension" of
"fetchipac", "-m", "time", "--timestart", "1:0",
"--timestop", "7:0", "--days", "Mon"
and a first parameter of 49 (i.e. c=305 and m->option_offset=256) to
process the "--timestart" "1:0" args, "time_start" is incorrectly set
to zero and "time_stop" set to 1439; however "m->mflags" is correctly
set to 1.
When "m->parse()" is next called with a first parameter of 50 (i.e.
c=306 and m->option_offset=256) to process the "--timestop" "7:0" args,
"time_start" is again incorrectly set to zero and "time_stop" set to
zero; however "m->mflags" is correctly set to 3.
When "m->parse()" is next called with a first parameter of 51 (i.e.
c=307 and m->option_offset=256) to process the "--days" "Mon" args,
"time_start" is still set to zero and "time_stop" is still set to
zero; however "m->mflags" is correctly set to 3 and "days_match"
is correctly set to 0x20.
Regards,
Declan
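As an added illustration (not code from the post, from ipac-ng or from iptables), the following C program models what the "time" match's option parsing should leave in a struct ipt_time_info for the options quoted above, so that the values observed in "m->m->data[]" after each parse() call can be compared with known-good ones. It keeps the post's encoding of time_start/time_stop as minutes since midnight (the 1439 default is 23:59) and days_match as a bitmask, and it renders an approximation of the "iptables -L" summary line. The helper names (parse_hhmm, parse_days, time_info_init, time_info_apply, time_info_render), the Sun=0x40 .. Sat=0x01 bit order (chosen so that "Mon" gives the 0x20 reported in the post) and the exact print format are assumptions of this example.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Same layout as the struct quoted in the post; only the first three
   fields are used here (kerneltime and the date fields stay zero). */
struct ipt_time_info {
    uint8_t  days_match;
    uint16_t time_start;
    uint16_t time_stop;
    uint8_t  kerneltime;
    time_t   date_start;
    time_t   date_stop;
};

#define MINUTES_PER_DAY 1440
#define ALL_DAYS 0x7f   /* all seven day bits set */

/* Assumed day-bit layout: Sun=0x40, Mon=0x20, ..., Sat=0x01 (chosen so
   that "Mon" yields the 0x20 the post reports). */
static const char *day_names[7] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};

/* "H:M" or "HH:MM" -> minutes since midnight (0..1439); -1 if malformed. */
int parse_hhmm(const char *s)
{
    char *end;
    long h, m;
    if (s == NULL || !isdigit((unsigned char)s[0])) return -1;
    h = strtol(s, &end, 10);
    if (*end != ':' || !isdigit((unsigned char)end[1])) return -1;
    m = strtol(end + 1, &end, 10);
    if (*end != '\0' || h > 23 || m > 59) return -1;
    return (int)(h * 60 + m);
}

/* Comma-separated day names -> bitmask; -1 on an unknown name. */
int parse_days(const char *list, uint8_t *mask)
{
    char buf[64];
    char *tok;
    if (list == NULL || strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    *mask = 0;
    for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int i, found = 0;
        for (i = 0; i < 7; i++)
            if (strcmp(tok, day_names[i]) == 0) { *mask |= (uint8_t)(0x40 >> i); found = 1; }
        if (!found) return -1;
    }
    return 0;
}

/* Defaults before any option is stored: whole day, every day. The
   time_stop of 1439 seen in the post is this default (23:59). */
void time_info_init(struct ipt_time_info *info)
{
    memset(info, 0, sizeof *info);
    info->time_stop = MINUTES_PER_DAY - 1;
    info->days_match = ALL_DAYS;
}

/* Store one option into the struct; 0 on success, -1 on a bad option/value.
   A failed value leaves the struct untouched. */
int time_info_apply(struct ipt_time_info *info, const char *opt, const char *val)
{
    int v;
    if (strcmp(opt, "--timestart") == 0) {
        if ((v = parse_hhmm(val)) < 0) return -1;
        info->time_start = (uint16_t)v;
        return 0;
    }
    if (strcmp(opt, "--timestop") == 0) {
        if ((v = parse_hhmm(val)) < 0) return -1;
        info->time_stop = (uint16_t)v;
        return 0;
    }
    if (strcmp(opt, "--days") == 0) return parse_days(val, &info->days_match);
    return -1;
}

/* Bounded printf-style append used by the renderer. */
static void append(char *out, size_t n, size_t *len, const char *fmt, ...)
{
    va_list ap;
    int w;
    if (*len >= n) return;
    va_start(ap, fmt);
    w = vsnprintf(out + *len, n - *len, fmt, ap);
    va_end(ap);
    if (w > 0) *len += ((size_t)w < n - *len) ? (size_t)w : n - *len - 1;
}

/* Approximation of the "iptables -L" summary: "from" only when a start was
   given, "to" only when the stop is not the default, then the days. */
void time_info_render(const struct ipt_time_info *info, char *out, size_t n)
{
    size_t len = 0;
    int i;
    out[0] = '\0';
    append(out, n, &len, "TIME ");
    if (info->time_start != 0)
        append(out, n, &len, "from %d:%d ", info->time_start / 60, info->time_start % 60);
    if (info->time_stop != MINUTES_PER_DAY - 1)
        append(out, n, &len, "to %d:%d ", info->time_stop / 60, info->time_stop % 60);
    append(out, n, &len, "on ");
    if (info->days_match == ALL_DAYS) {
        append(out, n, &len, "all days");
        return;
    }
    for (i = 0; i < 7; i++)
        if (info->days_match & (0x40 >> i))
            append(out, n, &len, "%s,", day_names[i]);
    if (len > 0 && out[len - 1] == ',') out[len - 1] = '\0';
}

int main(void)
{
    struct ipt_time_info info;
    char line[128];

    /* The post's offpeak rule: only "--timestop 7:0". */
    time_info_init(&info);
    time_info_apply(&info, "--timestop", "7:0");
    time_info_render(&info, line, sizeof line);
    printf("expected: %s (time_stop=%u)\n", line, info.time_stop);

    /* What the post observes: both time fields left at zero after parse(). */
    time_info_init(&info);
    info.time_stop = 0;
    time_info_render(&info, line, sizeof line);
    printf("observed: %s (time_stop=%u)\n", line, info.time_stop);
    return 0;
}
```

After "--timestop 7:0" the struct should hold time_stop == 420 and render as "TIME to 7:0 on all days"; a struct whose time fields were never written renders as "TIME to 0:0 on all days", the exact line in the post, which is what a parse() that returned before storing its value would leave behind. Comparing the raw field values (420 for "7:0", 60 for "1:0", 0x20 for "Mon") against "m->m->data[]" after each parse() call is the quickest way to tell whether the option text reached the extension's parser at all.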