Patch for ipt_time (to enable start > stop / crossing midnight)

Patch for ipt_time (to enable start > stop / crossing midnight)

[Heiko Schlittermann]

[-- Attachment #1.1: Type: text/plain, Size: 1135 bytes --]

Hello,

orginally sent to Fabrice but resending it here.  (Fabrice doesn't seem to
have time...., so I just subscribed here.)


(Beside: I was wondering, why ipt_time is not part of the official
2.6. kernel -- did I miss something?)


So I applied the `time' patch from current patch-o-matic (20060101).


But with a rule like:

    iptables -A INPUT -m time --timestart 21:00 --timestop 15:00 -j ...
    (wrapping 'round midnight).

I missed my target :)


To enable times crossing midnight I hacked a bit in ipt_time.c. My diff
is appended (against the patch-o-matic 20060101)..

It would be nice if you could

    1) check it
    2) integrate it into the official patch-o-matic (and kernel tree?)

Thank you ...

    Best regards from Dresden
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -

[-- Attachment #1.2: ipt_time.c.diff --]
[-- Type: text/plain, Size: 1067 bytes --]

--- ipt_time.c.orig	2005-11-03 19:20:25.000000000 +0100
+++ ipt_time.c	2006-01-03 10:14:35.000000000 +0100
@@ -11,6 +11,7 @@
   2001-30-11 Fabrice : added the possibility to use the match in FORWARD/OUTPUT with a little hack,
      added Nguyen Dang Phuoc Dong <dongnd@tlnet.com.vn> patch to support timezones.
   2004-05-02 Fabrice : added support for date matching, from an idea of Fabien COELHO.
+  2006-01-03 Heiko Schlittermann <hs@schlittermann.de> : added support for timestart > timestop
 */
 
 #include <linux/module.h>
@@ -72,11 +73,14 @@
 
 	/* ... check the time now */
 	packet_time = (currenttime.tm_hour * 60) + currenttime.tm_min;
-	if ((packet_time < info->time_start) || (packet_time > info->time_stop))
-		return 0;
 
-	/* here we match ! */
-	return 1;
+	/* .hs now start > stop is possible */
+
+	if (info->time_start > info->time_stop)
+		return (packet_time >= info->time_start) || (packet_time < info->time_stop);
+
+	return (packet_time >= info->time_start) && (packet_time < info->time_stop);
+
 }
 
 static int

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Patch for ipt_time (to enable start > stop / crossing midnight)

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 2974 bytes --]



On Wed, 4 Jan 2006, Heiko Schlittermann wrote:

> Hello,
>
> orginally sent to Fabrice but resending it here.  (Fabrice doesn't seem to
> have time...., so I just subscribed here.)
>
>
> (Beside: I was wondering, why ipt_time is not part of the official
> 2.6. kernel -- did I miss something?)
>
>
> So I applied the `time' patch from current patch-o-matic (20060101).
>
>
> But with a rule like:
>
>    iptables -A INPUT -m time --timestart 21:00 --timestop 15:00 -j ...
>    (wrapping 'round midnight).
>
> I missed my target :)
>
>
> To enable times crossing midnight I hacked a bit in ipt_time.c. My diff
> is appended (against the patch-o-matic 20060101)..
>
> It would be nice if you could
>
>    1) check it
>    2) integrate it into the official patch-o-matic (and kernel tree?)

How about this (also attached) one? Untested, but should work.


[NETFILTER] Support for timestart > timestop in ipt_time (eg. 21:00 - 15:00)

Based on a patch from Heiko Schlittermann <hs@schlittermann.de>

Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>

diff -Nur patch-o-matic-ng-20060103-orig/patchlets/time/linux/net/ipv4/netfilter/ipt_time.c patch-o-matic-ng-20060103/patchlets/time/linux/net/ipv4/netfilter/ipt_time.c
--- patch-o-matic-ng-20060103-orig/patchlets/time/linux/net/ipv4/netfilter/ipt_time.c	2005-05-29 20:47:49.000000000 +0200
+++ patch-o-matic-ng-20060103/patchlets/time/linux/net/ipv4/netfilter/ipt_time.c	2006-01-04 16:42:01.000000000 +0100
@@ -81,8 +81,13 @@

  	/* ... check the time now */
  	packet_time = (currenttime.tm_hour * 60) + currenttime.tm_min;
-	if ((packet_time < info->time_start) || (packet_time > info->time_stop))
-		return 0;
+	if (info->time_start < info->time_stop) {
+		if ((packet_time < info->time_start) || (packet_time > info->time_stop))
+			return 0;
+	} else {
+		if ((packet_time < info->time_start) && (packet_time > info->time_stop))
+			return 0;
+	}

  	/* here we match ! */
  	return 1;
diff -Nur patch-o-matic-ng-20060103-orig/patchlets/time/linux-2.6/net/ipv4/netfilter/ipt_time.c patch-o-matic-ng-20060103/patchlets/time/linux-2.6/net/ipv4/netfilter/ipt_time.c
--- patch-o-matic-ng-20060103-orig/patchlets/time/linux-2.6/net/ipv4/netfilter/ipt_time.c	2005-11-03 19:20:25.000000000 +0100
+++ patch-o-matic-ng-20060103/patchlets/time/linux-2.6/net/ipv4/netfilter/ipt_time.c	2006-01-04 16:35:25.000000000 +0100
@@ -72,8 +72,13 @@

  	/* ... check the time now */
  	packet_time = (currenttime.tm_hour * 60) + currenttime.tm_min;
-	if ((packet_time < info->time_start) || (packet_time > info->time_stop))
-		return 0;
+	if (info->time_start < info->time_stop) {
+		if ((packet_time < info->time_start) || (packet_time > info->time_stop))
+			return 0;
+	} else {
+		if ((packet_time < info->time_start) && (packet_time > info->time_stop))
+			return 0;
+	}

  	/* here we match ! */
  	return 1;


Best regards,

 				Krzysztof Olędzki

[-- Attachment #2: Type: TEXT/PLAIN, Size: 2038 bytes --]


[NETFILTER] Support for timestart > timestop in ipt_time (eg. 21:00 - 15:00)

Based on a patch from Heiko Schlittermann <hs@schlittermann.de>

Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>

diff -Nur patch-o-matic-ng-20060103-orig/patchlets/time/linux/net/ipv4/netfilter/ipt_time.c patch-o-matic-ng-20060103/patchlets/time/linux/net/ipv4/netfilter/ipt_time.c
--- patch-o-matic-ng-20060103-orig/patchlets/time/linux/net/ipv4/netfilter/ipt_time.c	2005-05-29 20:47:49.000000000 +0200
+++ patch-o-matic-ng-20060103/patchlets/time/linux/net/ipv4/netfilter/ipt_time.c	2006-01-04 16:42:01.000000000 +0100
@@ -81,8 +81,13 @@
 
 	/* ... check the time now */
 	packet_time = (currenttime.tm_hour * 60) + currenttime.tm_min;
-	if ((packet_time < info->time_start) || (packet_time > info->time_stop))
-		return 0;
+	if (info->time_start < info->time_stop) {
+		if ((packet_time < info->time_start) || (packet_time > info->time_stop))
+			return 0;
+	} else {
+		if ((packet_time < info->time_start) && (packet_time > info->time_stop))
+			return 0;
+	}
 
 	/* here we match ! */
 	return 1;
diff -Nur patch-o-matic-ng-20060103-orig/patchlets/time/linux-2.6/net/ipv4/netfilter/ipt_time.c patch-o-matic-ng-20060103/patchlets/time/linux-2.6/net/ipv4/netfilter/ipt_time.c
--- patch-o-matic-ng-20060103-orig/patchlets/time/linux-2.6/net/ipv4/netfilter/ipt_time.c	2005-11-03 19:20:25.000000000 +0100
+++ patch-o-matic-ng-20060103/patchlets/time/linux-2.6/net/ipv4/netfilter/ipt_time.c	2006-01-04 16:35:25.000000000 +0100
@@ -72,8 +72,13 @@
 
 	/* ... check the time now */
 	packet_time = (currenttime.tm_hour * 60) + currenttime.tm_min;
-	if ((packet_time < info->time_start) || (packet_time > info->time_stop))
-		return 0;
+	if (info->time_start < info->time_stop) {
+		if ((packet_time < info->time_start) || (packet_time > info->time_stop))
+			return 0;
+	} else {
+		if ((packet_time < info->time_start) && (packet_time > info->time_stop))
+			return 0;
+	}
 
 	/* here we match ! */
 	return 1;

Re: Patch for ipt_time (to enable start > stop / crossing midnight)

[Brad Fisher]

I've also sent a couple of patches to add this functionality to Fabrice 
and the dev list.  I'd like to see it implemented at some point, 
regardless of the patch used :)  Another thing I know was an issue in 
the past for me was a restriction on which hooks the time match was 
allowed in.  I believe my most recent patch (send on 12/3/2003 i think) 
removed those restrictions and allowed it in all hooks as well as 
allowing the time range to cross the midnight boundary.  Perhaps that 
issue has been resolved in the meantime though, I haven't checked the 
code recently.  I see there have also been a few others who have sent 
patches to  the mailing list to address this issue as well.

-Brad

Re: Patch for ipt_time (to enable start > stop / crossing midnight)

[Heiko Schlittermann]

[-- Attachment #1: Type: text/plain, Size: 1622 bytes --]

Hello Krzysztof & *,

Krzysztof Oledzki <olenf@ans.pl> (Mi 04 Jan 2006 16:47:43 CET):
> 
> How about this (also attached) one? Untested, but should work.
> [NETFILTER] Support for timestart > timestop in ipt_time (eg. 21:00 - 15:00)
> 
> Based on a patch from Heiko Schlittermann <hs@schlittermann.de>

My "compound return" looked shorter :) but I admit, that your's is
better readable.  I don't know, which one is faster or if good gcc
optimimzes both the same way ...  (I learned to save every bit ;-)

> -	if ((packet_time < info->time_start) || (packet_time > info->time_stop))
> -		return 0;
> +	if (info->time_start < info->time_stop) {
> +		if ((packet_time < info->time_start) || (packet_time > info->time_stop))
> +			return 0;
> +	} else {
> +		if ((packet_time < info->time_start) && (packet_time > info->time_stop))
> +			return 0;
> +	}


But I'd like to see:

	if (info->time_start < info->time_stop) {
		if ((packet_time < info->time_start) || (packet_time >= info->time_stop))
			return 0;
	} else {
		if ((packet_time < info->time_start) && (packet_time >= info->time_stop))
			return 0;
	}

    
To match --timestart 12:07 --timestop 13:10 really from 12:07:00 to 13:09:59.



    Best regards from Dresden
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Patch for ipt_time (to enable start > stop / crossing midnight)

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1830 bytes --]



On Wed, 4 Jan 2006, Heiko Schlittermann wrote:

> Hello Krzysztof & *,
>
> Krzysztof Oledzki <olenf@ans.pl> (Mi 04 Jan 2006 16:47:43 CET):
>>
>> How about this (also attached) one? Untested, but should work.
>> [NETFILTER] Support for timestart > timestop in ipt_time (eg. 21:00 - 15:00)
>>
>> Based on a patch from Heiko Schlittermann <hs@schlittermann.de>
>
> My "compound return" looked shorter :) but I admit, that your's is
> better readable.

It would also allow to extend ipt_time checks in the future.

>  I don't know, which one is faster or if good gcc
> optimimzes both the same way ...  (I learned to save every bit ;-)

Hm, there is also another version, totally unreadable but highly 
optimized:

         if ((info->time_start < info->time_stop) + (packet_time < info->time_start) + (packet_time > info->time_stop) >= 2 )
                         return 0;

;)


>> -	if ((packet_time < info->time_start) || (packet_time > info->time_stop))
>> -		return 0;
>> +	if (info->time_start < info->time_stop) {
>> +		if ((packet_time < info->time_start) || (packet_time > info->time_stop))
>> +			return 0;
>> +	} else {
>> +		if ((packet_time < info->time_start) && (packet_time > info->time_stop))
>> +			return 0;
>> +	}
>
>
> But I'd like to see:
>
> 	if (info->time_start < info->time_stop) {
> 		if ((packet_time < info->time_start) || (packet_time >= info->time_stop))
> 			return 0;
> 	} else {
> 		if ((packet_time < info->time_start) && (packet_time >= info->time_stop))
> 			return 0;
> 	}
>
>
> To match --timestart 12:07 --timestop 13:10 really from 12:07:00 to 13:09:59.

So please use --timestart 12:07 --timestop 13:09. We need ">" not ">=" to 
match a single minute, eg. --timestart 12:07 --timestop 12:07.

Best regards,

 			Krzysztof Olędzki

Re: Patch for ipt_time (to enable start > stop / crossing midnight)

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1165 bytes --]



On Wed, 4 Jan 2006, Brad Fisher wrote:

> I've also sent a couple of patches to add this functionality to Fabrice and 
> the dev list.  I'd like to see it implemented at some point, regardless of 
> the patch used :)  Another thing I know was an issue in the past for me was a 
> restriction on which hooks the time match was allowed in.  I believe my most 
> recent patch (send on 12/3/2003 i think) removed those restrictions and 
> allowed it in all hooks as well as allowing the time range to cross the 
> midnight boundary.  Perhaps that issue has been resolved in the meantime 
> though, I haven't checked the code recently.  I see there have also been a 
> few others who have sent patches to  the mailing list to address this issue 
> as well.

Currently, according to the code, ipt_time is allowed in PREROUTING, 
INPUT, FORWARD and OUTPUT. I believe the restriction can be relaxed in 
2.6.x version now since it always gets timestamp only if packets does not 
contain one. We can fix 2.4.x version in the same way. Which other hooks 
are also useful? There is only one left - POSTROUTING. ;)

Best regards,

 				Krzysztof Olędzki

Re: Patch for ipt_time (to enable start > stop / crossing midnight)

[Brad Fisher]

Krzysztof Oledzki wrote:

>
>
> On Wed, 4 Jan 2006, Brad Fisher wrote:
>
>> I've also sent a couple of patches to add this functionality to 
>> Fabrice and the dev list.  I'd like to see it implemented at some 
>> point, regardless of the patch used :)  Another thing I know was an 
>> issue in the past for me was a restriction on which hooks the time 
>> match was allowed in.  I believe my most recent patch (send on 
>> 12/3/2003 i think) removed those restrictions and allowed it in all 
>> hooks as well as allowing the time range to cross the midnight 
>> boundary.  Perhaps that issue has been resolved in the meantime 
>> though, I haven't checked the code recently.  I see there have also 
>> been a few others who have sent patches to  the mailing list to 
>> address this issue as well.
>
>
> Currently, according to the code, ipt_time is allowed in PREROUTING, 
> INPUT, FORWARD and OUTPUT. I believe the restriction can be relaxed in 
> 2.6.x version now since it always gets timestamp only if packets does 
> not contain one. We can fix 2.4.x version in the same way. Which other 
> hooks are also useful? There is only one left - POSTROUTING. ;)
>
> Best regards,
>
>                 Krzysztof Olędzki

I recall having problems in the mangle table, so it was probably with 
the POSTROUTING chain.  My rules depended on the dst IP after NAT was 
performed.
-Brad

Re: Patch for ipt_time (to enable start > stop / crossing midnight)

[Heiko Schlittermann]

[-- Attachment #1: Type: text/plain, Size: 1056 bytes --]

Hello Krzysztof,

> It would also allow to extend ipt_time checks in the future.

Hm .... but then it be rewritten anyway, can't it?

> >To match --timestart 12:07 --timestop 13:10 really from 12:07:00 to 
> >13:09:59.
> 
> So please use --timestart 12:07 --timestop 13:09. We need ">" not ">=" to 
> match a single minute, eg. --timestart 12:07 --timestop 12:07.

But isn't it a bit counter-intuitive?

If something happens from 7 to 10 I'd understand, that it starts at 7:00
and ends at 9:59.  Same with minutes, if some event should happen from
12:07 to 13:10 I'd understand that it happens first at 12:07:00 and last
at 13:09:59....

Or?



    Best regards from Dresden
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]