From: Sebastian Arcus <shop@open-t.co.uk>
To: netfilter@vger.kernel.org
Cc: /dev/rob0 <rob0@gmx.co.uk>
Subject: Re: Iptables "-m time" option doesn't update when the clock changes
Date: Tue, 03 Apr 2012 12:31:46 +0100
Message-ID: <4F7ADFA2.9040507@open-t.co.uk>
In-Reply-To: <20120402220757.GC3502@harrier.slackbuilds.org>
On 02/04/12 23:07, /dev/rob0 wrote:
> On Mon, Apr 02, 2012 at 08:57:28PM +0100, Sebastian Arcus wrote:
>> On 29/03/12 14:45, /dev/rob0 wrote:
>>> On Thu, Mar 29, 2012 at 11:21:55AM +0100, Sebastian Arcus wrote:
>>>> On 29/03/12 11:00, Jan Engelhardt wrote:
>>>> </snip>
>>>>> The caveat with the kernel timezone is that Linux distributions may
>>>>> ignore to set the kernel timezone, and instead only set the system
>>>>> time. Even if a particular distribution does set the timezone at boot,
>>>>> it usually does not keep the kernel timezone offset - which is what
>>>>> changes on DST - up to date. ntpd will not touch the kernel timezone,
>>>>> so running it will not resolve the issue. As such, one may encounter a
>>>>> timezone that is always +0000, or one that is wrong half of the time of
>>>>> the year. As such, using --kerneltz is highly discouraged.
>>>>>
>>>> Thanks for taking the time to give a detailed reply. Just to
>>>> make sure I understand correctly - would this mean that there is
>>>> no reliable way to run time based iptables rules and have them
>>>> keep up with DST changes correctly and automatically - without
>>>> restarting the machine when the DST kicks in or out?
>>>
>>> Restarting the machine? Blasphemy!
>>>
>>> Why not simply reload the firewall rules?
>>>
>>> A simple at(1) job on the DST-to-standard and standard-to-DST
>>> dates to reload the rules, either using your distro's firewall
>>> management tools, or pipe iptables-save to iptables-restore
>>> (substituting for the changed times), ought to do the job just
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> fine.
>>
>> Thanks for the suggestion. However, restarting the firewall (which
>> flushes and re-writes the rules) makes absolutely no difference. I
>
> Did you substitute the changed time? I don't see how using different
> times in your rules would make no difference. Indeed, if not changing
> times, reloading the same rules would make no difference.
Sorry - you are right - I didn't substitute the times in the firewall
rules. On the other hand - a script which would restart the machine is
easier (in this particular case) - than one which would amend the
firewall rules and reload them.
I'm happy to run any other tests on Slackware if somebody can figure out
what needs testing.
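The "substitute the changed times" step rob0 describes, as an added example that is not code from this thread: a POSIX shell/awk filter that shifts every --timestart/--timestop in iptables-save output by a given number of minutes so the result can be piped straight to iptables-restore, which is what an at(1) job on the DST dates would run. It assumes the rule times are interpreted as UTC (the default when --kerneltz is not used), so the UTC values must move by the DST offset to keep the same local wall-clock window; the function name and the sample rules are constructed for the example.

```shell
#!/bin/sh
# shift_xt_time OFFSET_MINUTES
#   Reads iptables-save output on stdin and rewrites the HH:MM[:SS] value
#   following every --timestart / --timestop by OFFSET_MINUTES (negative
#   allowed), wrapping around midnight. All other lines pass through unchanged.
#   Entering DST in the UK (local = UTC+1) means a 09:00 local rule must
#   now start at 08:00 UTC, i.e. an offset of -60; leaving DST uses +60.
# Usage: iptables-save | shift_xt_time -60 | iptables-restore
shift_xt_time() {
    awk -v off="$1" '
    function shift_hm(t,   p, n, s) {
        split(t, p, ":")                  # p[1]=HH p[2]=MM p[3]=SS (optional)
        s = (p[3] == "") ? "" : ":" p[3]  # keep seconds if present
        n = (p[1] * 60 + p[2] + off) % 1440
        if (n < 0) n += 1440              # awk % keeps the sign of the dividend
        return sprintf("%02d:%02d", int(n / 60), n % 60) s
    }
    {
        for (i = 1; i < NF; i++)
            if ($i == "--timestart" || $i == "--timestop")
                $(i + 1) = shift_hm($(i + 1))
        print                             # rebuilt with single spaces, as iptables-save emits
    }'
}

# Constructed sample of iptables-save output (not taken from the thread):
SAMPLE='*filter
-A INPUT -p tcp --dport 22 -m time --timestart 09:00 --timestop 17:30:00 -j ACCEPT
-A INPUT -p tcp --dport 22 -m time --timestart 00:30 --timestop 02:00 -j DROP
COMMIT'

# Dry run for the start of DST: shows the rewritten rules without loading them.
printf '%s\n' "$SAMPLE" | shift_xt_time -60
```

Review the dry-run output before replacing `| cat` with `| iptables-restore`, since a malformed save file makes iptables-restore refuse the whole ruleset.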