[PATCH] libxt_time: add support to ignore day transition

[PATCH] libxt_time: add support to ignore day transition

[Florian Westphal]

Currently, if you want to do something like:
"match Monday, starting 23:00, for two hours"
You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
The rule
--weekdays Mo --timestart 23:00  --timestop 01:00
looks correct, but it will first match on monday from midnight to 1 a.m.
and then again for another hour from 23:00 onwards.

This permits userspace to explicitly ignore the day transition and
match for a single, continuous time period instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 extensions/libxt_time.c           |   20 ++++++++++++++++++++
 extensions/libxt_time.man         |   12 ++++++++++++
 include/linux/netfilter/xt_time.h |    1 +
 3 files changed, 33 insertions(+), 0 deletions(-)

diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c
index 44c05b8..9c5bda8 100644
--- a/extensions/libxt_time.c
+++ b/extensions/libxt_time.c
@@ -22,6 +22,7 @@ enum {
 	O_DATE_STOP,
 	O_TIME_START,
 	O_TIME_STOP,
+	O_TIME_CONTIGUOUS,
 	O_MONTHDAYS,
 	O_WEEKDAYS,
 	O_LOCAL_TZ,
@@ -30,6 +31,7 @@ enum {
 	F_LOCAL_TZ  = 1 << O_LOCAL_TZ,
 	F_UTC       = 1 << O_UTC,
 	F_KERNEL_TZ = 1 << O_KERNEL_TZ,
+	F_TIME_CONTIGUOUS = 1 << O_TIME_CONTIGUOUS,
 };
 
 static const char *const week_days[] = {
@@ -41,6 +43,7 @@ static const struct xt_option_entry time_opts[] = {
 	{.name = "datestop", .id = O_DATE_STOP, .type = XTTYPE_STRING},
 	{.name = "timestart", .id = O_TIME_START, .type = XTTYPE_STRING},
 	{.name = "timestop", .id = O_TIME_STOP, .type = XTTYPE_STRING},
+	{.name = "contiguous", .id = O_TIME_CONTIGUOUS, .type = XTTYPE_NONE},
 	{.name = "weekdays", .id = O_WEEKDAYS, .type = XTTYPE_STRING,
 	 .flags = XTOPT_INVERT},
 	{.name = "monthdays", .id = O_MONTHDAYS, .type = XTTYPE_STRING,
@@ -273,6 +276,9 @@ static void time_parse(struct xt_option_call *cb)
 	case O_TIME_STOP:
 		info->daytime_stop = time_parse_minutes(cb->arg);
 		break;
+	case O_TIME_CONTIGUOUS:
+		info->flags |= XT_TIME_CONTIGUOUS;
+		break;
 	case O_LOCAL_TZ:
 		fprintf(stderr, "WARNING: --localtz is being replaced by "
 		        "--kerneltz, since \"local\" is ambiguous. Note the "
@@ -403,6 +409,8 @@ static void time_print(const void *ip, const struct xt_entry_match *match,
 	}
 	if (!(info->flags & XT_TIME_LOCAL_TZ))
 		printf(" UTC");
+	if (info->flags & XT_TIME_CONTIGUOUS)
+		printf(" contiguous");
 }
 
 static void time_save(const void *ip, const struct xt_entry_match *match)
@@ -429,6 +437,17 @@ static void time_save(const void *ip, const struct xt_entry_match *match)
 	time_print_date(info->date_stop, "--datestop");
 	if (info->flags & XT_TIME_LOCAL_TZ)
 		printf(" --kerneltz");
+	if (info->flags & XT_TIME_CONTIGUOUS)
+		printf(" --contiguous");
+}
+
+static void time_check(struct xt_fcheck_call *cb)
+{
+	const struct xt_time_info *info = (const void *) cb->data;
+	if ((cb->xflags & F_TIME_CONTIGUOUS) &&
+	     info->daytime_start < info->daytime_stop)
+		xtables_error(PARAMETER_PROBLEM,
+			"time: --contiguous only makes sense when stoptime is smaller than starttime");
 }
 
 static struct xtables_match time_match = {
@@ -442,6 +461,7 @@ static struct xtables_match time_match = {
 	.print         = time_print,
 	.save          = time_save,
 	.x6_parse      = time_parse,
+	.x6_fcheck     = time_check,
 	.x6_options    = time_opts,
 };
 
diff --git a/extensions/libxt_time.man b/extensions/libxt_time.man
index 1d677b9..4c0cae0 100644
--- a/extensions/libxt_time.man
+++ b/extensions/libxt_time.man
@@ -30,6 +30,10 @@ Only match on the given weekdays. Possible values are \fBMon\fP, \fBTue\fP,
 to \fB7\fP, respectively. You may also use two-character variants (\fBMo\fP,
 \fBTu\fP, etc.).
 .TP
+\fB\-\-contiguous\fP
+When \fB\-\-timestop\fP is smaller than \fB\-\-timestart\fP value, match
+this as a single time period instead distinct intervals.  See EXAMPLES.
+.TP
 \fB\-\-kerneltz\fP
 Use the kernel timezone instead of UTC to determine whether a packet meets the
 time regulations.
@@ -84,3 +88,11 @@ The fourth Friday in the month:
 (Note that this exploits a certain mathematical property. It is not possible to
 say "fourth Thursday OR fourth Friday" in one rule. It is possible with
 multiple rules, though.)
+.PP
+Matching across days might not do what is expected.  For instance,
+.IP
+\-m time \-\-weekdays Mo \-\-timestart 23:00  \-\-timestop 01:00
+Will match Monday, for one hour from midnight to 1 a.m., and then
+again for another hour from 23:00 onwards.  If this is unwanted, e.g. if you
+would like 'match for two hours from Montay 23:00 onwards' you need to also specify
+the \-\-contiguous option in the example above.
diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h
index 7c37fac..a21d5bf 100644
--- a/include/linux/netfilter/xt_time.h
+++ b/include/linux/netfilter/xt_time.h
@@ -16,6 +16,7 @@ struct xt_time_info {
 enum {
 	/* Match against local time (instead of UTC) */
 	XT_TIME_LOCAL_TZ = 1 << 0,
+	XT_TIME_CONTIGUOUS = 1 << 1,
 
 	/* Shortcuts */
 	XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
-- 
1.7.8.6

[PATCH] netfilter: xt_time: add support to ignore day transition

[Florian Westphal]

Currently, if you want to do something like:
"match Monday, starting 23:00, for two hours"
You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
The rule
--weekdays Mo --timestart 23:00  --timestop 01:00
looks correct, but it will first match on monday from midnight to 1 a.m.
and then again for another hour from 23:00 onwards.

This permits userspace to explicitly ignore the day transition and
match for a single, continuous time period instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter/xt_time.h |    7 +++++++
 net/netfilter/xt_time.c           |   24 +++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletions(-)

diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h
index 7c37fac..39cc3c4 100644
--- a/include/linux/netfilter/xt_time.h
+++ b/include/linux/netfilter/xt_time.h
@@ -17,6 +17,9 @@ enum {
 	/* Match against local time (instead of UTC) */
 	XT_TIME_LOCAL_TZ = 1 << 0,
 
+	/* treat timestart > timestop (e.g. 23:00-01:00) as single period */
+	XT_TIME_CONTIGUOUS = 1 << 1,
+
 	/* Shortcuts */
 	XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
 	XT_TIME_ALL_WEEKDAYS  = 0xFE,
@@ -24,4 +27,8 @@ enum {
 	XT_TIME_MAX_DAYTIME   = 24 * 60 * 60 - 1,
 };
 
+#ifdef __KERNEL__
+#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS)
+#endif
+
 #endif /* _XT_TIME_H */
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index c48975f..0ae55a3 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -42,6 +42,7 @@ static const u_int16_t days_since_leapyear[] = {
  */
 enum {
 	DSE_FIRST = 2039,
+	SECONDS_PER_DAY = 86400,
 };
 static const u_int16_t days_since_epoch[] = {
 	/* 2039 - 2030 */
@@ -78,7 +79,7 @@ static inline unsigned int localtime_1(struct xtm *r, time_t time)
 	unsigned int v, w;
 
 	/* Each day has 86400s, so finding the hour/minute is actually easy. */
-	v         = time % 86400;
+	v         = time % SECONDS_PER_DAY;
 	r->second = v % 60;
 	w         = v / 60;
 	r->minute = w % 60;
@@ -199,6 +200,18 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		if (packet_time < info->daytime_start &&
 		    packet_time > info->daytime_stop)
 			return false;
+
+		/** if user asked to ignore 'next day', then e.g.
+		 *  '1 PM Wed, August 1st' should be treated
+		 *  like 'Tue 1 PM July 31st'.
+		 *
+		 * This also causes
+		 * 'Monday, "23:00 to 01:00", to match for 2 hours, starting
+		 * Monday 23:00 to Tuesday 01:00.
+		 */
+		if ((info->flags & XT_TIME_CONTIGUOUS) &&
+		     packet_time <= info->daytime_stop)
+			stamp -= SECONDS_PER_DAY;
 	}
 
 	localtime_2(&current_time, stamp);
@@ -227,6 +240,15 @@ static int time_mt_check(const struct xt_mtchk_param *par)
 		return -EDOM;
 	}
 
+	if (info->flags & ~XT_TIME_ALL_FLAGS) {
+		pr_info("unknown flags 0x%x\n", info->flags & ~XT_TIME_ALL_FLAGS);
+		return -EINVAL;
+	}
+
+	if ((info->flags & XT_TIME_CONTIGUOUS) &&
+	     info->daytime_start < info->daytime_stop)
+		return -EINVAL;
+
 	return 0;
 }
 
-- 
1.7.8.6

Re: [PATCH] netfilter: xt_time: add support to ignore day transition

[Jan Engelhardt]

On Monday 2012-09-17 12:23, Florian Westphal wrote:

>Currently, if you want to do something like:
>"match Monday, starting 23:00, for two hours"
>You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
>The rule
>--weekdays Mo --timestart 23:00  --timestop 01:00
>looks correct, but it will first match on monday from midnight to 1 a.m.
>and then again for another hour from 23:00 onwards.

I think stop < start should be outright rejected in the user interface 
because of its confusion potential. Given what it currently does, it 
does not seem like it was ever desired.

Re: [PATCH] netfilter: xt_time: add support to ignore day transition

[Florian Westphal]

Jan Engelhardt <jengelh@inai.de> wrote:
> >Currently, if you want to do something like:
> >"match Monday, starting 23:00, for two hours"
> >You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
> >The rule
> >--weekdays Mo --timestart 23:00  --timestop 01:00
> >looks correct, but it will first match on monday from midnight to 1 a.m.
> >and then again for another hour from 23:00 onwards.
> 
> I think stop < start should be outright rejected in the user interface 
> because of its confusion potential. Given what it currently does, it 
> does not seem like it was ever desired.

No, it works fine the way it is; in fact, the kernel
explicitly tests for stop < start to make things work.

Only when --weekdays is used with a stop < start rule
the behaviour gets weird.

Re: [PATCH] netfilter: xt_time: add support to ignore day transition

[Pablo Neira Ayuso]

On Mon, Sep 17, 2012 at 12:23:09PM +0200, Florian Westphal wrote:
> Currently, if you want to do something like:
> "match Monday, starting 23:00, for two hours"
> You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
> The rule
> --weekdays Mo --timestart 23:00  --timestop 01:00
> looks correct, but it will first match on monday from midnight to 1 a.m.
> and then again for another hour from 23:00 onwards.
> 
> This permits userspace to explicitly ignore the day transition and
> match for a single, continuous time period instead.

Applied with one minor glitch.

> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  include/linux/netfilter/xt_time.h |    7 +++++++
>  net/netfilter/xt_time.c           |   24 +++++++++++++++++++++++-
>  2 files changed, 30 insertions(+), 1 deletions(-)
> 
> diff --git a/include/linux/netfilter/xt_time.h b/include/linux/netfilter/xt_time.h
> index 7c37fac..39cc3c4 100644
> --- a/include/linux/netfilter/xt_time.h
> +++ b/include/linux/netfilter/xt_time.h
> @@ -17,6 +17,9 @@ enum {
>  	/* Match against local time (instead of UTC) */
>  	XT_TIME_LOCAL_TZ = 1 << 0,
>  
> +	/* treat timestart > timestop (e.g. 23:00-01:00) as single period */
> +	XT_TIME_CONTIGUOUS = 1 << 1,
> +
>  	/* Shortcuts */
>  	XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
>  	XT_TIME_ALL_WEEKDAYS  = 0xFE,
> @@ -24,4 +27,8 @@ enum {
>  	XT_TIME_MAX_DAYTIME   = 24 * 60 * 60 - 1,
>  };
>  
> +#ifdef __KERNEL__
> +#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS)
> +#endif

I've removed this conditional definition. IMO that ifdef is too much
for just hidding one mask from user-space. Moreover it uses two flags
that are exposed to user-space.

There's is still one rare case we may use it, which is adding one rule
with recent iptables using the contiguous thing and dumping the
rule-set with one old iptables binary. But that's really rare.

Well, this is just to avoid a bit the ifdef pollution we have all
around our code.

Re: [PATCH] libxt_time: add support to ignore day transition

[Pablo Neira Ayuso]

On Mon, Sep 17, 2012 at 12:23:08PM +0200, Florian Westphal wrote:
> Currently, if you want to do something like:
> "match Monday, starting 23:00, for two hours"
> You need two rules, one for Mon 23:00 to 0:00 and one for Tue 0:00-1:00.
> The rule
> --weekdays Mo --timestart 23:00  --timestop 01:00
> looks correct, but it will first match on monday from midnight to 1 a.m.
> and then again for another hour from 23:00 onwards.
> 
> This permits userspace to explicitly ignore the day transition and
> match for a single, continuous time period instead.

Applied to the iptables-linux-3.7 branch.

Will merge this to master once linux-3.7-rc1 is released.

Thanks Florian.