From: Sebastian Arcus <shop@open-t.co.uk>
To: netfilter@vger.kernel.org
Cc: /dev/rob0 <rob0@gmx.co.uk>
Subject: Re: Iptables "-m time" option doesn't update when the clock changes
Date: Mon, 02 Apr 2012 20:57:28 +0100
Message-ID: <4F7A04A8.8020901@open-t.co.uk>
In-Reply-To: <20120329134557.GK4603@harrier.slackbuilds.org>
On 29/03/12 14:45, /dev/rob0 wrote:
> On Thu, Mar 29, 2012 at 11:21:55AM +0100, Sebastian Arcus wrote:
>> On 29/03/12 11:00, Jan Engelhardt wrote:
>> </snip>
>>> The caveat with the kernel timezone is that Linux distributions may
>>> neglect to set the kernel timezone, and instead only set the system
>>> time. Even if a particular distribution does set the timezone at boot,
>>> it usually does not keep the kernel timezone offset - which is what
>>> changes on DST - up to date. ntpd will not touch the kernel timezone,
>>> so running it will not resolve the issue. As such, one may encounter a
>>> timezone that is always +0000, or one that is wrong half of the time of
>>> the year. As such, using --kerneltz is highly discouraged.
>>>
>> Thanks for taking the time to give a detailed reply. Just to make
>> sure I understand correctly - would this mean that there is no
>> reliable way to run time based iptables rules and have them keep up
>> with DST changes correctly and automatically - without restarting
>> the machine when the DST kicks in or out?
>
> Restarting the machine? Blasphemy!
>
> Why not simply reload the firewall rules?
>
> A simple at(1) job on the DST-to-standard and standard-to-DST dates
> to reload the rules, either using your distro's firewall management
> tools, or pipe iptables-save to iptables-restore (substituting for
> the changed times), ought to do the job just fine.
>
Thanks for the suggestion. However, restarting the firewall (which
flushes and re-writes the rules) makes absolutely no difference. I have
to actually restart the machine for the rules to behave according to the
correct time. Maybe there is something wrong with the way Slackware
updates the kernel TZ - as per Jan's post. I've posted to the Slackware
list on linuxquestions.org to see if anybody knows more.
Sebastian
PS I agree with your position on restarting servers :-) but I don't seem
to get any choice in this matter
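The reload-with-substituted-times approach that /dev/rob0 suggests above, as an added example that is not part of the thread: a shell helper that shifts every --timestart/--timestop value in iptables-save output by a given number of minutes, so an at(1) job on the DST transition date can pipe the result into iptables-restore. It assumes the rules were written without --kerneltz (so the kernel matches them against UTC), and the sample ruleset is constructed for the example.

```shell
#!/bin/sh
# Constructed sample of iptables-save output (not from the thread). Both
# rules use "-m time" without --kerneltz, so the times are UTC: during
# UK standard time 08:00 UTC is 08:00 local.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -m time --timestart 08:00 --timestop 16:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
-A INPUT -p tcp --dport 3389 -m time --timestart 23:30 --timestop 01:30 -j DROP
COMMIT'

# shift_time_rules OFFSET_MINUTES < rules
# Rewrites each --timestart/--timestop HH:MM (or HH:MM:SS) value by
# OFFSET_MINUTES, wrapping around midnight; every other token is left
# untouched. When the local clock moves forward into DST, the same local
# window is one hour earlier in UTC, so pass -60; pass +60 when DST ends.
shift_time_rules() {
    awk -v off="$1" '
    function shifttime(t,   p, n, h, m, s) {
        n = split(t, p, ":")
        h = p[1]; m = p[2]; s = (n >= 3) ? p[3] : ""
        # Minutes since midnight, modulo one day (awk % keeps the sign,
        # hence the extra +1440 before the second modulo).
        m = ((h * 60 + m + off) % 1440 + 1440) % 1440
        return sprintf("%02d:%02d%s", int(m / 60), m % 60,
                       ((s != "") ? (":" s) : ""))
    }
    {
        for (i = 1; i < NF; i++)
            if ($i == "--timestart" || $i == "--timestop")
                $(i + 1) = shifttime($(i + 1))
        print
    }'
}

# Intended use from an at(1) job on the clocks-forward date (shown only,
# not executed here):
#   iptables-save | shift_time_rules -60 | iptables-restore
```

Review the shifted output with a plain diff against the original before feeding it to iptables-restore, since a rule that crosses midnight in UTC changes which --weekdays it effectively matches.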