When the system time-zone is not UTC, firewall rules that use time [starttime | stoptime] are not parsed correctly.
Steps to reproduce the error:
- Define a time-zone different from UTC
- Choose a value for time [starttime | stoptime] that is valid in the local time-zone but would be greater than 24 hours when converted to UTC
- Commit
Example:
- Time-zone: Argentina, which is UTC-3
- Value for time [starttime | stoptime]: any value from 21:00:00 onwards. In UTC that is greater than 24 hours (it falls on the next day and would actually be 00).
### Configuration

```
vyos@vyos:~$ show configuration commands | grep time-zone
set system time-zone 'America/Argentina/Buenos_Aires'
vyos@vyos:~$ date
Fri Feb 2 08:04:51 AM -03 2024
vyos@vyos:~$
vyos@vyos:~$ show config comm | grep firewall
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Good'
set firewall ipv4 input filter rule 1 time starttime '00:00:00'
set firewall ipv4 input filter rule 1 time stoptime '15:00:25'
set firewall ipv4 input filter rule 2 action 'accept'
set firewall ipv4 input filter rule 2 description 'Good, using latest value accepted'
set firewall ipv4 input filter rule 2 time starttime '17:00:01'
set firewall ipv4 input filter rule 2 time stoptime '20:59:59'
set firewall ipv4 input filter rule 3 action 'accept'
set firewall ipv4 input filter rule 3 description 'StopTime 23 plus utc 3 >> than 24. not ok'
set firewall ipv4 input filter rule 3 time starttime '06:00:00'
set firewall ipv4 input filter rule 3 time stoptime '23:00:00'
set firewall ipv4 input filter rule 4 action 'accept'
set firewall ipv4 input filter rule 4 description 'Both time would be bigger than 24 in UTC.. Not OK'
set firewall ipv4 input filter rule 4 time starttime '21:00:00'
set firewall ipv4 input filter rule 4 time stoptime '23:30:00'
vyos@vyos:~$
```
Rules are parsed correctly:
```
vyos@vyos:~$ cat /run/nftables.conf
...
chain VYOS_INPUT_filter {
    type filter hook input priority filter; policy accept;
    hour >= "00:00:00" hour < "15:00:25" counter accept comment "ipv4-INP-filter-1"
    hour >= "17:00:01" hour < "20:59:59" counter accept comment "ipv4-INP-filter-2"
    hour >= "06:00:00" hour < "23:00:00" counter accept comment "ipv4-INP-filter-3"
    hour >= "21:00:00" hour < "23:30:00" counter accept comment "ipv4-INP-filter-4"
    counter accept comment "INP-filter default-action accept"
}
```
And finally, the wrong values that end up in the loaded nftables ruleset:
```
vyos@vyos:~$ sudo nft -s list chain vyos_filter VYOS_INPUT_filter
table ip vyos_filter {
    chain VYOS_INPUT_filter {
        type filter hook input priority filter; policy accept;
        meta hour >= "00:00" meta hour < "15:00:25" counter accept comment "ipv4-INP-filter-1"
        meta hour >= "17:00:01" meta hour < "20:59:59" counter accept comment "ipv4-INP-filter-2"
        meta hour >= "06:00" meta hour < "1193045:28:16" counter accept comment "ipv4-INP-filter-3"
        meta hour >= "1193043:28:16" meta hour < "1193045:58:16" counter accept comment "ipv4-INP-filter-4"
        counter accept comment "INP-filter default-action accept"
    }
}
vyos@vyos:~$
```
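To check a configuration for the trigger condition described in the reproduction steps (a local starttime/stoptime that lands on another UTC day) and to spot the corrupted hour values in the `nft list` output above, here is an added Python script; it is not part of VyOS or of this report. It assumes a fixed UTC-3 offset as in the Argentina example (no DST handling), and the rule values and nft lines embedded in it are copied from the outputs above.

```python
import re
from datetime import timedelta

# Local offset from UTC used in the report (Argentina, UTC-3); assumed fixed, no DST.
LOCAL_UTC_OFFSET = timedelta(hours=-3)

def _to_seconds(hms: str) -> int:
    """HH:MM:SS -> seconds since local midnight."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def local_to_utc_seconds(hms: str, offset: timedelta = LOCAL_UTC_OFFSET) -> int:
    """Seconds since UTC midnight of the same local day; may leave the 0..86399 range."""
    return _to_seconds(hms) - int(offset.total_seconds())

def wraps_in_utc(hms: str, offset: timedelta = LOCAL_UTC_OFFSET) -> bool:
    """True when the local time falls on another UTC day (the trigger condition)."""
    utc = local_to_utc_seconds(hms, offset)
    return utc < 0 or utc >= 86400

def affected_rules(rules: dict, offset: timedelta = LOCAL_UTC_OFFSET) -> list:
    """rules: {rule_number: (starttime, stoptime)} -> rule numbers that will wrap."""
    return sorted(n for n, (start, stop) in rules.items()
                  if wraps_in_utc(start, offset) or wraps_in_utc(stop, offset))

# Matches the hour field of a rendered `meta hour "H:MM[:SS]"` comparison.
HOUR_RE = re.compile(r'meta hour (?:>=|<) "(\d+)(?::\d+){1,2}"')

def corrupted_hours(nft_output: str) -> list:
    """Comment tags of rendered rules whose hour field is outside 0..23."""
    bad = []
    for line in nft_output.splitlines():
        if any(int(h) > 23 for h in HOUR_RE.findall(line)):
            tag = re.search(r'comment "([^"]+)"', line)
            bad.append(tag.group(1) if tag else line.strip())
    return bad

# Rules 1-4 and the `nft -s list chain` lines copied from the report above.
RULES = {1: ("00:00:00", "15:00:25"), 2: ("17:00:01", "20:59:59"),
         3: ("06:00:00", "23:00:00"), 4: ("21:00:00", "23:30:00")}
NFT_OUTPUT = """\
meta hour >= "00:00" meta hour < "15:00:25" counter accept comment "ipv4-INP-filter-1"
meta hour >= "17:00:01" meta hour < "20:59:59" counter accept comment "ipv4-INP-filter-2"
meta hour >= "06:00" meta hour < "1193045:28:16" counter accept comment "ipv4-INP-filter-3"
meta hour >= "1193043:28:16" meta hour < "1193045:58:16" counter accept comment "ipv4-INP-filter-4"
"""

if __name__ == "__main__":
    print("rules that cross the UTC day boundary:", affected_rules(RULES))  # [3, 4]
    print("rendered rules with corrupted hours:", corrupted_hours(NFT_OUTPUT))
```

Rule 2 stays clean because 20:59:59 local is 23:59:59 UTC, the last second of the same day, which matches the "latest value accepted" description in the configuration.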