Firewall - Time not working properly when not using UTC
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	n.fort
	Feb 2 2024, 11:03 AM

Description

When not using UTC time, firewall rules using time [starttime | stoptime] is not parsed correctly.

Steps to reproduce error:

Define time-zone != from UTC
Choose a value time [starttime | stoptime], where in local time-zone is valir, but in UTC would be bigger than 24
Commit

Example:

Time-zone: Argentina, which is UTC - 3
Value for time [starttime | stoptime]: any value starting from 21:00:00 ==> That would lead to time bigger than 24 (next day and actually would be 00, in UTC).

### Configuration
vyos@vyos:~$ show configuration commands | grep time-zone
set system time-zone 'America/Argentina/Buenos_Aires'
vyos@vyos:~$ date
Fri Feb  2 08:04:51 AM -03 2024
vyos@vyos:~$
vyos@vyos:~$ show config comm | grep firewall
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Good'
set firewall ipv4 input filter rule 1 time starttime '00:00:00'
set firewall ipv4 input filter rule 1 time stoptime '15:00:25'
set firewall ipv4 input filter rule 2 action 'accept'
set firewall ipv4 input filter rule 2 description 'Good, using latest value accepted'
set firewall ipv4 input filter rule 2 time starttime '17:00:01'
set firewall ipv4 input filter rule 2 time stoptime '20:59:59'
set firewall ipv4 input filter rule 3 action 'accept'
set firewall ipv4 input filter rule 3 description 'StopTime 23 plus utc 3 >> than 24. not ok'
set firewall ipv4 input filter rule 3 time starttime '06:00:00'
set firewall ipv4 input filter rule 3 time stoptime '23:00:00'
set firewall ipv4 input filter rule 4 action 'accept'
set firewall ipv4 input filter rule 4 description 'Both time would be bigger than 24 in UTC.. Not OK'
set firewall ipv4 input filter rule 4 time starttime '21:00:00'
set firewall ipv4 input filter rule 4 time stoptime '23:30:00'
vyos@vyos:~$

Rules are parsed correctly:

vyos@vyos:~$ cat /run/nftables.conf
...
    chain VYOS_INPUT_filter {
        type filter hook input priority filter; policy accept;
        hour >= "00:00:00" hour < "15:00:25" counter accept comment "ipv4-INP-filter-1"
        hour >= "17:00:01" hour < "20:59:59" counter accept comment "ipv4-INP-filter-2"
        hour >= "06:00:00" hour < "23:00:00" counter accept comment "ipv4-INP-filter-3"
        hour >= "21:00:00" hour < "23:30:00" counter accept comment "ipv4-INP-filter-4"
        counter accept comment "INP-filter default-action accept"
    }

And finally, wrong values that are written in nftables:

vyos@vyos:~$ sudo nft -s list chain vyos_filter VYOS_INPUT_filter
table ip vyos_filter {
        chain VYOS_INPUT_filter {
                type filter hook input priority filter; policy accept;
                meta hour >= "00:00" meta hour < "15:00:25" counter accept comment "ipv4-INP-filter-1"
                meta hour >= "17:00:01" meta hour < "20:59:59" counter accept comment "ipv4-INP-filter-2"
                meta hour >= "06:00" meta hour < "1193045:28:16" counter accept comment "ipv4-INP-filter-3"
                meta hour >= "1193043:28:16" meta hour < "1193045:58:16" counter accept comment "ipv4-INP-filter-4"
                counter accept comment "INP-filter default-action accept"
        }
}
vyos@vyos:~$

Details

Difficulty level: Unknown (require assessment)
Version: vyos-1.4.0-rc3, 1.5-rolling-202402020022
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

n.fort created this task.Feb 2 2024, 11:03 AM

n.fort updated the task description. (Show Details)

n.fort changed the task status from Open to Confirmed.Feb 2 2024, 11:08 AM

n.fort added a project: VyOS 1.5 Circinus.

n.fort changed Version from vyos-1.4.0-rc3 to vyos-1.4.0-rc3, 1.5-rolling-202402020022.

pasik added a subscriber: pasik.Feb 2 2024, 12:29 PM

n.fort changed the task status from Confirmed to In progress.Feb 5 2024, 10:17 AM

n.fort claimed this task.

dmbaturin triaged this task as High priority.Feb 6 2024, 4:41 PM

HollyGurza added a subscriber: HollyGurza.Feb 12 2024, 11:15 AM

HollyGurza removed a subscriber: HollyGurza.

PR for fix in vyos-build: https://github.com/vyos/vyos-build/pull/501
PR for smoketest (modified because of change in build): https://github.com/vyos/vyos-1x/pull/2991

n.fort changed the task status from In progress to Needs testing.Feb 12 2024, 5:05 PM

n.fort closed this task as Resolved.Feb 16 2024, 10:33 AM

n.fort moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.

n.fort moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.

Firewall - Time not working properly when not using UTCClosed, ResolvedPublicBUGActions

Description

Details

Event Timeline

Firewall - Time not working properly when not using UTC
Closed, ResolvedPublicBUG
Actions