When the system time-zone is not UTC, firewall rules using time [starttime | stoptime] are not parsed correctly.
Steps to reproduce error:
- Define a time-zone different from UTC
- Choose a value for time [starttime | stoptime] that is valid in the local time-zone but, once converted to UTC, would give an hour of 24 or more
- Commit
Example:
- Time-zone: Argentina, which is UTC - 3
- Value for time [starttime | stoptime]: any value from 21:00:00 onwards ==> in UTC that gives an hour of 24 or more (i.e. the next day, where the hour should actually wrap to 00).
### Configuration

vyos@vyos:~$ show configuration commands | grep time-zone
set system time-zone 'America/Argentina/Buenos_Aires'
vyos@vyos:~$ date
Fri Feb 2 08:04:51 AM -03 2024
vyos@vyos:~$
vyos@vyos:~$ show config comm | grep firewall
set firewall ipv4 input filter rule 1 action 'accept'
set firewall ipv4 input filter rule 1 description 'Good'
set firewall ipv4 input filter rule 1 time starttime '00:00:00'
set firewall ipv4 input filter rule 1 time stoptime '15:00:25'
set firewall ipv4 input filter rule 2 action 'accept'
set firewall ipv4 input filter rule 2 description 'Good, using latest value accepted'
set firewall ipv4 input filter rule 2 time starttime '17:00:01'
set firewall ipv4 input filter rule 2 time stoptime '20:59:59'
set firewall ipv4 input filter rule 3 action 'accept'
set firewall ipv4 input filter rule 3 description 'StopTime 23 plus utc 3 >> than 24. not ok'
set firewall ipv4 input filter rule 3 time starttime '06:00:00'
set firewall ipv4 input filter rule 3 time stoptime '23:00:00'
set firewall ipv4 input filter rule 4 action 'accept'
set firewall ipv4 input filter rule 4 description 'Both time would be bigger than 24 in UTC.. Not OK'
set firewall ipv4 input filter rule 4 time starttime '21:00:00'
set firewall ipv4 input filter rule 4 time stoptime '23:30:00'
vyos@vyos:~$
The rules are written correctly to the generated nftables configuration:
vyos@vyos:~$ cat /run/nftables.conf
...
chain VYOS_INPUT_filter {
type filter hook input priority filter; policy accept;
hour >= "00:00:00" hour < "15:00:25" counter accept comment "ipv4-INP-filter-1"
hour >= "17:00:01" hour < "20:59:59" counter accept comment "ipv4-INP-filter-2"
hour >= "06:00:00" hour < "23:00:00" counter accept comment "ipv4-INP-filter-3"
hour >= "21:00:00" hour < "23:30:00" counter accept comment "ipv4-INP-filter-4"
counter accept comment "INP-filter default-action accept"
}

And finally, the wrong values that end up loaded in nftables:
vyos@vyos:~$ sudo nft -s list chain vyos_filter VYOS_INPUT_filter
table ip vyos_filter {
chain VYOS_INPUT_filter {
type filter hook input priority filter; policy accept;
meta hour >= "00:00" meta hour < "15:00:25" counter accept comment "ipv4-INP-filter-1"
meta hour >= "17:00:01" meta hour < "20:59:59" counter accept comment "ipv4-INP-filter-2"
meta hour >= "06:00" meta hour < "1193045:28:16" counter accept comment "ipv4-INP-filter-3"
meta hour >= "1193043:28:16" meta hour < "1193045:58:16" counter accept comment "ipv4-INP-filter-4"
counter accept comment "INP-filter default-action accept"
}
}
vyos@vyos:~$
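To make the failure mode concrete, here is an added example (not VyOS or nftables code; the function names and the UTC-offset constant are this example's own). It translates a local-time window to UTC the way a correct rule generator has to, splitting any window that crosses UTC midnight into two rules instead of emitting an hour of 24 or more, and it scans `nft list` output for hour operands that are not a valid time of day, which is the check that would have caught the `1193045:28:16` values above. The sample listing embedded at the bottom is constructed from the four rules in the report.

```python
# Added illustration for the bug report above, not VyOS or nftables code.
# 1) local_window_to_utc(): translate a local [starttime, stoptime) window to
#    UTC, splitting at midnight where needed (what a correct generator must do).
# 2) find_bad_hours(): flag 'meta hour' operands in nft output that are not a
#    valid time of day (the detection check for the symptom in the report).
import re

SECONDS_PER_DAY = 24 * 3600
_HMS = re.compile(r"^(\d+):(\d{2})(?::(\d{2}))?$")
# America/Argentina/Buenos_Aires is UTC-3, as in the report.
ARGENTINA_OFFSET_MIN = -3 * 60


def parse_hms(value):
    """Parse 'HH:MM[:SS]' into seconds since midnight; reject anything >= 24:00:00."""
    m = _HMS.match(value)
    if not m:
        raise ValueError(f"not a time of day: {value!r}")
    h, mi, s = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if h >= 24 or mi >= 60 or s >= 60:
        raise ValueError(f"time of day out of range: {value!r}")
    return h * 3600 + mi * 60 + s


def fmt_hms(seconds):
    """Format seconds since midnight (0 <= seconds < 86400) as HH:MM:SS."""
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


def local_window_to_utc(starttime, stoptime, utc_offset_minutes):
    """Translate a local [starttime, stoptime) window into UTC windows.

    Returns one (start, stop) pair in seconds since midnight, or two pairs when
    the window crosses UTC midnight. A stop of SECONDS_PER_DAY means 'until the
    end of the day'. UTC = local - offset, so UTC-3 adds three hours.
    """
    start = (parse_hms(starttime) - utc_offset_minutes * 60) % SECONDS_PER_DAY
    stop = (parse_hms(stoptime) - utc_offset_minutes * 60) % SECONDS_PER_DAY
    if start == stop:
        raise ValueError("empty window: starttime equals stoptime")
    if stop == 0:  # the local stop lands exactly on UTC midnight
        stop = SECONDS_PER_DAY
    if start < stop:
        return [(start, stop)]
    # Crosses midnight: tail of one UTC day plus head of the next.
    return [(start, SECONDS_PER_DAY), (0, stop)]


def render_nft(windows, comment):
    """Render UTC windows as nft 'meta hour' rule lines, one rule per window."""
    lines = []
    for start, stop in windows:
        expr = f'meta hour >= "{fmt_hms(start)}"'
        if stop < SECONDS_PER_DAY:  # 'rest of the day' needs no upper bound
            expr += f' meta hour < "{fmt_hms(stop)}"'
        lines.append(f'{expr} counter accept comment "{comment}"')
    return lines


_HOUR_OPERAND = re.compile(r'meta hour [<>=]+ "([^"]+)"')


def find_bad_hours(nft_listing):
    """Return (line_number, value) for every 'meta hour' operand that is not a valid time of day."""
    bad = []
    for lineno, line in enumerate(nft_listing.splitlines(), 1):
        for value in _HOUR_OPERAND.findall(line):
            try:
                parse_hms(value)
            except ValueError:
                bad.append((lineno, value))
    return bad


# Constructed sample: the four rule lines from the report's `nft -s list chain` output.
SAMPLE_LISTING = """\
meta hour >= "00:00" meta hour < "15:00:25" counter accept comment "ipv4-INP-filter-1"
meta hour >= "17:00:01" meta hour < "20:59:59" counter accept comment "ipv4-INP-filter-2"
meta hour >= "06:00" meta hour < "1193045:28:16" counter accept comment "ipv4-INP-filter-3"
meta hour >= "1193043:28:16" meta hour < "1193045:58:16" counter accept comment "ipv4-INP-filter-4"
"""

if __name__ == "__main__":
    # Rule 4: 21:00:00-23:30:00 local is 00:00:00-02:30:00 UTC, a single rule.
    for line in render_nft(local_window_to_utc("21:00:00", "23:30:00", ARGENTINA_OFFSET_MIN), "ipv4-INP-filter-4"):
        print(line)
    # Rule 3: 06:00:00-23:00:00 local crosses UTC midnight and needs two rules.
    for line in render_nft(local_window_to_utc("06:00:00", "23:00:00", ARGENTINA_OFFSET_MIN), "ipv4-INP-filter-3"):
        print(line)
    print(find_bad_hours(SAMPLE_LISTING))
```

Running `find_bad_hours` over the output of `sudo nft -s list chain vyos_filter VYOS_INPUT_filter` after a commit is a cheap post-commit sanity check: any hour operand that fails to parse means the loaded rule does not match the window configured, and the rule silently allows or blocks traffic at the wrong times.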