Frank Lichtenheld points out that -m time --datestart ... sometimes messes up --datestart: $ iptables -A INPUT -m time --datestart 2010-11-24T16:50:00 -j ACCEPT $ iptables-save | grep 11 -A INPUT -m time --datestart 2010-11-24T16:50:00 -j ACCEPT $ iptables-save | iptables-restore $ iptables-save | grep 11 -A INPUT -m time --datestart 2010-11-24T15:50:00 -j ACCEPT --datestart moved by one hour. As the --timestart option does not care about DST, always set dst=0 when parsing --starttime input. Reported-by: Frank Lichtenheld <flichtenheld@xxxxxxxxxx> Signed-off-by: Florian Westphal <fwestphal@xxxxxxxxxx> --- extensions/libxt_time.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/extensions/libxt_time.c b/extensions/libxt_time.c index 9f12266..055e716 100644 --- a/extensions/libxt_time.c +++ b/extensions/libxt_time.c @@ -138,6 +138,7 @@ static time_t time_parse_date(const char *s, bool end) tm.tm_hour = hour; tm.tm_min = minute; tm.tm_sec = second; + tm.tm_isdst = 0; ret = mktime(&tm); if (ret >= 0) return ret; -- 1.7.2.2
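Review bot: the new `tm.tm_isdst = 0;` ahead of `ret = mktime(&tm);` in time_parse_date() has no comment saying why DST is forced off. The commit message does not fill that gap cleanly: it justifies the change with --timestart and --starttime, while the function touched and the reproduction are about --datestart. A one-line comment at the assignment, stating that the date options are parsed without DST adjustment so that a saved rule restores to the same value, would keep the line from being removed later as redundant, and the message should name the option this function actually parses. Note also that mktime() still interprets the broken-down fields in the local time zone, so this pins only the DST flag. It would be worth confirming that the code printing --datestart for iptables-save formats the value under the same assumption, and adding the iptables-save | iptables-restore round trip from the report as a regression check, since a hidden one-hour shift in a time-bounded ACCEPT rule changes when traffic is allowed.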