Re: nft equivalent of -m time

On Sun, 12 Aug 2018 23:05:46 +0200
Florian Westphal <fw@xxxxxxxxx> wrote:

> Neal P. Murphy <neal.p.murphy@xxxxxxxxxxxx> wrote:
> > Does nftables have an equivalent of iptables' "-m time"?  
> 
> No.  Whats the use case?
> -m time is problematic (kernel has no idea what a timezone is).
> 
> It seems simpler to add to or delete from a named set via cron or
> similar.

The use case: define various time spans during which:
  - access is allowed/denied from certain internal hosts and/or to certain external hosts
  - access is allowed/denied to certain ports
  - access is allowed/denied to certain protocols

This is desirable because parents/businesses want to regulate children's/employees' internet access based on time of day (time for homework, time for bed, lunch hour web access, et alia). Businesses may also want to regulate employees' access to certain internal systems based on time of day.

The kernel does have a time zone setting, though it can be difficult to set it correctly. Dave Madore wrote a program, setsystz, back in 2007; it works very well. I still use his program even though /sbin/hwclock now has an option to set the kernel TZ. I have a cron job that gets the date of the change to/from DST (if any, and the dates change somewhat frequently) and schedules a job one minute before the change. That job basically spins until it detects the timezone change, and then immediately changes the kernel TZ. Cron's imprecision is about the only inaccuracy that creeps in. Otherwise, I've had no complaints about timed netfilter rules since I polished this method.

'-m time --kerneltz' works perfectly for Smoothwall, allowing localtime to be used. As soon as time passes into a 'denied' span, all existing targeted connections are rejected/reset upon receipt of the next packet; inbound and outbound directions are handled individually. My philosophy is "not one more packet shall pass in either direction once denied", be it a new or existing conn. Smoothwall originally used a cron-based method, but it wasn't all that accurate, nor could it allow a reasonably 'rich' configuration ('deny this, yet allow that, yet deny them, yet allow us' sort of thing). '-m time' could allow a very rich configuration; it would also allow scheduling future months (such as enter the child's access restrictions for the entire school year).

Neal
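Florian's suggestion above (drive a named set from cron instead of matching on time in the kernel), worked through as an added example. This is not code from the thread, from Smoothwall or from the nftables project. It assumes a table named "inet filter", a set named "curfew_hosts", and a constructed schedule of host curfews in local wall-clock time; none of those names come from the thread. Because cron and date(1) run in userspace with /etc/localtime, the timezone and DST conversion that -m time struggles with happens outside the kernel, and the reject rules are placed before the established/related accept so that an existing connection is cut on its next packet, which is the "not one more packet" behaviour described above.

```shell
#!/bin/sh
# Added example, not from the thread: emulate iptables "-m time" by having cron
# rewrite an nft named set once a minute:
#   * * * * * /usr/local/sbin/curfew.sh apply
# Assumed names (not from the thread): table "inet filter", set "curfew_hosts".
# All times are local wall-clock time as cron/date(1) see them.

NFT="${NFT:-nft}"   # override, e.g. NFT=cat, to dry-run the generated commands

# Constructed schedule: "START-END host[,host...]", one denial window per line.
# A window whose end is earlier than its start wraps past midnight.
SCHEDULE='21:00-07:00 192.168.1.20,192.168.1.21
12:00-13:00 192.168.1.30'

# Ruleset expected to be loaded once at boot (curfew.sh ruleset | nft -f -).
# The reject rules sit BEFORE the established,related accept, so a connection
# that was allowed a minute ago is rejected on its very next packet, in both
# directions, rather than being grandfathered in by conntrack.
ruleset() {
    cat <<'EOF'
table inet filter {
    set curfew_hosts { type ipv4_addr; }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip saddr @curfew_hosts reject with icmpx type admin-prohibited
        ip daddr @curfew_hosts reject with icmpx type admin-prohibited
        ct state established,related accept
    }
}
EOF
}

# to_min HH:MM -> minutes since midnight. One leading zero is stripped so
# "08" is not read as an (invalid) octal literal by $(( )).
to_min() { h=${1%%:*}; m=${1##*:}; echo $(( ${h#0} * 60 + ${m#0} )); }

# in_window NOW START END -> true if NOW lies in [START, END), wrapping at midnight
in_window() {
    now=$(to_min "$1"); start=$(to_min "$2"); end=$(to_min "$3")
    if [ "$start" -le "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}

# blocked_at HH:MM -> hosts denied at that time, one per line, sorted, de-duplicated
blocked_at() {
    printf '%s\n' "$SCHEDULE" | while read -r window hosts; do
        [ -n "$window" ] || continue
        if in_window "$1" "${window%-*}" "${window#*-}"; then
            printf '%s\n' "$hosts" | tr ',' '\n'
        fi
    done | sort -u
}

# render_commands HH:MM -> nft script that makes the set equal blocked_at.
# Fed to a single "nft -f" run, flush + add are applied as one transaction,
# so there is no instant in which the set is empty and a blocked host slips by.
render_commands() {
    members=$(blocked_at "$1" | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    echo "flush set inet filter curfew_hosts"
    [ -n "$members" ] && echo "add element inet filter curfew_hosts { $members }"
    return 0
}

case "${1:-}" in
    ruleset) ruleset ;;                                        # print boot-time ruleset
    apply)   render_commands "$(date +%H:%M)" | $NFT -f - ;;   # what cron runs each minute
esac
```

Granularity is whatever cron gives you (a minute here), which is the imprecision Neal mentions; the trade-off is that the schedule can be as rich as the script that computes set membership, and the kernel never needs a timezone. A set with "flags interval" and a second set keyed on port or protocol would extend the same pattern to the other cases in the use-case list.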


