Re: [PMX:#] Re: time module rules using localtime

On Thursday, March 05, 2015 09:05:09 PM Neal Murphy wrote:
> On Thursday, March 05, 2015 03:18:42 PM richard lucassen wrote:
> > Apparently the time module now uses UTC by default and the --utc and
> > --localtz options have been removed. As I understood from various
> > documents on the internet, to have a rule like:
> > 
> > iptables -A FORWARD -s 1.2.3.4 -m time --kerneltz \
> >     --timestart 06:00 --timestop 06:30 -j REJECT
> > 
> > work properly with localtime, I need to set the kernel timezone
> > variable as soon as the system time has been synchronized at boot:
> > 
> > hwclock --systz
> > 
> > and, furthermore, as the variable is not updated by ntp or whatsoever
> > on DST, run a cronjob on Sunday at 3:00 AM in the last week of March
> > and October (in Europe):
> > 
> > # last week of March and October: set DST kernel timezone
> > 0 3 25-31 3,10 0 /sbin/hwclock --systz
> > 
> > As this event only happens twice a year, I'd like to know if this is
> > the right way to use iptables time rules in a DST environment.
> > 
> > Right or wrong?
> > 
> > R.
> 
> I was under the impression that a special tool is needed to set the kernel
> TZ. What I did for Smoothwall 3.1 is set the hardware clock to localtime
> and ensure that the system time is correctly pulled from it. Then ensure
> that features that use '-m time' include the --kerneltz option.
> 
> The bit I haven't done yet is implement a way to detect the local time
> zone, determine the DST changeovers from the TZDATA package, then schedule
> an at job for the two specific times when the kernel TZ must be updated.
> Thus, if the system is running at that time, the kernel TZ will be
> updated. If the system is not running at that time, the kernel TZ will be
> correctly set the next time the system boots. (This means that a system
> reboot will ensure the kernel TZ is correct.)
> 
> The program to set the kerneltz is 'setknltz' by David Madore. A cron job
> runs at 0159 on 3/8 and 11/1 (for US/Eastern zone). The script that is run
> sleeps for 1.02 seconds, then runs setknltz. Next, I believe the rules
> that use '-m time' need to be reset so they have the correct offset from
> UTC.

Apologies. Mr. Madore called his program 'setsystz'. URL:
  https://lkml.org/lkml/2007/2/19/214

N
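
An added example, not part of either post: a check of which days the quoted crontab entry `0 3 25-31 3,10 0` fires on, assuming Vixie-style cron where a restricted day-of-month and a restricted day-of-week are ORed, compared with the last Sunday of March and October. The function names and the sample year 2015 are chosen here for illustration.

```python
import calendar
from datetime import date, timedelta

# The crontab entry from the post, field by field:
#   0 3 25-31 3,10 0 /sbin/hwclock --systz
CRON_DOM = set(range(25, 32))   # day-of-month field: 25-31
CRON_MONTHS = {3, 10}           # month field: 3,10
CRON_DOW = {0}                  # day-of-week field: 0 (Sunday)


def cron_fires(d):
    """True if the entry runs on date d under Vixie-cron day matching.

    crontab(5): when day-of-month and day-of-week are both restricted,
    the job runs when EITHER field matches, not only when both do.
    """
    dow = (d.weekday() + 1) % 7          # cron numbering: Sunday = 0
    return d.month in CRON_MONTHS and (d.day in CRON_DOM or dow in CRON_DOW)


def is_last_sunday(d):
    """True if d is the last Sunday of its month."""
    days_in_month = calendar.monthrange(d.year, d.month)[1]
    return d.weekday() == 6 and d.day + 7 > days_in_month


def guarded(d):
    """Same entry with '*' as day-of-week and the Sunday test in the command:
    0 3 25-31 3,10 * [ "$(date +\\%u)" -eq 7 ] && /sbin/hwclock --systz
    """
    return d.month in CRON_MONTHS and d.day in CRON_DOM and is_last_sunday(d)


def run_days(year, match):
    """All dates in `year` for which match(date) is true."""
    d, out = date(year, 1, 1), []
    while d.year == year:
        if match(d):
            out.append(d)
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    year = 2015  # constructed sample: the year of this thread
    print("entry as posted runs on", len(run_days(year, cron_fires)), "days")
    print("guarded entry runs on", [str(d) for d in run_days(year, guarded)])
```

Running `hwclock --systz` on the extra days is harmless, but the entry as posted does not limit itself to the changeover Sundays.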