Hi, I think I've found a bug in iptables. I use iptables to block Facebook during specific hours and days. For several weeks now Facebook has always been blocked, while the config stayed the same. I'll give some examples which led to my conclusion. I have 2 rules, one for during the week and one for the weekend. I noticed the rule for during the week always blocked traffic, even when it was the weekend and it was supposed to allow access to Facebook. I tweaked the --timestop and --timestart to find what triggered the bug, to no avail. Then I started tweaking the days; for some reason Thursday in the rule for during the week is creating the problems for the weekend rules. When I remove Thursday from the rule for during the week it worked as intended again. I also have the same rules running on my Raspberry Pi's VPN tunnels; the bug isn't triggered there. However, I can reproduce the bug on another machine running the same distro.

During the week filtering:

-A facebook -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m comment --comment "Reject Facebook during the week" -m time --timestart 00:00:00 --timestop 00:00:00 --weekdays Mon,Tue,Wed,Thu,Fri --datestop 2038-01-19T03:14:07 -j REJECT --reject-with icmp-port-unreachable

During the weekend filtering:

-A facebook -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m comment --comment "Reject Facebook during the weekend" -m time --timestart 03:00:00 --timestop 17:00:00 --weekdays Sat,Sun --datestop 2038-01-19T03:14:07 -j REJECT --reject-with icmp-port-unreachable

My Debian system where it works runs Linux 4.14.79-v7+ with iptables 1.6.0+snapshot20161117-6. My workstation running Fedora, where it doesn't work, runs 4.20.8-200.fc29.x86_64 with iptables 1.8.0-3.fc29.x86_64.

Can someone verify this problem? Of course it doesn't have to block Facebook, it can be anything, as long as you use the time parameters.
-- Kind regards, Kees de Jong

The information contained in this e-mail may be confidential and is intended exclusively for the addressee(s). Should you receive this e-mail unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail. This e-mail, including the attachments, is not legally binding unless otherwise agreed upon in writing.

-- OpenPGP fingerprint: 0x0E45C98AB51428E6
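To make the expected behaviour of the two rules in the report concrete, here is an added Python model of how the netfilter xt_time match evaluates --timestart, --timestop, --weekdays, --datestart and --datestop. It is not code from iptables, the kernel or the original message; the semantics it models follow iptables-extensions(8) and the xt_time module (the clock is compared in UTC unless --kerneltz is given, a window whose start is later than its stop wraps past midnight, and a window whose start equals its stop rejects nothing, so the 00:00:00/00:00:00 weekday rule matches all day), the --contiguous flag is not modelled, and the sample instants are constructed. The option parser and the helper names (parse_time_match, time_match, matching_rules_at) are this example's own.

```python
import re
from datetime import datetime, timezone

# Added example: a model of the xt_time match, not code from iptables or the kernel.
# Assumptions: UTC unless --kerneltz, start > stop wraps past midnight,
# start == stop matches all day, --contiguous not modelled.

WEEKDAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order
MAX_DAYTIME = 24 * 60 * 60 - 1   # libxt_time default for --timestop (23:59:59)
MAX_DATE = 2 ** 31 - 1           # default --datestop, 2038-01-19T03:14:07 UTC


def parse_daytime(text):
    """'hh:mm[:ss]' -> seconds since midnight."""
    parts = [int(p) for p in text.split(":")]
    parts += [0] * (3 - len(parts))
    hours, minutes, seconds = parts
    return hours * 3600 + minutes * 60 + seconds


def parse_date(text):
    """Full 'YYYY-MM-DDThh:mm:ss' form only (assumption; iptables also accepts truncated forms)."""
    return int(datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_time_match(rule):
    """Pull the '-m time ...' options out of an iptables rule string, filling in libxt_time defaults."""
    opts = {"timestart": 0, "timestop": MAX_DAYTIME,
            "weekdays": set(WEEKDAY_NAMES),
            "datestart": 0, "datestop": MAX_DATE, "kerneltz": False}
    # the time options run until the next single-dash option (-m, -j, ...) or the end of the rule
    seg = re.search(r"-m time\s+(.*?)(?=\s-[A-Za-z]\s|$)", rule)
    tokens = seg.group(1).split() if seg else []
    i = 0
    while i < len(tokens):
        name = tokens[i].lstrip("-")
        if name in ("kerneltz", "contiguous"):   # flags without an argument
            opts[name] = True
            i += 1
            continue
        value = tokens[i + 1]
        i += 2
        if name in ("timestart", "timestop"):
            opts[name] = parse_daytime(value)
        elif name in ("datestart", "datestop"):
            opts[name] = parse_date(value)
        elif name == "weekdays":
            opts["weekdays"] = set(value.split(","))
    return opts


def time_match(opts, when):
    """True if a packet seen at `when` (a timezone-aware datetime) satisfies the time match."""
    stamp = int(when.timestamp())
    if stamp < opts["datestart"] or stamp > opts["datestop"]:
        return False
    # xt_time evaluates the wall clock in UTC unless --kerneltz was given
    local = when.astimezone() if opts["kerneltz"] else when.astimezone(timezone.utc)
    if WEEKDAY_NAMES[local.weekday()] not in opts["weekdays"]:
        return False
    packet_time = local.hour * 3600 + local.minute * 60 + local.second
    start, stop = opts["timestart"], opts["timestop"]
    if start < stop:
        return start <= packet_time <= stop
    # start >= stop: the window wraps past midnight; start == stop (the
    # 00:00:00/00:00:00 weekday rule) rejects nothing, i.e. matches all day
    return not (packet_time < start and packet_time > stop)


def matching_rules(rules, when):
    """Comments of the rules whose time match fires at `when`, in chain order."""
    hits = []
    for rule in rules:
        comment = re.search(r'--comment "([^"]*)"', rule)
        if time_match(parse_time_match(rule), when):
            hits.append(comment.group(1) if comment else rule)
    return hits


# The two rules from the report, each on one line.
RULES = [
    '-A facebook -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,RELATED,ESTABLISHED '
    '-m comment --comment "Reject Facebook during the week" -m time --timestart 00:00:00 '
    '--timestop 00:00:00 --weekdays Mon,Tue,Wed,Thu,Fri --datestop 2038-01-19T03:14:07 '
    '-j REJECT --reject-with icmp-port-unreachable',
    '-A facebook -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,RELATED,ESTABLISHED '
    '-m comment --comment "Reject Facebook during the weekend" -m time --timestart 03:00:00 '
    '--timestop 17:00:00 --weekdays Sat,Sun --datestop 2038-01-19T03:14:07 '
    '-j REJECT --reject-with icmp-port-unreachable',
]


def matching_rules_at(iso_utc):
    """Which of RULES fire at 'YYYY-MM-DDThh:mm:ss', read as UTC."""
    when = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return matching_rules(RULES, when)


if __name__ == "__main__":
    # constructed sample instants (UTC): a Thursday noon, a Saturday morning, a Saturday evening
    for iso in ("2019-02-21T12:00:00", "2019-02-23T10:00:00", "2019-02-23T20:00:00"):
        print(iso, "->", matching_rules_at(iso) or "no rule fires: traffic allowed")
```

Running the model shows what the reporter expected: only the weekday rule fires on a Thursday, only the weekend rule fires on a Saturday morning, and nothing fires on a Saturday evening. Because the comparison is in UTC, a host in a timezone some hours from UTC sees the weekday boundary shift accordingly unless --kerneltz is added; that does not explain a rule firing on every day of the week, but it is the first thing to rule out when comparing two machines.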