bugzilla-daemon at netfilter.org
2014-Feb-11 08:49 UTC
[Bug 903] New: Second rule is not getting executed when we give different timeouts for the same ip address.
https://bugzilla.netfilter.org/show_bug.cgi?id=903
Summary: Second rule is not getting executed when we give different timeouts for the same ip address.
Product: iptables
Version: unspecified
Platform: i386
OS/Version: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: pradiptakumarrout01 at gmail.com
Estimated Hours: 0.0
Hi,
I got the following issue in my project. I have added the iptables timeout support
in my project, but I am having the following issue.
Description / Steps To Reproduce:
1. Try the following command to block a client from 13 to 16:
iptables -A INPUT -s 10.0.6.191 -m time --kerneltz --datestart 2014-2-11T13 --datestop 2014-2-11T16 -j DROP
2. Try the following command to accept the same client from 13:30 to 14:
iptables -A INPUT -s 10.0.6.191 -m time --kerneltz --datestart 2014-2-11T13:30 --datestop 2014-2-11T14 -j ACCEPT
Actual Result:
Only the first rule got executed (i.e. the client IP is blocked from 2/11/2014 13
to 2/11/2014 16). The second rule was not executed.
Expected Result:
Since the 2 rules differ in timeout, both rules should get executed,
i.e. the client IP should be blocked from 2/11/2014 13 to 2/11/2014 13:30 and from
2/11/2014 14 to 2/11/2014 16. It should be accessible in the time period
2/11/2014 13:00 to 2/11/2014 13:30.
Kindly tell me the cause why the second rule did not execute.
I know it filters the packets, but what makes a packet unique: the IP, the port or
what? My understanding is that once a packet gets executed, iptables will not execute
any rules for the same packet.
But what makes a packet for iptables, and how can we tell that this rule was not
executed due to this reason?
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2014-Feb-11 16:35 UTC
[Bug 903] Second rule is not getting executed when we give different timeouts for the same ip address.
https://bugzilla.netfilter.org/show_bug.cgi?id=903
Phil Oester <netfilter at linuxace.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |netfilter at linuxace.com
Resolution| |INVALID
--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2014-02-11 17:34:59 CET ---
Once a DROP (or ACCEPT) rule is matched, the packet stops looking at additional
rules in the chain. This is very basic iptables knowledge. If you have
further questions on this, please ask on the netfilter mailing list.
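The first-match behaviour Phil describes, modelled as an added example (not part of the bug report or of netfilter's code): a small Python simulation of INPUT chain traversal with the two rules from the report, next to the same two rules with the narrower ACCEPT placed ahead of the DROP. It assumes the time match's date range is inclusive at both ends, a default INPUT policy of ACCEPT, and naive local times in place of --kerneltz.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One rule: -s <src> -m time --datestart <start> --datestop <stop> -j <target>."""
    src: str
    start: datetime
    stop: datetime
    target: str  # DROP or ACCEPT; both are terminating targets


def t(hour: int, minute: int = 0) -> datetime:
    # Every time in the report falls on 2014-02-11 (the --datestart/--datestop day).
    return datetime(2014, 2, 11, hour, minute)


def matches(rule: Rule, src: str, when: datetime) -> bool:
    # Assumption: the date window is inclusive on both ends.
    return src == rule.src and rule.start <= when <= rule.stop


def evaluate(chain: List[Rule], src: str, when: datetime,
             policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom. The first matching rule with a terminating
    target decides the verdict and traversal stops there; later rules are never
    consulted for that packet. With no match, the chain policy (assumed ACCEPT) applies."""
    for position, rule in enumerate(chain, start=1):
        if matches(rule, src, when):
            return rule.target, position
    return policy, None


CLIENT = "10.0.6.191"

# The reporter's order: the broad DROP sits first, so it wins for every packet in 13:00-16:00.
REPORTED = [
    Rule(CLIENT, t(13), t(16), "DROP"),
    Rule(CLIENT, t(13, 30), t(14), "ACCEPT"),
]

# Constructed fix: the same rules, with the narrower ACCEPT inserted before the DROP.
REORDERED = [
    Rule(CLIENT, t(13, 30), t(14), "ACCEPT"),
    Rule(CLIENT, t(13), t(16), "DROP"),
]

if __name__ == "__main__":
    for name, chain in (("reported", REPORTED), ("reordered", REORDERED)):
        for when in (t(13, 15), t(13, 45), t(15), t(17)):
            verdict, pos = evaluate(chain, CLIENT, when)
            print(f"{name:9} {when:%H:%M} -> {verdict} (rule {pos})")
```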