bugzilla-daemon at netfilter.org
2024-Feb-22 20:59 UTC
[Bug 1737] New: meta hour error with different time-zones
https://bugzilla.netfilter.org/show_bug.cgi?id=1737
Bug ID: 1737
Summary: meta hour error with different time-zones
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: nicolasfort1988 at gmail.com
When using meta hour, and also using different time zone (for example
Australia/Sydney), rules are written correctly, but they do not match as
expected.
### Config and date
For example:
table ip vyos_filter {
    chain VYOS_OUTPUT_filter {
        type filter hook output priority filter; policy accept;
        ip daddr 1.1.1.1 meta hour >= "03:01" meta hour < "08:00" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"
        ip daddr 8.8.8.8 meta hour >= "03:01" meta hour < "14:00" counter packets 0 bytes 0 accept comment "ipv4-OUT-filter-20"
        counter packets 76 bytes 5652 log prefix "[ipv4-OUT-filter-default-A]" accept comment "OUT-filter default-action accept"
    }
}
vyos at TEST:~$ date
Fri Feb 23 07:19:16 AM AEDT 2024
###
And after running ping to both hosts, we can check in the logs that the second rule was
not hit, and we get a log entry from the last rule.
### Log
Feb 23 07:19:33 TEST kernel: [ipv4-OUT-filter-default-A]IN= OUT=eth0 SRC=192.168.0.151 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30358 DF PROTO=ICMP TYPE=8 CODE=0 ID=48824 SEQ=1
####
- nftables version: 1.0.9-1
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2024-Feb-22 21:08 UTC
[Bug 1737] meta hour error with different time-zones
https://bugzilla.netfilter.org/show_bug.cgi?id=1737
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
1.0.9 is lacking this fix, which is already in git HEAD.
Does this fix your issue?
commit d392ddf243dcbf8a34726c777d2c669b1e8bfa85
Author: Florian Westphal <fw at strlen.de>
Date: Thu Nov 2 15:34:13 2023 +0100
meta: fix hour decoding when timezone offset is negative
Brian Davidson says:
meta hour rules don't display properly after being created when the
hour is on or after 00:00 UTC. The netlink debug looks correct for
seconds past midnight UTC, but displaying the rules looks like an
overflow or a byte order problem. I am in UTC-0400, so today, 20:00
and later exhibits the problem, while 19:00 and earlier hours are
fine.
meta.c only ever worked when the delta to UTC is positive.
We need to add in case the second counter turns negative after
offset adjustment.
Also add a test case for this.
Fixes: f8f32deda31d ("meta: Introduce new conditions 'time', 'day' and 'hour'")
Reported-by: Brian Davidson <davidson.brian at gmail.com>
Signed-off-by: Florian Westphal <fw at strlen.de>
bugzilla-daemon at netfilter.org
2024-Feb-22 21:50 UTC
[Bug 1737] meta hour error with different time-zones
https://bugzilla.netfilter.org/show_bug.cgi?id=1737
--- Comment #2 from nicolasfort1988 at gmail.com ---
I forgot to mention that such fix is already included in my scenario. Before it, rules were not written as expected, as described in that task. Now rules are written correctly, but it seems that if the time-zone defined in the host is !UTC, then something weird happens.
bugzilla-daemon at netfilter.org
2024-Mar-19 16:14 UTC
[Bug 1737] meta hour error with different time-zones
https://bugzilla.netfilter.org/show_bug.cgi?id=1737
Simon G. Trajkovski <neuroarmitage at proton.me> changed:
What  | Removed | Added
------+---------+---------------------------
CC    |         | neuroarmitage at proton.me
--- Comment #3 from Simon G. Trajkovski <neuroarmitage at proton.me> ---
(In reply to nicolasfort1988 from comment #0)
> When using meta hour, and also using different time zone (for example
> Australia/Sydney), rules are written correctly, but they do not match as
> expected.
>
> ### Config and date
> For example:
>
> table ip vyos_filter {
>     chain VYOS_OUTPUT_filter {
>         type filter hook output priority filter; policy accept;
>         ip daddr 1.1.1.1 meta hour >= "03:01" meta hour < "08:00" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"
>         ip daddr 8.8.8.8 meta hour >= "03:01" meta hour < "14:00" counter packets 0 bytes 0 accept comment "ipv4-OUT-filter-20"

use a range:

    ip daddr 8.8.8.8 meta hour "03:01"-"08:00" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"

and it works fine; but listing displays this:

    ip daddr 8.8.8.8 meta hour != "14:00"-"03:01" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"

Not knowledgeable of this code, but nftables/src/evaluate.c has special handling for this.

>         counter packets 76 bytes 5652 log prefix "[ipv4-OUT-filter-default-A]" accept comment "OUT-filter default-action accept"
>     }
> }
>
> vyos at TEST:~$ date
> Fri Feb 23 07:19:16 AM AEDT 2024
> ###
>
> And after running ping to both hosts, we can check on logs that second rule
> was not hit, and we get log for last rule.
>
> ### Log
> Feb 23 07:19:33 TEST kernel: [ipv4-OUT-filter-default-A]IN= OUT=eth0 SRC=192.168.0.151 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30358 DF PROTO=ICMP TYPE=8 CODE=0 ID=48824 SEQ=1
> ####
>
> - nftables version: 1.0.9-1
bugzilla-daemon at netfilter.org
2024-Mar-19 19:33 UTC
[Bug 1737] meta hour error with different time-zones
https://bugzilla.netfilter.org/show_bug.cgi?id=1737
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Simon G. Trajkovski from comment #3)
> (In reply to nicolasfort1988 from comment #0)
> > When using meta hour, and also using different time zone (for example
> > Australia/Sydney), rules are written correctly, but they do not match as
> > expected.
> >
> > ### Config and date
> > For example:
> >
> > table ip vyos_filter {
> >     chain VYOS_OUTPUT_filter {
> >         type filter hook output priority filter; policy accept;
> >         ip daddr 1.1.1.1 meta hour >= "03:01" meta hour < "08:00" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"
> >         ip daddr 8.8.8.8 meta hour >= "03:01" meta hour < "14:00" counter packets 0 bytes 0 accept comment "ipv4-OUT-filter-20"
>
> use a range:
>
>     ip daddr 8.8.8.8 meta hour "03:01"-"08:00" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"
>
> and it works fine; but listing displays this:
>
>     ip daddr 8.8.8.8 meta hour != "14:00"-"03:01" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"
>
> Not knowledgeable of this code, but nftables/src/evaluate.c has special
> handling for this.

Thanks for disentangling this bug report. I made this patch:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240319192609.218891-1-pablo at netfilter.org/

so it is the implicit cross-day handling that reverses an interval that is missing in this ruleset. So, basically, 14:00-03:01 triggers a cross-day interval swap in AEDT time, since the kernel handles time in UTC. To improve usability, I have completed the remaining code in the listing path and I have documented that use of ranges is recommended.

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240319192609.218891-1-pablo at netfilter.org/

It should be possible to make this change to swap this open-coded range notation:

    meta hour >= "03:01" meta hour < "14:00"

but it is still more efficient to express this with a range expression.
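The following is an added model of the behaviour comments #3 and #4 describe; it is not nftables code and does not reproduce what src/evaluate.c or src/meta.c actually do. It assumes only what the thread states: the kernel compares `meta hour` in seconds since midnight UTC, nft converts the user's local HH:MM to UTC with the host offset, and a range whose UTC bounds come out reversed is stored swapped and negated, which is what `nft list ruleset` prints as `!= "END"-"START"`. Everything else (AEDT fixed at UTC+11 with no DST transition, inclusive bounds, the helper names) is an assumption of this example. It replays the report's ping at 07:19 AEDT against both rules, in the open-coded `>=`/`<` form and in the range form, and renders the range form back the way the listing in comment #3 shows it.

```python
"""Added illustration (not nftables code): why `meta hour >= A meta hour < B`
silently matches nothing once the interval crosses midnight UTC, while the
range form `meta hour A-B` gets a cross-day swap and keeps working.

Assumptions (not taken from the thread): AEDT is a fixed UTC+11, range
bounds are inclusive, and a wrapped range is stored as the negation of the
swapped bounds.
"""
from dataclasses import dataclass

DAY = 24 * 3600
AEDT = 11 * 3600   # assumed: Australia/Sydney in February, no DST change modelled


def hhmm_to_seconds(hhmm: str) -> int:
    """'HH:MM' -> seconds since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 3600 + int(minutes) * 60


def seconds_to_hhmm(sec: int) -> str:
    """Seconds since midnight (any day) -> 'HH:MM' within [00:00, 24:00)."""
    sec %= DAY
    return f"{sec // 3600:02d}:{(sec % 3600) // 60:02d}"


def local_to_utc(sec_local: int, utc_offset: int) -> int:
    """Local seconds-of-day -> UTC seconds-of-day, wrapped into [0, DAY).
    For UTC+11 this moves 03:01 local to 16:01 UTC of the previous day;
    for UTC-4 it moves 20:00 local to 00:00 UTC (the case in comment #1)."""
    return (sec_local - utc_offset) % DAY


@dataclass(frozen=True)
class HourRange:
    """What the ruleset ends up holding: UTC bounds plus a negation flag."""
    lo: int
    hi: int
    negate: bool = False

    def matches(self, utc_sec: int) -> bool:
        if self.negate:                       # wrapped interval: everything except (lo, hi)
            return not (self.lo < utc_sec < self.hi)
        return self.lo <= utc_sec <= self.hi  # assumed inclusive bounds

    def listing(self, utc_offset: int) -> str:
        """Render the stored bounds back in host local time, as `nft list ruleset` would."""
        lo, hi = (seconds_to_hhmm(b + utc_offset) for b in (self.lo, self.hi))
        return f'meta hour {"!= " if self.negate else ""}"{lo}"-"{hi}"'


def compile_range(start: str, end: str, utc_offset: int) -> HourRange:
    """`meta hour "START"-"END"`: one range expression, so the converter can
    see that the UTC bounds came out reversed and swap + negate them."""
    lo = local_to_utc(hhmm_to_seconds(start), utc_offset)
    hi = local_to_utc(hhmm_to_seconds(end), utc_offset)
    if lo <= hi:
        return HourRange(lo, hi)
    return HourRange(hi, lo, negate=True)     # the cross-day swap, listed as != "END"-"START"


def open_coded_matches(start: str, end: str, utc_offset: int, utc_sec: int) -> bool:
    """`meta hour >= "START" meta hour < "END"`: two independent comparisons,
    each converted to UTC on its own and ANDed, so nothing can swap them.
    Once START lands after END in UTC the conjunction is unsatisfiable."""
    lo = local_to_utc(hhmm_to_seconds(start), utc_offset)
    hi = local_to_utc(hhmm_to_seconds(end), utc_offset)
    return lo <= utc_sec < hi


def reproduce_bug(utc_offset: int = AEDT) -> dict:
    """Replay the report: a ping at 07:19 local time against both rules."""
    pkt = local_to_utc(hhmm_to_seconds("07:19"), utc_offset)
    rule10 = compile_range("03:01", "08:00", utc_offset)
    rule20 = compile_range("03:01", "14:00", utc_offset)
    return {
        "packet_utc": seconds_to_hhmm(pkt),
        "rule10_open_coded": open_coded_matches("03:01", "08:00", utc_offset, pkt),
        "rule10_range": rule10.matches(pkt),
        "rule10_listing": rule10.listing(utc_offset),
        "rule20_open_coded": open_coded_matches("03:01", "14:00", utc_offset, pkt),
        "rule20_range": rule20.matches(pkt),
        "rule20_listing": rule20.listing(utc_offset),
    }


if __name__ == "__main__":
    for key, value in reproduce_bug().items():
        print(f"{key:>18}: {value}")
```

Running it reproduces the counters in the report: rule 10 (03:01-08:00 AEDT, 16:01-21:00 UTC) matches the 20:19 UTC packet in both forms, while rule 20 (03:01-14:00 AEDT) becomes 16:01-03:00 UTC, so the open-coded pair `>= 16:01 and < 03:00` can never be true and only the range form, stored as `!= "14:00"-"03:01"` in local terms, still matches. The practical check before deploying a time-based rule on a non-UTC host is therefore to `nft list ruleset` after loading it and confirm the hour bounds came back as a range (possibly negated), not as two comparisons.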