Page MenuHomeVyOS Platform
Create Task
Maniphest T3895

VYOS firewall rules do not adhere to time schedule unless placed in UTC mode.
Closed, ResolvedPublic
Actions

Description

Using starttime and stoptime within firewall rules does not work, unless the rule, specifies UTC time.

This rule seems to be ignored.

set firewall name INSIDE-OUTSIDE rule 550 description ‘Allow Web Ports 8:30AM-8:30PM’
set firewall name INSIDE-OUTSIDE rule 550 time starttime ‘08:30:00’
set firewall name INSIDE-OUTSIDE rule 550 time stoptime ‘20:30:00’

On the other hand, the following rule works.

set firewall name INSIDE-OUTSIDE rule 550 description ‘Allow Web Ports 8:30AM-8:30PM’
set firewall name INSIDE-OUTSIDE rule 550 time starttime ‘21:30:00’
set firewall name INSIDE-OUTSIDE rule 550 time stoptime ‘09:30:00’
set firewall name INSIDE-OUTSIDE rule 550 time utc

This causes an issue during day light saving times, multiple rules using time rules need to be modified twice a year.

Is it possible to have the time reference the time zone that's been specified?

Link to community post: https://forum.vyos.io/t/vyos-handles-day-light-saving/7813

Details

Difficulty level
Unknown (require assessment)
Version
1.3RC6
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Event Timeline

anowak created this task.Oct 7 2021, 11:33 PM
pasik added a subscriber: pasik.Oct 8 2021, 8:49 PM
syncer removed a project: VyOS 1.3 Equuleus.Oct 17 2021, 1:12 PM
Viacheslav added a subscriber: Viacheslav.Oct 17 2021, 7:00 PM

As I know, iptables works only in UTC time. And any workaround with recalculate Datetime will be affected incorrect behavior.

anowak changed the subtype of this task from "Bug" to "Task".Oct 17 2021, 10:07 PM

Hi Viacheslav,

So if this is the case, how does VyOS deal with daylight saving time and time rules?
If not possible through iptables, could there not be a script that activates twice a year on DST and ST and rewrites the rule time 1hr forward or back?

Regards

anowak closed this task as Resolved.Nov 24 2023, 2:57 AM
anowak claimed this task.

Looks like this has been resolved using the latest 1.4 nftables. I am now able to specify local time without the use of UTC.