Linux – Iptables ipt_time extension

Tags: extension, iptables, linux, patch-management

I'm trying to get the ipt_time extension for netfilter/iptables to work on CentOS 5.3. It's a bloodbath.

First of all, the HOWTO I linked is the official Netfilter Extension HOWTO, but it's also horribly outdated: so outdated, actually, that not only does the CVS repository mentioned there no longer exist, but the whole project gave up on using CVS long ago; current netfilter/iptables/patch-o-matic releases are to be obtained through GIT (which BTW is not packaged in CentOS, so you have to get it first…).

In order to compile the patch, you need the kernel sources… which really are a lot of fun to install in CentOS. If you by sheer luck and endless frustration manage to get them, you then need to use a silly patching tool called patch-o-matic to apply the patch both to the iptables source (which, of course, you must also download using GIT) and to the kernel.

When this is done, you need to recompile the kernel modules (which now include ipt_time), and finally you can load this thing.

Then you need to compile and load the iptables extension for managing ipt_time, libipt_time.so.

This one just doesn't compile. Looks like there have been some (recent?) API changes in both netfilter and iptables, which broke it.

The questions:

  • Is this patch maintained/supported by the developer anymore?
  • Is it used at all by anyone?
  • Has anyone managed to apply and use it?
  • On which kernel/iptables versions does it work?

The rant:

HOW IN THE F**CKING WORLD IS IT POSSIBLE THAT THE MAIN FIREWALL SUBSYSTEM IN THE LINUX KERNEL IS SO LOUSILY MAINTAINED THAT THE PROJECT SITE HOSTS LOTS OF INCOMPATIBLE THINGS WITHOUT ANY WARNING AND THE OFFICIAL EXTENSIONS HOWTO JUST DOESN'T BEAR ANY RESEMBLANCE TO REALITY?!?

Best Answer

Is this patch maintained/supported by the developer anymore?

It appears that an equivalent feature (xt_time) is now part of the kernel. It appears to be compiled in and functional on the current Debian Lenny kernel.

     *      xt_time
     *      Copyright © CC Computer Consultants GmbH, 2007
     *      Contact: <jengelh@computergmbh.de>
     *
     *      based on ipt_time by Fabrice MARIE <fabrice@netfilter.org>
     *      This is a module which is used for time matching

Is it used at all by anyone?

Probably, but like many of the obscure features, it probably isn't being used by many people. I am not using it, so I can't tell you much.

Has anyone managed to apply and use it?

The presence of xt_time in the kernel, and being available in the distributed Debian kernel does seem to indicate that it can be applied and is functional. It appears to have been in there since October 2007.

On which kernel/iptables versions does it work?

I believe if you are looking at using xt_time without a lot of work, then you need to be looking at 2.6.24+. If you are willing to roll up your sleeves and do some back-porting, you may be able to get it to work for whatever kernel you are currently running.

HOW IN THE F**CKING WORLD IS IT POSSIBLE THAT THE MAIN FIREWALL SUBSYSTEM IN THE LINUX KERNEL IS SO LOUSILY..

The main functionality of netfilter is fine, and most of the docs from years ago are just as useful today. Linux is a volunteer effort. If someone doesn't want to write or update documentation, then nobody will. If you want to donate some of your time to the cause, I bet they would accept some help in getting things up to date.

THE PROJECT SITE HOSTS LOTS OF INCOMPATIBLE THINGS WITHOUT ANY WARNING

I suspect the fact that it is not in the stable kernel is a big enough warning to deter most people. Building/patching a kernel is not a trivial task to be undertaken lightly.

THE OFFICIAL EXTENSIONS HOWTO JUST DOESN'T BEAR ANY RESEMBLANCE TO REALITY?!?

Welcome to the Internet. You could send them a nice email and ask them to at least put something on the page about the old system being obsolete.
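As an added illustration of the in-kernel xt_time match the answer points to (example script, not from the thread or the netfilter project), here is a small rule generator that restricts SSH from a management subnet to business hours and checks that the userspace `time` match loads before applying anything. It assumes iptables 1.4+ with libxt_time and a kernel of at least 2.6.24 with xt_time; the `--contiguous` option for windows that cross midnight needs newer iptables and kernel than that, and `10.0.0.0/24` is a constructed example network.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumes: iptables >= 1.4 with libxt_time, kernel >= 2.6.24 with xt_time.
# xt_time compares against UTC unless --kerneltz is given.

# valid_hhmm HH:MM -> 0 if a well-formed zero-padded 24h time, 1 otherwise
valid_hhmm() {
    case "$1" in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# time_rule CHAIN PORT START STOP WEEKDAYS SOURCE -> prints one iptables command
# Rejects malformed times. When START is later than STOP the window crosses
# midnight, so --contiguous is added to match it as one block instead of
# two separate intervals on each listed weekday.
time_rule() {
    chain=$1 port=$2 start=$3 stop=$4 days=$5 src=$6
    valid_hhmm "$start" && valid_hhmm "$stop" || {
        echo "time_rule: bad time '$start'/'$stop' (want HH:MM)" >&2
        return 1
    }
    extra=""
    # compare as integers HHMM (leading zero is fine in decimal)
    if [ "${start%:*}${start#*:}" -gt "${stop%:*}${stop#*:}" ]; then
        extra=" --contiguous"
    fi
    printf 'iptables -A %s -p tcp --dport %s -s %s -m time --timestart %s --timestop %s --weekdays %s%s -j ACCEPT\n' \
        "$chain" "$port" "$src" "$start" "$stop" "$days" "$extra"
}

# xt_time_available -> 0 if the userspace match can be loaded (needs iptables installed)
xt_time_available() {
    iptables -m time --help >/dev/null 2>&1
}

# Usage: SSH from 10.0.0.0/24 (constructed) allowed 08:00-18:00 UTC Mon-Fri,
# everything else to port 22 dropped. Without --apply the rules are only printed.
if [ "${1:-}" = "--apply" ]; then
    xt_time_available || { echo "xt_time match not available" >&2; exit 1; }
    sh -c "$(time_rule INPUT 22 08:00 18:00 Mon,Tue,Wed,Thu,Fri 10.0.0.0/24)"
    iptables -A INPUT -p tcp --dport 22 -j DROP
else
    time_rule INPUT 22 08:00 18:00 Mon,Tue,Wed,Thu,Fri 10.0.0.0/24
fi
```

Run it with `--apply` as root to install the rules; run it without arguments to review the generated command first.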