iptables issue with timestart-timestop due to timezone

[rdavila]

Hello everyone,

I found an issue that seems to be caused by iptables, but I wanted to check if it's known and if there are any workarounds.

My timezone is EST, which at the moment is UTC -05:00
I create a Schedule to give access on Wednesday from 18:00 to 20:00 EST.
This translates to Wednesday 23:00 to Thursday 01:00 UTC.

When I apply the Profile to a Device, it gets blocked at 19:00 EST.

The problem seems to be that the timestart and timestop parameters to iptables are translated to UTC, and this breaks the access.

Below is the iptables line created by KeexyBox.
-A FORWARD -m mac --mac-source nn:nn:nn:nn:nn:nn -m time --timestart 23:00:00 --timestop 01:00:00 --weekdays Wed -j 49_FORWARD

When the time is 19:00 EST, I think the following is what iptables interprets:

• Time is 00:00 UTC
  
• The timestart parameter is 23:00:00
  
• 00:00 is before the timestart parameter
  
• iptables decides that the rule does not apply
  

I hope this all made sense :-)

[rdavila]

Hello everyone,

I found an issue that seems to be caused by iptables, but I wanted to check if it's known and if there are any workarounds.

My timezone is EST, which at the moment is UTC -05:00
I create a Schedule to give access on Wednesday from 18:00 to 20:00 EST.
This translates to Wednesday 23:00 to Thursday 01:00 UTC.

When I apply the Profile to a Device, it gets blocked at 19:00 EST.

The problem seems to be that the timestart and timestop parameters to iptables are translated to UTC, and this breaks the access.

Below is the iptables line created by KeexyBox.
-A FORWARD -m mac --mac-source nn:nn:nn:nn:nn:nn -m time --timestart 23:00:00 --timestop 01:00:00 --weekdays Wed -j 49_FORWARD

When the time is 19:00 EST, I think the following is what iptables interprets:

• Time is 00:00 UTC
  
• The timestart parameter is 23:00:00
  
• 00:00 is before the timestart parameter
  
• iptables decides that the rule does not apply
  

I hope this all made sense :-)

[rdavila]

Well...  There doesn't seem to be a fix for this at the moment.
I did find a workaround, which is to create two schedules in the same profile.

Following the example above of covering Wednesday 18:00 EST to 20:00 EST.
This translates to Wednesday 23:00 UTC to Thursday 01:00 UTC, which is a problem for iptables.
The workaround is to create two schedules in the following way:
- Wednesday 18:00 EST to 19:00 EST which translates to Wednesday 23:00 to Thursday 00:00 UTC
- Wednesday 19:00 EST to 20:00 EST which translates to Thursday 00:00 to Thursday 01:00 UTC

This effectively covers the intended schedule of Wednesday 18:00 to 20:00 EST.

I hope this helps anyone out there with the same issue :-)

[rdavila]

Well...  There doesn't seem to be a fix for this at the moment.
I did find a workaround, which is to create two schedules in the same profile.

Following the example above of covering Wednesday 18:00 EST to 20:00 EST.
This translates to Wednesday 23:00 UTC to Thursday 01:00 UTC, which is a problem for iptables.
The workaround is to create two schedules in the following way:
- Wednesday 18:00 EST to 19:00 EST which translates to Wednesday 23:00 to Thursday 00:00 UTC
- Wednesday 19:00 EST to 20:00 EST which translates to Thursday 00:00 to Thursday 01:00 UTC

This effectively covers the intended schedule of Wednesday 18:00 to 20:00 EST.

I hope this helps anyone out there with the same issue :-)