From patchwork Wed Jul 31 08:42:15 2013
X-Patchwork-Submitter: Henry Lee
X-Patchwork-Id: 263627
Date: Wed, 31 Jul 2013 16:42:15 +0800
Subject: PROBLEM: Netfilter time matching matches all packets when time start and time stop are the same
From: Henry Lee
To: pablo@netfilter.org, kaber@trash.net, kadlec@blackhole.kfki.hu
Cc: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org, coreteam@netfilter.org

Dear sirs:

I've found a bug when running the netfilter time matching module. Here is the description.

[1.] One line summary of the problem:
Netfilter time matching matches all packets when time start and time stop are the same

[2.] Full description of the problem/report:
When I used "-m time --timestart 01:00 --timestop 01:00", netfilter matched packets all day, which, in my point of view, looks unnatural.

[3.] Keywords (i.e., modules, networking, kernel):
modules, networking, netfilter

[4.] Kernel information
[4.1.] Kernel version (from /proc/version):
Linux version 3.8.0-27-generic (buildd@roseapple) (gcc version 4.7.3 (Ubuntu/Linaro 4.7.3-1ubuntu1) ) #40-Ubuntu SMP Tue Jul 9 00:17:05 UTC 2013
I tested this on 3.8.0, in which the xt_time.c should be the newest.
[4.2.] Kernel .config file:
Irrelevant.

[5.] Most recent kernel version which did not have the bug:
None.

[6.] Output of Oops.. message (if applicable) with symbolic information resolved (see Documentation/oops-tracing.txt)
Irrelevant.

[7.] A small shell script or example program which triggers the problem (if possible)
iptables -I INPUT -m time --timestart 01:00 --timestop 01:00 -j DROP

[8.] Environment
[8.1.] Software (add the output of the ver_linux script here)
Irrelevant.
[8.2.] Processor information (from /proc/cpuinfo):
Irrelevant.
[8.3.]
Module information (from /proc/modules):
Module Size Used by
xt_time 12661 0
xt_tcpudp 12603 1
iptable_filter 12810 1
xt_multiport 12597 1
ipt_MASQUERADE 12759 1
iptable_nat 12810 1
nf_conntrack_ipv4 14487 1
nf_defrag_ipv4 12729 1 nf_conntrack_ipv4
nf_nat_ipv4 13263 1 iptable_nat
nf_nat 25867 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
nf_conntrack 83275 5 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,iptable_nat,nf_conntrack_ipv4
ip_tables 26995 2 iptable_filter,iptable_nat
8021q 24000 0
garp 14354 1 8021q
stp 12976 1 garp
llc 14552 2 stp,garp
ipt_ULOG 17410 1
x_tables 29803 7 xt_time,ipt_ULOG,ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_multiport,iptable_filter
...
The rest are irrelevant.

[8.4.] Loaded driver and hardware information (/proc/ioports, /proc/iomem)
Irrelevant.
[8.5.] PCI information ('lspci -vvv' as root)
Irrelevant.
[8.6.] SCSI information (from /proc/scsi/scsi)
Irrelevant.
[8.7.] Other information that might be relevant to the problem (please look in /proc and include all information that you think to be relevant):
None.

[X.] Other notes, patches, fixes, workarounds:
I'll place the patch in the attachment as well.

return false;
==========

Yours faithfully,
Henry Lee

diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c index 0ae55a3..753573c 100644 --- a/net/netfilter/xt_time.c +++ b/net/netfilter/xt_time.c @@ -192,7 +192,7 @@ time_mt(const struct sk_buff *skb, struct xt_action_param *par) packet_time = localtime_1(¤t_time, stamp); - if (info->daytime_start < info->daytime_stop) { + if (info->daytime_start <= info->daytime_stop) { if (packet_time < info->daytime_start || packet_time > info->daytime_stop) return false;
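Review bot: changing `<` to `<=` moves the daytime_start == daytime_stop case into the non-wrapping branch, where `packet_time < info->daytime_start || packet_time > info->daytime_stop` rejects everything except packet_time == daytime_start, so a rule such as `--timestart 01:00 --timestop 01:00` goes from matching the whole day (the equal case previously fell through to the wrap-around branch, which the hunk does not show) to matching a single second. That is a defensible reading of the rule, but it is a user-visible change in match semantics, so the submission needs a commit description that states the new behaviour and a Signed-off-by line; the inline patch carries neither, and the e-mail body only says the patch is attached.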
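To make the behaviour described in [2.] and triggered by the rule in [7.] concrete, here is an added user-space model of the day-time window check (example code, not the kernel's own xt_time.c). The non-wrapping branch follows the hunk above; the wrap-around branch that handles windows crossing midnight is reconstructed from memory and should be treated as an assumption. As in xt_time, packet_time and the start/stop values are seconds since local midnight.

```c
/* Added example (not the kernel's code): a user-space model of the
 * day-time window test in net/netfilter/xt_time.c. The non-wrapping
 * branch is the one shown in the reported hunk; the wrap-around branch
 * is reconstructed and assumed to match the kernel. Times are seconds
 * since local midnight, as xt_time's packet_time/daytime_* values are. */
#include <stdbool.h>
#include <stdio.h>

#define SECS_PER_DAY 86400u

/* Returns true when packet_time lies inside the [start, stop] window.
 * strict == true  -> pre-patch behaviour ('<' when choosing the branch)
 * strict == false -> patched behaviour  ('<=')                          */
static bool daytime_matches(unsigned int start, unsigned int stop,
                            unsigned int packet_time, bool strict)
{
    bool plain_window = strict ? (start < stop) : (start <= stop);

    if (plain_window) {
        /* Window does not cross midnight: reject anything outside it. */
        if (packet_time < start || packet_time > stop)
            return false;
    } else {
        /* Window wraps past midnight (e.g. 23:00-01:00): reject only the
         * gap between stop and start. With start == stop that gap is
         * empty, so nothing is ever rejected: the reported all-day match. */
        if (packet_time < start && packet_time > stop)
            return false;
    }
    return true;
}

/* Count how many seconds of the day a window matches. */
static unsigned int seconds_matched(unsigned int start, unsigned int stop,
                                    bool strict)
{
    unsigned int n = 0;
    for (unsigned int t = 0; t < SECS_PER_DAY; t++)
        n += daytime_matches(start, stop, t, strict);
    return n;
}

int main(void)
{
    const unsigned int one_am = 1 * 3600; /* --timestart 01:00 --timestop 01:00 */

    printf("start == stop, pre-patch:  %u seconds matched\n",
           seconds_matched(one_am, one_am, true));    /* 86400: whole day */
    printf("start == stop, patched:    %u seconds matched\n",
           seconds_matched(one_am, one_am, false));   /* 1: only 01:00:00 */
    printf("23:00-01:00 wrap, patched: %u seconds matched\n",
           seconds_matched(23 * 3600, one_am, false)); /* 7201 */
    return 0;
}
```

The sweep over all 86400 seconds is what makes the bug visible: with the pre-patch comparison, an equal start and stop selects the wrap-around branch whose rejection condition can never hold, so every second matches; with the patched comparison the same rule matches exactly one second, and a genuine wrap-around window (23:00 to 01:00) is unaffected.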