From: Declan M. <de...@mu...> - 2005-05-03 12:54:35
Hi,

I've found a problem with using ipac-ng (v1.31) with the iptables (v1.2.11) "Time" extension on Debian Sarge(386).

Within the ipac-ng "agents/iptables.c" file the

    m->parse(c - m->option_offset, d->extension, invert,
             &m->mflags, &fw, &fw.nfcache, &m->m)

function call (see line 1367, in "prepare_entry()") seems to be incorrectly setting the contents of "m->m->data[]".

This could be because
- I am not using the correct compile options for ipac-ng.
- There is a bug in ipac-ng.
- There is a bug in the Time extension.
- There is a bug in iptables.
- Something else I haven't thought of.

I would much appreciate it if you would let me know your thoughts on the problem and any suggestions on how to fix it. See below for more details.

Many thanks,
Declan

Problem details:

For the Time extension, "m->m->data[]" has a data structure of

    struct ipt_time_info {
        u_int8_t  days_match;
        u_int16_t time_start;
        u_int16_t time_stop;
        u_int8_t  kerneltime;
        time_t    date_start;
        time_t    date_stop;
    };

When "m->parse()" is called with a "d->extension" of

    "fetchipac", "-m", "time", "--timestart", "1:0", "--timestop", "7:0", "--days", "Mon"

and a first parameter of 49 (ie c=305 and m->option_offset=256) to process the "--timestart" "1:0"
  "time_start" is set to zero and "time_stop" is set to 1439,
  however "m->flags" is correctly set to 1

and when "m->parse()" is next called with a first parameter of 50 (ie c=306 and m->option_offset=256) to process the "--timestop" "7:0"
  "time_start" is set to zero and "time_stop" is set to zero,
  however "m->mflags" is correctly set to 3

and when "m->parse()" is next called with a first parameter of 51 (ie c=307 and m->option_offset=256) to process the "--days" "Mon"
  "time_start" is still set to zero and "time_stop" is still set to zero,
  however "m->mflags" is correctly set to 3 and "days_match" is correctly set to 0x20

I've built ipac-ng with a "configure" of

    ./configure \
        --enable-default-storage=postgre \
        --enable-debug-ipacsum=no \
        --enable-debug-database=no \
        --with-postgresql-inc=/usr/include/postgresql

The CFLAGS within the resultant Makefile are

    -g -O2 -Wall -I/usr/include/postgresql

The debian iptables package is version "1.2.11-8". Its iptables command is able to correctly use the Time extension. Eg

    iptables -A INPUT -m time --timestop 7:0

works as expected and produces the following "iptables -L" line:

    all -- anywhere anywhere TIME to 7:0 on all days

The kernel is built from Debian's "2.4.27-8" source code, patched with the Time extension by using the iptables patch-o-matic that comes with the iptables version "1.2.11-8" source code package.

Due to the above incorrect setting of "m->m->data", a "rules.conf" file of

    offpeak|ipac~o|ppp0|all|||time --timestop 7:0|

doesn't produce the expected results and instead produces the following "iptables -L" line:

    all -- anywhere anywhere TIME to 0:0 on all days

Any suggestions would be much appreciated.

Regards,
Declan
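For reading the values in "m->m->data" after each "m->parse()" call, a small decoder can print the struct in the style of the "iptables -L" lines quoted in the message. This is an added example, not part of the original post and not code from ipac-ng or iptables. The minutes-since-midnight encoding, 1439 as the default stop time, 127 as "all days" and the day bit order other than Mon = 0x20 are assumptions inferred from the values quoted in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Layout as quoted in the post (u_int8_t/u_int16_t written as stdint types). */
struct ipt_time_info {
    uint8_t  days_match;
    uint16_t time_start;
    uint16_t time_stop;
    uint8_t  kerneltime;
    time_t   date_start, date_stop;
};

/* "H:M" -> minutes since midnight (assumed encoding); -1 if malformed. */
int hm_to_minutes(const char *s)
{
    int h, m; char extra;
    if (sscanf(s, "%d:%d%c", &h, &m, &extra) != 2) return -1;
    if (h < 0 || h > 23 || m < 0 || m > 59) return -1;
    return h * 60 + m;
}

/* Render the fields. Assumed: 1439 = no stop time, 127 = all days, Sun=0x40..Sat=0x01. */
const char *describe(const struct ipt_time_info *t, char *buf, size_t n)
{
    static const char *day[7] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
    if (n < 96) return NULL;              /* longest output is about 60 bytes */
    int i, len = sprintf(buf, "TIME");
    if (t->time_start != 0)
        len += sprintf(buf + len, " from %d:%d", t->time_start / 60, t->time_start % 60);
    if (t->time_stop != 1439)
        len += sprintf(buf + len, " to %d:%d", t->time_stop / 60, t->time_stop % 60);
    len += sprintf(buf + len, " on");
    if (t->days_match == 127) sprintf(buf + len, " all days");
    else
        for (i = 0; i < 7; i++)
            if (t->days_match & (0x40 >> i)) len += sprintf(buf + len, " %s", day[i]);
    return buf;
}

int main(void)
{
    char a[96], b[96];
    struct ipt_time_info want = {0x20, hm_to_minutes("1:0"), hm_to_minutes("7:0")};
    struct ipt_time_info seen = {0x20, 0, 0};   /* values reported in the post */
    printf("expected: %s\nobserved: %s\n",
           describe(&want, a, sizeof a), describe(&seen, b, sizeof b));
    return 0;
}
```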