Using 'hour' seems to behave as expected when I specify a time <= 16:59 (4:59 PM), but behaves strangely from 17:00 on.
Here's a simple test to expose the oddity. Create a test chain, add two rules - one for 16:00-16:59 and another for 17:00-17:59. List the chain and note the differences between the two rules.
# nft add chain test FORWARD
# nft add rule test FORWARD ip saddr 192.168.2.100 meta hour "16:00-16:59" accept
# nft add rule test FORWARD ip saddr 192.168.2.100 meta hour "17:00-17:59" accept
# nft list chain test FORWARD
table ip test {
	chain FORWARD {
		ip saddr 192.168.2.100 meta hour "16:00"-"16:59" accept
		ip saddr 192.168.2.100 meta hour "23:28:16"-"00:27:16" accept
	}
}
When we list the rules, the first shows up as expected, and the second specifies a time range I can't understand.
Does the 'hour' option use UTC or local time? I'm in Pacific Daylight Time, so an 8-hour difference is somewhat suspicious. Even so, it wouldn't explain the conversion of 17:00 -> 23:28:16.
I first found this behavior in 1.0.2 (from OpenWrt 23.02). I find the same behavior in 1.0.8 (after upgrading to OpenWrt 23.05).
# nft -version
nftables v1.0.8 (Old Doc Yak #2)
Additionally, the wiki page linked above indicates that seconds are optional (so the example above omits them). If I add seconds, I get:
# nft add rule test FORWARD ip saddr 192.168.2.100 meta hour "16:00:00-16:59:59" accept
Error: syntax error, unexpected colon, expecting end of file or newline or semicolon
add rule test FORWARD ip saddr 192.168.2.100 meta hour 16:00:00-16:59:59 accept
^
Any clarification of the time-based matching (or documentation thereof) would be appreciated.
There definitely seems to be a problem with the time that corresponds to midnight UTC (17:00 PDT). I did a similar entry for 20:00 EDT and saw an even worse output (on Debian Bookworm with nftables 1.0.6 and kernel 6.1).
meta hour "1193042:28:16"-"1193043:27:16" accept
See the overflow with a debug statement:
# nft --debug=eval -c add rule inet fw4 mangle_postrouting meta hour "20:00-20:59" accept
Evaluate add
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Evaluate expression
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^^^^^^^^^^^^^^^^^
meta hour 20:00-20:59
Evaluate relational
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^^^^^^^^^^^^^^^^^
meta hour 20:00-20:59
Evaluate meta
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^^^^^
meta hour
Evaluate symbol
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^
20:00
Evaluate value
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^
"1193042:28:16"
Evaluate symbol
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^
20:59
Evaluate value
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^
"1193043:27:16"
Evaluate range
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^^^^^^^
"1193042:28:16"-"1193043:27:16"
Evaluate value
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^
"1193042:28:16"
Evaluate value
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^
"1193043:27:16"
Evaluate unary
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^^^^^
meta hour
Evaluate meta
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^^^^^
meta hour
Evaluate verdict
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^^
accept
Evaluate verdict
add rule inet fw4 mangle_postrouting meta hour 20:00-20:59 accept
^^^^^^
accept
Is there any chance that's a display-only bug? (I.e., in meta.c / hour_type_print()). I haven't yet read the code in detail, and don't know if the --debug=eval option uses the configured print routines or something separate.
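The listed values in this thread can be reproduced with a small arithmetic model, given here as an added example that is not nftables source code and not posted by any participant. It assumes the rule stores seconds since midnight UTC and that the offset is added back in unsigned 32-bit arithmetic when listing; the function names, the PDT/EDT offsets of -7 h and -4 h, and the location of the wrap are assumptions, and the thread does not establish whether the stored value is affected as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DAY 86400 /* seconds per day */

/* Assumption: the rule stores seconds since midnight UTC (local - gmtoff). */
static uint32_t to_utc_secs(uint32_t local_secs, int32_t gmtoff)
{
    int64_t v = ((int64_t)local_secs - gmtoff) % DAY;
    return (uint32_t)(v < 0 ? v + DAY : v);
}

/* Hypothetical listing path: gmtoff is added in unsigned 32-bit arithmetic,
 * so a UTC value smaller than the offset wraps around 2^32.
 * wrap_day = 1 additionally reduces the result modulo one day. */
static uint32_t wrapped_display(uint32_t utc_secs, int32_t gmtoff, int wrap_day)
{
    uint32_t v = utc_secs + (uint32_t)gmtoff;
    return wrap_day ? v % DAY : v;
}

/* Signed conversion back to local time, for comparison. */
static uint32_t signed_display(uint32_t utc_secs, int32_t gmtoff)
{
    int64_t v = ((int64_t)utc_secs + gmtoff) % DAY;
    return (uint32_t)(v < 0 ? v + DAY : v);
}

/* Format seconds as H:MM:SS; hours are not clamped, as in the 1.0.6 output. */
static const char *fmt(uint32_t s)
{
    static char buf[32];
    snprintf(buf, sizeof(buf), "%02u:%02u:%02u", s / 3600, s % 3600 / 60, s % 60);
    return buf;
}

int main(void)
{
    const int32_t pdt = -7 * 3600, edt = -4 * 3600; /* assumed offsets */

    /* 17:00 and 17:59 PDT, reduced modulo one day (matches the 1.0.8 listing) */
    printf("%s\n", fmt(wrapped_display(to_utc_secs(17 * 3600, pdt), pdt, 1)));
    printf("%s\n", fmt(wrapped_display(to_utc_secs(17 * 3600 + 59 * 60, pdt), pdt, 1)));
    /* 20:00 EDT without the reduction (matches the 1.0.6 listing) */
    printf("%s\n", fmt(wrapped_display(to_utc_secs(20 * 3600, edt), edt, 0)));
    /* Signed arithmetic gives back the time that was entered */
    printf("%s\n", fmt(signed_display(to_utc_secs(17 * 3600, pdt), pdt)));
    return 0;
}
```

The odd :28:16 and :27:16 tails come from 2^32 not being a multiple of 86400, which is why both reports share them despite different time zones.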