Iptables no longer supporting time based chains

Has iptables ended the -m time option in present (RHEL9) and future releases? I can’t seem to find anything on this other than it was deprecated in RHEL8. If so, any ideas for alternative solutions?

el8 and el9 have nftables in the kernel and the ‘iptables’ tool is a mere nft-wrapper that reads iptables-syntax from you and writes nftables-rules to kernel.

The tool was said to not be able to translate every possible iptables-rule. This is the first time I hear of an example of that incompleteness.

You know what the iptables feature did. Seek nftables docs for equivalent.

What is -m time, is it a “module” called “time”, and what does it do?

Thanks @jlehtone I will look into that.

-m is a match switch in IPTables. time is the switch to match; then with time you can use --timestart and --timestop as rule parameters, for example:
iptables -A INPUT -p tcp --dport 9090 -m time --timestart 8:00 --timestop 23:00 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j DROP

Says: ACCEPT INPUT on port 9090 from 8:00 AM to 11:00 PM, drop everything else.

The man iptables-extensions in el9 does describe the ‘time’ match:

This matches if the packet arrival time/date is within a given range. All options are optional, but are ANDed when specified. All times are interpreted as UTC by default.

nftables has {time,day,hour} as meta expressions: Matching packet metainformation - nftables wiki
more on syntax: Data types - nftables wiki

Therefore, in an nftables rule one could see:

meta hour >= "17:00" meta hour < "19:00" meta day Sunday

All the (current) rules you can read from kernel with: sudo nft list ruleset

I would not try to do any of those with FirewallD, so you should use the nftables.service.

@jlehtone Thanks! This is exactly what I was looking for. I never connected the dots with nftables either so that is very helpful as well.
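
The two iptables rules quoted in this thread, written as a native nftables ruleset file (an added example, not posted by anyone in the thread). The table name `timed_access`, the file path in the comment and the choice of a separate table are assumptions made for illustration.

```nftables
# Hypothetical file: /etc/nftables/timed-9090.nft
# Syntax check without loading:  nft -c -f /etc/nftables/timed-9090.nft
# Load:                          nft -f /etc/nftables/timed-9090.nft
# Inspect the result:            nft list ruleset

# A dedicated table (name is an assumption) keeps these rules apart
# from any other tables already present in the ruleset.
table inet timed_access {
    chain input {
        # Base chain on the input hook. The policy stays "accept" because
        # the original two rules only make a decision about port 9090.
        type filter hook input priority 0; policy accept;

        # Equivalent of:
        #   -p tcp --dport 9090 -m time --timestart 8:00 --timestop 23:00 -j ACCEPT
        # nft reads the hour strings in the host's local time zone, while the
        # iptables time match defaults to UTC (see the man page text quoted
        # in the thread). Adjust the window if the old rule relied on UTC.
        tcp dport 9090 meta hour "08:00"-"23:00" accept

        # Equivalent of:
        #   -p tcp --dport 9090 -j DROP
        # Anything for port 9090 outside the window ends up here.
        tcp dport 9090 drop
    }
}
```

After loading, `nft list ruleset` prints the hours as the kernel stored them, which is the quickest way to confirm the window is the one intended.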