How midnight boundary affects Firewall Rule time constraints

Hello experts.

Since the first time I tried to use Time Constraints on Firewall Rules, I noticed I had issues with devices accessing the Internet. After some lengthy trial and error, I found the problem seems to be because of the iptables rule created by IPFire after translating from LocalZone to UTC.

Following is a sample with a constraint from 6:00pm to 7:00pm on a Tuesday.

When I configure a rule with a constraint from 18:00 to 19:00 on a Tuesday (my local timezone is UTC -5), the resulting TIME part of the iptables rule is:

TIME from 23:00:00 to 02:00:00 on Tue UTC

What seems to happen then is that the rule is applied at 18:00 Tuesday (23:00 UTC), but the rule is no longer in effect at 19:00 (00:00 UTC) because at that point it’s no longer Tuesday, but rather 00:00 UTC on Wednesday.

If I’m correct on this, I suppose it’s more of an iptables issue than an IPFire one.

If so: Do I have to create multiple rules to accommodate for midnight boundaries?

Thank you in advance!

1 Like

Some more research into this points to a possible missing argument in the iptables command.

According to the man page for iptables-extensions:

Matching across days might not do what is expected. For instance,

-m time --weekdays Mo --timestart 23:00 --timestop 01:00

Will match Monday, for one hour from midnight to 1 a.m., and then again for another hour from 23:00 onwards. If this is unwanted, e.g. if you would like ‘match for two hours from Monday 23:00 onwards’ you need to also specify the --contiguous option in the example above.

If I dump my iptables after creating a rule that matches Monday 23:00 UTC to 01:00 UTC, which starts on Monday and ends on Tuesday, I get the following (I removed irrelevant parts of the line):

-m time --timestart 23:00:00 --timestop 01:00:00 --weekdays Mon

Notice that it doesn’t have the --contiguous argument.

Could that be the issue?

2 Likes
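To make the behaviour described in both posts above concrete, here is an added example (not IPFire's code and not taken from the thread) that models the `-m time` semantics exactly as the quoted man page text states them: a `--timestart` later than `--timestop` means the window wraps past midnight, without `--contiguous` each listed weekday matches two separate pieces of that day, and with `--contiguous` the after-midnight piece is credited to the weekday on which the window began. The `local_window_to_utc` helper is a plain timezone conversion written for this example (an assumption about the shape of the translation, not IPFire's own algorithm), and 2024-01-01 is used as a reference Monday so that weekdays can be computed offline.

```python
"""Model of the documented iptables `-m time` semantics (timestart, timestop,
weekdays, contiguous). Added illustration for the thread; not IPFire code.
Packet timestamps are taken in UTC, which is what the time match uses unless
--kerneltz is given."""
from datetime import datetime, timedelta, timezone

# datetime.weekday() order: Monday == 0
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
UTC = timezone.utc


def hms(text):
    """'23:00:00' -> seconds since midnight."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def time_match(ts_utc, timestart, timestop, weekdays, contiguous=False):
    """Would a packet seen at ts_utc (an aware UTC datetime) match
    -m time --timestart A --timestop B --weekdays ... [--contiguous]?"""
    start, stop = hms(timestart), hms(timestop)
    secs = ts_utc.hour * 3600 + ts_utc.minute * 60 + ts_utc.second
    day = ts_utc.weekday()
    if start <= stop:
        # window lies inside one day: plain range check, then the weekday
        if not (start <= secs <= stop):
            return False
    else:
        # window wraps past midnight: the gap between stop and start is out
        if stop < secs < start:
            return False
        # with --contiguous the early-morning piece belongs to the window
        # that started the evening before, so credit it to the previous day
        if contiguous and secs <= stop:
            day = (day - 1) % 7
    return WEEKDAYS[day] in weekdays


def local_window_to_utc(day, timestart, timestop, utc_offset_hours):
    """Translate a local-time window into the UTC values an iptables rule
    needs. Plain conversion for illustration (assumption: not IPFire's code).
    Returns (timestart, timestop, weekday of the start, crosses_midnight)."""
    local = timezone(timedelta(hours=utc_offset_hours))
    # 2024-01-01 is a Monday; build the requested weekday in the local zone
    base = datetime(2024, 1, 1, tzinfo=local) + timedelta(days=WEEKDAYS.index(day))
    start = (base + timedelta(seconds=hms(timestart))).astimezone(UTC)
    stop = (base + timedelta(seconds=hms(timestop))).astimezone(UTC)
    return (start.strftime("%H:%M:%S"), stop.strftime("%H:%M:%S"),
            WEEKDAYS[start.weekday()], start.date() != stop.date())


def check_local_window(day, timestart, timestop, utc_offset_hours, contiguous):
    """Step through the intended local window minute by minute and return the
    local minutes ('HH:MM') at which the translated UTC rule does NOT match."""
    ts, te, wd, _ = local_window_to_utc(day, timestart, timestop, utc_offset_hours)
    local = timezone(timedelta(hours=utc_offset_hours))
    base = datetime(2024, 1, 1, tzinfo=local) + timedelta(days=WEEKDAYS.index(day))
    t = base + timedelta(seconds=hms(timestart))
    end = base + timedelta(seconds=hms(timestop))
    gaps = []
    while t <= end:
        if not time_match(t.astimezone(UTC), ts, te, {wd}, contiguous):
            gaps.append(t.strftime("%H:%M"))
        t += timedelta(minutes=1)
    return gaps


if __name__ == "__main__":
    # The rule from the second post: Monday 23:00 to 01:00 UTC.
    rule = ("23:00:00", "01:00:00", {"Mon"})
    samples = {
        "Mon 23:30 UTC": datetime(2024, 1, 1, 23, 30, tzinfo=UTC),
        "Tue 00:30 UTC": datetime(2024, 1, 2, 0, 30, tzinfo=UTC),
        "Mon 00:30 UTC": datetime(2024, 1, 1, 0, 30, tzinfo=UTC),
    }
    for label, ts in samples.items():
        print(f"{label}: plain={time_match(ts, *rule)} "
              f"contiguous={time_match(ts, *rule, contiguous=True)}")
    # The first post's local window, 18:00-19:00 Tuesday at UTC-5.
    print("UTC rule:", local_window_to_utc("Tue", "18:00:00", "19:00:00", -5))
    print("unmatched local minutes, plain:",
          check_local_window("Tue", "18:00:00", "19:00:00", -5, False))
    print("unmatched local minutes, contiguous:",
          check_local_window("Tue", "18:00:00", "19:00:00", -5, True))
```

Running the script shows the two pieces the man page warns about: Monday 00:30 UTC matches the plain rule but not the contiguous one, and Tuesday 00:30 UTC matches only with `--contiguous`. For the 18:00 to 19:00 local window the translated rule wraps from Tuesday into Wednesday, and the plain form stops matching the moment UTC midnight arrives. The same man page also documents `--kerneltz`, which evaluates the match in the kernel's timezone instead of UTC and so sidesteps the translation; the thread does not say whether IPFire's rule generator uses it.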