holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add time match support in /etc/shorewall/rules

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8783 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-10-14 19:37:35 +00:00
parent cf82a52bef
commit 1814ef0201
8 changed files with 202 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall-common/changelog.txt
View File

@ -6,4 +6,8 @@ Changes in Shorewall 4.2.1
3) Add CONNLIMIT to policy and rules. 3) Add CONNLIMIT to policy and rules.
4) Allow use of iptables-1.4.1.
5) Add time match support.
Initial release of Shorewall 4.2.0. Initial release of Shorewall 4.2.0.

11
Shorewall-common/lib.base
View File

@ -1046,6 +1046,7 @@ determine_capabilities() {
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
CONNTRACK_MATCH= CONNTRACK_MATCH=
NEW_CONNTRACK_MATCH=
MULTIPORT= MULTIPORT=
XMULTIPORT= XMULTIPORT=
POLICY_MATCH= POLICY_MATCH=
@ -1077,6 +1078,7 @@ determine_capabilities() {
REALM_MATCH= REALM_MATCH=
HELPER_MATCH= HELPER_MATCH=
CONNLIMIT_MATCH= CONNLIMIT_MATCH=
TIME_MATCH=
chain=fooX$$ chain=fooX$$
@ -1101,6 +1103,10 @@ determine_capabilities() {
qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
if [ -n "$CONNTRACK_MATCH" ]; then
qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
fi
if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
MULTIPORT=Yes MULTIPORT=Yes
qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
@ -1179,6 +1185,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $IPTABLES -F $chain qt $IPTABLES -F $chain
qt $IPTABLES -X $chain qt $IPTABLES -X $chain
@ -1204,6 +1211,7 @@ report_capabilities() {
report_capability "Multi-port Match" $MULTIPORT report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match" $CONNTRACK_MATCH report_capability "Connection Tracking Match" $CONNTRACK_MATCH
report_capability "New Connection Tracking Match Syntax" $NEW_CONNTRACK_MATCH
report_capability "Packet Type Match" $USEPKTTYPE report_capability "Packet Type Match" $USEPKTTYPE
report_capability "Policy Match" $POLICY_MATCH report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match" $PHYSDEV_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH
@ -1233,6 +1241,7 @@ report_capabilities() {
report_capability "Realm Match" $REALM_MATCH report_capability "Realm Match" $REALM_MATCH
report_capability "Helper Match" $HELPER_MATCH report_capability "Helper Match" $HELPER_MATCH
report_capability "Connlimit Match" $CONNLIMIT_MATCH report_capability "Connlimit Match" $CONNLIMIT_MATCH
report_capability "Time Match" $TIME_MATCH
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1253,6 +1262,7 @@ report_capabilities1() {
report_capability1 MULTIPORT report_capability1 MULTIPORT
report_capability1 XMULTIPORT report_capability1 XMULTIPORT
report_capability1 CONNTRACK_MATCH report_capability1 CONNTRACK_MATCH
report_capability1 NEW_CONNTRACK_MATCH
report_capability1 USEPKTTYPE report_capability1 USEPKTTYPE
report_capability1 POLICY_MATCH report_capability1 POLICY_MATCH
report_capability1 PHYSDEV_MATCH report_capability1 PHYSDEV_MATCH
@ -1282,6 +1292,7 @@ report_capabilities1() {
report_capability1 REALM_MATCH report_capability1 REALM_MATCH
report_capability1 HELPER_MATCH report_capability1 HELPER_MATCH
report_capability1 CONNLIMIT_MATCH report_capability1 CONNLIMIT_MATCH
report_capability1 TIME_MATCH
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
} }

36
Shorewall-common/releasenotes.txt
View File

@ -88,6 +88,10 @@ Problems corrected in Shorewall 4.2.1
non-zero. A value of zero for <max> was equivalent to omitting non-zero. A value of zero for <max> was equivalent to omitting
<max>. <max>.
3) iptables 1.4.1 discontinued support of syntax generated by
shorewall in some cases. Shorewall now detects when the new syntax
is accepted and uses it instead.
Other changes in Shorewall 4.2.1 Other changes in Shorewall 4.2.1
1) With the recent renewed interest in DOS attacks, it seems 1) With the recent renewed interest in DOS attacks, it seems
@ -130,6 +134,38 @@ Other changes in Shorewall 4.2.1
your Shorewall configuration(s), then you need to regenerate the your Shorewall configuration(s), then you need to regenerate the
file using Shorewall or Shorewall-lite 4.2.1. file using Shorewall or Shorewall-lite 4.2.1.
2) Shorewall now supports time/date restrictions on entries in the
rules file via a new TIME column.
The contents of this column is a series of one or more "time
elements" separated by apersands ("&"). Possible time elements are:
utc Times are expressed in GMT.
localtz Times are expressed in local civil time (default)
timestart=hh:mm[:ss]
timestop=hh:mm[:ss] Start and stop time of day for rule
weekdays=ddd[,ddd...] where ddd is Mon,Tue,Wed,Thu,Fri,Sat or
Sun
monthdays=dd[,dd...] where dd is an ordinal day of the month.
datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
where yyyy = Year
first mm = Month
dd = Day
hh = Hour
2nd mm = Minute
ss = Second
Examples:
1) utc&timestart=10:00&timestop=12:00
Between 10am and 12 noon each day, GMT
2) datestart=2008-11-01T12:00
Beginning November 1, 2008 at noon LCT.
New Features in Shorewall 4.2. New Features in Shorewall 4.2.
1) Shorewall 4.2 contains support for multiple Internet providers 1) Shorewall 4.2 contains support for multiple Internet providers

4
Shorewall-common/rules
View File

@ -6,8 +6,8 @@
# The manpage is also online at # The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html # http://www.shorewall.net/manpages/shorewall-rules.html
# #
###################################################################################################################################### ####################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED

38
Shorewall-perl/Shorewall/Chains.pm
View File

@ -121,6 +121,7 @@ our %EXPORT_TAGS = (
do_test do_test
do_ratelimit do_ratelimit
do_connlimit do_connlimit
do_time
do_user do_user
do_tos do_tos
do_connbytes do_connbytes
@ -1292,6 +1293,43 @@ sub do_connlimit( $ ) {
} }
} }
sub do_time( $ ) {
my ( $time ) = @_;
return '' unless $time ne '-';
require_capability 'TIME_MATCH', 'A non-empty TIME', 's';
my $result = '-m time ';
for my $element (split /&/, $time ) {
fatal_error "Invalid time element list ($time)" unless defined $element && $element;
if ( $element =~ /^(timestart|timestop)=(\d{1,2}:\d{1,2}(:\d{1,2})?)$/ ) {
$result .= "--$1 $2 ";
} elsif ( $element =~ /^weekdays=(.*)$/ ) {
my $days = $1;
for my $day ( split /,/, $days ) {
fatal_error "Invalid weekday ($day)" unless $day =~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ || ( $day =~ /^\d$/ && $day && $day <= 7);0
}
$result .= "--weekday $days ";
} elsif ( $element =~ /^monthdays=(.*)$/ ) {
my $days = $1;
for my $day ( split /,/, $days ) {
fatal_error "Invalid day of the month ($day)" unless $day =~ /^\d{1,2}$/ && $day && $day <= 31;
}
} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
$result .= "--$1 $2 ";
} elsif ( $element =~ /^(utc|localtz)$/ ) {
$result .= "--$1 ";
} else {
fatal_error "Invalid time element ($element)";
}
}
$result;
}
# #
# Create a "-m owner" match for the passed USER/GROUP # Create a "-m owner" match for the passed USER/GROUP
# #

3
Shorewall-perl/Shorewall/Config.pm
View File

@ -208,6 +208,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
REALM_MATCH => 'Realm Match', REALM_MATCH => 'Realm Match',
HELPER_MATCH => 'Helper Match', HELPER_MATCH => 'Helper Match',
CONNLIMIT_MATCH => 'Connlimit Match', CONNLIMIT_MATCH => 'Connlimit Match',
TIME_MATCH => 'Time Match',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
); );
# #
@ -417,6 +418,7 @@ sub initialize() {
REALM_MATCH => undef, REALM_MATCH => undef,
HELPER_MATCH => undef, HELPER_MATCH => undef,
CONNLIMIT_MATCH => undef, CONNLIMIT_MATCH => undef,
TIME_MATCH => undef,
CAPVERSION => undef, CAPVERSION => undef,
); );
# #
@ -1638,6 +1640,7 @@ sub determine_capabilities( $ ) {
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" ); $capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
$capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" ); $capabilities{HELPER_MATCH} = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
$capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" ); $capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
$capabilities{TIME_MATCH} = qt1( "$iptables -A $sillyname -m time --timestart 11:00" );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" ); qt1( "$iptables -X $sillyname" );

30
Shorewall-perl/Shorewall/Rules.pm
View File

@ -811,13 +811,13 @@ sub setup_mac_lists( $ ) {
} }
} }
sub process_rule1 ( $$$$$$$$$$$$ ); sub process_rule1 ( $$$$$$$$$$$$$ );
# #
# Expand a macro rule from the rules file # Expand a macro rule from the rules file
# #
sub process_macro ( $$$$$$$$$$$$$$ ) { sub process_macro ( $$$$$$$$$$$$$$$ ) {
my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $wildcard ) = @_; my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $wildcard ) = @_;
my $nocomment = no_comment; my $nocomment = no_comment;
@ -907,6 +907,7 @@ sub process_macro ( $$$$$$$$$$$$$$ ) {
merge_macro_column( $muser, $user ) , merge_macro_column( $muser, $user ) ,
$mark, $mark,
$connlimit, $connlimit,
$time,
$wildcard $wildcard
); );
@ -924,8 +925,8 @@ sub process_macro ( $$$$$$$$$$$$$$ ) {
# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If # Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
# the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion. # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
# #
sub process_rule1 ( $$$$$$$$$$$$ ) { sub process_rule1 ( $$$$$$$$$$$$$ ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $wildcard ) = @_; my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_;
my ( $action, $loglevel) = split_action $target; my ( $action, $loglevel) = split_action $target;
my ( $basictarget, $param ) = get_target_param $action; my ( $basictarget, $param ) = get_target_param $action;
my $rule = ''; my $rule = '';
@ -969,6 +970,7 @@ sub process_rule1 ( $$$$$$$$$$$$ ) {
$user, $user,
$mark, $mark,
$connlimit, $connlimit,
$time,
$wildcard ); $wildcard );
$macro_nest_level--; $macro_nest_level--;
@ -1108,7 +1110,7 @@ sub process_rule1 ( $$$$$$$$$$$$ ) {
# #
# Generate Fixed part of the rule # Generate Fixed part of the rule
# #
$rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) , do_connlimit( $connlimit ) ); $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) , do_connlimit( $connlimit ), do_time( $time ) );
unless ( $section eq 'NEW' ) { unless ( $section eq 'NEW' ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT}; fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
@ -1302,8 +1304,8 @@ sub process_rule1 ( $$$$$$$$$$$$ ) {
# #
# Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column). # Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
# #
sub process_rule ( $$$$$$$$$$$ ) { sub process_rule ( $$$$$$$$$$$$ ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit ) = @_; my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit , $time ) = @_;
my $intrazone = 0; my $intrazone = 0;
my $includesrcfw = 1; my $includesrcfw = 1;
my $includedstfw = 1; my $includedstfw = 1;
@ -1365,7 +1367,7 @@ sub process_rule ( $$$$$$$$$$$ ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) { if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) {
if ( $intrazone || ( $zone ne $zone1 ) ) { if ( $intrazone || ( $zone ne $zone1 ) ) {
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, 1; process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
} }
} }
} }
@ -1373,7 +1375,7 @@ sub process_rule ( $$$$$$$$$$$ ) {
my $destzone = (split( /:/, $dest, 2 ) )[0]; my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid $destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
if ( $intrazone || ( $zone ne $destzone ) ) { if ( $intrazone || ( $zone ne $destzone ) ) {
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, 1; process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
} }
} }
} }
@ -1382,11 +1384,11 @@ sub process_rule ( $$$$$$$$$$$ ) {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
my $sourcezone = ( split( /:/, $source, 2 ) )[0]; my $sourcezone = ( split( /:/, $source, 2 ) )[0];
if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) { if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, 1; process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
} }
} }
} else { } else {
process_rule1 $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, 0; process_rule1 $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 0;
} }
progress_message " Rule \"$thisline\" $done"; progress_message " Rule \"$thisline\" $done";
@ -1403,7 +1405,7 @@ sub process_rules() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit ) = split_line1 1, 11, 'rules file', \%rules_commands; my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands;
if ( $target eq 'COMMENT' ) { if ( $target eq 'COMMENT' ) {
process_comment; process_comment;
@ -1429,7 +1431,7 @@ sub process_rules() {
if ( "\L$source" =~ /^none(:.*)?$/ || "\L$dest" =~ /^none(:.*)?$/ ) { if ( "\L$source" =~ /^none(:.*)?$/ || "\L$dest" =~ /^none(:.*)?$/ ) {
progress_message "Rule \"$currentline\" ignored." progress_message "Rule \"$currentline\" ignored."
} else { } else {
process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit; process_rule $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time;
} }
} }
} }

97
manpages/shorewall-rules.xml
View File

@ -1081,11 +1081,12 @@
<listitem> <listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the number <para>Added in Shorewall-perl 4.2.1. May be used to limit the number
of simultaneous connections from each individual host to of simultaneous connections from each individual host to
<replaceable>limit</replaceable> connections. While the limit is <replaceable>limit</replaceable> connections. Requires connlimit
only checked on rules specifying CONNLIMIT, the number of current match in your kernel and iptables. While the limit is only checked
connections is calculated over all current connections from the on rules specifying CONNLIMIT, the number of current connections is
SOURCE host. By default, the limit is applied to each host but can calculated over all current connections from the SOURCE host. By
be made to apply to networks of hosts by specifying a default, the limit is applied to each host but can be made to apply
to networks of hosts by specifying a
<replaceable>mask</replaceable>. The <replaceable>mask</replaceable> <replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
specifies the width of a VLSM mask to be applied to the source specifies the width of a VLSM mask to be applied to the source
address; the number of current connections is then taken over all address; the number of current connections is then taken over all
@ -1096,6 +1097,92 @@
<replaceable>limit</replaceable>.</para> <replaceable>limit</replaceable>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">TIME</emphasis> -
<emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
<listitem>
<para>Added in Shorewall-perl 4.2.1. May be used to limit the rule
to a particular time period each day, to particular days of the week
or month, or to a range defined by dates and times. Requires time
match support in your kernel and iptables.</para>
<para><replaceable>timeelement</replaceable> may be:</para>
<variablelist>
<varlistentry>
<term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the starting time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
<listitem>
<para>Defines the ending time of day.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>utc</term>
<listitem>
<para>Times are expressed in Greenwich Mean Time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>localtz</term>
<listitem>
<para>Times are expressed in Local Civil Time
(default).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>weekdays=ddd[,ddd]...</term>
<listitem>
<para>where <replaceable>ddd</replaceable> is one of
<option>Mon</option>, <option>Tue</option>,
<option>Wed</option>, <option>Thu</option>,
<option>Fri</option>, <option>Sat</option> or
<option>Sun</option></para>
</listitem>
</varlistentry>
<varlistentry>
<term>monthdays=dd[,dd],...</term>
<listitem>
<para>where <replaceable>dd</replaceable> is an ordinal day of
the month</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the starting date and time.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
<listitem>
<para>Defines the ending date and time.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>