[Bug 282984] [PATCH] pfctl: add -T `makezero` to touch pfras_tzero _only_ for non-zero entries
Date: Tue, 26 Nov 2024 11:36:53 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282984
Bug ID: 282984
Summary: [PATCH] pfctl: add -T `makezero` to touch pfras_tzero _only_ for non-zero entries
Product: Base System
Version: 14.1-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: leon+freebsd@darkk.net.ru
Created attachment 255466
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=255466&action=edit
pfctl -T makezero patch
There is a common pattern "keep an entry in a pf table while it's active + TTL seconds more".
This pattern is observed:
> resetting the statistics for a single IP address in a table would allow me to
> _continuously_ block repeat offenders, while releasing one-time offenders
- #282877
> Is there a way to remove entries based on the last date accessed ?
- https://forums.freebsd.org/threads/pf-firewall-expiretable.61827/
I need it for policy-based routing based on a pf table that is filled by the `unbound` ipset patch and is expired as soon as an address is silent for a while.
I propose a `makezero` command for pfctl that clears `pfras_tzero` for the entries with non-zero counters to implement that pattern.
`pfctl -t tbl -T zero $ip1 $ip2 ...` is fine, but it means that "activity" is tracked somewhere else, and this solution has its pros and cons.
- pflog might be dropping packets in case the consumer is somewhat slow
- table counters are "unavoidable", but come with some performance penalty
- both options are prone to a TOCTOU race condition
The "makezero" name combines the semantics of `make` (doing things incrementally and only as necessary) and `zero` (clearing statistics). :-)
In this case the cronjob maintaining the table would be as simple as:
> pfctl -t tbl -T makezero && pfctl -t tbl -T expire ${TTL}
The patch depends on 6463b6b59152fb1695bbe0de78f6e2675c5a765a and https://reviews.freebsd.org/D47697
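As an added illustration (not part of the bug report or of pfctl), a small Python model of the table semantics described above: `tzero` and `packets` stand in for `pfras_tzero` and the per-entry counters, and `demo()` contrasts the proposed `makezero && expire TTL` cronjob with clearing every entry before expiring. All entry values are constructed.

```python
# Toy model of the pf table behaviour discussed in the report. Not pfctl code:
# `tzero` mirrors pfras_tzero ("Cleared" time), `packets` the summed counters.
from dataclasses import dataclass


@dataclass
class Entry:
    addr: str
    tzero: int    # time the statistics were last cleared (pfras_tzero)
    packets: int  # packets matched since tzero (sum of the counters)


def makezero(table, now):
    """Proposed `pfctl -T makezero`: clear tzero and counters only for entries
    that saw traffic since the last clear; idle entries keep ageing.
    Returns the addresses that were touched."""
    touched = []
    for e in table:
        if e.packets != 0:
            e.tzero, e.packets = now, 0
            touched.append(e.addr)
    return touched


def zero_all(table, now):
    """Existing `pfctl -T zero` without addresses: clears every entry, so idle
    entries get a fresh tzero too and can never reach the expire threshold."""
    for e in table:
        e.tzero, e.packets = now, 0


def expire(table, ttl, now):
    """Existing `pfctl -T expire TTL`: drop entries whose statistics were
    cleared more than TTL seconds ago. Returns the surviving entries."""
    return [e for e in table if now - e.tzero <= ttl]


def demo():
    # Constructed table: 10.0.0.1 keeps sending, 10.0.0.2 went silent at t=300.
    def fresh():
        return [Entry("10.0.0.1", tzero=300, packets=5),
                Entry("10.0.0.2", tzero=300, packets=0)]

    ttl, now = 600, 1000
    active = fresh()
    makezero(active, now)                       # cronjob: makezero && expire
    kept_makezero = [e.addr for e in expire(active, ttl, now)]
    naive = fresh()
    zero_all(naive, now)                        # clearing everything first
    kept_zero_all = [e.addr for e in expire(naive, ttl, now)]
    return kept_makezero, kept_zero_all
```

`demo()` returns `(["10.0.0.1"], ["10.0.0.1", "10.0.0.2"])`: with `makezero` the silent address is expired, while clearing the whole table resets its age and keeps it forever.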