From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 282877] pfctl: [Feature request] Allow pfctl to reset statistics for an individual IP address
Date: Mon, 25 Nov 2024 10:15:09 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 14.1-RELEASE
X-Bugzilla-Keywords: feature
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: leon+freebsd@darkk.net.ru
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: cc attachments.created
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
X-BeenThere: freebsd-pf@freebsd.org
Sender: owner-freebsd-pf@FreeBSD.org
MIME-Version: 1.0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282877

Leonid Evdokimov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |leon+freebsd@darkk.net.ru

--- Comment #4 from Leonid Evdokimov ---
Created attachment 255439
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=255439&action=edit
pfctl -T makezero

> An external tool like blacklistd or fail2ban (or something home-brewed)
> tracks the PF log, and resets the statistics for offending hosts
> that are already in table .

That's certainly an existing pattern for pf table management. E.g.
https://forums.freebsd.org/threads/pf-firewall-expiretable.61827/ discusses
that as well. I'd like to suggest one more patch that makes a similar pattern
easier to implement for home-brewers.

Feeding pflog to blacklistd is fine, but `pf` tables also have counters that
can be used for the same purpose. So this policy might be implemented using
either pflog or pf table counters, and these solutions might have different
performance and reliability characteristics. As far as I understand, `counter`
is always incremented on a match, but pflog might be dropping packets in case
of the consumer being somewhat slow.

So I suggest adding a table command "makezero" that combines the semantics of
`make` (doing things incrementally and as-necessary) and `zero` (clearing
statistics). :-)

In the case of table counters having an acceptable overhead, the cron job would
be as simple as

    pfctl -t blocked -T makezero && pfctl -t blocked -T expire 1209600

-- 
You are receiving this mail because:
You are the assignee for the bug.
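The cron-job pattern the comment describes, implemented with the pfctl table
commands that already exist (`-T show -vv`, `-T zero` with an address list, and
`-T expire`), as an added example; it is not the attachment from the bug report
and not FreeBSD's code. The `active_addrs`, `makezero` and `sample_show`
functions and the sample `show -vv` output are constructed here, and feeding
addresses to `-T zero` through `-f -` (stdin) is assumed from pfctl(8).

```sh
#!/bin/sh
# Added example, not the attachment from the bug report: emulate the proposed
# "makezero" step with the pfctl table commands that already exist.
# Entries whose counters moved since the last clearing get zeroed (which also
# refreshes their "Cleared" timestamp); entries that stayed quiet keep their
# old timestamp and are removed by the following "expire".

# active_addrs: read `pfctl -t TABLE -T show -vv` output on stdin and print
# one address per line for every entry with a non-zero packet counter.
active_addrs() {
	awk '
	function emit() { if (addr != "" && hot) print addr; addr = ""; hot = 0 }
	/^[ \t]*$/ { next }
	!/^\t/     { emit(); addr = $1; next }   # address lines are not tab-indented
	/Packets:/ {                              # "In/Block: [ Packets: N  Bytes: M ]"
		for (i = 1; i < NF; i++)
			if ($i == "Packets:" && $(i + 1) + 0 > 0) hot = 1
	}
	END { emit() }'
}

# makezero TABLE SECONDS: zero only the active entries, then expire the rest.
# Addresses are fed to "pfctl -T zero" via "-f -" (stdin, assumed from pfctl(8))
# so a large table does not hit the argument-length limit.
makezero() {
	table=$1
	secs=$2
	addrs=$(pfctl -t "$table" -T show -vv | active_addrs)
	if [ -n "$addrs" ]; then
		printf '%s\n' "$addrs" | pfctl -t "$table" -T zero -f -
	fi
	pfctl -t "$table" -T expire "$secs"
}

# sample_show: constructed `pfctl -T show -vv` output in the layout pfctl
# prints (three-space address lines, tab-indented counter lines), used when the
# script runs without arguments and no firewall is at hand.
sample_show() {
	printf '   192.0.2.1\n'
	printf '\tCleared:     Mon Nov 25 10:00:00 2024\n'
	printf '\tIn/Block:    [ Packets: 12                 Bytes: 720                ]\n'
	printf '\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]\n'
	printf '\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]\n'
	printf '\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]\n'
	printf '   198.51.100.0/24\n'
	printf '\tCleared:     Mon Nov 25 10:00:00 2024\n'
	printf '\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]\n'
	printf '\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]\n'
	printf '\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]\n'
	printf '\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]\n'
	printf '   203.0.113.7\n'
	printf '\tCleared:     Mon Nov 25 10:00:00 2024\n'
	printf '\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]\n'
	printf '\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]\n'
	printf '\tOut/Block:   [ Packets: 3                  Bytes: 180                ]\n'
	printf '\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]\n'
}

if [ $# -eq 2 ]; then
	makezero "$1" "$2"           # e.g. from cron: sh makezero.sh blocked 1209600
else
	sample_show | active_addrs   # offline demo: prints 192.0.2.1 and 203.0.113.7
fi
```

Run as `sh makezero.sh blocked 1209600` from cron to get the same effect as
the proposed `pfctl -t blocked -T makezero && pfctl -t blocked -T expire
1209600`. The script reads counters rather than pflog, so it does not lose
events when the log consumer falls behind; the cost is one full table dump per
run, which is what the comment's "acceptable overhead" condition refers to.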