Date:      Mon, 25 Nov 2024 10:15:09 +0000
From:      bugzilla-noreply@freebsd.org
To:        pf@FreeBSD.org
Subject:   [Bug 282877] pfctl: [Feature request] Allow pfctl to reset statistics for an individual IP address
Message-ID:  <bug-282877-16861-r6nwHGDSyg@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-282877-16861@https.bugs.freebsd.org/bugzilla/>
References:  <bug-282877-16861@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282877

Leonid Evdokimov <leon+freebsd@darkk.net.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |leon+freebsd@darkk.net.ru

--- Comment #4 from Leonid Evdokimov <leon+freebsd@darkk.net.ru> ---
Created attachment 255439
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=255439&action=edit
pfctl -T makezero

> An external tool like blacklistd or fail2ban (or something home-brewed)
> tracks the PF log, and resets the statistics for offending hosts
> that are already in table <blocked>.

That's certainly an existing pattern for pf table management. E.g.
https://forums.freebsd.org/threads/pf-firewall-expiretable.61827/ discusses
that as well.

I'd like to suggest one more patch that makes a similar pattern easier to
implement for home-brewers.

Feeding pflog to blacklistd is fine, but `pf` tables also have counters; those
can be used for the same purpose. So this policy might be implemented using
either pflog or pf table counters, and these solutions might have different
performance and reliability characteristics. As far as I understand, `counter`
is always incremented on a match, but pflog might be dropping packets in case
the consumer is somewhat slow.

So I suggest adding a table command "makezero" that combines the semantics of
`make` (doing things incrementally and as necessary) and `zero` (clearing
statistics). :-)

In the case of table counters having an acceptable overhead, the cron job would
be as simple as `pfctl -t blocked -T makezero && pfctl -t blocked -T expire
1209600`.

-- 
You are receiving this mail because:
You are the assignee for the bug.
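As an added illustration of the counter-based policy discussed in the comment above (example code, not from the bug report or the attached patch): a small Python script that parses the per-address block of `pfctl -t blocked -T show -vv` output and splits the entries the way a `makezero && expire 1209600` cron job would treat them. Entries whose block counters are non-zero since they were last cleared are the ones a `makezero` would reset; entries with zero counters whose "Cleared:" time is older than the expire window are the ones `expire` would remove; the rest are left alone. The input layout (an address line, then `Cleared:` and `In/Out` counter lines) is approximated from pfctl(8) and the sample text is constructed; `parse_show_vv`, `classify`, `NOW` and `TWO_WEEKS` are this example's own names, not pfctl's.

```python
"""Decide which pf table entries a `makezero && expire` job would touch.

Added example, not code from the bug report or its attachment.  The input
layout follows `pfctl -t <table> -T show -vv` as described in pfctl(8)
(an address line followed by a "Cleared:" timestamp and per direction/op
counters); the layout is an assumption and the sample text is constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample in the assumed `-T show -vv` layout.  Counters are the
# packets/bytes that hit the entry since its "Cleared:" time.
SAMPLE_SHOW_VV = """\
   192.0.2.10
\tCleared:     Mon Nov 11 10:00:00 2024
\tIn/Block:    [ Packets: 37                 Bytes: 2220               ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.7
\tCleared:     Mon Nov  4 09:00:00 2024
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
   2001:db8::5
\tCleared:     Sat Nov 23 08:30:00 2024
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
"""

# "Now" for the sample: the date of the comment above (constructed choice).
NOW = datetime(2024, 11, 25, 10, 15, 9)
TWO_WEEKS = 1209600  # the expire window used in the comment, in seconds

# Address line: flag char, space, optional '!' (negated), then the address.
ADDR_RE = re.compile(r"^(?P<flag>.) (?P<neg>[ !])(?P<addr>\S+)$")
CLEARED_RE = re.compile(r"^\s*Cleared:\s+(?P<when>.+?)\s*$")
STAT_RE = re.compile(
    r"^\s*(?P<dir>In|Out)/(?P<op>\w+):\s+\[ Packets: (?P<pk>\d+)\s+Bytes: (?P<by>\d+)\s*\]"
)


@dataclass
class Entry:
    addr: str
    cleared: str = ""
    packets: dict = field(default_factory=dict)  # "In/Block" -> packet count
    bytes_: dict = field(default_factory=dict)   # "In/Block" -> byte count


def parse_show_vv(text):
    """Parse `-T show -vv` output into a list of Entry, in table order."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADDR_RE.match(line)
        if m and not line.startswith("\t"):
            cur = Entry(addr=m.group("addr"))
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError(f"statistics before any address: {line!r}")
        m = CLEARED_RE.match(line)
        if m:
            cur.cleared = m.group("when")
            continue
        m = STAT_RE.match(line)
        if m:
            key = f"{m.group('dir')}/{m.group('op')}"
            cur.packets[key] = int(m.group("pk"))
            cur.bytes_[key] = int(m.group("by"))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return entries


def parse_cleared(text):
    """ctime(3) layout as printed for "Cleared:", e.g. "Mon Nov  4 09:00:00 2024"."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def classify(entries, now, expire_seconds, ops=("Block",)):
    """Split entries as `makezero && expire <n>` would treat them.

    Returns (reset, expire, keep): addresses whose counters show hits since
    the last clear (makezero resets them, refreshing their timestamp),
    idle addresses cleared more than expire_seconds ago (expire removes
    them), and idle addresses still inside the window (left untouched).
    """
    reset, expire, keep = [], [], []
    for e in entries:
        hits = sum(n for k, n in e.packets.items() if k.split("/")[1] in ops)
        age = (now - parse_cleared(e.cleared)).total_seconds()
        if hits > 0:
            reset.append(e.addr)
        elif age > expire_seconds:
            expire.append(e.addr)
        else:
            keep.append(e.addr)
    return reset, expire, keep


def run_sample():
    """Apply the policy to the constructed sample with the comment's window."""
    return classify(parse_show_vv(SAMPLE_SHOW_VV), NOW, TWO_WEEKS)


if __name__ == "__main__":
    reset, expire, keep = run_sample()
    print("reset (makezero):", reset)
    print("expire:", expire)
    print("keep:", keep)
```

The point of the split is the one the comment makes: the decision rests only on the table's own counters and "Cleared:" timestamps, so nothing is lost if a pflog consumer falls behind, and an entry that is still being hit keeps its place in the table while idle entries age out.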


