From owner-freebsd-ipfw@freebsd.org Fri Sep 16 04:48:01 2016
From: Bill Yuan
Reply-To: bycn82@dragonflybsd.org
Date: Fri, 16 Sep 2016 12:48:00 +0800
Subject: Re: ipfw table expiry.. how to do it..?
To: Ian Smith
Cc: Julian Elischer, freebsd-ipfw@freebsd.org
In-Reply-To: <20160912135241.J91459@sola.nimnet.asn.au>
References: <0f1acc7f-2c85-dc4d-a272-5631c1e749cd@elischer.org> <20160912135241.J91459@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

In Ipfw3, each table entry has its own counter and last hit timestamp for both directions.

On 12 September 2016 at 12:12, Ian Smith wrote:

> On Mon, 12 Sep 2016 11:04:26 +0800, Julian Elischer wrote:
>
> > Unfortunately we don't have any timers on table entries, so it's not possible
> > to see how long an entry has been in use, or idle.
> >
> > If I were to have a captive portal, which placed the address of 'allowed'
> > hosts into a table, we would have no way to time them out when they go idle.
> > The only thing you can do is throw away all the entries at some time, and
> > force them to all log in again.
> >
> > Does anyone have any patches to add "access time" to table entries?
> >
> > I'm guessing the way it would need to be done now would be to use dynamic
> > rules and having the syn packet of every tcp session sent to the portal for
> > approval, before being passed back to create the dynamic rule.
>
> Well nothing like patches, and surely not what you want, but I've been
> using the below since '08 to add timestamps to entries, and a couple of
> related scripts to list entries for particular tables in date order etc.
> I never finished adding the 'purge before somedate' script ..
>
> Nowadays with multiple table values you could maybe have useful tablearg
> values like skipto targets as well.
>
> cheers, Ian
>
> #!/bin/sh
> # addr_to_table 24/11/8 smithi
> # add ipaddr[/masklen|32] and value (seconds from epoch) to table N
> # 31/12/9 CIDR matching for updates, (ab)using table 0 for calc
> # 4/4/11 prefer direct ipaddr/masklen format, add numeric check
> usage() {
>     [ "$1" ] && echo "$1"
>     echo "usage: `basename $0` table address[/masklen | [ masklen]]"
>     exit 1
> }
> validint() { # value min max: true iff $1 is all digits and min <= $1 <= max
>     [ "$1" ] || return 1                        # empty
>     [ "`echo $1 | tr -d 0-9`" ] && return 1     # not all numeric
>     [ "$1" -ge "$2" -a "$1" -le "$3" ] && return 0 || return 1
> }
> [ "$2" ] || usage
> table=$1 ; addr=$2
> validint "$table" 1 127 || usage "table '$table' not 1..127"
> [ "$3" ] && mlen=$3 || mlen=32 # allow old but prefer CIDR format
> [ "${addr%/*}" != "$addr" ] && mlen=${addr#*/} && addr=${addr%/*}
> validint "$mlen" 8 32 || usage "masklen '$mlen' not 8..32"
>
> addr=$addr/$mlen
> if [ $mlen -lt 32 ]; then # calc CIDR netblock addr using table 0
>     # table 0 is scratch space here: anything else kept in it is flushed
>     ipfw -q table 0 flush ; ipfw -q table 0 add $addr
>     addr=`ipfw table 0 list | awk '{print $1}'`
> fi # only needed if looking up addr/mask
>
> # value stored is the insertion time; add fails if the address is already present
> ipfw -q table $table add $addr `date "+%s"` 2>/dev/null
> [ $? -eq 0 ] || { echo "table $table add $addr `date +%s` failed: dupe?"; exit 1; }
> exit 0
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
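The 'purge before somedate' companion that Ian says he never finished, written here as an added example rather than code from the thread. It assumes the table values are the epoch-seconds timestamps addr_to_table stores, and that `ipfw table N list` prints one `addr/masklen value` pair per line (the same format addr_to_table's own awk relies on); the function names, the DRYRUN variable and the sample entries in the comments are mine.

```shell
#!/bin/sh
# purge_table_before: added example, not from the thread. Remove entries that
# addr_to_table stamped with an epoch-seconds value once they are older than
# MAXAGE seconds. Assumes `ipfw table N list` prints "addr/masklen value",
# one entry per line.

# expired_entries CUTOFF
#   stdin:  "addr/masklen value" lines, e.g. "10.1.2.3/32 1474001280"
#   stdout: addr/masklen of every entry whose value is all digits and < CUTOFF
# Entries whose value is not a number (some other tablearg) are left alone
# rather than guessed at.
expired_entries() {
	awk -v cutoff="$1" '
		NF >= 2 && $2 ~ /^[0-9]+$/ && ($2 + 0) < (cutoff + 0) { print $1 }
	'
}

# stale_count CUTOFF: how many entries expired_entries would report
stale_count() {
	expired_entries "$1" | wc -l | tr -d ' '
}

# purge_table TABLE MAXAGE [NOW]
#   delete every entry older than MAXAGE seconds. NOW (epoch seconds) may be
#   supplied for testing or replay; otherwise the clock is read once so that
#   every entry is judged against the same instant.
#   Set DRYRUN=1 to print what would be deleted instead of deleting.
purge_table() {
	table=$1; maxage=$2; now=${3:-`date +%s`}
	cutoff=$((now - maxage))
	ipfw table "$table" list | expired_entries "$cutoff" |
	while read -r entry; do
		if [ "${DRYRUN:-0}" = 1 ]; then
			echo "would delete $entry from table $table"
		else
			# </dev/null so ipfw cannot consume the rest of the entry list
			ipfw -q table "$table" delete "$entry" </dev/null ||
				echo "table $table delete $entry failed" >&2
		fi
	done
}

# usage: purge_table_before TABLE MAXAGE   e.g. purge_table_before 5 3600
if [ $# -ge 2 ]; then
	purge_table "$1" "$2"
fi
```

Two caveats follow from how addr_to_table stores its value. The stamp is the insertion time, not the last hit, so this gives each entry a fixed lifetime from login rather than an idle timeout; to get idle semantics the portal has to delete and re-add the address on activity, because the add fails on a duplicate. And there is a window between the list and each delete in which the portal may have re-added the same address with a fresh stamp, which the delete then removes anyway; for a captive portal that only costs the user a fresh login, but it is worth knowing when reading the logs.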