Date:      Tue, 26 Nov 2024 11:36:53 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 282984] [PATCH] pfctl: add -T `makezero` to touch pfras_tzero _only_ for non-zero entries
Message-ID:  <bug-282984-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282984

            Bug ID: 282984
           Summary: [PATCH] pfctl: add -T `makezero` to touch pfras_tzero
                    _only_ for non-zero entries
           Product: Base System
           Version: 14.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: leon+freebsd@darkk.net.ru

Created attachment 255466
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=255466&action=edit
pfctl -T makezero patch

There is a common pattern "keep an entry in pf table while it's active + TTL
seconds more".

This pattern is observed:

> resetting the statistics for a single IP address in a table would allow me to
> _continuously_ block repeat offenders, while releasing one-time offenders

- #282877

> Is there a way to remove entries based on the last date accessed ?

- https://forums.freebsd.org/threads/pf-firewall-expiretable.61827/

I need it for policy-based routing based on a pf table that is filled by the
`unbound` ipset patch and is expired as soon as an address is silent for a
while.

I propose a `makezero` command for pfctl that clears `pfras_tzero` for the
entries with non-zero counters to implement that pattern.

`pfctl -t tbl -T zero $ip1 $ip2 ...` is fine, but it means that "activity" is
tracked somewhere else, and this solution has its pros and cons.

- pflog might be dropping packets if the consumer is somewhat slow
- table counters are "unavoidable", but come with some performance penalty
- both options are prone to a TOCTOU race condition

"makezero" name combines semantics of `make` (doing things incrementally and
only-as-necessary) and `zero` clearing statistics. :-)

In this case the cronjob maintaining the table would be as simple as:

> pfctl -t tbl -T makezero && pfctl -t tbl -T expire ${TTL}

The patch depends on 6463b6b59152fb1695bbe0de78f6e2675c5a765a and
https://reviews.freebsd.org/D47697

-- 
You are receiving this mail because:
You are the assignee for the bug.
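The "keep an entry while it is active + TTL seconds" pattern the report describes can already be scripted with the pfctl commands that exist today, at the cost of the user-space activity tracking (and the TOCTOU window) the report lists as a drawback. The script below is an added example, not the attached patch and not part of the bug report: it reads per-entry packet counters from `pfctl -t tbl -T show -vv`, zeroes the statistics only of entries that saw traffic (moving their `pfras_tzero` to now), and then runs `-T expire TTL`. The table name, the TTL and the sample `show -vv` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the bug's attached patch: the "keep a pf table entry
# while it is active, plus TTL seconds" pattern built from pfctl commands
# that exist without the patch.  `-T show -vv` exposes each entry's packet
# counters and "Cleared" time (pfras_tzero); zeroing only the entries that
# saw traffic moves their tzero to now, and `-T expire TTL` then removes
# every entry whose tzero is older than TTL seconds.
# Assumptions: table name and TTL come from the command line; the sample
# below is constructed to look like `pfctl -T show -vv` output.
set -eu

# Read `pfctl -t <table> -T show -vv` on stdin and print, one per line, the
# address spec of every entry whose In/Out x Block/Pass packet counters are
# not all zero.  Entries are recognised by content, not indentation, so the
# parser works whether the stats lines are tab- or space-indented.
active_addrs() {
	awk '
	function flush() { if (addr != "" && pkts > 0) print addr }
	NF == 0 { next }
	$1 ~ "^(Cleared:|In/|Out/)" {
		# counter lines look like "In/Pass:  [ Packets: N  Bytes: M ]"
		if ($1 ~ "^(In|Out)/")
			for (i = 1; i <= NF; i++)
				if ($i == "Packets:") pkts += $(i + 1)
		next
	}
	{ flush(); addr = $NF; pkts = 0 }   # any other line names the next entry
	END { flush() }
	'
}

# Constructed sample in the shape of `pfctl -T show -vv` output: one busy
# host, one silent host, one negated entry that only blocked packets, and
# one IPv6 host with a single passed packet.
sample_show_output() {
	cat <<'EOF'
   192.0.2.1
	Cleared:     Tue Nov 26 11:00:00 2024
	In/Block:    [ Packets: 0                  Bytes: 0                  ]
	In/Pass:     [ Packets: 12                 Bytes: 1840               ]
	Out/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out/Pass:    [ Packets: 9                  Bytes: 1212               ]
   192.0.2.2
	Cleared:     Tue Nov 26 10:00:00 2024
	In/Block:    [ Packets: 0                  Bytes: 0                  ]
	In/Pass:     [ Packets: 0                  Bytes: 0                  ]
	Out/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
  !198.51.100.7
	Cleared:     Tue Nov 26 11:30:00 2024
	In/Block:    [ Packets: 3                  Bytes: 180                ]
	In/Pass:     [ Packets: 0                  Bytes: 0                  ]
	Out/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   2001:db8::5
	Cleared:     Tue Nov 26 11:35:00 2024
	In/Block:    [ Packets: 0                  Bytes: 0                  ]
	In/Pass:     [ Packets: 1                  Bytes: 84                 ]
	Out/Block:   [ Packets: 0                  Bytes: 0                  ]
	Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
EOF
}

# The cron job body: zero statistics only for active entries, then expire
# whatever has been silent for more than TTL seconds.  Packets that arrive
# between `show` and `zero` are counted and then discarded; that is the
# TOCTOU window the report mentions, and this script narrows it, not closes it.
refresh_table() {
	tbl=$1
	ttl=$2
	active=$(pfctl -t "$tbl" -T show -vv | active_addrs)
	if [ -n "$active" ]; then
		# shellcheck disable=SC2086  # word splitting: one argument per address spec
		pfctl -q -t "$tbl" -T zero $active
	fi
	pfctl -q -t "$tbl" -T expire "$ttl"
}

if [ $# -eq 2 ]; then
	refresh_table "$1" "$2"          # e.g. ./refresh.sh mytable 3600
else
	echo "active entries in the constructed sample:"
	sample_show_output | active_addrs
fi
```

Run as `refresh.sh <table> <ttl>` from cron to get the same effect as the proposed `pfctl -t tbl -T makezero && pfctl -t tbl -T expire ${TTL}` pair; run with no arguments to see which entries of the constructed sample the parser classifies as active (the negated entry is passed back to `-T zero` with its `!` prefix intact so the same table entry is addressed).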
