From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 282984] [PATCH] pfctl: add -T `makezero` to touch pfras_tzero _only_ for non-zero entries
Date: Tue, 26 Nov 2024 11:36:53 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 14.1-STABLE
X-Bugzilla-Who: leon+freebsd@darkk.net.ru
X-Bugzilla-Status: New
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282984

            Bug ID: 282984
           Summary: [PATCH] pfctl: add -T `makezero` to touch pfras_tzero _only_ for non-zero entries
           Product: Base System
           Version: 14.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: leon+freebsd@darkk.net.ru

Created attachment 255466
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=255466&action=edit
pfctl -T makezero patch

There is a common pattern "keep an entry in a pf table while it's active + TTL seconds more". This pattern is observed:

> resetting the statistics for a single IP address in a table would allow me to
> _continuously_ block repeat offenders, while releasing one-time offenders
- #282877

> Is there a way to remove entries based on the last date accessed ?
- https://forums.freebsd.org/threads/pf-firewall-expiretable.61827/

I need it for policy-based routing based on a pf table that is filled by the `unbound` ipset patch and is expired as soon as an address is silent for a while.

I propose a `makezero` command for pfctl that clears `pfras_tzero` for the entries with non-zero counters to implement that pattern.

`pfctl -t tbl -T zero $ip1 $ip2 ...` is fine, but it means that "activity" is tracked somewhere else, and this solution has its pros and cons:

- pflog might be dropping packets in case the consumer is somewhat slow
- table counters are "unavoidable", but come with some performance penalty
- both options are prone to a TOCTOU race condition

The "makezero" name combines the semantics of `make` (doing things incrementally and only as necessary) and `zero` (clearing statistics). :-)

In this case the cronjob maintaining the table would be as simple as:

> pfctl -t tbl -T makezero && pfctl -t tbl -T expire ${TTL}

The patch depends on 6463b6b59152fb1695bbe0de78f6e2675c5a765a and https://reviews.freebsd.org/D47697
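Added example, not code from the bug report or its patch: the same "keep while active + TTL" pattern built only from the pfctl commands that exist today (`-T show -vv`, `-T zero <addrs>`, `-T expire`), with activity decided from the per-address counters. The per-address layout of the embedded sample, the helper names and the table name are assumptions; the gap between reading and zeroing the counters is the TOCTOU window the report mentions.

```shell
#!/bin/sh
# Added example, not code from the bug report or its patch: emulate
# "keep an entry while active + TTL seconds" with existing pfctl commands.
# The per-address layout below is assumed to match `pfctl -t TABLE -T show -vv`.

# Constructed sample of `-T show -vv` output: one active, one silent entry.
SAMPLE='   192.0.2.10
        Cleared:     Tue Nov 26 11:00:00 2024
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 42                 Bytes: 4200               ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   192.0.2.11
        Cleared:     Tue Nov 26 11:00:00 2024
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# Print (one per line, sorted) the addresses whose packet counters are
# non-zero, i.e. the entries seen since their counters were last cleared.
active_addrs() {
    printf '%s\n' "$1" | awk '
        # an indented line holding only address characters starts a new entry
        /^[ \t]*[0-9A-Fa-f.:\/]+[ \t]*$/ { addr = $1; active[addr] = 0; next }
        # "In/Pass:  [ Packets: 42  Bytes: ... ]": field 4 is the packet count
        addr != "" && /Packets:/ && ($4 + 0) > 0 { active[addr] = 1 }
        END { for (a in active) if (active[a]) print a }' | sort
}

# Cron step (hypothetical helper): zero the counters of the active entries,
# which re-stamps their pfras_tzero, then expire everything silent longer
# than TTL seconds. Entries that become active between "show" and "zero"
# are missed this round: that is the TOCTOU window the report mentions.
refresh_table() {
    table=$1 ttl=$2
    ips=$(active_addrs "$(pfctl -t "$table" -T show -vv)")
    # word splitting of $ips is intended: one address per argument
    [ -n "$ips" ] && pfctl -t "$table" -T zero $ips
    pfctl -t "$table" -T expire "$ttl"
}

active_addrs "$SAMPLE"   # prints 192.0.2.10
```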