From: Julian Elischer <julian@elischer.org>
To: freebsd-ipfw@freebsd.org
Subject: ipfw table expiry.. how to do it..?
Date: Mon, 12 Sep 2016 11:04:26 +0800
Message-ID: <0f1acc7f-2c85-dc4d-a272-5631c1e749cd@elischer.org>

Unfortunately we don't have any timers on table entries, so it's not possible to see how long an entry has been in use, or idle. If I were to have a captive portal, which placed the address of 'allowed' hosts into a table, we would have no way to time them out when they go idle.

The only thing you can do is throw away all the entries at some time, and force them to all log in again. Does anyone have any patches to add "access time" to table entries? I'm guessing the way it would need to be done now would be to use dynamic rules and have the SYN packet of every TCP session sent to the portal for approval, before being passed back to create the dynamic rule.
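As an added example that is not part of the post above and not ipfw's own code: since ipfw keeps no timestamps on table entries, the bookkeeping has to live in userland. The script below is a hypothetical captive-portal helper that records, per approved address, the last time the portal saw it (for instance when it approves the SYN of a new session, as proposed above), and periodically deletes entries that have been idle longer than a limit. It only sees activity that reaches the portal, not packets that merely match the table; that is exactly the gap the post describes. Table number, state file path and the `IPFW` command variable are assumptions; `IPFW` defaults to a dry run that prints the `ipfw table` commands instead of running them.

```shell
#!/bin/sh
# Hypothetical userland expiry for ipfw table entries (added example, not ipfw code).
# State file format, one entry per line: "<address> <last-seen epoch seconds>".
IPFW="${IPFW:-echo ipfw}"                               # dry run unless overridden (e.g. IPFW=/sbin/ipfw)
TABLE="${TABLE:-1}"                                     # assumed: numeric table of approved hosts
PORTAL_STATE="${PORTAL_STATE:-/var/db/portal_state}"    # assumed path for the state file

# Exit 0 if ADDR already has a state entry (exact match, not a regex match).
portal_known() {
    [ -f "$PORTAL_STATE" ] || return 1
    awk -v a="$1" '$1 == a { found = 1 } END { exit !found }' "$PORTAL_STATE"
}

# Record that the portal saw ADDR at NOW (epoch seconds).
# A new address is also added to the ipfw table; a known one just gets its timestamp refreshed.
portal_touch() {
    addr="$1"; now="$2"
    if portal_known "$addr"; then
        tmp="$PORTAL_STATE.tmp"
        awk -v a="$addr" -v n="$now" '$1 == a { $2 = n } { print }' "$PORTAL_STATE" > "$tmp" \
            && mv "$tmp" "$PORTAL_STATE"
    else
        echo "$addr $now" >> "$PORTAL_STATE"
        $IPFW table "$TABLE" add "$addr"
    fi
}

# Delete every address not seen for more than IDLE seconds as of NOW, from both the
# ipfw table and the state file. Prints the removed addresses, one per line.
portal_expire() {
    now="$1"; idle="$2"
    [ -f "$PORTAL_STATE" ] || return 0
    stale=$(awk -v n="$now" -v i="$idle" 'n - $2 > i { print $1 }' "$PORTAL_STATE")
    for addr in $stale; do
        $IPFW table "$TABLE" delete "$addr"
    done
    tmp="$PORTAL_STATE.tmp"
    awk -v n="$now" -v i="$idle" 'n - $2 <= i { print }' "$PORTAL_STATE" > "$tmp" \
        && mv "$tmp" "$PORTAL_STATE"
    [ -n "$stale" ] && echo "$stale"
    return 0
}

# Typical use (call sites are the portal's own code, not shown here):
#   portal_touch "$client_ip" "$(date +%s)"      # on login, or on each approved SYN
#   portal_expire "$(date +%s)" 1800             # from cron, e.g. every few minutes
```

Because ipfw cannot tell the script about traffic that simply matches the table, `portal_touch` has to be called from wherever the portal does see the client; with the diverted-SYN design that is every new TCP session, so the idle limit is effectively "no new connections for IDLE seconds", not "no packets for IDLE seconds".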