From: Ian Smith <smithi@nimnet.asn.au>
To: Julian Elischer
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 12 Sep 2016 14:12:35 +1000 (EST)
Subject: Re: ipfw table expiry.. how to do it..?
Message-ID: <20160912135241.J91459@sola.nimnet.asn.au>
In-Reply-To: <0f1acc7f-2c85-dc4d-a272-5631c1e749cd@elischer.org>

On Mon, 12 Sep 2016 11:04:26 +0800, Julian Elischer wrote:

> Unfortunately we don't have any timers on table entries, so it's not possible
> to see how long an entry has been in use, or idle.
>
> If I were to have a captive portal, which placed the address of 'allowed'
> hosts into a table, we would have no way to time them out when they go idle.
> The only thing you can do is throw away all the entries at some time, and
> force them to all log in again.
>
> Does anyone have any patches to add "access time" to table entries?
>
> I'm guessing the way it would need to be done now would be to use dynamic
> rules and having the syn packet of every tcp session sent to the portal for
> approval, before being passed back to create the dynamic rule.

Well nothing like patches, and surely not what you want, but I've been using
the below since '08 to add timestamps to entries, and a couple of related
scripts to list entries for particular tables in date order etc. I never
finished adding the 'purge before somedate' script ..

Nowadays with multiple table values you could maybe have useful tablearg
values like skipto targets as well.

cheers, Ian

#!/bin/sh
# addr_to_table 24/11/8 smithi
# add ipaddr[/masklen|32] and value (seconds from epoch) to table N
# 31/12/9 CIDR matching for updates, (ab)using table 0 for calc
# 4/4/11 prefer direct ipaddr/masklen format, add numeric check

usage() {
	[ "$1" ] && echo "$1"
	echo "usage: `basename $0` table address[/masklen | [ masklen]]"
	exit 1
}

validint() {	# value min max: succeed if value is all-numeric and in range
	[ "$1" ] || return 1				# empty value
	[ "`echo $1 | tr -d 0-9`" ] && return 1		# not all numeric
	[ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

[ "$2" ] || usage
table=$1 ; addr=$2
validint $table 1 127 || usage "table '$table' not 1..127"
[ "$3" ] && mlen=$3 || mlen=32	# allow old 'addr masklen' form but prefer CIDR
[ "${addr%/*}" != "$addr" ] && mlen=${addr#*/} && addr=${addr%/*}
validint $mlen 8 32 || usage "masklen '$mlen' not 8..32"
addr=$addr/$mlen
if [ $mlen -lt 32 ]; then	# calc CIDR netblock addr using table 0
	ipfw -q table 0 flush ; ipfw -q table 0 add $addr
	addr=`ipfw table 0 list | awk '{print $1}'`
fi				# only needed if looking up addr/mask
# the value stored with the entry is the current time in seconds from epoch
ipfw -q table $table add $addr `date "+%s"` 2>/dev/null ||
	echo "table $table add $addr `date +%s` failed: dupe?"
exit 0
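The 'list in date order' and 'purge before somedate' scripts Ian mentions are not included in the thread. What follows is an added example, not Ian's code and not part of ipfw, that implements both on top of the timestamp convention addr_to_table uses: the table value is the epoch time at which the address was admitted, so an idle-timeout for a captive portal becomes "delete every entry whose value is older than now minus the allowed age". It assumes `ipfw table N list` prints one `addr/mask value` line per entry (the old numeric-table format; newer ipfw with named tables prints extra header lines, which the awk filter skips), and the function names, the constructed SAMPLE data and the hypothetical table number 10 are all this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): expire ipfw table entries whose
# value is an epoch timestamp, as stored by the addr_to_table script.

# list_expired AGE NOW < list-output
# Print "addr/mask ts" for every entry whose timestamp ts is older than
# NOW-AGE seconds. Lines without a numeric second field (headers etc.)
# are ignored.
list_expired() {
	age=$1 ; now=$2
	awk -v cutoff=$((now - age)) '
		NF >= 2 && $2 ~ /^[0-9]+$/ && $2 < cutoff { print $1, $2 }
	'
}

# sort_by_time < list-output
# Entries oldest first, i.e. the "list in date order" helper.
sort_by_time() {
	sort -k2,2n
}

# purge_expired TABLE AGE [NOW]
# Delete from TABLE every entry admitted more than AGE seconds before
# NOW (default: current time). This is the only function that talks to
# the real ipfw, so it is not exercised by the self-test below.
purge_expired() {
	table=$1 ; age=$2 ; now=${3:-`date +%s`}
	ipfw table "$table" list | list_expired "$age" "$now" |
	while read -r addr ts; do
		ipfw -q table "$table" delete "$addr"
	done
}

# Constructed sample of "ipfw table 10 list" output (hypothetical table,
# made-up addresses and timestamps), deliberately not in time order.
SAMPLE='10.0.1.9/32 1473653500
10.0.2.0/24 1473654000
10.0.1.5/32 1473650000'

# count_expired AGE NOW: number of SAMPLE entries older than AGE seconds
count_expired() {
	printf '%s\n' "$SAMPLE" | list_expired "$1" "$2" | wc -l | tr -d ' '
}

# oldest_entry: first line of SAMPLE after sorting by timestamp
oldest_entry() {
	printf '%s\n' "$SAMPLE" | sort_by_time | head -n 1
}
```

Run from cron as e.g. `purge_expired 10 3600` to enforce a one-hour admission lifetime; because the timestamp is written once at admission, this is a hard session limit rather than an idle timeout, which is exactly the limitation Julian describes and the reason the portal must refresh the value (re-add the entry) if it wants idle-based expiry.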