From: Julian Elischer <julian@freebsd.org>
To: bycn82@dragonflybsd.org, Ian Smith
Cc: Julian Elischer, "freebsd-ipfw@freebsd.org"
Subject: Re: ipfw table expiry.. how to do it..?
Date: Tue, 20 Sep 2016 09:34:08 -0700
References: <0f1acc7f-2c85-dc4d-a272-5631c1e749cd@elischer.org> <20160912135241.J91459@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

Hi Bill,

On 15/09/2016 9:48 PM, Bill Yuan wrote:
> In Ipfw3, each table entry has its own counter and last hit
> timestamp for both directions.

I suspect you are confusing tables and dynamic rules? (your comment about 'direction') If not, can you give examples?

>
> On 12 September 2016 at 12:12, Ian Smith wrote:
>
> > On Mon, 12 Sep 2016 11:04:26 +0800, Julian Elischer wrote:
> >
> > > Unfortunately we don't have any timers on table entries, so it's not possible
> > > to see how long an entry has been in use, or idle.
> > >
> > > If I were to have a captive portal, which placed the address of 'allowed'
> > > hosts into a table, we would have no way to time them out when they go idle.
> > > The only thing you can do is throw away all the entries at some time, and
> > > force them to all log in again.
> > >
> > > Does anyone have any patches to add "access time" to table entries?
> > >
> > > I'm guessing the way it would need to be done now would be to use dynamic
> > > rules and having the syn packet of every tcp session sent to the portal for
> > > approval, before being passed back to create the dynamic rule.
> >
> > Well nothing like patches, and surely not what you want, but I've been
> > using the below since '08 to add timestamps to entries, and a couple of
> > related scripts to list entries for particular tables in date order etc.
> > I never finished adding the 'purge before somedate' script ..
> >
> > Nowadays with multiple table values you could maybe have useful tablearg
> > values like skipto targets as well.
> >
> > cheers, Ian
> >
> > #!/bin/sh
> > # addr_to_table 24/11/8 smithi
> > # add ipaddr[/masklen|32] and value (seconds from epoch) to table N
> > # 31/12/9 CIDR matching for updates, (ab)using table 0 for calc
> > # 4/4/11 prefer direct ipaddr/masklen format, add numeric check
> > usage() {
> >     [ "$1" ] && echo "$1"
> >     echo "usage: `basename $0` table address[/masklen | [ masklen]]"
> >     exit 1
> > }
> > validint() { # value min max
> >     [ "$1" ] || return 1                          # empty is not a number
> >     [ "`echo $1 | tr -d 0-9`" ] && return 1       # not all numeric
> >     [ "$1" -ge "$2" ] && [ "$1" -le "$3" ] && return 0 || return 1
> > }
> > [ "$2" ] || usage
> > table=$1 ; addr=$2
> > validint "$table" 1 127 || usage "table '$table' not 1..127"
> > [ "$3" ] && mlen=$3 || mlen=32 # allow old but prefer CIDR format
> > [ "${addr%/*}" != "$addr" ] && mlen=${addr#*/} && addr=${addr%/*}
> > validint "$mlen" 8 32 || usage "masklen '$mlen' not 8..32"
> >
> > addr=$addr/$mlen
> > if [ "$mlen" -lt 32 ]; then # calc CIDR netblock addr using table 0
> >     # ipfw normalises host bits away, so listing table 0 yields the network address
> >     ipfw -q table 0 flush ; ipfw -q table 0 add "$addr"
> >     addr=`ipfw table 0 list | awk '{print $1}'`
> > fi # only needed if looking up addr/mask
> >
> > # the table value is the epoch time of insertion, i.e. the timestamp
> > ipfw -q table "$table" add "$addr" `date "+%s"` 2>/dev/null
> > [ $? -eq 0 ] || echo "table $table add $addr `date +%s` failed: dupe?"
> > exit 0
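The 'purge before somedate' half that Ian's message leaves unfinished, written here as an added example rather than code from the thread or from anyone on it. It assumes entries were inserted the way addr_to_table does (the table value is the epoch time of insertion) and that `ipfw table N list` prints one "addr/masklen value" pair per line; any header line in newer ipfw output is skipped because its second field is not numeric. The function names, the sample listing and the dry-run switch are my own.

```sh
#!/bin/sh
# Added example: idle-entry purge for a timestamped ipfw table.
# Assumption: table values are epoch seconds, as addr_to_table stores them.

# stale_entries LISTING NOW IDLE
# Print "addr/masklen value" for every entry whose timestamp lies more than
# IDLE seconds before NOW. Lines whose second field is not a plain integer
# (ipfw's "--- table(N), set(0) ---" banner, for instance) are ignored.
stale_entries() {
    printf '%s\n' "$1" | awk -v now="$2" -v idle="$3" '
        NF >= 2 && $2 ~ /^[0-9]+$/ && (now - $2) > idle { print $1, $2 }'
}

# count_stale LISTING NOW IDLE: how many entries stale_entries would report.
count_stale() {
    stale_entries "$1" "$2" "$3" | awk 'END { print NR }'
}

# purge_stale TABLE IDLE [dry]
# Fetch the live table and delete each entry idle for longer than IDLE
# seconds. With a third argument the delete commands are printed, not run,
# so the operator can review what a cron job would remove.
purge_stale() {
    table=$1; idle=$2; dry=$3
    listing=$(ipfw table "$table" list) || return 1
    now=$(date +%s)
    stale_entries "$listing" "$now" "$idle" | while read -r addr ts; do
        if [ -n "$dry" ]; then
            echo "ipfw table $table delete $addr   # idle $((now - ts))s"
        else
            ipfw -q table "$table" delete "$addr"
        fi
    done
}

# Constructed sample listing (not real table contents), in the format
# addr_to_table would have produced: address/masklen then epoch seconds.
SAMPLE_LIST='10.1.2.3/32 1473600000
10.1.2.4/32 1473690000
192.168.5.0/24 1473000000'

# Stand-alone run: report which sample entries are idle for over an hour
# relative to a fixed "now" of 1473693000, so the result is reproducible.
stale_entries "$SAMPLE_LIST" 1473693000 3600
```

Run `purge_stale 1 3600 dry` from cron to see what would go, then drop the `dry` argument once the idle threshold matches the portal's session policy. Note that addr_to_table never refreshes the timestamp of an existing entry (the add fails as a dupe), so the value measures time since first insertion, not time since last traffic; a captive portal that wants true idle timeout has to delete and re-add the entry on each observed login.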