Date:      Tue, 20 Sep 2016 09:34:08 -0700
From:      Julian Elischer <julian@freebsd.org>
To:        bycn82@dragonflybsd.org, Ian Smith <smithi@nimnet.asn.au>
Cc:        Julian Elischer <julian@elischer.org>, "freebsd-ipfw@freebsd.org" <Freebsd-ipfw@freebsd.org>
Subject:   Re: ipfw table expiry.. how to do it..?
Message-ID:  <a502e251-a881-5210-808e-22a208e1906d@freebsd.org>
In-Reply-To: <CAC+JH2yoge1Be-=7pnDJOmZbU=uLo8mEKMGtDCsuBKYVWQZo0Q@mail.gmail.com>
References:  <0f1acc7f-2c85-dc4d-a272-5631c1e749cd@elischer.org> <20160912135241.J91459@sola.nimnet.asn.au> <CAC+JH2yoge1Be-=7pnDJOmZbU=uLo8mEKMGtDCsuBKYVWQZo0Q@mail.gmail.com>

Hi Bill,

On 15/09/2016 9:48 PM, Bill Yuan wrote:
> In Ipfw3, each table entry has its own counter and last hit 
> timestamp for both directions.

I suspect you are confusing tables and dynamic rules? (your comment about 'direction')

If not, can you give examples?


>
> On 12 September 2016 at 12:12, Ian Smith <smithi@nimnet.asn.au 
> <mailto:smithi@nimnet.asn.au>> wrote:
>
>     On Mon, 12 Sep 2016 11:04:26 +0800, Julian Elischer wrote:
>
>      > Unfortunately we don't have any timers on table entries, so it's not possible
>      > to see how long an entry has been in use, or idle.
>      >
>      > If I were to have a captive portal, which placed the address of 'allowed'
>      > hosts into a table, we would have no way to time them out when they go idle.
>      > The only thing you can do is throw away all the entries at some time, and
>      > force them to all log in again.
>      >
>      > Does anyone have any patches to add "access time" to table entries?
>      >
>      > I'm guessing the way it would need to be done now would be to use dynamic
>      > rules and have the syn packet of every tcp session sent to the portal for
>      > approval, before being passed back to create the dynamic rule.
>
>     Well nothing like patches, and surely not what you want, but I've been
>     using the below since '08 to add timestamps to entries, and a couple of
>     related scripts to list entries for particular tables in date order etc.
>     I never finished adding the 'purge before somedate' script ..
>
>     Nowadays with multiple table values you could maybe have useful tablearg
>     values like skipto targets as well.
>
>     cheers, Ian
>
>     #!/bin/sh
>     # addr_to_table 24/11/8 smithi
>     # add ipaddr[/masklen|32] and value (seconds from epoch) to table N
>     # 31/12/9 CIDR matching for updates, (ab)using table 0 for calc
>     # 4/4/11 prefer direct ipaddr/masklen format, add numeric check
>     usage() {
>             [ "$1" ] && echo "$1"
>             echo "usage: `basename $0` table address[/masklen | [masklen]]"
>             exit 1
>     }
>     validint() {                                    # value min max
>             [ "$1" ] || return 1                    # empty is not numeric
>             [ "`echo $1 | tr -d 0-9`" ] && return 1 # not all numeric
>             [ $1 -ge $2 -a $1 -le $3 ] && return 0 || return 1
>     }
>     [ "$2" ] || usage
>     table=$1 ; addr=$2
>     validint $table 1 127 || usage "table '$table' not 1..127"
>     [ "$3" ] && mlen=$3 || mlen=32  # allow old but prefer CIDR format
>     [ "${addr%/*}" != "$addr" ] && mlen=${addr#*/} && addr=${addr%/*}
>     validint $mlen 8 32 || usage "masklen '$mlen' not 8..32"
>
>     addr=$addr/$mlen
>     if [ $mlen -lt 32 ]; then       # calc CIDR netblock addr using table 0
>             ipfw -q table 0 flush ; ipfw -q table 0 add $addr
>             addr=`ipfw table 0 list | awk '{print $1}'`
>     fi                              # only needed if looking up addr/mask
>
>     # value stored with the entry is the add time, seconds since the epoch
>     ipfw -q table $table add $addr `date "+%s"` 2>/dev/null
>     [ $? -eq 0 ] || echo "table $table add $addr `date +%s` failed: dupe?"
>     exit 0

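The 'purge before somedate' counterpart to Ian's addr_to_table, written here as an added example for the captive-portal case Julian describes; it is not code from this thread, from Ian or from the ipfw project. It assumes what Ian's script assumes: table values are epoch seconds written at add time, and `ipfw table N list` prints one `addr/masklen value` entry per line (which is why his script reads the address with `awk '{print $1}'`). The table number, the sample listing, the timestamps and the MAXAGE are constructed placeholders, and IPFW can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# purge_idle_table: delete ipfw table entries whose value (seconds since the
# epoch, as stored by addr_to_table) is older than MAXAGE seconds.
# Assumption (not from the thread): "ipfw table N list" prints one
# "addr/masklen value" entry per line. IPFW may be overridden for dry runs.
IPFW=${IPFW:-ipfw}

# expired_entries NOW MAXAGE
# Reads a table listing on stdin and prints the address of every entry whose
# timestamp value is older than NOW - MAXAGE. Lines without a numeric value
# (header lines, entries added without a timestamp) are never selected, so a
# malformed entry is left in place rather than silently removed.
expired_entries() {
        awk -v cutoff=$(($1 - $2)) '
                /^---/ { next }                       # table header lines, if any
                NF >= 2 && $2 ~ /^[0-9]+$/ && $2 < cutoff { print $1 }'
}

# purge_idle_table TABLE MAXAGE
# Deletes every expired entry from TABLE; a failed delete is reported and the
# remaining entries are still processed.
purge_idle_table() {
        table=$1 ; maxage=$2
        now=`date +%s`
        $IPFW table $table list | expired_entries $now $maxage | while read addr; do
                $IPFW -q table $table delete $addr \
                        || echo "table $table delete $addr failed" >&2
        done
}

# Constructed sample listing (placeholder hosts and timestamps): two timestamped
# entries and one entry whose value is not a timestamp.
SAMPLE_LISTING='10.1.1.5/32 1473654000
10.1.2.0/24 1473660000
192.168.1.9/32 nostamp'

# Runs the filter over the sample so the logic can be exercised without ipfw.
demo() {
        printf '%s\n' "$SAMPLE_LISTING" | expired_entries 1473661000 3000
}

if [ "$1" ]; then
        purge_idle_table "$1" "${2:-3600}"   # e.g. from cron: purge_idle_table 3 3600
else
        demo                                  # prints 10.1.1.5/32
fi
```

Note what this does and does not give you, since it is the point of the thread: the value is the time the entry was added, not the last time it was hit, so the purge enforces a maximum session age (periodic re-login) rather than a true idle timeout. To approximate "last seen", the portal would have to rewrite the entry's timestamp on activity, and addr_to_table above reports a second add of the same address as a failure ("dupe?"), so a refresh means removing and re-adding the entry.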