pf(4) add timeout option to ip address tables
Hello,
On Mon, May 11, 2026 at 02:14:02PM -0400, obsd@mulh.net wrote:
> On 2026-05-11 1:05:27, Alexandr Nedvedicky wrote:
> > Diff below adds a 'timeout' option for tables, so the administrator
> > can define the duration in seconds for how long an IP address
> > is kept in the table.
>
> I had been looking for something like this but...
>
> > * timeout tables are intended for 'overload' action in
> > * rules and limiters. They are not supposed to be
> > * either constant or managed from the command line
> > * (persistent). Also no support for counters.
>
> The nice thing about the counters is that they include the time
> when an IP was last seen. When I block an IP I want to
> keep that IP in the table if the offender keeps trying
> to access my server. I'll remove the IP only after it
> has not been seen for some specified amount of time.
So the expiration timer for the address should be reset
every time there is a match on the IP address/packet.
This is something that can be done.
>
> On 2026-05-11 6:18:18, Peter N. M. Hansteen wrote:
> > The classic advice about using overload tables for anything has been
> > that good housekeeping includes running "pfctl expire" with sensible
> > parameters on the tables from a cron job.
>
> That's exactly what I do.
>
> I don't remember the conditions, but I also have to "pfctl zero IP"
> because there are times when an in/out counter increased but the timestamp
> was not reset.
>
> The "feature request" wish I have is to be able to backup/restore tables
> preserving the counters and timestamp for each entry.
>
> Currently I do a "pfctl -T show" and save to file on server shutdown.
> Then I do a "pfctl -T add" from filename to reload table on boot.
> Obviously this resets all the timestamps to the current boot time.
> I know, don't reboot.
>
Understood. I will look at it and investigate options for how this
can be implemented.
thanks and
regards
sashan
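The housekeeping workflow described in the thread (run "pfctl -T expire" from cron, and zero the entries whose counters still grow so that their "Cleared" timestamp moves forward and only quiet addresses expire) can be scripted as follows. This is an added example, not code from the thread, from the diff, or from OpenBSD; the table name `bruteforce`, the TTL, the state-file path, and the sample `pfctl -T show -v` output are constructed for the example, and the column layout of that output is only approximated from pfctl(8).

```shell
#!/bin/sh
# Added example: keep an address in an overload table while it is still active,
# and drop it once it has been quiet for TTL seconds.
#
# pf only resets the per-address "Cleared" timestamp (which "pfctl -T expire"
# compares against) on "pfctl -T zero", so each run compares the packet
# counters with the previous snapshot and zeroes entries that grew.
#
# Assumptions (constructed for this example): table "bruteforce", a 24h TTL,
# and a state file under /var/db.
TABLE="${TABLE:-bruteforce}"
TTL="${TTL:-86400}"
STATE="${STATE:-/var/db/pf-${TABLE}.counts}"

# Constructed sample of "pfctl -t bruteforce -T show -v" output. The real
# output pads the counter columns more widely; field splitting copes with that.
SAMPLE='   192.0.2.10
        Cleared:     Mon May 11 13:00:00 2026
        In/Block:    [ Packets: 40 Bytes: 2400 ]
        In/Pass:     [ Packets: 0 Bytes: 0 ]
        Out/Block:   [ Packets: 0 Bytes: 0 ]
        Out/Pass:    [ Packets: 0 Bytes: 0 ]
   198.51.100.7
        Cleared:     Mon May 11 13:00:00 2026
        In/Block:    [ Packets: 5 Bytes: 300 ]
        In/Pass:     [ Packets: 0 Bytes: 0 ]
        Out/Block:   [ Packets: 0 Bytes: 0 ]
        Out/Pass:    [ Packets: 0 Bytes: 0 ]'

# totals: read "-T show -v" output on stdin, print "address total_packets"
# per entry. An address line has at most two fields (feedback flag, address);
# counter lines are summed over every "Packets:" value.
totals() {
	awk '
	NF <= 2 && $NF ~ /^!?[0-9a-fA-F.:]+(\/[0-9]+)?$/ {
		if (addr != "") print addr, sum
		addr = $NF; sum = 0; next
	}
	/Packets:/ { for (i = 1; i <= NF; i++) if ($i == "Packets:") sum += $(i + 1) }
	END { if (addr != "") print addr, sum }'
}

# seen_since PREVFILE: read current totals on stdin, print the addresses whose
# packet count is higher than in the previous snapshot (i.e. seen since then).
# Addresses missing from the snapshot are left alone: their "Cleared" time
# was set when they were inserted.
seen_since() {
	awk 'FILENAME == ARGV[1] { prev[$1] = $2; next }
	     ($1 in prev) && $2 + 0 > prev[$1] + 0 { print $1 }' "$1" -
}

# housekeep: intended to run from cron (e.g. every 10 minutes). Requires pfctl.
housekeep() {
	cur="${TMPDIR:-/tmp}/pf-${TABLE}.$$"
	pfctl -t "$TABLE" -T show -v | totals > "$cur" || return 1
	if [ -f "$STATE" ]; then
		seen_since "$STATE" < "$cur" | while read -r a; do
			# still active: reset its Cleared timestamp so expire keeps it
			pfctl -q -t "$TABLE" -T zero "$a"
		done
	fi
	mv "$cur" "$STATE"
	# drop every entry that has been quiet (not zeroed) for more than TTL seconds
	pfctl -q -t "$TABLE" -T expire "$TTL"
}
```

The first run only records a baseline; from the second run on, an address that keeps hitting the table is zeroed on every run and so never reaches the expire threshold, while one that stops is removed once its last zero (or its insertion) is older than TTL. Backup and restore across a reboot stay as in the thread ("-T show" to a file, "-T replace -f" on boot); pfctl offers no way to restore per-entry counters or timestamps, which is exactly the feature request above.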