From: obsd@mulh.net
Subject: Re: pf(4) add timeout option to ip address tables
To: tech@openbsd.org
Date: Mon, 11 May 2026 14:14:02 -0400

On 2026-05-11 1:05:27, Alexandr Nedvedicky wrote:
> Diff below adds 'timeout' option for table, so administrator
> can define duration in seconds for how long the IP address
> is kept in table.

I had been looking for something like this but...

> * timeout tables are intended for 'overload' action in
> * rules and limiters. They are not supposed to be
> * either constant nor managed from command line
> * (persistent). Also no support for counters.

The nice thing about the counters is they include the time when an IP was last seen. When I block an IP I want to keep that IP in the table if the offender keeps trying to access my server. I'll remove the IP only after it has not been seen for some specified amount of time.

On 2026-05-11 6:18:18, Peter N. M. Hansteen wrote:
> The classic advice about using overload tables for anything has been
> that good housekeeping includes running "pfctl expire" with sensible
> parameters on the tables from a cron job.

That's exactly what I do. I don't remember the conditions, but I also have to "pfctl zero IP" because there are times an in/out counter increased but the timestamp was not reset.

The "feature request" wish I have is to be able to backup/restore tables preserving the counters and timestamp for each entry. Currently I do a "pfctl -T show" and save to file on server shutdown. Then I do a "pfctl -T add" from filename to reload table on boot. Obviously this resets all the timestamps to the current boot time. I know, don't reboot.
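The housekeeping the thread describes (zero the counters of entries that are still being hit so their "Cleared" stamp moves forward, then "pfctl expire" the idle ones from cron), written out as an added example that is not OpenBSD's or the poster's code. It assumes PFCTL may be a wrapper such as "doas pfctl" and that "-T show -vv" prints the layout mirrored by the constructed sample at the bottom.

```shell
#!/bin/sh
# Added example, not OpenBSD's or the poster's code: cron housekeeping for a pf
# overload table following the workflow in the mail above. Assumes PFCTL may be
# a wrapper such as "doas pfctl" and that `-T show -vv` prints the layout
# mirrored by the constructed sample at the bottom.
PFCTL="${PFCTL:-pfctl}"

# Read `pfctl -t <table> -T show -vv` on stdin; print the address of every entry
# whose packet counters are non-zero (the host kept hitting the firewall since
# its stats were last cleared).
active_addrs() {
    addr=''; pkts=0
    while IFS= read -r line; do
        set -- $line                       # field 1 is the key or the address
        case "$1" in
            ''|Cleared:) ;;                # blank or timestamp line
            */Block:|*/Pass:|*/Match:)     # "[ Packets: N Bytes: M ]"
                pkts=$((pkts + $4)) ;;
            *)  [ -n "$addr" ] && [ "$pkts" -gt 0 ] && echo "$addr"
                addr=$1; pkts=0 ;;         # start of the next entry
        esac
    done
    [ -n "$addr" ] && [ "$pkts" -gt 0 ] && echo "$addr"
    return 0
}

# Zero the counters of still-active entries so their "Cleared" stamp moves to
# now, then let pfctl expire whatever has been idle longer than $2 seconds.
# Without the zero step, expire would drop a persistent offender whose counters
# keep growing while its timestamp never changes.
housekeep() {
    "$PFCTL" -t "$1" -T show -vv | active_addrs |
        while IFS= read -r a; do "$PFCTL" -t "$1" -T zero "$a"; done
    "$PFCTL" -t "$1" -T expire "$2"
}

# Constructed, abridged sample of `-T show -vv` output for an offline run.
SAMPLE='   192.0.2.10
	Cleared:     Mon May 11 12:00:00 2026
	In/Block:    [ Packets: 42    Bytes: 2520  ]
	Out/Block:   [ Packets: 0     Bytes: 0     ]
   198.51.100.7
	Cleared:     Mon May 11 12:00:00 2026
	In/Block:    [ Packets: 0     Bytes: 0     ]
	Out/Block:   [ Packets: 0     Bytes: 0     ]'

printf '%s\n' "$SAMPLE" | active_addrs        # prints 192.0.2.10 only
```

Run `housekeep <table> <idle-seconds>` from cron as root; the parser is the part exercised offline here.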