From: Alexandr Nedvedicky
Subject: Re: pf(4) add timeout option to ip address tables
To: obsd@mulh.net
Cc: tech@openbsd.org
Date: Mon, 11 May 2026 22:57:09 +0200

Hello,

On Mon, May 11, 2026 at 02:14:02PM -0400, obsd@mulh.net wrote:
> On 2026-05-11 1:05:27, Alexandr Nedvedicky wrote:
> > Diff below adds 'timeout' option for table, so administrator
> > can define duration in seconds for how long the IP address
> > is kept in table.
>
> I had been looking for something like this but...
>
> > * timeout tables are intended for 'overload' action in
> > * rules and limiters. They are not supposed to be
> > * either constant nor managed from command line
> > * (persistent). Also no support for counters.
>
> The nice thing about the counters is they include time
> when an IP was last seen. When I block an IP I want to
> keep that IP in the table if the offender keeps trying
> to access my server. I'll remove the IP only after it
> has not been seen after some specified amount of time.

so the expiration timer for address should be reset every
time there is a match on IP address/packet. this is something
that can be done.

> On 2026-05-11 6:18:18, Peter N. M. Hansteen wrote:
> > The classic advice about using overload tables for anything has been
> > that good housekeeping includes running "pfctl expire" with sensible
> > parameters on the tables from a cron job.
>
> That's exactly what I do.
>
> I don't remember the conditions but I also have to "pfctl zero IP"
> because there are times an in/out counter increased but the timestamp
> was not reset.
>
> The "feature request" wish I have is to be able to backup/restore tables
> preserving the counters and timestamp for each entry.
>
> Currently I do a "pfctl -T show" and save to file on server shutdown.
> Then I do a "pfctl -T add" from filename to reload table on boot.
> Obviously this resets all the timestamps to the current boot time.
> I know, don't reboot.

understood.
I will look at it and investigate options for how this can be implemented.

thanks and regards
sashan
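An added example, not from the thread and not pf/pfctl code, of the cron housekeeping obsd@mulh.net describes above: parse `pfctl -T show -vv` output, zero the addresses that are still generating hits (which resets their Cleared: timestamp), then expire the ones idle longer than a threshold. The sample output, the table name `bruteforce` and the fixed reference time `NOW` are constructed; the -vv layout is assumed from pfctl's output format, with the Out/* counter lines left out of the sample.

```python
import re
from datetime import datetime

# Constructed sample in the assumed layout of `pfctl -t <table> -T show -vv`:
# an address line, a ctime(3) "Cleared:" stamp, then per-direction counters.
SAMPLE = """\
   192.0.2.10
\tCleared:     Mon May 11 10:00:00 2026
\tIn/Block:    [ Packets: 42                 Bytes: 2520               ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
   198.51.100.7
\tCleared:     Sun May 10 09:30:00 2026
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
   203.0.113.5
\tCleared:     Mon May 11 21:00:00 2026
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
"""
NOW = datetime(2026, 5, 11, 22, 57, 9)  # constructed reference time
COUNTER = re.compile(r"^(?:In|Out)/(?:Block|Pass):\s+\[ Packets: (\d+)")

def parse_show(text):
    """Map each address to [Cleared timestamp, packets counted since then]."""
    entries, addr = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = COUNTER.match(line)
        if m:                       # counter line: accumulate packets
            entries[addr][1] += int(m.group(1))
        elif line.startswith("Cleared:"):
            stamp = line.split(":", 1)[1].strip()
            entries[addr] = [datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), 0]
        else:                       # anything else starts a new address
            addr = line
    return entries

def plan(table, text, now, max_idle):
    """Commands for one housekeeping run: zero addresses seen since their
    last clear (resets "Cleared:"), then expire what has been idle longer
    than max_idle seconds. Returns (active, stale, commands)."""
    entries = parse_show(text)
    active = sorted(a for a, (_, p) in entries.items() if p > 0)
    stale = sorted(a for a, (t, p) in entries.items()
                   if p == 0 and (now - t).total_seconds() > max_idle)
    cmds = []
    if active:
        cmds.append("pfctl -t %s -T zero %s" % (table, " ".join(active)))
    cmds.append("pfctl -t %s -T expire %d" % (table, max_idle))
    return active, stale, cmds
```

Running `plan("bruteforce", SAMPLE, NOW, 86400)` yields the zero command for 192.0.2.10 followed by the expire command; 198.51.100.7 is the only entry the expire step would drop.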