In Ipfw3, each table entry has its own counter and last hit timestamp for
both directions.

On 12 September 2016 at 12:12, Ian Smith <smi...@nimnet.asn.au> wrote:

> On Mon, 12 Sep 2016 11:04:26 +0800, Julian Elischer wrote:
>
>  > Unfortunately we don't have any timers on table entries, so it's not possible
>  > to see how long an entry has been in use, or idle.
>  >
>  >
>  > If I were to have a captive portal, which placed the address of 'allowed'
>  > hosts into a table, we would have no way to time them out when they go idle.
>  > The only thing you can do is throw away all the entries at some time, and
>  > force them to all log in again.
>  >
>  > Does anyone have any patches to add "access time" to table entries?
>  >
>  >
>  > I'm guessing the way it would need to be done now would be to use dynamic
>  > rules and have the syn packet of every tcp session sent to the portal for
>  > approval, before being passed back to create the dynamic rule.
>
> Well nothing like patches, and surely not what you want, but I've been
> using the below since '08 to add timestamps to entries, and a couple of
> related scripts to list entries for particular tables in date order etc.
> I never finished adding the 'purge before somedate' script ..
>
> Nowadays with multiple table values you could maybe have useful tablearg
> values like skipto targets as well.
>
> cheers, Ian
>
> #!/bin/sh
> # addr_to_table 24/11/8 smithi
> # add ipaddr[/masklen|32] and value (seconds from epoch) to table N
> # 31/12/9 CIDR matching for updates, (ab)using table 0 for calc
> # 4/4/11 prefer direct ipaddr/masklen format, add numeric check
> usage() {
>         [ "$1" ] && echo $1
>         echo "usage: `basename $0` table address[/masklen | [ masklen]]"
>         exit 1
> }
> validint() {                                    # value min max
>         [ "`echo $1 | tr -d 0-9`" ] && return 1 # not all numeric
>         [ $1 -ge $2 -a $1 -le $3 ] && return 0 || return 1
> }
> [ "$2" ] || usage
> table=$1 ; addr=$2
> validint $table 1 127 || usage "table '$table' not 1..127"
> [ "$3" ] && mlen=$3 || mlen=32  # allow old but prefer CIDR format
> [ "${addr%/*}" != "$addr" ] && mlen=${addr#*/} && addr=${addr%/*}
> validint $mlen 8 32 || usage "masklen '$mlen' not 8..32"
>
> addr=$addr/$mlen
> if [ $mlen -lt 32 ]; then       # calc CIDR netblock addr using table 0
>         ipfw -q table 0 flush ; ipfw -q table 0 add $addr
>         addr=`ipfw table 0 list | awk '{print $1}'`
> fi                              # only needed if looking up addr/mask
>
> ipfw -q table $table add $addr `date "+%s"` 2>/dev/null
> [ $? -eq 0 ] || echo "table $table add $addr `date +%s` failed: dupe?"
> exit 0
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
>
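As an added example (not Ian's script and not from the thread), the unfinished "purge before somedate" step could be a plain-shell filter over `ipfw table N list` output: it selects entries whose epoch-second value (as written by addr_to_table) is older than a cutoff and emits the matching `ipfw table delete` commands as a dry run. It assumes the two-column `addr/mask value` list format and uses a constructed sample instead of a live table.

```shell
#!/bin/sh
# Added example: find and purge idle entries in an ipfw table whose value
# is the epoch timestamp at which the entry was added (as addr_to_table does).
# Assumed input format (from `ipfw table N list`): "addr/mask value" per line.

# stale_entries NOW MAXAGE  < list-output
# Prints "addr/mask value" for entries added before NOW - MAXAGE, oldest first.
# Lines whose value is not numeric are skipped rather than misread.
stale_entries() {
        now=$1 ; maxage=$2
        cutoff=$((now - maxage))
        awk -v cutoff="$cutoff" '
                NF == 2 && $2 ~ /^[0-9]+$/ && ($2 + 0) < (cutoff + 0) { print $1, $2 }
        ' | sort -k2,2n
}

# purge_cmds TABLE NOW MAXAGE  < list-output
# Dry run: prints the delete command for each stale entry instead of running it,
# so the operator can review what a captive-portal idle timeout would remove.
purge_cmds() {
        table=$1
        stale_entries "$2" "$3" | while read -r addr ts; do
                echo "ipfw -q table $table delete $addr"
        done
}

# Constructed sample of `ipfw table 5 list` output (not captured from a real box).
SAMPLE='10.0.0.7/32 1473650000
192.168.1.0/24 1473600000
10.0.0.9/32 1473655000
172.16.0.4/32 notanumber'

# Usage on a live system would be:
#   ipfw table 5 list | purge_cmds 5 "$(date +%s)" 7200
# With the sample and NOW=1473660000, a 2-hour (7200 s) idle limit flags the
# 192.168.1.0/24 and 10.0.0.7/32 entries; 10.0.0.9/32 is recent enough to stay.
```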