Hi Bill,

On 15/09/2016 9:48 PM, Bill Yuan wrote:
> In Ipfw3, each table entry has its own counter and last hit timestamp for both directions.

I suspect you are confusing tables and dynamic rules? (your comment about 'direction')

If not, can you give examples?



On 12 September 2016 at 12:12, Ian Smith <smi...@nimnet.asn.au> wrote:

    On Mon, 12 Sep 2016 11:04:26 +0800, Julian Elischer wrote:

     > Unfortunately we don't have any timers on table entries, so it's not possible
     > to see how long an entry has been in use, or idle.
     >
     > If I were to have a captive portal, which placed the address of 'allowed'
     > hosts into a table, we would have no way to time them out when they go idle.
     > The only thing you can do is throw away all the entries at some time, and
     > force them to all log in again.
     >
     > Does anyone have any patches to add "access time" to table entries?
     >
     > I'm guessing the way it would need to be done now would be to use dynamic
     > rules and have the syn packet of every tcp session sent to the portal for
     > approval, before being passed back to create the dynamic rule.

    Well nothing like patches, and surely not what you want, but I've been
    using the below since '08 to add timestamps to entries, and a couple of
    related scripts to list entries for particular tables in date order etc.
    I never finished adding the 'purge before somedate' script ..

    Nowadays with multiple table values you could maybe have useful tablearg
    values like skipto targets as well.

    cheers, Ian

    #!/bin/sh
    # addr_to_table 24/11/8 smithi
    # add ipaddr[/masklen|32] and value (seconds from epoch) to table N
    # 31/12/9 CIDR matching for updates, (ab)using table 0 for calc
    # 4/4/11 prefer direct ipaddr/masklen format, add numeric check
    usage() {
            [ "$1" ] && echo "$1"
            echo "usage: `basename $0` table address[/masklen | [masklen]]"
            exit 1
    }
    validint() {                                    # value min max
            [ -z "$1" ] && return 1                 # empty value
            [ "`echo $1 | tr -d 0-9`" ] && return 1 # not all numeric
            [ "$1" -ge "$2" -a "$1" -le "$3" ] && return 0 || return 1
    }
    [ "$2" ] || usage
    table=$1 ; addr=$2
    validint "$table" 1 127 || usage "table '$table' not 1..127"
    [ "$3" ] && mlen=$3 || mlen=32  # allow old but prefer CIDR format
    [ "${addr%/*}" != "$addr" ] && mlen=${addr#*/} && addr=${addr%/*}
    validint "$mlen" 8 32 || usage "masklen '$mlen' not 8..32"

    addr=$addr/$mlen
    if [ "$mlen" -lt 32 ]; then     # calc CIDR netblock addr using table 0
            ipfw -q table 0 flush ; ipfw -q table 0 add "$addr"
            addr=`ipfw table 0 list | awk '{print $1}'`
    fi                              # only needed if looking up addr/mask

    # value stored with the entry is the add time in seconds since the epoch
    ipfw -q table "$table" add "$addr" `date "+%s"` 2>/dev/null
    [ $? -eq 0 ] || echo "table $table add $addr `date +%s` failed: dupe?"
    exit 0
    _______________________________________________
    freebsd-ipfw@freebsd.org mailing list
    https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
    To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
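Ian mentions never finishing the 'purge before somedate' script that would pair with addr_to_table above. The following is an added example, not code from Ian's post or from FreeBSD: it assumes entries were added by addr_to_table (value = add time in seconds since the epoch) and deletes those older than a maximum age; the table listing embedded in it is constructed so the selection logic can be exercised without ipfw.

```shell
#!/bin/sh
# purge_table_idle: companion to addr_to_table (added example, not from the
# original post). Deletes from ipfw table N every entry whose value, written
# by addr_to_table as seconds since the epoch, is older than MAX_AGE seconds.
# The value records when the entry was added, not when it last matched: ipfw
# offers no per-entry access time, so this ages entries out by add time.

# select_stale CUTOFF: read `ipfw table N list` output on stdin and print the
# address of each entry whose numeric value is below CUTOFF. Header lines and
# entries whose value is not a plain integer (e.g. a nexthop address in a
# table used for something else) are skipped, so they are never deleted.
select_stale() {
        awk -v cutoff="$1" '
                NF >= 2 && $2 ~ /^[0-9]+$/ && ($2 + 0) < (cutoff + 0) { print $1 }
        '
}

# purge_idle TABLE MAX_AGE: delete every entry older than MAX_AGE seconds.
purge_idle() {
        table=$1 ; max_age=$2
        cutoff=$(( $(date +%s) - max_age ))
        ipfw table "$table" list | select_stale "$cutoff" |
        while read -r addr; do
                ipfw -q table "$table" delete "$addr" ||
                        echo "table $table delete $addr failed" >&2
        done
}

# Constructed sample in the layout of `ipfw table 3 list` (a header line as
# newer ipfw prints, then entries), so select_stale runs without ipfw.
SAMPLE_LISTING='--- table(3), set(0) ---
10.1.2.3/32 1473638400
10.1.9.0/24 1473724800
192.168.5.7/32 1473811200
192.0.2.1/32 10.0.0.1'

# Real purge only when a table number is given (purge_table_idle TABLE
# [MAX_AGE], default one day); otherwise dry-run select_stale on the sample.
if [ -n "${1:-}" ]; then
        purge_idle "$1" "${2:-86400}"
else
        printf '%s\n' "$SAMPLE_LISTING" | select_stale 1473800000
fi
```

Because addr_to_table refuses a duplicate add, a portal that wants an entry to survive the purge has to delete and re-add it on activity, which refreshes the stored time.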


