freebsd-src icon indicating copy to clipboard operation
freebsd-src copied to clipboard

Published 20 hours ago verified publisher icon freebsd

Preserve pf table timers during counters cleanup

Open Onepamopa opened this issue 4 years ago • 3 comments

Normal behavior for clearing up statistics is preserved: call DIOCRCLRTSTATS with PFR_FLAG_ADDRSTOO Preserve timers (only clear packets/bytes counters): call DIOCRCLRTSTATS with PFR_FLAG_ATOMIC

Example - In my case - "counters" table with ~900k entries (throughout the day). When the timer is not zeroed, it becomes an "entry" timer - when the IP was initially added to the table. Counters are zeroed with ATOMIC, then only the entries within a time period (here's where not zeroing the timer comes into play) are checked - if they have or not have any new packets/bytes (i.e. - are currently active/inactive), while the rest remain untouched. This is then used to determine if an IP should remain in the table or be removed / placed into another table, etc.

Maybe this could be done in a more elegant way, it's just the way I've been using it on my servers for more than 5-6 months w/o any issues whatsoever. Could be extended to pfctl, if desired.

Feel free to rework.

Onepamopa avatar Oct 15 '21 20:10 Onepamopa

@mjguzik any chance of getting this checked (reworked if needed) / committed?

Onepamopa avatar Oct 31 '21 09:10 Onepamopa

I think @kprovost should weigh in on this.

mjguzik avatar Oct 31 '21 15:10 mjguzik

@kprovost mind weighing in on this? :) Its not breaking the default behavior, just enhancing it a bit.

Onepamopa avatar Nov 11 '21 08:11 Onepamopa

Without a generic use case I’m not inclined to pick this up.

kprovost avatar Feb 27 '23 05:02 kprovost

As far as a "generic" use case - I've explained what I'm using it for - expiring (removing) only inactive blocked addresses - i.e. addresses that are not sending any traffic after a X amount of minutes being added to a "block" counters table. It's a way of tracking how much time the IP has spent in the table. I'm only checking if it's not sending any traffic after it's already being 30 minutes in the table.

As I said - it costs nothing to implement, it doesn't break the normal usage of DIOCRCLRTSTATS - it just adds an additional flag that alters the behavior of DIOCRCLRTSTATS in a predictable way.

Onepamopa avatar Feb 27 '23 09:02 Onepamopa

I'll let @Onepamopa and @kprovost work this out offline. Our new pull request policy discourages pull requests where there are open issues that haven't been resolved. Please work elsewhere to build consensus for this patch and resubmit... or better yet, have @kprovost commit it. I'm sorry it took the project so long to provide this feedback. We recognized that we weren't doing a good job and have a new pull request policy to try to address lingering issues without feedback like this.

bsdimp avatar Feb 28 '23 00:02 bsdimp