Hi, I'd like to request the implementation of a new feature in pfctl. This new feature, as stated in the subject, would allow resetting the statistics for a single IP address. The resetting of statistics for all IP addresses in a specified table is already implemented (`pfctl -t sometable -T zero'). However, resetting the statistics for a single IP address in a table would allow me to continuously block repeat offenders, while releasing one-time offenders.

The scenario I'm thinking about is as follows:

An offender is added to a certain table, let's call it <blocked>, either by PF using the 'overload' feature, an external tool like blacklistd or fail2ban, or manually.

A cronjob expires addresses in table <blocked> after a time period X (`pfctl -t blocked -T expire 1209600').

An external tool like blacklistd or fail2ban (or something home-brewed) tracks the PF log, and resets the statistics for offending hosts that are already in table <blocked>.

This way, repeat offenders will remain in table <blocked> indefinitely, while hosts that attacked my server 'by accident' will get a retry.

PF already supports the necessary ioctl command DIOCRCLRASTATS, which does exactly what I want. So only pfctl would need to be patched for this feature to be implemented.

Actually, thinking FreeBSD pfctl was the same as OpenBSD pfctl, I requested this feature on the OpenBSD bugs mailing list yesterday. The request was accepted, and a patch was committed this afternoon. However, after all this, they told me that the 2 are not the same, and I should make a new feature request here. So, here it is.

More info can be found on the OpenBSD bugs and tech mailing lists:
https://marc.info/?l=openbsd-bugs&m=173206758904599&w=2
https://marc.info/?l=openbsd-tech&m=173210109222862&w=2

And the definitive OpenBSD patch is here:
https://marc.info/?l=openbsd-tech&m=173210375324534&w=2

Thank you for considering this feature request.

Sincerely,
Rob LA LAU
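The "repeat offender" step of the workflow above, as an added example that is not part of this bug report or of pfctl. The point it relies on is documented pfctl(8) behaviour: `-T expire N` deletes addresses whose statistics were last cleared more than N seconds ago, so zeroing the statistics of an address that is already in <blocked> restarts its expiry clock, while an address not yet in the table is simply added. The table listing and the offender list are constructed stand-ins for `pfctl -t blocked -T show` output and for what a log watcher would extract from pflog. It assumes that, once the feature is in, pfctl accepts `-T zero <address>` the same way it already accepts `-T add <address>`; check pfctl(8) on your system before relying on that form.

```shell
#!/bin/sh
# Added example (not from the bug report or from pfctl): per offending
# address, either reset its statistics in <blocked> (so the cron
# "-T expire" job keeps it) or add it to the table.
# ASSUMPTION: pfctl accepts "-T zero <address>" after the patch.

TABLE="${TABLE:-blocked}"
PFCTL="${PFCTL:-pfctl}"          # set PFCTL="echo pfctl" for a dry run

# Constructed stand-in for `pfctl -t blocked -T show` output (pfctl
# prints leading whitespace before each address).
SAMPLE_TABLE='   192.0.2.10
   198.51.100.7'

# Constructed offender list, as a log watcher might extract it from
# pflog; 192.0.2.10 appears twice on purpose.
SAMPLE_OFFENDERS='192.0.2.10
203.0.113.5
198.51.100.7
192.0.2.10'

# plan_actions OFFENDERS TABLE_LISTING
# Prints one "zero ADDR" or "add ADDR" line per distinct offender,
# in first-seen order.
plan_actions() {
  offenders=$1
  listing=$2
  printf '%s\n' "$offenders" | awk 'NF && !seen[$0]++' |
  while IFS= read -r addr; do
    # Strip pfctl's leading whitespace, then look for an exact match.
    if printf '%s\n' "$listing" | sed 's/^[[:space:]]*//' | grep -qxF -- "$addr"; then
      printf 'zero %s\n' "$addr"
    else
      printf 'add %s\n' "$addr"
    fi
  done
}

# apply_actions TABLE_NAME  (reads the lines plan_actions prints on stdin)
apply_actions() {
  while read -r action addr; do
    case $action in
      zero) $PFCTL -t "$1" -T zero "$addr" ;;   # assumed post-patch syntax
      add)  $PFCTL -t "$1" -T add  "$addr" ;;
    esac
  done
}

# Stand-alone dry run against the constructed data: ./script --demo
if [ "${1:-}" = "--demo" ]; then
  PFCTL="echo pfctl"
  plan_actions "$SAMPLE_OFFENDERS" "$SAMPLE_TABLE" | apply_actions "$TABLE"
fi
```

In production the constructed lists would be replaced by the live table (`pfctl -t blocked -T show`) and by addresses taken from pflog, and the tool would run with `PFCTL=pfctl`; keeping the planning step separate from the step that invokes pfctl makes the decision logic testable without touching /dev/pf.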
Please find the patch ported to FreeBSD here: https://reviews.freebsd.org/D47698 . It also led to finding a bug, https://reviews.freebsd.org/D47697 , so you probably want to apply both patches. I've developed them on the main branch, but they apply to FreeBSD 14 too; however, I have not tested them on 14.
Thank you so much for your quick response. Will take a few days to get back to you with results (working today and this weekend).
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6463b6b59152fb1695bbe0de78f6e2675c5a765a

commit 6463b6b59152fb1695bbe0de78f6e2675c5a765a
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-11-21 20:33:41 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-11-22 11:22:16 +0000

    pfctl: clear statistic for specified addresses

    The ioctl DIOCRCLRASTATS provides the functionality of clearing stats
    not only for the whole table but also for addresses stored in that table.
    The functionality was missing from pfctl, though. Add it now.

    PR:             282877
    Obtained from:  OpenBSD, kirill <kirill@openbsd.org>, e496dff3a7
    MFC after:      3 weeks

 sbin/pfctl/pfctl.8            |  6 ++---
 sbin/pfctl/pfctl.h            |  1 +
 sbin/pfctl/pfctl_radix.c      | 23 +++++++++++++++++
 sbin/pfctl/pfctl_table.c      | 17 +++++++++++--
 tests/sys/netpfil/pf/table.sh | 57 +++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 99 insertions(+), 5 deletions(-)