root@freebsd:/usr/ports/security/expiretable # make
===>  expiretable-0.6_1 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by expiretable-0.6_1 for building
===>  Extracting for expiretable-0.6_1
=> SHA256 Checksum OK for expiretable-0.6.tar.gz.
===>  Patching for expiretable-0.6_1
===>  Applying FreeBSD patches for expiretable-0.6_1 from /usr/ports/security/expiretable/files
===>  Configuring for expiretable-0.6_1
===>  Building for expiretable-0.6_1
--- expiretable.o ---
--- ioctl_helpers.o ---
--- messages.o ---
--- expiretable.o ---
cc -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -pedantic -Wall -ansi -c expiretable.c -o expiretable.o
--- ioctl_helpers.o ---
cc -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -pedantic -Wall -ansi -c ioctl_helpers.c -o ioctl_helpers.o
--- messages.o ---
cc -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -pedantic -Wall -ansi -c messages.c -o messages.o
--- ioctl_helpers.o ---
ioctl_helpers.c:203:10: warning: incompatible pointer types assigning to 'struct pf_state *' from 'struct pfsync_state *' [-Wincompatible-pointer-types]
        *states = ps.ps_states;
                ^ ~~~~~~~~~~~~
ioctl_helpers.c:204:21: error: invalid application of 'sizeof' to an incomplete type 'struct pf_state'
        return ps.ps_len / sizeof(struct pf_state);
                           ^     ~~~~~~~~~~~~~~~~~
/usr/include/net/pfvar.h:485:15: note: forward declaration of 'struct pf_state'
        TAILQ_HEAD(, pf_state)   states[2];
                     ^
1 warning and 1 error generated.
*** [ioctl_helpers.o] Error code 1

make[1]: stopped in /usr/ports/security/expiretable/work/expiretable-0.6
1 error

make[1]: stopped in /usr/ports/security/expiretable/work/expiretable-0.6
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1

Stop.
make: stopped in /usr/ports/security/expiretable
root@freebsd:/usr/ports/security/expiretable #
That's a result of the removal of the pf_state definition from the public headers, as part of the pf counter rework. It was removed because pf_state is a kernel-internal structure, and it has changed. Note that the ioctl() performed by this port (DIOCGETSTATES) doesn't actually return pf_state structures. It returns pfsync_state structures, and those are different. In other words: this port was already thoroughly broken, but now it also fails to compile. It does not make sense to return the structure to userspace visibility, because that won't actually make it work either.
(In reply to Kristof Provost from comment #1) OK, understood. Is there a different port or a better way to approach this? Expiring entries by time is a useful feature to have in various rate-limiting firewalls.
(In reply to mike from comment #2) I'm sure that the port can be fixed. If it's changed to use the pfsync_state structure it'll likely work fine. I don't use any such tools, so I have no alternatives to recommend.
(In reply to mike from comment #3) Maybe you don't need any tool; you can use pfctl. With expiretable I used the following:

# expiretable -v -t $ttl $table

With pfctl I can use:

# pfctl -v -t $table -T expire $ttl
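The replacement suggested in the comment above, worked through as a small sh wrapper that a cron job could call instead of expiretable. This is an added example, not code from the bug thread or from the expiretable or pfctl projects. It assumes the table names and TTLs shown in the comments are illustrative, and it adds a DRY_RUN variable (an assumption for the example) so the pfctl invocation can be inspected without pf present; the argument checks exist so that a table name taken from a config file or another script can never be parsed by pfctl as an option.

```shell
# Added example (not from the bug thread): replace
#   expiretable -v -t $ttl $table
# with pfctl's built-in
#   pfctl -t $table -T expire $ttl
# for one or more tables. DRY_RUN and the table:ttl argument format are
# assumptions of this example. pfctl is only executed when DRY_RUN is unset.

# Validate a pf table name: letters, digits, underscore, dot or dash only,
# and never starting with a dash, so it cannot be read by pfctl as a flag.
is_valid_table() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Validate a TTL: a positive integer number of seconds.
is_valid_ttl() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# expire_table TABLE TTL
# Runs "pfctl -t TABLE -T expire TTL", or prints that command when DRY_RUN
# is set. Returns 2 on an invalid table name or TTL without calling pfctl.
expire_table() {
    table=$1
    ttl=$2
    is_valid_table "$table" || { echo "bad table name: $table" >&2; return 2; }
    is_valid_ttl "$ttl" || { echo "bad ttl: $ttl" >&2; return 2; }
    if [ -n "${DRY_RUN:-}" ]; then
        echo "pfctl -t $table -T expire $ttl"
        return 0
    fi
    pfctl -t "$table" -T expire "$ttl"
}

# expire_all TABLE:TTL [TABLE:TTL ...]
# Expires every pair given, keeps going past invalid pairs, and returns the
# number of pairs that failed (0 when all succeeded).
expire_all() {
    failed=0
    for pair in "$@"; do
        table=${pair%%:*}
        ttl=${pair#*:}
        expire_table "$table" "$ttl" || failed=$((failed + 1))
    done
    return "$failed"
}

# Example cron line for an hourly run (assumed table names):
#   0 * * * * /usr/local/sbin/expire_tables.sh bruteforce:3600 scanners:86400
```

Note that `-T expire` deletes addresses whose statistics were cleared more than the given number of seconds ago, so an entry's age is counted from when it was added or last zeroed with `-T zero`; a table entry that is re-added by an overload rule keeps counting from its original insertion unless it is zeroed.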