The timestamp is reset when you flush and reload the table with

  # pfctl -t bruteforce -Ts >/etc/bruteforce
  # pfctl -t bruteforce -Tf
  # pfctl -t bruteforce -Ta -f /etc/bruteforce

Hmm, that's bad that there is no way to clear address stats without
flushing the table. Actually, there is a function in the kernel and
pfctl library (pfr_clr_astats) - we just forgot to implement it in
the pfctl tool. If nobody beats me, I'll look into doing that, as it
is probably a very short patch.

It should be possible to do:

  /* clear two addresses */
  # pfctl -t bruteforce -T? 1.2.3.4 5.6.7.8
  /* clear all */
  # pfctl -t bruteforce -Ts | pfctl -t bruteforce -T? -f -

Ok, so as Karl mentioned, -Tzero will clear all the stats/timestamp.
What we forgot to implement in pfctl is a way to clear the stats of
only selected addresses. The kernel already has this functionality,
modulo an unfortunate bug.

The following patch fixes the kernel bug, and implements the missing
functionality in pfctl userland.

http://www.berger.to/openbsd/pf001.txt

Cedric
