Hello,
I have a table in my pf.conf that is declared and used as such:
table <bruteforce> persist
....
block drop quick from <bruteforce>
....
pass in on $EXT_IF inet proto tcp from any to any port 22 keep state (max-src-conn 5, max-src-conn-rate 5/3, overload <bruteforce> flush global)
which gets flushed via root's crontab:
10 1 * * * /sbin/pfctl -t bruteforce -T expire 86400
When looking at it with pfctl -vvs all, it seems like the "cleared"
field gets set to the epoch:
....
-pa-r-- bruteforce
Addresses: 17
Cleared: Thu Jan 1 01:00:00 1970
References: [ Anchors: 0 Rules: 2 ]
Evaluations: [ NoMatch: 399867 Match: 31301 ]
In/Block: [ Packets: 31301 Bytes: 1863344 ]
In/Match: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Match: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
....
My non-persisting tables show:
....
--a-r-- shares
Addresses: 3
Cleared: Fri Apr 14 10:19:10 2017
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 192012 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Match: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Match: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
....
which corresponds to the pf uptime.
Is this intentional?
I ran into this while trying to parse snmp info:
$ snmpwalk -l authPriv -x AES -a MD5 -X xxxxxxxx -u snmp -A xxxxxxxx thor iso.org.dod.internet.private.enterprises.openBSD | egrep 'pfTblName.[23]|pfTblStatsCleared.[23]'
OPENBSD-PF-MIB::pfTblName.2 = STRING: "bruteforce"
OPENBSD-PF-MIB::pfTblName.3 = STRING: "shares"
OPENBSD-PF-MIB::pfTblStatsCleared.2 = Timeticks: (3238636736) 374 days, 20:12:47.36 1/100th of a Second
OPENBSD-PF-MIB::pfTblStatsCleared.3 = Timeticks: (51729800) 5 days, 23:41:38.00 1/100th of a Second
Alf
$ uname -vmr
6.1 GENERIC.MP#20 amd64
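
An added example, not part of the original post: a small parser for the table listing quoted above that flags tables whose Cleared time is really a zero timestamp, so monitoring can ignore it instead of reporting a bogus age. It assumes the seven-character flags column shown in the post and that the timestamp is printed in local time; the function names and the sample text are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: two table entries in the layout shown in the post
# (counter lines trimmed to one per table).
SAMPLE = """\
-pa-r-- bruteforce
Addresses: 17
Cleared: Thu Jan 1 01:00:00 1970
References: [ Anchors: 0 Rules: 2 ]
In/Block: [ Packets: 31301 Bytes: 1863344 ]
--a-r-- shares
Addresses: 3
Cleared: Fri Apr 14 10:19:10 2017
References: [ Anchors: 0 Rules: 1 ]
In/Block: [ Packets: 0 Bytes: 0 ]
"""

HEADER = re.compile(r"^([-cpairhC]{7})\s+(\S+)$")  # flags column, table name
EPOCH = datetime(1970, 1, 1)

def parse_tables(text):
    """Return {name: info} for each table block in the listing."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"persist": "p" in m.group(1), "addresses": None,
                   "cleared": None, "cleared_unset": None}
            tables[m.group(2)] = cur
        elif cur is not None and line.startswith("Addresses:"):
            cur["addresses"] = int(line.split(":", 1)[1])
        elif cur is not None and line.startswith("Cleared:"):
            stamp = line.split(":", 1)[1].strip()
            ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            cur["cleared"] = ts
            # Assumption: local time is printed, so a zero timestamp appears
            # shifted by the zone (01:00:00 in the post); allow one day.
            cur["cleared_unset"] = abs(ts - EPOCH) <= timedelta(days=1)
    return tables

def unset_cleared(text):
    """Names of tables whose Cleared time is effectively the Unix epoch."""
    return sorted(n for n, t in parse_tables(text).items() if t["cleared_unset"])

if __name__ == "__main__":
    print(unset_cleared(SAMPLE))
```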