Expiretable is a utility used to remove entries from a pf(4) table based on their age.

The age in question being the amount of time that has passed since the statistics for each entry in the target table was last cleared.

This program needs to be run as a user with read/write permission to /dev/pf. As with all unknown things that need to be run as the superuser or similar there is always the chance this one will cause death and destruction, so use at your own risk. It WorksForMe<tm>, don't blame me if your cat grows another eye, and so on and so forth.

If you find yourself using this utility, especially for a reason not mentioned here, please tell me about it.

The man-page:

• expiretable(1) - Really ugly, but there it is.

Johan Fredin has been nice enough to provide a port for expiretable. He has also put together a how-to on how to use expiretable to block attempts to bruteforce ssh. Be sure to check out the work of Peter N. M. Hansteen on firewalling with PF, especially the section on bruteforcing. 'geek00L' has written a short piece on using Snort2c + Expiretable. Thanks to Samuel Ljungkvist and others for ideas.

The sources:

• expiretable-0.6.tar.gz - Latest version. Added the ability to specify age in minutes, hours, days etc. Changed the age-limit to the limit imposed by OpenBSDs nanosleep(2).
• expiretable-0.5.tar.gz - Daemon-mode, small memory-handling fix and some cleaning of error-messages.
• expiretable-0.4.tar.gz
• expiretable-0.3.tar.gz
• expiretable-0.2.tar.gz
• expiretable-0.1.tar.gz - Same version as that posted on pf@

References:

• Made it into the FreeBSD ports tree as well it seems.
• Well, look at that. It's in the -current OpenBSD ports tree.
• Announcement of the utility.
• The thread on pf@ that gave me the idea.

TODO:

• Add option to expire entries after some time after last match.
• Expire entries after a number of matched packets/transferred bytes.
• Move entries to another table on expire.

Tableutil is a utility for converting, aggregating and performing operations (currently unions, differences, complements and intersections) on lists of IP-addresses. Its primary use is to convert files into a format pfctl(8) can read, but if you find another use for it I'd really like to know about it. It can read plain-text-files with ranges (12.12.12.12-23.23.23.23), CIDR-style networks (192.168.0.0/24) single addresses (242.242.242.242) or hostnames (one.two.com). It can also read p2b-files, the preferred file-format(s) of PeerGuardian. Tableutil has two modes of operation: Quick mode, which is used for converting files to pfctl-compatible tables and advanced mode, which is used to perform more advanced operations on files, and for greater flexibility of the output format.

For example, if you have three files, 'block1', 'block2' and 'exceptions' that is to be used in a table that blocks the hosts in 'block1' and 'block2', excepting the ranges in 'exceptions', create a file looking something like this:

# cat blockspec
$block1 = load(text, "block1"); # The block1-blocklist
$block2 = load(text, "block2"); # The block2-blocklist
$exceptions = load(text, "exceptions"); # List of exceptions

$block = difference(union($block1, $block2), $exceptions);

save(cidr, "blocklist", $block);

Or, if you just want to load a peerguardian blocklist (the text-kind), do something like this:

# cat update-blocklist.sh
#! /bin/sh

URL="http://peerguardian.sourceforge.net/lists/ads.php"
rm -f /tmp/blocklist

ftp -V -o - ${URL} 2> /dev/null | gunzip -c - | sed "s/.*:\([0-9.-]\)/\1/" | \
        tableutil -q text 2> /dev/null > /tmp/blocklist

if [ -s /tmp/blocklist ] ; then
        mv /etc/pfdata/blocklist /etc/pfdata/blocklist.old &&
        cp /tmp/blocklist /etc/pfdata/blocklist &&
        pfctl -f /etc/pf.conf -T load
fi

The man-page:

• tableutil(1) - Someone should do something about this mess. :)

In the next release, there will be a BNF:ish grammar that describes the config-file in the man-page. Until then I'll just put it here:

statements          ::= [ ( <table_statement> | <save_op> ) ";"
                        [ <statements> ] ]
table_statement     ::= <variable> | <table_literal> | <load_op> |
                        <assignment_op> | <union_op> | <difference_op> |
                        <intersection_op> | <complement_op>
variable            ::= VARIABLE_NAME
table_literal       ::= "{" [ <table_literal_entry> ] "}"
table_literal_entry ::= ( CIDR | RANGE | SINGLE_IP | HOSTNAME ) [ ,
                        <table_literal_entry> ]
load_op             ::= "load" "(" ( "text" | "p2b" ) ","
                        ( "stdin" , FILENAME ) ")"
save_op             ::= "save" "(" ( "cidr" | "range" | "single" ) ","
                        ( "stdout" | FILENAME ) ")"
assignment_op       ::= <variable> "=" <table_statement>
union_op            ::= "union" "(" <table_statement> "," <table_statement> ")"
difference_op       ::= "difference" "(" <table_statement> ","
                        <table_statement> ")"
intersection_op     ::= "intersection" "(" <table_statement> ","
                        <table_statement> ")"
complement_op       ::= "invert" "(" <table_statement> ")"

Where:

• VARIABLE_NAME is a string literal of the form \$[[:alpha:]][[:alnum:]_], eg. "$my_1st_variable".
• CIDR is an IP appended by a network prefix, eg. "192.168.0.0/24".
• RANGE is two IPs separated by a -, eg. "192.168.0.0-192.168.0.255".
• SINGLE_IP is a single IP, eg. "192.168.0.0".
• HOSTNAME is a valid hostname, eg. "www.google.com".
• FILENAME is a valid filename enclosed in double quotes, eg. ""/tmp/table"".

The sources:

• tableutil-0.6.tar.gz - Latest version. Small lexer-fix to handle different new-lines gracefully.
• tableutil-0.5.tar.gz - Supports p2b v3.
• tableutil-0.4.tar.gz
• tableutil-0.3.tar.gz
• tableutil-0.2.tar.gz
• tableutil-0.1.tar.gz - Initial internal release

References:

• Seems like some FreeBSD-people found it useful.

TODO:

• IPv6 support.
• Decent documentation.
• Storing/loading tables directly to/from /dev/pf.