OpenBSD Journal

Automatic expiry at timeout for pf(4) overload tables

Contributed by Peter N. M. Hansteen on from the overlords of overloads dept.

Network-oriented readers will be familiar with the concept of overload tables, commonly used with state tracking options to create adaptive rulesets for such things as punishing password-guessing botnets.

A downside to tables that tend to fill up indefinitely is that at some point they will be quite full, and the administrator would need to either run pfctl(8)'s -T expire on the table by hand or set up a crontab entry to weed out old entries at intervals.
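As an added illustration (constructed for this article, not taken from the patch or the tech@ thread), here is the kind of adaptive ruleset the paragraph above refers to, with the pfctl expire workaround it describes; the table name and the connection limits are assumed values:

```pf
# Constructed example: an adaptive ruleset that uses an overload table
# against password guessing on sshd. The table is declared persist so it
# survives ruleset reloads.
table <bruteforce> persist

# Anything already in the table is dropped before any other rule applies.
block in quick from <bruteforce>

# New ssh connections are tracked per source address. A host that holds
# more than 10 concurrent connections, or opens more than 3 new ones in
# any 30-second window, is added to <bruteforce> and all of its existing
# states are flushed.
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 3/30, \
                overload <bruteforce> flush global)

# Without a table timeout, entries accumulate forever. The current
# workaround is to drop entries older than N seconds by hand:
#     pfctl -t bruteforce -T expire 86400
# or from root's crontab, for example once an hour:
#     0 * * * * /sbin/pfctl -t bruteforce -T expire 86400
# The patch under discussion would let the table declaration itself carry
# the timeout, removing the need for this crontab entry; its exact syntax
# is in the patch on tech@ and is not reproduced here.
```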

Now Alexandr Nedvedicky (sashan@) is airing a patch on tech@ that would add a timeout option to table declarations, doing away with the need to set up crontab entries to run pfctl expire.

The patch and the explanation can be found in the thread "pf(4) add timeout option to ip address tables", with followup discussion where several developers and users pitch in.

The message reads,

List:       openbsd-tech
Subject:    pf(4) add timeout option to ip address tables
From:       Alexandr Nedvedicky <sashan () fastmail ! net>
Date:       2026-05-11 1:05:27

Hello,

The diff below should help people who use the 'overload' action in their
firewall configuration. This is how pf.conf(5) describes the
overload option:
     Because the 3-way handshake ensures that the source address is not being
     spoofed, more aggressive action can be taken based on these limits.  With
     the overload <table> state option, source IP addresses which hit either
     of the limits on established connections will be added to the named
     table.  This table can be used in the ruleset to block further activity
     from the offending host, redirect it to a tarpit process, or restrict its
     bandwidth.

As you can see, pf(4) keeps adding addresses to the table. The administrator
must clear the table which is used by the 'overload' option.

The newly added 'Source Limiter' suffers from the same issue.
The source limiter may add the source IP address which exceeds
the limit to the table. However, the administrator cannot define
any duration for how long the IP address should be kept in the
table referred to by the limiter.

The diff below adds a 'timeout' option for tables, so the administrator
can define a duration in seconds for how long the IP address
is kept in the table.

I think it was pointed out by dlg@ a long time ago that a similar
feature is missing in pf(4).

OK ?

thanks and
regards
sashan
--------8<---------------8<---------------8<------------------8<--------

with the patch to implement the feature following the cut line.

It is worth noting that this is a work in progress, and testing will only work on a recent -current. So the questions we would all like to address are,

  • Would you want this feature to be included?

  • How would this feature affect your setup?

  • Would this be considered a breaking change?

Test the patch (on a fresh -current if you are able), and join the discussion!

