Hello, I have a table in my pf.conf that is declared and used as such:

    table <bruteforce> persist
    ....
    block drop quick from <bruteforce>
    ....
    pass in on $EXT_IF inet proto tcp from any to any port 22 keep state (max-src-conn 5, max-src-conn-rate 5/3, overload <bruteforce> flush global)

which gets flushed via root's crontab:

    10 1 * * * /sbin/pfctl -t bruteforce -T expire 86400

When looking at it with pfctl -vvs all it seems like the "cleared" field gets set to the epoch:

    ....
    -pa-r-- bruteforce
        Addresses:   17
        Cleared:     Thu Jan 1 01:00:00 1970
        References:  [ Anchors: 0        Rules: 2       ]
        Evaluations: [ NoMatch: 399867   Match: 31301   ]
        In/Block:    [ Packets: 31301    Bytes: 1863344 ]
        In/Match:    [ Packets: 0        Bytes: 0       ]
        In/Pass:     [ Packets: 0        Bytes: 0       ]
        In/XPass:    [ Packets: 0        Bytes: 0       ]
        Out/Block:   [ Packets: 0        Bytes: 0       ]
        Out/Match:   [ Packets: 0        Bytes: 0       ]
        Out/Pass:    [ Packets: 0        Bytes: 0       ]
        Out/XPass:   [ Packets: 0        Bytes: 0       ]
    ....

My non-persisting tables show:

    ....
    --a-r-- shares
        Addresses:   3
        Cleared:     Fri Apr 14 10:19:10 2017
        References:  [ Anchors: 0        Rules: 1       ]
        Evaluations: [ NoMatch: 192012   Match: 0       ]
        In/Block:    [ Packets: 0        Bytes: 0       ]
        In/Match:    [ Packets: 0        Bytes: 0       ]
        In/Pass:     [ Packets: 0        Bytes: 0       ]
        In/XPass:    [ Packets: 0        Bytes: 0       ]
        Out/Block:   [ Packets: 0        Bytes: 0       ]
        Out/Match:   [ Packets: 0        Bytes: 0       ]
        Out/Pass:    [ Packets: 0        Bytes: 0       ]
        Out/XPass:   [ Packets: 0        Bytes: 0       ]
    ....

which corresponds to the pf uptime. Is this intentional? I ran into this while trying to parse snmp info:

    $ snmpwalk -l authPriv -x AES -a MD5 -X xxxxxxxx -u snmp -A xxxxxxxx thor iso.org.dod.internet.private.enterprises.openBSD | egrep 'pfTblName.[23]|pfTblStatsCleared.[23]'
    OPENBSD-PF-MIB::pfTblName.2 = STRING: "bruteforce"
    OPENBSD-PF-MIB::pfTblName.3 = STRING: "shares"
    OPENBSD-PF-MIB::pfTblStatsCleared.2 = Timeticks: (3238636736) 374 days, 20:12:47.36 1/100th of a Second
    OPENBSD-PF-MIB::pfTblStatsCleared.3 = Timeticks: (51729800) 5 days, 23:41:38.00 1/100th of a Second

Alf

    $ uname -vmr
    6.1 GENERIC.MP#20 amd64
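
Added example, not part of the original post: a Python check of the two pfTblStatsCleared values quoted above, using helper names invented here. It assumes the agent reports hundredths of a second since Cleared in a 32-bit Timeticks and that the host is at UTC+2 in April; under those assumptions the 374-day reading for bruteforce is exactly a wrapped count from time_t 0.

```python
import re
from datetime import datetime, timedelta, timezone

# snmpwalk lines copied from the post above.
SNMP_LINES = """\
OPENBSD-PF-MIB::pfTblName.2 = STRING: "bruteforce"
OPENBSD-PF-MIB::pfTblName.3 = STRING: "shares"
OPENBSD-PF-MIB::pfTblStatsCleared.2 = Timeticks: (3238636736) 374 days, 20:12:47.36 1/100th of a Second
OPENBSD-PF-MIB::pfTblStatsCleared.3 = Timeticks: (51729800) 5 days, 23:41:38.00 1/100th of a Second
"""

WRAP = 2 ** 32  # Timeticks is an unsigned 32-bit count of 1/100 s
# Assumption: local zone is UTC+2 in April (the epoch prints as 01:00 in
# January in the post, i.e. UTC+1 in winter).
LOCAL = timezone(timedelta(hours=2))
# "Cleared" of the shares table as printed by pfctl in the post.
SHARES_CLEARED = datetime(2017, 4, 14, 10, 19, 10, tzinfo=LOCAL)

def parse_tables(text):
    """Return {table name: pfTblStatsCleared ticks} from snmpwalk output."""
    names = dict(re.findall(r'pfTblName\.(\d+) = STRING: "([^"]+)"', text))
    ticks = dict(re.findall(r'pfTblStatsCleared\.(\d+) = Timeticks: \((\d+)\)', text))
    return {names[i]: int(t) for i, t in ticks.items() if i in names}

def poll_time(cleared, ticks):
    """Poll time implied by a table whose Cleared time and ticks are both known."""
    return cleared + timedelta(seconds=ticks / 100)

def expected_ticks(cleared_epoch, poll):
    """Assumed agent behaviour: 1/100 s elapsed since Cleared, wrapped to 32 bits."""
    return (int(poll.timestamp()) - cleared_epoch) * 100 % WRAP

def never_cleared(tables, ref_name, ref_cleared):
    """Tables whose ticks equal a wrapped count from time_t 0 (Cleared = epoch)."""
    poll = poll_time(ref_cleared, tables[ref_name])
    return [n for n, t in tables.items() if t == expected_ticks(0, poll)]

if __name__ == "__main__":
    tables = parse_tables(SNMP_LINES)
    print("poll time:", poll_time(SHARES_CLEARED, tables["shares"]))
    print("Cleared = epoch:", never_cleared(tables, "shares", SHARES_CLEARED))
```

A monitoring script that alerts on table age from this OID can use the same comparison to recognise the wrapped value instead of reporting a table as cleared 374 days ago.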