Article 75K2S Automatic expiry at timeout for pf(4) overload tables

From OpenBSD Journal (#75K2S)
Network-oriented readers will be familiar with the concept of overload tables, commonly used with state tracking options to create adaptive rulesets for such things as punishing password-guessing botnets.

A downside to tables that tend to fill up indefinitely is that at some point they will be quite full, and the administrator has to either manually run pfctl's table expire command (pfctl -T expire) or set up a crontab entry to weed out old entries at intervals.

Now Alexandr Nedvedicky (sashan@) is airing a patch on tech@ that would add a timeout option to table declarations, doing away with the need to set up crontab entries to run pfctl expire.
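An added example (not code from the post or from the patch) of the ruleset pattern described above, as pf.conf(5) has supported it so far; the table name, rate limit and expiry interval are constructed values, and the patch's new timeout syntax is not shown because it is not on this page.

```pf
# Constructed example: adaptive SSH password-guessing defence with an
# overload table. "persist" keeps the table alive even while it is empty.
table <bruteforce> persist

# Offending sources already in the table are blocked early.
block in quick on egress from <bruteforce>

# Track new SSH connections per source address; a source opening more
# than 5 connections in 30 seconds is added to <bruteforce> and has all
# of its existing states flushed.
pass in on egress proto tcp to (egress) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Without a table timeout, <bruteforce> only grows. Until the timeout
# option lands, the usual remedy is a root crontab(5) entry (not part of
# pf.conf) that drops entries older than one day, every hour:
#   0 * * * * /sbin/pfctl -t bruteforce -T expire 86400
```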

The patch and the explanation can be found in the thread "pf(4) add timeout option to ip address tables", with follow-up discussion where several developers and users pitch in.

The message reads,

List: openbsd-tech
Subject: pf(4) add timeout option to ip address tables
From: Alexandr Nedvedicky <sashan () fastmail ! net>
Date: 2026-05-11 1:05:27

Hello,

diff below should help people who use 'overload' action in their firewall configuration. This is how pf.conf(5) describes the overload option:
