Expire rules after delay

[pudelkoM]

No description provided.

[pudelkoM]

• Add timestamp field in TTL_flow_data, remove tracked flag?
• Analyzers insert timestamp from packet header
• Swapper expires rule with {action: "delete", filter: "ip host ...", keepUntil: 123456}
• Dumper store delete events in FIFO queue
• Keep current ts from last packet in bucket
• Check rule list in every iteration

[pudelkoM]

For rule dequeue: https://github.com/catwell/cw-lua/blob/master/deque/deque.lua

[emmericp]

You'll need a priority queue if the keepUntil timestamps aren't in increasing order.

I happen to have an implementation here: https://github.com/DeadlyBossMods/DeadlyBossMods/blob/master/DBM-Core/DBM-Core.lua#L1378-L1470

Or easier: insert new deletion events in the middle of the queue

[pudelkoM]

Another approach:

• Make tracked flag an uint8_t
• Analyzers set it to 1 for tracked, 0 means not tracked
• Swapper increments field on flow table swap (only if prev. value was > 0)
• Swapper expires flow when a value reaches threshold N

We can keep the table swapping interval short[1] and can control the delay: swap_interval * N.

No modification in the dumpers which are already slow.
No modification in the analyzers, they always reset the counter to 1.
Little modification in the swapper.

[1] Do we actually care about this? Why not set it to 10 mins and be done with this whole issue?