Hi,

With a fresh install of a 5.7 snapshot on amd64 (OpenBSD 5.7-beta (GENERIC) #805: Sun Feb 22 03:09:53 MST 2015) I have noticed the following:

With this pf ruleset:

    $ sudo pfctl -s r
    block drop all
    pass all flags S/SA
    block return in on ! lo0 proto tcp from any to any port 6000:6010
    block drop in log on internal-group all
    pass in on internal-group inet proto udp from any to 172.28.78.11 port = 53
    pass in on internal-group inet proto udp from any to 172.28.79.11 port = 53
    pass in on internal-group inet proto udp from any to 172.28.79.19 port = 123
    pass in on internal-group inet proto udp from any to 172.28.79.29 port = 123
    pass in on internal-group inet proto tcp from 10.121.130.139 to 172.28.78.11 port = 636 flags S/SA
    pass in on internal-group inet proto tcp from 10.121.130.139 to 172.28.79.11 port = 636 flags S/SA
    pass in on internal-group inet proto tcp from 10.121.130.139 to 172.28.79.29 port = 25 flags S/SA
    pass in on internal-group inet proto icmp from any to 10.121.130.129 icmp-type echoreq
    pass in on internal-group inet proto icmp from any to 10.121.124.1 icmp-type echoreq

I get this pflog output:

    $ sudo tcpdump -i pflog0 -n -e action pass
    tcpdump: WARNING: snaplen raised from 116 to 160
    tcpdump: listening on pflog0, link-type PFLOG
    08:24:27.831052 rule 1/(match) pass in on vlan308: 10.120.108.2 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]
    08:26:36.645149 rule 1/(match) pass in on vlan308: 10.120.108.2 > 224.0.0.1: igmp query [tos 0xc0] [ttl 1]

Two things which I don't understand:

1. Why is pflog0 showing packets for a rule (1: pass all flags S/SA) that does not even have logging enabled?

2. If we ignore question #1, why is pflog0 only showing the IGMP traffic, considering that while the tcpdump was run other traffic matched rule 1 as well and created state?

Is this the normal pflog0 behavior with regards to IGMP traffic (i.e. it's always reported, regardless of whether or not logging was requested in a given rule)?

Thanks!

-Martin