On Mon, Jan 30, 2017 at 11:46:32AM +0000, Stuart Henderson wrote:
> > I'm surprised that I get logging in pflog even though I have *no* 'log'
> > in my pf.conf.
> >
> > # pfctl -vvsr -R 14
> > @14 pass all flags S/SA
> >   [ Evaluations: 30082     Packets: 569255    Bytes: 365488723   States: 23 ]
> >   [ Inserted: uid 0 pid 71493 State Creations: 29574 ]
> >
> > According to pf.conf(5), 'all' in the above should be, though still
> > not having 'log':
> >
> > "     all     This is equivalent to `from any to any'."
> >
> > # tcpdump -r /var/log/pflog -n -e -ttt rulenum 14 | tail -n1
> > tcpdump: WARNING: snaplen raised from 116 to 160
> > Jan 30 11:52:45.295489 rule 14/(ip-option) pass in on vlan0: 192.168.254.101 > 224.0.0.22: igmp-2 [v2] [ttl 1]
> >
> > # sysctl kern.version
> > kern.version=OpenBSD 6.0-current (GENERIC.MP) #153: Tue Jan 24 19:06:50 MST 2017
> >     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > Is this a bug or feature? Thx.
>
> afaik, feature. It's a packet with ip-options which is blocked outright
> by PF unless you have an "allow-opts" rule.

OK, but there's nothing about logging ip-options packets in pf.conf under 'allow-opts'.

j.
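The pflog entries discussed above carry a reason field in parentheses, `(ip-option)` here, which is what distinguishes packets logged because PF rejected their IP options from packets logged by a rule's `log` keyword. The parser below, an added example that is not from the thread or from the OpenBSD project, reads lines in the `tcpdump -n -e -ttt -r /var/log/pflog` format shown above and groups them by rule and reason; the sample lines other than the one from the thread are constructed, and the line layout is assumed to match that one line.

```python
import re
from collections import Counter

# Assumed layout of one decoded pflog line, taken from the line in the
# thread:  <timestamp> rule <nr>/(<reason>) <action> <dir> on <if>: <pkt>
PFLOG_RE = re.compile(
    r"^(?P<ts>.+?) rule (?P<rule>\d+)/(?:[^(]*)\((?P<reason>[\w-]+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:]+): (?P<packet>.*)$"
)


def parse_pflog_line(line):
    """Return a dict of fields for a decoded pflog line, or None if the
    line is not a packet record (e.g. a tcpdump warning)."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Count records per (rule number, reason) and collect the records whose
    reason is 'ip-option', i.e. packets PF logged on its own because they
    carried IP options, regardless of any 'log' keyword on the rule."""
    by_rule_reason = Counter()
    ip_option_hits = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        by_rule_reason[(int(rec["rule"]), rec["reason"])] += 1
        if rec["reason"] == "ip-option":
            ip_option_hits.append(rec)
    return by_rule_reason, ip_option_hits


# Constructed sample: the first two lines are from the thread, the last two
# are made up (RFC 5737 documentation addresses) to show a normal 'match'
# record alongside a second ip-option record.
SAMPLE = """\
tcpdump: WARNING: snaplen raised from 116 to 160
Jan 30 11:52:45.295489 rule 14/(ip-option) pass in on vlan0: 192.168.254.101 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Jan 30 11:52:46.000001 rule 3/(match) block in on em0: 203.0.113.7.44321 > 192.0.2.10.22: S 1:1(0) win 65535
Jan 30 11:52:47.000002 rule 14/(ip-option) pass in on vlan0: 192.168.254.102 > 224.0.0.22: igmp-2 [v2] [ttl 1]
"""

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE.splitlines())
    for (rule, reason), n in sorted(counts.items()):
        print(f"rule {rule:>3} reason {reason:<10} {n} packet(s)")
    for rec in hits:
        print("ip-option:", rec["action"], rec["dir"], "on", rec["ifname"], rec["packet"])
```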