While this is weird behaviour, I don't see what purpose this match rule can serve, so it's not entirely surprising this hasn't been noticed before... What are you trying to do with this?
On 2010-06-14, william dunand <william.dun...@gmail.com> wrote:
> Dear list,
>
> I just noticed something strange with pf (4.7) and I wondered if
> someone could help me to understand it.
>
> Let's consider the following simple rule-set:
>
> <pf.conf>
> set skip on lo0
> pass all
> block out log on bge0 inet proto tcp from any to x.x.x.x port 80
> match out on bge0 inet proto tcp from any to x.x.x.x port 80
> <\pf.conf>
>
> Then if I just try a simple hping on x.x.x.x on port 80, I expect to
> see the packet blocked, and logged on pflog0, but I don't see it.
> If I just add a "log" to the "match" rule, then my hping packet will
> be logged twice on pflog0 (for the block and the match).
> I observe analogous behavior if I replace the block rule by a similar pass rule.
>
> So it seems impossible to log specific traffic if this traffic is
> matched somewhere by a simple "match" rule; one would need to add the
> "log" directive to the latter, which might of course not be desirable.
>
> Is this the expected behavior, or is there something I am overlooking?
>
> Any help would be greatly appreciated.
>
> Regards,
> William
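A small parser for the entries tcpdump prints from pflog0 (`tcpdump -n -e -ttt -i pflog0`), added here as an example and not part of the thread, to check which rules logged a given packet and so confirm the "logged twice" case above. The sample lines are constructed, and the `match` action token is assumed to be what tcpdump prints for a logging match rule.

```python
import re
from collections import Counter

# Rule prefix tcpdump prints for pflog with -e:
#   "rule <num>/(<reason>) <action> <dir> on <ifname>: <packet>"
# Note that "(match)" in that prefix is pflog's reason code, present for
# every rule-generated entry; it does not mean a pf "match" rule fired.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[\w-]+)\) (?P<action>pass|block|match)"
    r" (?P<dir>in|out) on (?P<ifname>\w+): (?P<pkt>.+)$"
)


def parse_pflog_line(line):
    """Return the fields of one pflog entry, or None for unrelated output."""
    m = PFLOG_RE.search(line)
    return m.groupdict() if m else None


def count_by_rule(lines):
    """Count log entries per (rule number, action)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            counts[(int(rec["rule"]), rec["action"])] += 1
    return counts


def duplicated_packets(lines):
    """Map each packet description logged by more than one rule to those rules."""
    seen = {}
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            seen.setdefault(rec["pkt"], set()).add((int(rec["rule"]), rec["action"]))
    return {pkt: rules for pkt, rules in seen.items() if len(rules) > 1}


# Constructed sample: what pflog0 might show for hping SYNs when both the block
# rule and the match rule carry "log" (documentation addresses, not real hosts).
SAMPLE = [
    "000000 rule 2/(match) block out on bge0: 192.0.2.10.40000 > 198.51.100.5.80: S 0:0(0) win 512",
    "000012 rule 3/(match) match out on bge0: 192.0.2.10.40000 > 198.51.100.5.80: S 0:0(0) win 512",
    "000430 rule 2/(match) block out on bge0: 192.0.2.10.40001 > 198.51.100.5.80: S 0:0(0) win 512",
    "not a pflog line",
]

if __name__ == "__main__":
    for (rule, action), n in sorted(count_by_rule(SAMPLE).items()):
        print(f"rule {rule} ({action}): {n} entries")
    for pkt, rules in duplicated_packets(SAMPLE).items():
        print(f"logged by {sorted(rules)}: {pkt}")
```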