* william dunand <william.dun...@gmail.com> [2010-06-14 11:03]:
> Dear list,
>
> I just noticed something strange with pf (4.7) and I wondered if
> someone could help me to understand it.
>
> Let's consider the following simple rule-set:
>
> <pf.conf>
> set skip on lo0
> pass all
> block out log on bge0 inet proto tcp from any to x.x.x.x port 80
> match out on bge0 inet proto tcp from any to x.x.x.x port 80
> </pf.conf>
>
> Then if I just try a simple hping on x.x.x.x on port 80, I expect to
> see the packet blocked, and logged on pflog0, but I don't see it.
> If I just add a "log" to the "match" rule, then my hping packet will
> be logged twice on pflog0 (for the block and the match).
> I observe analogous behavior if I replace the block rule by a similar pass rule.
>
> So it seems impossible to log specific traffic if this traffic is
> matched somewhere by a simple "match" rule; one would need to add the
> "log" directive to the latter, which might of course not be desirable.
>
> Is this the expected behavior, or is there something I am overlooking?
That would be a bug, by yours truly. I think I already saw you sendbug'ing it; if it is not yet sendbug'd, please do. I plan to go over the pf related PR entries soonish.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
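For readers following the thread, here is an added example (not code from the list posters or from pf itself) that models the rule-evaluation semantics the original poster expected and Henning's reply confirms should hold: "match" rules are applied as soon as they match and do not change the final verdict, while for "pass"/"block" rules the last matching rule wins and its "log" option is honoured once. The model deliberately does not reproduce the bug (zero log entries); it shows the intended outcome for the posted ruleset, so it can serve as the reference to check pflog0 against. The "x.x.x.x" destination is kept as the placeholder used in the post, and the Rule/evaluate names are this example's own.

```python
"""Toy model of pf rule evaluation: constructed illustration, not pf source."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                      # "pass", "block" or "match"
    log: bool = False
    direction: Optional[str] = None  # "in", "out" or None for both
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        """A field set to None on the rule matches any packet value."""
        criteria = (("direction", self.direction), ("iface", self.iface),
                    ("proto", self.proto), ("dst", self.dst), ("dport", self.dport))
        return all(want is None or pkt[key] == want for key, want in criteria)


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, int]:
    """Return (final_action, number_of_pflog_entries) for one packet.

    Intended pf semantics modelled here:
      * a "match" rule applies its options (here: log) immediately when hit,
        without deciding pass/block;
      * for "pass"/"block", the last matching rule decides, and its own
        "log" option produces one log entry for the packet;
      * no matching pass/block rule means the implicit default pass.
    """
    final: Optional[Rule] = None
    log_entries = 0
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "match":
            if rule.log:
                log_entries += 1
        else:
            final = rule
    if final is None:
        return "pass", log_entries
    if final.log:
        log_entries += 1
    return final.action, log_entries


def posted_ruleset(match_log: bool) -> List[Rule]:
    """The ruleset from the post ("set skip on lo0" omitted; lo0 is not exercised).

    match_log=False is the ruleset as posted; match_log=True is the variant
    the poster tried, with "log" added to the match rule.
    """
    web = dict(direction="out", iface="bge0", proto="tcp", dst="x.x.x.x", dport=80)
    return [
        Rule("pass"),                           # pass all
        Rule("block", log=True, **web),         # block out log on bge0 ... port 80
        Rule("match", log=match_log, **web),    # match out on bge0 ... port 80
    ]


# Constructed packets: the hping probe from the post, and an unrelated one.
HPING_PROBE = dict(direction="out", iface="bge0", proto="tcp", dst="x.x.x.x", dport=80)
OTHER_TRAFFIC = dict(direction="out", iface="bge0", proto="tcp", dst="x.x.x.x", dport=443)


if __name__ == "__main__":
    print("as posted:      ", evaluate(posted_ruleset(False), HPING_PROBE))  # expected: block, logged once
    print("log on match:   ", evaluate(posted_ruleset(True), HPING_PROBE))   # block, logged twice
    print("unrelated flow: ", evaluate(posted_ruleset(False), OTHER_TRAFFIC))  # pass, not logged
```

The practical check on a real host is the one the poster did: send the probe and watch the log interface with `tcpdump -n -e -ttt -i pflog0`. If the intended verdict is "block, logged once" but nothing appears, logging of the deciding rule has been lost, which matters operationally because the block still happens while the detection record silently does not.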