On Sat, Jan 29, 2011 at 5:37 AM, Henning Brauer <lists-open...@bsws.de> wrote:
> no, that's wrong. match rules that matched during evaluation get their
> counters updated. aka, your rule did not match.

ok, that's wrong. :) Somebody else told me to add a "pass all" rule at
the top of the rule set. Then it did work. But pass all is the default.
Somehow adding it explicitly changes the behavior of match rules. I know
the rule matches because it does so after adding pass all.

> see pf_counters_inc() in sys/net/pf.c
>
> * Josh Hoppes <josh.hop...@gmail.com> [2011-01-29 07:11]:
>> If I'm reading the man page correctly the rule only counts if it's the
>> one creating a state. Since the match rule won't be the deciding one
>> to generate a state or not I expect it will never actually count on
>> those statistics.
>>
>> On Fri, Jan 28, 2011 at 8:48 PM, Ted Unangst <ted.unan...@gmail.com> wrote:
>> > I am apparently not getting pf at a very simple level. Here's my rule:
>> >
>> > match proto tcp from any to any port 80 label "web"
>> >
>> > Here's the output of pfctl -sr -v after visiting a few websites:
>> >
>> > match proto tcp from any to any port = www label "web"
>> >   [ Evaluations: 1398      Packets: 0         Bytes: 0           States: 0     ]
>> >   [ Inserted: uid 0 pid 931 State Creations: 0     ]
>> >
>> > I would expect that rule to match the packets to port 80 and make the
>> > counters go up, but they stay stuck at 0. Why is that?
>> >
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting
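As an added example (not part of the thread above, and not OpenBSD project code): a small Python parser for the `pfctl -sr -v` counter format that Ted quotes, which is the check he did by eye, done for a whole ruleset. It reads the per-rule `[ Evaluations: ... Packets: ... Bytes: ... States: ... ]` and `[ Inserted: ... State Creations: ... ]` lines and lists the rules that pf evaluated but never counted a packet or a state creation against. The embedded sample output is constructed for this example: the counter values are made up, the rendering of the first rule as `pass all flags S/SA` is assumed to be how pfctl of that era prints a bare `pass all`, and the optional `@N` rule-number prefix handled below is the one `pfctl -vv` adds. The parser only handles top-level (unindented) rules, not rules nested under anchors.

```python
"""Parse `pfctl -sr -v` output and list rules whose counters never move.

Added example; the sample below is constructed, not real pfctl output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modeled on the format quoted in the thread.
SAMPLE_PFCTL_OUTPUT = """\
pass all flags S/SA
  [ Evaluations: 1398      Packets: 6421      Bytes: 5118213     States: 12    ]
  [ Inserted: uid 0 pid 931 State Creations: 57    ]
match proto tcp from any to any port = www label "web"
  [ Evaluations: 1398      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 931 State Creations: 0     ]
block drop in on egress proto tcp from any to any port = ssh label "ssh-noise"
  [ Evaluations: 1398      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 931 State Creations: 0     ]
"""

COUNTERS_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
INSERTED_RE = re.compile(r"\[\s*Inserted:.*?State Creations:\s*(\d+)\s*\]")
LABEL_RE = re.compile(r'\blabel\s+"([^"]*)"')
RULENO_RE = re.compile(r"^@\d+\s+")  # `pfctl -vv` prefixes rules with @N


@dataclass
class PfRule:
    text: str               # the rule as pfctl prints it
    action: str             # first keyword: pass, match, block, ...
    label: Optional[str]    # value of `label "..."`, if the rule has one
    evaluations: int = 0
    packets: int = 0
    byte_count: int = 0
    states: int = 0
    state_creations: int = 0


def parse_pfctl_rules(output: str) -> List[PfRule]:
    """Turn `pfctl -sr -v` text into PfRule records (top-level rules only)."""
    rules: List[PfRule] = []
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented line starts a rule; the indented "[ ... ]" lines
            # that follow carry its counters.
            text = RULENO_RE.sub("", line.strip())
            m = LABEL_RE.search(text)
            rules.append(PfRule(text=text, action=text.split()[0],
                                label=m.group(1) if m else None))
            continue
        if not rules:
            raise ValueError("counter line before any rule: %r" % line)
        cur = rules[-1]
        m = COUNTERS_RE.search(line)
        if m:
            cur.evaluations, cur.packets, cur.byte_count, cur.states = map(int, m.groups())
            continue
        m = INSERTED_RE.search(line)
        if m:
            cur.state_creations = int(m.group(1))
            continue
        raise ValueError("unrecognised pfctl line: %r" % line)
    return rules


def never_counted(rules: List[PfRule]) -> List[PfRule]:
    """Rules that were evaluated but never had a packet or state creation
    counted against them, i.e. rules whose counters look like Ted's."""
    return [r for r in rules
            if r.evaluations > 0 and r.packets == 0 and r.state_creations == 0]


def total_packets(rules: List[PfRule]) -> int:
    return sum(r.packets for r in rules)


if __name__ == "__main__":
    import sys
    text = SAMPLE_PFCTL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_pfctl_rules(text)
    for r in never_counted(parsed):
        print("evaluated %d times, nothing counted: %s" % (r.evaluations, r.text))
```

Run it as `pfctl -sr -v | python3 pfcounters.py` on a live box, or with no stdin to see it work on the constructed sample. A labeled `match` rule showing up in the list with a non-zero evaluation count is exactly the situation the thread is about; the script only reports what the counters say and makes no claim about why they stayed at zero.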