On Mon, Jan 31, 2005 at 07:48:08PM -0500, Chad M Stewart wrote:

> # pfctl -s labels
> rl0 ping in 2 0 0
> rl3 ping in 3 0 0
> spamd Windows .NET 1 0 0
> spamd Windows 2000 1 0 0
> spamd Windows XP 1 0 0
> spamd Windows NT 1 0 0
> spamd Windows 95 1 0 0
> spamd Windows 98 1 0 0
> spamd OpenBSD 1 11 691
> spamd undefined 0 0 0
> 
> I'm confused why every rule and thus label applied, or seems to have 
> applied.  After a random IP shows up in /var/log/spamd I see

This one is simple to explain. The first number printed after the label
name is the number of times the rule with that label was _evaluated_.
The second number is the number of packets that matched the rule last
(that were passed or blocked because of this rule), and the third is the
sum of the sizes of these packets.

Since your "os OpenBSD" rule is the last one in the block, a packet from
an OpenBSD client will cause evaluation of all rules in the block. It
won't match any of those rules but the last one, but it causes each
one's evaluation.

There was a single connection. The first packet of the connection caused
evaluation of each rule. It last matched the final 'OpenBSD' rule,
passed, and created state. Then there were 10 additional packets related
to the connection. These did not cause any ruleset evaluations, as they
matched the created state. Hence, the evaluation counters didn't
increase anymore for those 10 packets, but the packet and size counters
(11 and 691) did.

> spamd Windows .NET 2 0 0
> spamd Windows 2000 2 8 485
> spamd Windows XP 1 0 0
> spamd Windows NT 1 0 0
> spamd Windows 95 1 0 0
> spamd Windows 98 1 0 0
> spamd OpenBSD 1 11 691
> spamd undefined 0 0 0

Now a "Windows 2000" client connected, and the same thing happened. But
because the first rule matched (and it has the 'quick' option), no
further rules were evaluated. There must have been two connections from
"Windows 2000" clients, and a total of 8 packets with a sum of 485
bytes.

Daniel
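Added example, not part of the thread above and not pf's own code: a small Python model of the three per-label counters that `pfctl -s labels` printed at the time (evaluations, packets, bytes), following the explanation given above. The ruleset is built from the labels in the quoted output, and it assumes every OS rule carries `quick` (that is what leaves the trailing "undefined" row at 0 0 0). The traffic is constructed: one OpenBSD connection of 11 packets summing to 691 bytes, then one Windows 2000 connection of 8 packets summing to 485 bytes, sizes chosen only so the model's counters reproduce the two quoted snapshots. Rule evaluation, `quick`, last-match semantics and the state table are modelled in a few lines each, so the model is a simplification of pf, not a reimplementation.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    label: str   # text printed by `pfctl -s labels`
    os: str      # the "os ..." fingerprint this rule matches
    quick: bool  # 'quick' ends the ruleset pass on match (assumed here)

@dataclass
class Counters:
    evaluations: int = 0  # ruleset passes that looked at this rule
    packets: int = 0      # packets passed/blocked because this rule matched last
    bytes: int = 0        # sum of those packets' sizes

class PfLabelModel:
    """Minimal model of pf's per-label accounting (a simplification, not pf code)."""

    def __init__(self, rules):
        self.rules = rules
        self.counters = {r.label: Counters() for r in rules}
        self.states = {}  # flow id -> rule whose match created the state

    def packet(self, flow, os, size):
        """Account one packet; return the label it was charged to, or None."""
        if flow in self.states:
            # A packet matching an existing state never enters the ruleset,
            # so no evaluation counter moves; only packets/bytes do.
            rule = self.states[flow]
        else:
            rule = None
            for r in self.rules:
                self.counters[r.label].evaluations += 1
                if r.os == os:
                    rule = r        # last matching rule wins ...
                    if r.quick:
                        break       # ... unless 'quick' stops the pass here
            if rule is None:
                return None         # no labelled rule matched
            self.states[flow] = rule  # first packet of the flow creates state
        c = self.counters[rule.label]
        c.packets += 1
        c.bytes += size
        return rule.label

    def connection(self, flow, os, sizes):
        for size in sizes:
            self.packet(flow, os, size)

    def snapshot(self):
        """Rows shaped like `pfctl -s labels` output: label, evals, pkts, bytes."""
        rows = []
        for r in self.rules:
            c = self.counters[r.label]
            rows.append((r.label, c.evaluations, c.packets, c.bytes))
        return rows

def parse_label_line(line):
    """Labels may contain spaces, so peel off only the three trailing numbers."""
    name, ev, pk, by = line.rsplit(None, 3)
    return name, int(ev), int(pk), int(by)

def deltas(before, after):
    """Per-label change between two snapshots, listing only rows that moved."""
    return [(b[0], a[1] - b[1], a[2] - b[2], a[3] - b[3])
            for b, a in zip(before, after) if a != b]

OS_ORDER = ["Windows .NET", "Windows 2000", "Windows XP", "Windows NT",
            "Windows 95", "Windows 98", "OpenBSD", "undefined"]

# The two spamd snapshots quoted in the thread (rl0/rl3 rows left out).
FIRST_SNAPSHOT = [parse_label_line(l) for l in """\
spamd Windows .NET 1 0 0
spamd Windows 2000 1 0 0
spamd Windows XP 1 0 0
spamd Windows NT 1 0 0
spamd Windows 95 1 0 0
spamd Windows 98 1 0 0
spamd OpenBSD 1 11 691
spamd undefined 0 0 0""".splitlines()]
SECOND_SNAPSHOT = [parse_label_line(l) for l in """\
spamd Windows .NET 2 0 0
spamd Windows 2000 2 8 485
spamd Windows XP 1 0 0
spamd Windows NT 1 0 0
spamd Windows 95 1 0 0
spamd Windows 98 1 0 0
spamd OpenBSD 1 11 691
spamd undefined 0 0 0""".splitlines()]

def run_scenario():
    """Constructed traffic: an OpenBSD connection of 11 packets (691 bytes),
    then a Windows 2000 connection of 8 packets (485 bytes).  Packet sizes
    are made up so the totals match the quoted snapshots."""
    model = PfLabelModel([Rule(f"spamd {o}", o, quick=True) for o in OS_ORDER])
    model.connection("flow-openbsd", "OpenBSD", [60] * 10 + [91])
    first = model.snapshot()
    model.connection("flow-w2k", "Windows 2000", [60] * 7 + [65])
    return first, model.snapshot()
```

Running `run_scenario()` yields the two quoted snapshots in order, and `deltas(FIRST_SNAPSHOT, SECOND_SNAPSHOT)` reports only the two rows that moved between them: "spamd Windows .NET" gained one evaluation and nothing else, "spamd Windows 2000" gained one evaluation plus 8 packets and 485 bytes. That is the reading habit worth taking from the explanation above: a label whose evaluation counter climbs while its packet counter stays at zero is simply being walked past, and only the packet and byte columns say which rule actually decided a flow.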
