I'm keeping basic in/out IP accounting info using labels. However, consider this simple ruleset:

    pass out keep state
    pass in on $int_if from $client1 to ! $localnet label "Client1_out"
    pass out on $int_if from ! $localnet to $client1 label "Client1_in"

Of course, when keeping state, packets matching the state effectively skip the rest of the ruleset. According to <URL:http://www.openbsd.org/faq/pf/filter.html#state>:

"[...] not only do packets going from the sender to receiver match the state entry and bypass ruleset evaluation, but so do the reply packets from receiver to sender."

Does this mean that basic label-based IP accounting won't mix with keeping state at all?

Please note that I cannot simply count incoming and outgoing packets/bytes on each interface, since only routed "internet" traffic should be accounted for -- not traffic on the local net, including between clients and the router itself.

regards,
sven
