Hello,
</snip>
> When I check my pflog files in WireShark, I note that WireShark displays
> this in the "Info" column:
>
> [pass vio0/-1]
>
yes, this can be the default rule. The snippet below comes from pfattach():

    239         /* default rule should never be garbage collected */
    240         pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
    241         pf_default_rule.action = PF_PASS;
    242         pf_default_rule.nr = (u_int32_t)-1;
    243         pf_default_rule.rtableid = -1;

at line 242 the rule number for the default rule is initialized to -1.
the number never changes.
regards
sashan
On Fri, Oct 13, 2023 at 04:36:25PM -0400, J Doe wrote:
> On 2023-10-10 18:28, Alexander Bluhm wrote:
>
> > Hi,
> >
> > If a packet is malformed, it is dropped by pf(4). The rule referenced
> > in pflog(4) is the default rule. As the default rule is a pass
> > rule, tcpdump prints "pass" although the packet is actually dropped.
> > I have reports from genua and OPNsense users who are confused by
> > the output.
> >
> > With the diff below we see pass or blocked when the packet is matched
> > or dropped due to bad fragment respectively.
>
> Hello,
>
> I have experienced something with pf that I think may be related to this,
> but I wasn't sure.
>
> When I check my pflog files in WireShark, I note that WireShark displays
> this in the "Info" column:
>
> [pass vio0/-1]
>
> Does the "-1" for the rule number mean that this is the implicit/default
> rule ?
>
> This is for a packet that is being processed by my default deny rule, which
> appears to be a malformed packet, but shows up in WireShark as "pass".
>
> Thanks,
>
> - J
>
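The "-1" that shows up in Wireshark, and why a "pass" against that rule number is not what it looks like, can be checked directly from the pflog(4) record header. The following is an added example, not code from this thread or from OpenBSD: it decodes the fixed leading fields of struct pfloghdr (length, af, action, reason, ifname, ruleset, rulenr, subrulenr, as I recall them from net/pflog.h; the fields after subrulenr differ between releases and are skipped using the length byte), reports the rule number both as the raw u_int32_t and as the signed value tcpdump and Wireshark print, flags 0xffffffff as the default rule, and, when the default rule is logged with a non-match reason, reports the packet as dropped rather than echoing the rule's "pass" action. The PFRES_* reason values and AF_INET = 2 are assumptions taken from memory of pfvar.h and socket.h; the two records decoded at the bottom are constructed, not taken from a real capture.

```python
import struct

# Leading fields of struct pfloghdr (net/pflog.h), as assumed here:
#   u_int8_t length; sa_family_t af; u_int8_t action; u_int8_t reason;
#   char ifname[16]; char ruleset[16]; u_int32_t rulenr; u_int32_t subrulenr;
# rulenr/subrulenr are stored with htonl(), so the prefix is parsed big-endian.
# Fields after subrulenr vary between releases; 'length' says where the
# header ends, so they are skipped instead of interpreted.
PFLOG_PREFIX = struct.Struct("!BBBB16s16sII")

PF_PASS, PF_DROP = 0, 1           # pf_default_rule.action is PF_PASS
PF_DEFAULT_RULENR = 0xFFFFFFFF    # (u_int32_t)-1 from pfattach(); never changes
ACTION_NAMES = {PF_PASS: "pass", PF_DROP: "block"}
# PFRES_* reason codes, assumed from pfvar.h; 0 is an ordinary rule match.
REASON_NAMES = {0: "match", 1: "bad-offset", 2: "fragment",
                3: "short", 4: "normalize"}
AF_INET = 2                       # assumed, from sys/socket.h


def decode_pflog_header(buf):
    """Decode one pflog record header and explain its rule number."""
    if len(buf) < PFLOG_PREFIX.size:
        raise ValueError("truncated pflog header")
    (length, af, action, reason, ifname, ruleset,
     rulenr, subrulenr) = PFLOG_PREFIX.unpack_from(buf)
    if length < PFLOG_PREFIX.size or length > len(buf):
        raise ValueError("implausible pflog header length %d" % length)
    ifname_str = ifname.split(b"\0", 1)[0].decode("ascii", "replace")
    ruleset_str = ruleset.split(b"\0", 1)[0].decode("ascii", "replace")
    # tcpdump and Wireshark print the u_int32_t as a signed int, hence "-1".
    signed_nr = rulenr - (1 << 32) if rulenr & 0x80000000 else rulenr
    is_default = rulenr == PF_DEFAULT_RULENR
    action_name = ACTION_NAMES.get(action, "action%d" % action)
    reason_name = REASON_NAMES.get(reason, "reason%d" % reason)
    if is_default and reason != 0:
        # Logged against the default (pass) rule with a non-match reason:
        # pf dropped the packet (e.g. bad fragment) even though the rule's
        # own action, and therefore the "pass" in the log, says pass.
        verdict = "dropped"
    else:
        verdict = action_name
    return {
        "af": af,
        "ifname": ifname_str,
        "ruleset": ruleset_str,
        "rulenr": rulenr,
        "rulenr_signed": signed_nr,
        "subrulenr": subrulenr,
        "is_default_rule": is_default,
        "reason": reason_name,
        "display": "[%s %s/%d]" % (action_name, ifname_str, signed_nr),
        "verdict": verdict,
        "payload_offset": length,   # where the IP packet starts
    }


def make_record(action, reason, ifname, rulenr, hdrlen=100):
    """Build a constructed pflog header (not a real capture) for the demo."""
    prefix = PFLOG_PREFIX.pack(hdrlen, AF_INET, action, reason,
                               ifname.ljust(16, b"\0"), b"\0" * 16,
                               rulenr & 0xFFFFFFFF, 0xFFFFFFFF)
    return prefix + b"\0" * (hdrlen - PFLOG_PREFIX.size)


# Constructed samples: a malformed fragment logged against the default rule,
# and an ordinary packet blocked by rule number 3.
MALFORMED_FRAGMENT = make_record(PF_PASS, 2, b"vio0", 0xFFFFFFFF)
BLOCKED_BY_RULE_3 = make_record(PF_DROP, 0, b"vio0", 3)

if __name__ == "__main__":
    for rec in (MALFORMED_FRAGMENT, BLOCKED_BY_RULE_3):
        h = decode_pflog_header(rec)
        print("%-18s default=%-5s reason=%-9s verdict=%s"
              % (h["display"], h["is_default_rule"], h["reason"], h["verdict"]))
```

Fed a real pflog capture, the same decoder would be applied to the bytes following each pcap record header (the pflog link type places struct pfloghdr first), and the "default rule plus non-match reason" combination is the case to watch for when a "pass vio0/-1" line appears next to a packet that was in fact dropped.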