Date:      Wed, 14 Dec 2005 17:44:20 GMT
From:      Daniel Hartmeier <dhartmei@FreeBSD.org>
To:        den2208@yandex.ru, dhartmei@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject:   Re: misc/90386: pfctl -s labels don't count bytes if labeled rule was NATted
Message-ID:  <200512141744.jBEHiKul080930@freefall.freebsd.org>

Synopsis: pfctl -s labels don't count bytes if labeled rule was NATted

State-Changed-From-To: open->closed
State-Changed-By: dhartmei
State-Changed-When: Wed Dec 14 17:38:30 UTC 2005
State-Changed-Why: 
This is not a bug. NAT implies creation of a state entry. Packets matching
a state entry pass without further ruleset evaluation. They increase the
packet/byte counters of the rule that created the state (a pass rule last
matching after the translation performed by the NAT rule). Hence, you have
to add the label to that particular rule to query the counters through the
label later. Try pfctl -vvsr to see all rule counters (not just those of
labelled rules), and pfctl -vvss to see which connection gets counted
into what rule.

The first counter (the one you see increase) counts the number of times
the rule was evaluated, which isn't the same as how many times it matched
or matched last.

http://www.freebsd.org/cgi/query-pr.cgi?pr=90386
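
As an added illustration of the behaviour described above (not part of the reply or the PR), the following pf.conf fragment puts the label on the rule that actually creates the state; the interface names and the internal network are assumed for the example:

```pf
# Assumed interfaces and internal network (constructed for this example).
ext_if  = "em0"
int_if  = "em1"
int_net = "10.0.0.0/24"

# The NAT rule only rewrites the source address. The state entry, and with
# it the packet/byte counters, belong to the pass rule that matches last
# after this translation, not to the NAT rule.
nat on $ext_if from $int_net to any -> ($ext_if)

# Stateless rule on the LAN side. A label here only shows the first
# counter (Evaluations) going up: every new packet is evaluated against
# it, but it never creates the state that later packets of the
# connection match, so Packets/Bytes stay at zero.
pass in on $int_if from $int_net to any label "lan-in"

# This rule matches after translation and creates the state. Packets
# matching that state pass without ruleset evaluation and are counted
# against this rule, so this is the label to query.
pass out on $ext_if from ($ext_if) to any keep state label "wan-out"

# Checks:
#   pfctl -vvsr      per-rule "[ Evaluations: n Packets: n Bytes: n States: n ]"
#   pfctl -vvss      each state with the number of the rule that created it
#   pfctl -s labels  the counters reported per label (abbreviated: pfctl -sl)
```

With this ruleset the "wan-out" label carries the byte counts of the NATted connections, while "lan-in" shows evaluations only.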
