From owner-freebsd-bugs@FreeBSD.ORG Wed Dec 14 17:44:20 2005
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C7D616A420; Wed, 14 Dec 2005 17:44:20 +0000 (GMT) (envelope-from dhartmei@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6458143D46; Wed, 14 Dec 2005 17:44:20 +0000 (GMT) (envelope-from dhartmei@FreeBSD.org)
Received: from freefall.freebsd.org (dhartmei@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id jBEHiKhQ080934; Wed, 14 Dec 2005 17:44:20 GMT (envelope-from dhartmei@freefall.freebsd.org)
Received: (from dhartmei@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id jBEHiKul080930; Wed, 14 Dec 2005 17:44:20 GMT (envelope-from dhartmei)
Date: Wed, 14 Dec 2005 17:44:20 GMT
From: Daniel Hartmeier
Message-Id: <200512141744.jBEHiKul080930@freefall.freebsd.org>
To: den2208@yandex.ru, dhartmei@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:
Subject: Re: misc/90386: pfctl -s labels don't count bytes if labeled rule was NATted
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Wed, 14 Dec 2005 17:44:20 -0000

Synopsis: pfctl -s labels don't count bytes if labeled rule was NATted

State-Changed-From-To: open->closed
State-Changed-By: dhartmei
State-Changed-When: Wed Dec 14 17:38:30 UTC 2005
State-Changed-Why:
This is not a bug. NAT implies creation of a state entry. Packets matching a state entry pass without further ruleset evaluation. They increase the packet/byte counters of the rule that created the state (a pass rule last matching after the translation performed by the NAT rule).

Hence, you have to add the label to that particular rule to query the counters through the label later. Try pfctl -vvsr to see all rule counters (not just those of labelled rules), and pfctl -vvss to see which connection gets counted into what rule. The first counter (the one you see increase) counts the number of times the rule was evaluated, which isn't the same as how many times it matched or matched last.

http://www.freebsd.org/cgi/query-pr.cgi?pr=90386
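As an added illustration (not part of the PR or of Daniel Hartmeier's reply), the following constructed pf.conf fragment shows where a label has to sit for `pfctl -s labels` to report a NATted connection's bytes. The interface names, the network macro and the rule bodies are assumptions chosen for the example; the behaviour described in the comments is the one explained above: the state is created by the pass rule that matches last after translation, and every later packet of the connection is charged to that rule.

```conf
# Constructed example pf.conf fragment (assumed interface names).
ext_if = "em0"
int_if = "em1"

# Translation rule. It forces a state entry to be created for every
# matching connection, but the filter rule that creates the state is the
# one that matches last after the translation has been applied.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# This rule is evaluated for the packet arriving on the inside interface.
# Because it does not create the state, only the first packet of a
# connection is charged to it; every later packet matches the state and
# bypasses the ruleset, so "pfctl -s labels" shows the evaluation counter
# moving while the byte counter for "lan-web-in" barely changes.
pass in on $int_if proto tcp from $int_if:network to any port 80 label "lan-web-in"

# This rule matches last, after NAT, and creates the state. Packets that
# match the state are counted against it, so this is where the label has
# to go to get the connection's bytes through "pfctl -s labels".
pass out on $ext_if proto tcp from ($ext_if) to any port 80 keep state label "web-out"
```

With this ruleset, `pfctl -s labels` prints one line per label with the evaluations, packets and bytes columns; `pfctl -vvsr` shows the same counters for every rule, labelled or not, and `pfctl -vvss` shows for each state which rule number it is counted against, which is the quickest way to confirm that the "pass out" rule, not the "pass in" rule, owns the state.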