Bug 177810

Summary: [pf] traffic dropped by accepting rules is not counted
Product: Base System
Reporter: Kajetan Staszkiewicz <vegeta>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open
Severity: Affects Only Me
Priority: Normal
Version: 9.1-RELEASE
Hardware: Any
OS: Any

Description Kajetan Staszkiewicz 2013-04-12 16:40:00 UTC
Currently per-rule counting is performed only for packets that are
accepted by any rule or any packets matched by a dropping rule. Counting
on a per-interface basis is performed properly.

There are some possibilities for a packet to be dropped by an accepting
rule and therefore not counted:

1. SYN/SYN+ACK/ACK packets going through synproxy are dropped with the
   PF_SYNPROXY_DROP action. This generates new packets sent to the client
   and server that are legitimate traffic and should be counted.

2. Creation of a state or a src-node might fail due to memory or
   per-rule state limits. This traffic is dropped (or at least should be,
   have a look at kern/177808), but still matched some rule. I believe
   it also should be counted, but this is open for discussion.

How-To-Repeat: SYN-flood your FreeBSD-based machine with synproxy rules or rules with
a state limit, and observe no increase in the counters of `pfctl -sl`.
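A defender's check for the undercounting described in this report, added here as an example and not code from the report or from pf itself: it reads the global per-reason counters from `pfctl -s info` (kept by drop reason regardless of which rule matched) and the per-label totals from `pfctl -s labels` (`-sl`), and reports how many packets pf handled that no rule counter credits. Which reason counters correspond to the two cases above (`synproxy` for case 1; `memory`, `state-limit`, `src-limit` for case 2) is my reading, and both sample outputs are constructed.

```python
import re

# Reason counters a packet can hit after it already matched an accepting
# rule (assumed mapping: synproxy = case 1, the other three = case 2).
UNCOUNTED_REASONS = ("synproxy", "state-limit", "src-limit", "memory")

def parse_info_counters(text):
    """Map counter name -> count from the 'Counters' block of `pfctl -s info`."""
    parts = re.split(r"^Counters[ \t]*\n", text, maxsplit=1, flags=re.M)
    counters, block = {}, (parts[1] if len(parts) > 1 else "")
    for line in block.splitlines():
        m = re.match(r"\s+([a-z-]+)\s+(\d+)", line)
        if not m:
            break  # blank line or next section ends the block
        counters[m.group(1)] = int(m.group(2))
    return counters

def parse_label_packets(text):
    """Map rule label -> total packets from `pfctl -s labels`; numbers are peeled from the right so labels with spaces work."""
    totals = {}
    for line in text.splitlines():
        fields, nums = line.split(), []
        while fields and fields[-1].isdigit():
            nums.insert(0, int(fields.pop()))
        if not fields or len(nums) < 3:  # need label, evaluations, packets, ...
            continue
        label = " ".join(fields)
        totals[label] = totals.get(label, 0) + nums[1]  # nums[1] = packets total
    return totals

def undercount(info_text, labels_text):
    """Return (rule_counted, uncounted, uncounted_share) for one snapshot pair."""
    counters = parse_info_counters(info_text)
    counted = sum(parse_label_packets(labels_text).values())
    uncounted = sum(counters.get(r, 0) for r in UNCOUNTED_REASONS)
    total = counted + uncounted
    return counted, uncounted, (uncounted / total if total else 0.0)

# Constructed excerpts in the shape of `pfctl -s info` and `pfctl -s labels` output.
INFO_SAMPLE = """\
State Table                          Total             Rate
  current entries                       42
Counters
  match                              15000            25.0/s
  memory                                12             0.0/s
  state-limit                         3000             5.0/s
  synproxy                            4500             7.5/s
"""
LABELS_SAMPLE = ("web-in 15000 6000 480000 3000 240000 3000 240000 42\n"
                 "ssh-in 200 150 12000 75 6000 75 6000 3\n")
```

Rule counters start from zero on every ruleset load while the `pfctl -s info` counters persist until `pfctl -F info`, so in practice compare deltas between two snapshots taken over the same interval rather than absolute values.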
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2013-04-13 00:56:30 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:01 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped