Bug 177810 - [pf] traffic dropped by accepting rules is not counted
Summary: [pf] traffic dropped by accepting rules is not counted
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 9.1-RELEASE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-12 16:40 UTC by Kajetan Staszkiewicz
Modified: 2017-12-31 22:27 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kajetan Staszkiewicz 2013-04-12 16:40:00 UTC 
Currently per-rule counting is performed only for packets that are
accepted by any rule or any packets matched by a droping rule. Counting
on per-interface basis is perfomed properly.

There are some possibilities for a packet do be dropped by an accepting
rule and therefore not counted:

1. SYN/SYN+ACK/ACK packets going through synproxy are dropped with
   PF_SYNPROXY_DROP action. This generates new packets sent to client
   and server that are legitimate traffic and should be counted.

2. Creation of a state or a src-node might fail due to memory or per-
   rule state limits. This traffic is dropped (or at least should be,
   have a look on kern/177808), but still matched some rule. I believe
   it also should be counted, but this is open for discussion.

How-To-Repeat: SYN-flood your FreeBSD based machine with synproxy rules or rules with
state limit, observe no increase of counters of `pfctl -sl`
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2013-04-13 00:56:30 UTC 
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:01 UTC 
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped