Currently per-rule counting is performed only for packets that are
accepted by any rule or any packets matched by a droping rule. Counting
on per-interface basis is perfomed properly.
There are some possibilities for a packet do be dropped by an accepting
rule and therefore not counted:
1. SYN/SYN+ACK/ACK packets going through synproxy are dropped with
PF_SYNPROXY_DROP action. This generates new packets sent to client
and server that are legitimate traffic and should be counted.
2. Creation of a state or a src-node might fail due to memory or per-
rule state limits. This traffic is dropped (or at least should be,
have a look on kern/177808), but still matched some rule. I believe
it also should be counted, but this is open for discussion.
How-To-Repeat: SYN-flood your FreeBSD based machine with synproxy rules or rules with
state limit, observe no increase of counters of `pfctl -sl`
Over to maintainer(s).
For bugs matching the following criteria:
Status: In Progress Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.
Mail being skipped