Hello, I'm fine with it.
OK sashan

On Wed, Oct 11, 2023 at 12:28:20AM +0200, Alexander Bluhm wrote:
> Hi,
>
> If a packet is malformed, it is dropped by pf(4). The rule referenced
> in pflog(4) is the default rule. As the default rule is a pass
> rule, tcpdump prints "pass" although the packet is actually dropped.
> I have reports from genua and OPNsense users who are confused by
> the output.
>
> With the diff below we see pass or blocked when the packet is matched
> or dropped due to bad fragment respectively.
>
> 19:29:17.314991 rule def/(match) [uid 0, pid 0] pass in on em1: 10.188.81.21 >
> 10.188.81.22: (frag 43955:8@8+) (ttl 64, len 28)
> 19:29:31.321728 rule def/(fragment) [uid 0, pid 0] block in on em1:
> 10.188.81.21 > 10.188.81.22: (frag 27096:64@4032+) (ttl 64, len 84)
>
> ok?
>
> bluhm
>
> Index: net/if_pflog.c
> ===================================================================
> RCS file: /cvs/src/sys/net/if_pflog.c,v
> retrieving revision 1.97
> diff -u -p -r1.97 if_pflog.c
> --- net/if_pflog.c	20 Jan 2021 23:25:19 -0000	1.97
> +++ net/if_pflog.c	10 Oct 2023 17:20:00 -0000
> @@ -204,7 +204,9 @@ pflog_packet(struct pf_pdesc *pd, u_int8
>  
>  	bzero(&hdr, sizeof(hdr));
>  	hdr.length = PFLOG_REAL_HDRLEN;
> -	hdr.action = rm->action;
> +	/* Default rule does not pass packets dropped for other reasons. */
> +	hdr.action = (rm->nr == (u_int32_t)-1 && reason != PFRES_MATCH) ?
> +	    PF_DROP : rm->action;
>  	hdr.reason = reason;
>  	memcpy(hdr.ifname, pd->kif->pfik_name, sizeof(hdr.ifname));
>  
>
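Review bot: the default-rule test in the added lines, `rm->nr == (u_int32_t)-1`, keys on a magic value; the comment above it only says what the default rule does, not that nr == (u_int32_t)-1 is how the default rule is recognised, so a sentence to that effect (or a named constant, if one exists) would make the condition next to `reason != PFRES_MATCH` self-explanatory. The override is also scoped to the default rule only, so a packet logged against an explicit pass rule with a reason other than PFRES_MATCH would still be printed as pass; if that combination cannot reach pflog_packet() it is worth saying so in the comment, and if it can, the intended logged action for it should be spelled out.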
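As an added illustration, not code from the mail or from OpenBSD, here is a small Python parser for the tcpdump pflog format shown above that recomputes the action the way the patch does, so a log written by an unpatched kernel can be audited for the misleading "pass" records; the sample records are constructed, with the dropped fragment labelled "pass" as an unpatched kernel prints it, and the "def" rule name and the reason strings are the ones visible in the tcpdump output in the mail.

```python
import re

# Shape of one pflog record as tcpdump prints it (see the mail above):
#   <time> rule <nr>/(<reason>) [uid N, pid N] <action> <dir> on <if>: <packet>
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\S+?)/\((?P<reason>[^)]+)\) "
    r"\[uid (?P<uid>\d+), pid (?P<pid>\d+)\] "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): (?P<packet>.*)$"
)

# Constructed sample: the two records from the mail as an UNPATCHED kernel
# would log them, i.e. the dropped fragment is still labelled "pass".
SAMPLE_PFLOG = """\
19:29:17.314991 rule def/(match) [uid 0, pid 0] pass in on em1: 10.188.81.21 > 10.188.81.22: (frag 43955:8@8+) (ttl 64, len 28)
19:29:31.321728 rule def/(fragment) [uid 0, pid 0] pass in on em1: 10.188.81.21 > 10.188.81.22: (frag 27096:64@4032+) (ttl 64, len 84)
"""


def parse_pflog_line(line):
    """Return the fields of one tcpdump pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def effective_action(rule, reason, logged_action):
    """Mirror the patched pflog_packet() logic in user space: the default
    rule ("def") only passes a packet when the reason is "match"; for any
    other reason the packet was dropped, so the real action is block."""
    if rule == "def" and reason != "match":
        return "block"
    return logged_action


def audit_pflog(text):
    """Parse every record and flag those whose logged action is misleading."""
    records = []
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        rec["effective"] = effective_action(rec["rule"], rec["reason"], rec["action"])
        rec["misleading"] = rec["effective"] != rec["action"]
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in audit_pflog(SAMPLE_PFLOG):
        flag = "MISLEADING" if r["misleading"] else "ok"
        print(f'{r["ts"]} rule {r["rule"]}/({r["reason"]}) logged={r["action"]} '
              f'effective={r["effective"]} [{flag}]')
```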