The line checking for PF_PASS has not changed since 2006, which predates the existence of match rules in PF.
We check for permissions in one place, but if they are (eventually) permitted, we want spamlogd to handle the packet. Is there a better way than checking the PF_MATCH state? Is there an "ultimately allowed" state that we can check? OK? Index: libexec/spamlogd/spamlogd.c =================================================================== RCS file: /cvs/openbsd/src/libexec/spamlogd/spamlogd.c,v retrieving revision 1.27 diff -u -p -u -p -r1.27 spamlogd.c --- libexec/spamlogd/spamlogd.c 16 Mar 2016 14:47:04 -0000 1.27 +++ libexec/spamlogd/spamlogd.c 1 Nov 2016 15:56:48 -0000 @@ -173,7 +173,7 @@ logpkt_handler(u_char *user, const struc } /* We're interested in passed packets */ - if (hdr->action != PF_PASS) + if (hdr->action != PF_PASS || hdr->action != PF_MATCH) return; af = hdr->af; -- An age is called Dark not because the light fails to shine, but because people refuse to see it. -- James Michener, "Space"
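Review bot: The replacement condition in logpkt_handler, `hdr->action != PF_PASS || hdr->action != PF_MATCH`, is true for every value of hdr->action, because no action can equal both constants at once, so the handler now returns on every packet, including the PF_PASS ones it accepted before the change. To accept either action the two tests need to be joined with `&&`: `if (hdr->action != PF_PASS && hdr->action != PF_MATCH) return;`. The comment above the test still reads "We're interested in passed packets" and should mention matched packets if this goes in. The question raised in the message also remains open: a PF_MATCH entry on its own does not say the packet was finally passed, so it should be settled whether spamlogd may act on it before this is committed.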