Hi,

If a packet is malformed, it is dropped by pf(4).  The rule referenced
in pflog(4) is the default rule.  As the default rule is a pass
rule, tcpdump prints "pass" although the packet is actually dropped.
I have reports from genua and OPNsense users who are confused by
the output.

With the diff below we see "pass" or "block" when the packet is matched
or dropped due to a bad fragment, respectively.

19:29:17.314991 rule def/(match) [uid 0, pid 0] pass in on em1: 10.188.81.21 > 
10.188.81.22: (frag 43955:8@8+) (ttl 64, len 28)
19:29:31.321728 rule def/(fragment) [uid 0, pid 0] block in on em1: 
10.188.81.21 > 10.188.81.22: (frag 27096:64@4032+) (ttl 64, len 84)

ok?

bluhm

Index: net/if_pflog.c
===================================================================
RCS file: /cvs/src/sys/net/if_pflog.c,v
retrieving revision 1.97
diff -u -p -r1.97 if_pflog.c
--- net/if_pflog.c      20 Jan 2021 23:25:19 -0000      1.97
+++ net/if_pflog.c      10 Oct 2023 17:20:00 -0000
@@ -204,7 +204,9 @@ pflog_packet(struct pf_pdesc *pd, u_int8
 
        bzero(&hdr, sizeof(hdr));
        hdr.length = PFLOG_REAL_HDRLEN;
-       hdr.action = rm->action;
+       /* Default rule does not pass packets dropped for other reasons. */
+       hdr.action = (rm->nr == (u_int32_t)-1 && reason != PFRES_MATCH) ?
+           PF_DROP : rm->action;
        hdr.reason = reason;
        memcpy(hdr.ifname, pd->kif->pfik_name, sizeof(hdr.ifname));
 
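Review bot: the default rule is identified by the bare sentinel `(u_int32_t)-1` compared against `rm->nr`; consider a named constant or a comment pointing at where the default rule's number is assigned, so this check stays in sync if that sentinel ever changes. Also, the new condition only rewrites the logged action for the default rule: a packet dropped for a reason other than `PFRES_MATCH` while `rm` is an ordinary pass rule would still be logged as `pass`, so the comment should say whether that case cannot occur or is intentionally left as is.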