From nobody@FreeBSD.org  Wed Dec 14 12:44:47 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7A37A16A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 14 Dec 2005 12:44:47 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2611643D46
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 14 Dec 2005 12:44:47 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jBECik7v074481
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 14 Dec 2005 12:44:46 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jBECikxH074480;
	Wed, 14 Dec 2005 12:44:46 GMT
	(envelope-from nobody)
Message-Id: <200512141244.jBECikxH074480@www.freebsd.org>
Date: Wed, 14 Dec 2005 12:44:46 GMT
From: Denis Grinchuk <den2208@yandex.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pfctl -s labels don't count bytes if labeled rule was NATted
X-Send-Pr-Version: www-2.3

>Number:         90386
>Category:       misc
>Synopsis:       pfctl -s labels don't count bytes if labeled rule was NATted
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 14 12:50:02 GMT 2005
>Closed-Date:    Wed Dec 14 17:44:21 GMT 2005
>Last-Modified:  Wed Dec 14 17:44:21 GMT 2005
>Originator:     Denis Grinchuk
>Release:        5.4
>Organization:
-
>Environment:
FreeBSD free54.newintech.com. 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Mon Nov  7 15:41:11 MSK 2005     root@free53.newintech.com.:/usr/src/sys/i386/compile/mykernel2  i386          
>Description:
My machine is a firewall and proxy server. I need to count forwarded traffic from the Internet (inbound only). The firewall is pf with NAT (I have one real IP). The counter is based on pf labels. NAT works on the external interface like this (simplified):

nat on $ext_if from $INT_NET to any -> $EXT_IP
pass out on $ext_if from $EXT_IP to any
pass in on $ext_if from any to $EXT_IP label "$dstaddr:external"
pass in on $int_if from $INT_NET to !<private>
pass out on $int_if from !<private> to $INT_NET label "$dstaddr:internal"

Counters at the internal interface work well, but the external one shows zero bytes:
# pfctl -s labels
192.168.0.0/24:internal 111  10   10000
1.2.3.4:extenal 111   0   0
I.e. there were hits, but bytes weren't counted for NATted backward packets.

Sorry for my English. Thank you for FreeBSD!
>How-To-Repeat:
              
>Fix:
              
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dhartmei 
State-Changed-When: Wed Dec 14 17:38:30 UTC 2005 
State-Changed-Why:  
This is not a bug. NAT implies creation of a state entry. Packets matching 
a state entry pass without further ruleset evaluation. They increase the 
packet/byte counters of the rule that created the state (a pass rule last 
matching after the translation performed by the NAT rule). Hence, you have 
to add the label to that particular rule to query the counters through the 
label later. Try pfctl -vvsr to see all rule counters (not just those of 
labelled rules), and pfctl -vvss to see which connection gets counted 
into what rule. 

The first counter (the one you see increase) counts the number of times 
the rule was evaluated, which isn't the same as how many times it matched 
or matched last. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=90386 
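As an added check illustrating dhartmei's explanation (this is not part of the PR, nor code from pf or pfctl): a small parser for `pfctl -s labels` output that flags labels whose rule is evaluated but never counts a packet, which in this report is the label sitting on a rule other than the one that created the NAT state. The sample output is constructed from the figures in the report.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the report's `pfctl -s labels` output;
# not captured from a live system. Columns: label, evaluations, packets, bytes.
SAMPLE_OUTPUT = """\
192.168.0.0/24:internal 111 10 10000
1.2.3.4:external 111 0 0
"""

# Lazy label, then at least three counters; newer pf versions append further
# numeric columns (in/out packets and bytes, states), which are ignored here.
_LINE = re.compile(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)(?:\s+\d+)*\s*$")


@dataclass
class LabelCounter:
    label: str
    evaluations: int
    packets: int
    bytes: int


def parse_labels(output: str) -> list[LabelCounter]:
    """Parse `pfctl -s labels` output into LabelCounter rows, skipping malformed lines."""
    rows = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            rows.append(LabelCounter(m.group(1), *(int(g) for g in m.group(2, 3, 4))))
    return rows


def mislabelled_rules(rows: list[LabelCounter]) -> list[str]:
    """Labels whose rule is evaluated but never accounts for a packet.

    Packets matching a state are counted on the rule that created the state.
    A rule that is evaluated (first counter grows) yet shows zero packets is
    therefore never the last-matching rule for that traffic: with NAT, the state
    was created by the rule matched after translation, so the label belongs there.
    """
    return [r.label for r in rows if r.evaluations > 0 and r.packets == 0]


if __name__ == "__main__":
    for label in mislabelled_rules(parse_labels(SAMPLE_OUTPUT)):
        print(f"{label}: evaluated but never counting; move the label to the state-creating rule")
```

Run against the real output (`pfctl -s labels | python3 this_script.py` after swapping in `sys.stdin.read()`) to list every label that is evaluated but never accounts for traffic.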
>Unformatted:
