2

I have an issue where my pf logs many packets that it's not supposed to log. I reproduced it with an almost empty pf.conf:

set skip on lo

and it still logs some packets. I think that all those packets have ICMP6 type and they do not really belong to my computer. I have no idea why I am receiving them, but I don't have control over it.

Here's an example of a packet (received with tcpdump on pflog0):

13:18:29.211678 rule def/(match) pass in on vio0: fe80::3ad5:47ff:fe75:1a2b > ff02::1:ff75:1a2b: HBH icmp6: multicast listener report  [hlim 1]

So my question is: where can I read about those default match rules, and how do I disable those logs?

I tried to explicitly match those packets with something like pass in on vio0 (without a logging statement), but they are still logged, probably because of that mysterious default match which marks the packet to be logged.

vbezhenar

1 Answer

3

> I have no idea why I am receiving them

It's multicast traffic.

> where can I read about those default match rules

Well, the thing as a whole is partially documented, but it's not that obviously traced back from the issue you're seeing.

From man pf.conf (markup is mine):

allow-opts
    By default, packets with IPv4 options or IPv6 hop-by-hop or destination options header are blocked. When allow-opts is specified for a pass rule, packets that pass the filter based on that rule (last matching) do so even if they contain options.

The HBH you're seeing in the logs is exactly that "hop-by-hop".

My theory is: pf's developers decided that, since that kind of traffic is to be blocked even if there's a pass rule (which seemingly is there by default in your case), it would make sense to whistle-blow harder; that's why you're getting it logged.

> and how do I disable those logs

As suggested in the man page, you can fix that by introducing a pass rule with allow-opts explicitly given:

pass allow-opts

poige
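A narrower variant of the rule above, as an added example that is not part of the original answer: instead of allowing option headers on everything that passes, it allows them only for inbound ICMPv6 multicast listener messages on the interface from the question's log line. The explicit `pass` rule and the choice of ICMPv6 types are assumptions made for this example.

```conf
# Added example, not from the original answer. vio0 comes from the
# question's log line; the rest is an assumed minimal ruleset.

set skip on lo

# Broad form from the answer: every packet passed by this rule may carry
# IPv4 options or IPv6 hop-by-hop / destination options headers.
# pass allow-opts

# Narrower form: pass traffic as before, which keeps the default of
# blocking packets that carry options ...
pass

# ... and accept option headers only for inbound multicast listener
# query / report / done messages (the logged packet was a "multicast
# listener report" with a hop-by-hop header). The last matching rule
# wins, so this rule decides for those packets.
# MLDv2 reports (ICMPv6 type 143) are not covered by these three names.
pass in on vio0 inet6 proto icmp6 \
    icmp6-type { listqry, listenrep, listendone } allow-opts
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch pflog0 with tcpdump again to confirm the entries have stopped.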