Solved weird pfctl -s labels outputs

[patpro]

Hello,

I’m using pf on a FreeBSD 14.1-RELEASE and I have this kind of rules:

block in log quick proto tcp from <datacenteripv4> to $ext_if port 22 label "datacenteripv4 ssh deny"

When I display statistics by labels, many lines are duplicated, but with different metrics:

# pfctl -s labels|grep "ssh deny"
datacenteripv4 ssh deny 137 0 0 0 0 0 0 0
datacenteripv4 ssh deny 14 0 0 0 0 0 0 0
datacenteripv4 ssh deny 0 0 0 0 0 0 0 0

Is there an explanation for this behavior?

 

[SirDice]

Three rules with the same label? grep "datacenteripv4 ssh deny" /etc/pf.conf or better; pfctl -s rules | grep "datacenteripv4 ssh deny" as a single line in pf.conf can result in more than one actual rule.

 

[patpro]

oh crap.

Obviously I have only one rule in pf.conf.
But recently I’ve added IPv6 on interface $ext_if, and now there are 3 IP addresses, yielding to 3 effective rules revealed by pfctl -s rules | grep "datacenteripv4 ssh deny".

Thanks!