From 4f4ebd28967392daea4938eeaaae8a9aca5ca1ba Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 12 Mar 2025 11:19:58 +0100
Subject: [PATCH] pf: only force state failure logging if logging was requested
PR: https://forum.opnsense.org/index.php?topic=45801.0
Fixes: 1a2a481
---
 sys/netpfil/pf/pf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 202a270e063..91ea51a7275 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5084,7 +5084,9 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, struct pfi_kkif *kif,
 hdrlen, &match_rules);
 sk = nk = NULL;
 if (action != PF_PASS) {
- pd->act.log |= PF_LOG_FORCE;
+ /* XXX force drop log only for eligible rules */
+ if (r->log || (nr != NULL && nr->log))
+ pd->act.log |= PF_LOG_FORCE;
 if (action == PF_DROP &&
 (r->rule_flag & PFRULE_RETURN))
 pf_return(r, nr, pd, off, m, th, kif,
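Review bot: The added comment `/* XXX force drop log only for eligible rules */` in the `action != PF_PASS` branch leaves "eligible" undefined and does not state the consequence: a packet dropped on this failure path is now force-logged only when `r->log` or `nr->log` is set, so the same drop on a non-logging rule produces no log entry. I would replace it with `/* Failure after rule match: force a log entry only if the matching rule (r) or its companion rule (nr) requested logging; otherwise the drop is silent. */`. Because these failures can be an early indicator of state or limit pressure, it is worth confirming that they stay observable through counters when the rule does not log. The condition also reads only `r->log` and `nr->log`; if `pd->act.log` can already hold log bits from other rules (not visible in this hunk), testing that field may be the more complete check. The body of pf_test_rule starts and ends outside the hunk.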