pf: why is that rule not working?

[ivanatora]

Hello,
The situation is simple: two machines are behind NAT and I'm operating on the NAT box. The NAT is set up correctly - both of the machines are connected to the Internet. I have a few IPs from Internet that are put into a table <data>.
I'm trying to learn PF, but something is not going well. I have a rule that doesn't match. In order to debug things, I've set up a logging on that rule and it really doesn't match at all. Could you explain me why?
Forget about the (probably messed up) ALTQ, now everything I want is to understand why the last rule doesn't match.

Code:

### Macros
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"

### Tables
table <network>  { 192.168.0.34, 192.168.0.223 }
table <data> persist file "/root/ip-store.data"

### Normalizations
scrub in all

### Queueing

altq on $int_if hfsc bandwidth 10Mb queue {general, data}
queue general bandwidth 4Mb hfsc (realtime 4Mb upperlimit 4Mb default)   
queue data bandwidth 1Mb hfsc (realtime 128Kb upperlimit 256Kb)

### Translation
nat pass on $ext_if from <network> to any -> $ext_ip

### Filtering

#pass log (all to pflog0) on $ext_if proto icmp # this is working on pflog0 or pflog1, so probability of not working logging devices is zero
pass out log (all to pflog1) on $int_if proto tcp from <data> to <network> #this is not working - nothing is logged to pflog1

First I made myself sure there are some ips into the <data> table - they were there. Then I tried to replace "from <data>" with "from any" - I hought there is no traffic from these hosts, and I tried expanding the rule to apply to the whole traffic. Nothing was logged again.
As you have seen I'm trying to do some ALTQ on the internal interface (for incomming traffic I thing this is the right interface?), and that's why I need that rule to get working. I assume something is totaly wrong in my setup or in my understandings, isn't it?

************************************************** *******************
Things are getting even more confusing!
I changed

Code:

pass out log (all to pflog1) on $int_if proto tcp from <data> to <network>

to

Code:

pass in log (all to pflog1) on $int_if proto tcp from <network> to <data>

and pflog1 began to log!
Despite the "from <network> to any" I see in tcpdump packets flying in both directions, like:

Code:

19:51:36.024411 IP 195.149.248.137.80 > 192.168.0.34.46276:  tcp 1472 [bad hdr length 8 - too short, < 20]
19:51:36.024738 IP 192.168.0.34.46276 > 195.149.248.137.80:  tcp 12 [bad hdr length 8 - too short, < 20]

I thought only the second packet should show up becouse of the "one way" matching only?
And why the opposite direction rule again doesn't match?

Code:

pass out log (all to pflog0) on $int_if proto tcp from <data> to <network>

************************************************** *******************
I'd say there is something interesting even more.
I see packets on pflog1, but according to pfctl -s rules, there shouldn't be any packets at all:

Code:

# pfctl -v -s rules
scrub in all fragment reassemble
  [ Evaluations: 39611     Packets: 19895     Bytes: 7958775     States: 0     ]
  [ Inserted: uid 0 pid 3338 ]
pass out quick on re0 from any to <network> flags S/SA keep state label "incomming"
  [ Evaluations: 5050      Packets: 8         Bytes: 1747        States: 8     ]
  [ Inserted: uid 0 pid 3338 ]
pass in log (all, to pflog1) on re0 proto tcp from <network> to <data> flags S/SA keep state label "??? in"
  [ Evaluations: 4688      Packets: 0         Bytes: 0           States: 0     ]                                                     <--- packets 0 !
  [ Inserted: uid 0 pid 3338 ]
pass in log (all) on rl0 proto tcp from <data> to <network> flags S/SA keep state label "??? out"
  [ Evaluations: 3186      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 3338 ]