pflog: print the ruleset if it's present.

guyharris · guyharris · commit b50d26f23956 · 2024-12-17T01:00:52.000-08:00
Do that regardless of whether the subrule is present.

Picked up from the OpenBSD tcpdump.
diff --git a/CHANGES b/CHANGES
@@ -148,7 +148,11 @@ Friday, August 30, 2024 / The Tcpdump Group
       OSPF: Update LS-Ack printing not to run off the end of the packet.
       OSPF6: Fix an undefined behavior.
       pflog: use nd_ types in struct pfloghdr.
+      pflog: print some additional fields from the header (picked up
+        from the FreeBSD tcpdump).
       pflog: handle all types of pflog files (as best as can be done)
+      pflog: print the ruleset if it's present, regardless of whether
+        the subrule is present (picked up from the OpenBSD tcpdump).
       PPP: Check if there is some data to hexdump.
       PPP: Remove an extra colon before LCP Callback Operation.
       Use the buffer stack for de-escaping PPP; fixes CVE-2024-2397;
diff --git a/print-pflog.c b/print-pflog.c
@@ -350,13 +350,17 @@ pflog_print(netdissect_options *ndo, const struct pfloghdr *hdr)
 
 	rulenr = GET_BE_U_4(hdr->rulenr);
 	subrulenr = GET_BE_U_4(hdr->subrulenr);
-	if (subrulenr == (uint32_t)-1)
-		ND_PRINT("rule %u/", rulenr);
-	else {
-		ND_PRINT("rule %u.", rulenr);
-		nd_printjnp(ndo, (const u_char*)hdr->ruleset, PFLOG_RULESET_NAME_SIZE);
-		ND_PRINT(".%u/", subrulenr);
+	ND_PRINT("rule ");
+	if (rulenr != (uint32_t)-1) {
+		ND_PRINT("%u", rulenr);
+		if (hdr->ruleset[0] != '\0') {
+			ND_PRINT(".");
+			nd_printjnp(ndo, (const u_char*)hdr->ruleset, PFLOG_RULESET_NAME_SIZE);
+		}
+		if (subrulenr != (uint32_t)-1)
+			ND_PRINT(".%u", subrulenr);
 	}
+	ND_PRINT("/");
 
 	if (length == PFLOG_HEADER_LEN_FREEBSD)
 		ND_PRINT("%s", tok2str(pf_reasons_freebsd, "unkn(%u)", GET_U_1(hdr->reason)));
