From bb6ddad31be929650d15bf9278b19187a77848b3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Mon, 9 Oct 2023 09:03:55 +0200
Subject: [PATCH 1/2] pflog: the default rulenr is "-1"
As reported by an OPNsense user doing a security scan pf/pflog can drop e.g. invalid length packets under the default rule which also uses a -1 value like subrulenr. Transform the displayed value from "4294967295" to "-1" in this case because it is more correct (although both are suboptimal for processing).
FreeBSD: https://cgit.freebsd.org/src/tree/sys/netpfil/pf/pf_ioctl.c?id=3347078000c078f2e67214ef1ba2e0bffe1aea4f#n349
OpenBSD: https://github.com/openbsd/src/blob/142580dd4dc788acb41545aca79c845e04d1cb7d/sys/net/pf_ioctl.c#L242
See also: https://github.com/opnsense/core/issues/6800
---
 print-pflog.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/print-pflog.c b/print-pflog.c
index 408113534..07c433395 100644
--- a/print-pflog.c
+++ b/print-pflog.c
@@ -108,9 +108,12 @@ pflog_print(netdissect_options *ndo, const struct pfloghdr *hdr)
 ndo->ndo_protocol = "pflog";
 rulenr = GET_BE_U_4(hdr->rulenr);
 subrulenr = GET_BE_U_4(hdr->subrulenr);
- if (subrulenr == (uint32_t)-1)
- ND_PRINT("rule %u/", rulenr);
- else {
+ if (subrulenr == (uint32_t)-1) {
+ if (rulenr == (uint32_t)-1)
+ ND_PRINT("rule %d/", -1);
+ else
+ ND_PRINT("rule %u/", rulenr);
+ } else {
 ND_PRINT("rule %u.", rulenr);
 nd_printjnp(ndo, (const u_char*)hdr->ruleset, PFLOG_RULESET_NAME_SIZE);
 ND_PRINT(".%u/", subrulenr);
From 0403ad2b677ff589ebd1b338fddeb1789d1078f3 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Mon, 9 Oct 2023 15:16:03 +0200
Subject: [PATCH 2/2] pflog: use the OpenBSD way of printing this edge case
---
 print-pflog.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/print-pflog.c b/print-pflog.c
index 07c433395..4f457ba32 100644
--- a/print-pflog.c
+++ b/print-pflog.c
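Review bot: The new `rulenr == (uint32_t)-1` test is only reached inside the `subrulenr == (uint32_t)-1` branch, so a header carrying the rulenr sentinel together with a real subrulenr would still print `rule 4294967295.<ruleset>.<n>/`; whether pf can ever emit that combination is not visible here, and the second patch's hunk inherits the same shape. If the default rule is known never to carry a subrule, a comment above the outer `if` should say so, e.g. `/* rulenr == subrulenr == (uint32_t)-1: packet matched pf's implicit default rule */`. The `(uint32_t)-1` sentinel now appears three times in this hunk; one file-local constant for it would keep the two comparisons in step. pflog_print starts and ends outside the hunk.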
@@ -110,7 +110,7 @@ pflog_print(netdissect_options *ndo, const struct pfloghdr *hdr)
 subrulenr = GET_BE_U_4(hdr->subrulenr);
 if (subrulenr == (uint32_t)-1) {
 if (rulenr == (uint32_t)-1)
- ND_PRINT("rule %d/", -1);
+ ND_PRINT("rule %s/", "def");
 else
 ND_PRINT("rule %u/", rulenr);
 } else {
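Review bot: Passing a fixed string through `%s` adds a varargs round-trip for no gain; folding it into the format, `ND_PRINT("rule def/");`, prints the same bytes and matches how the neighbouring branches already spell constant text inside the format. Because the rule field changes from a number to the token `def` for default-rule drops, any consumer that parses tcpdump's pflog lines numerically (log shippers, alerting on default-rule hits) has to accept it; a short comment on the inner `if`, such as `/* rulenr == (uint32_t)-1 is pf's implicit default rule; print "def" as OpenBSD does */`, records where the token comes from. pflog_print starts and ends outside the hunk.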