
pflog: the default rulenr is "-1"

Open fichtner opened this issue 1 year ago • 3 comments

As reported by an OPNsense user doing a security scan, pf/pflog can drop e.g. invalid-length packets under the default rule, which also uses a -1 value, like subrulenr.

Transform the displayed value from "4294967295" to "-1" in this case because it is more correct (although both are suboptimal for processing).

FreeBSD: https://cgit.freebsd.org/src/tree/sys/netpfil/pf/pf_ioctl.c?id=3347078000c078f2e67214ef1ba2e0bffe1aea4f#n349
OpenBSD: https://github.com/openbsd/src/blob/142580dd4dc788acb41545aca79c845e04d1cb7d/sys/net/pf_ioctl.c#L242

See also: https://github.com/opnsense/core/issues/6800

fichtner avatar Oct 09 '23 07:10 fichtner

I don't mind changing the value to something else as requested as displaying "default" also makes sense, but it may have a bigger impact on parsers.

fichtner avatar Oct 09 '23 07:10 fichtner

OpenBSD prints "def" in tcpdump. This is easier to understand for the user than -1 in output. https://github.com/openbsd/src/blob/de35ea824a17d664ed147ca87993647d140bcf42/usr.sbin/tcpdump/print-pflog.c#L98

bluhm avatar Oct 09 '23 12:10 bluhm

@bluhm Thanks for the pointer. I've updated it accordingly.

fichtner avatar Oct 09 '23 13:10 fichtner
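The situation discussed in this thread, as an added example that is not tcpdump's own print-pflog.c code: a small parser for the pflog link-layer header that reads the rule numbers and prints the kernel's -1 (stored as 0xffffffff in the unsigned field) as "def", the way bluhm says OpenBSD's tcpdump does, instead of 4294967295. The field offsets (ifname at 4, rulenr at 36, subrulenr at 40, dir at 60, a 61-byte real header length) are assumed from the FreeBSD struct pfloghdr layout, and the rule numbers are read big-endian because the kernel writes them with htonl(); the header bytes in pflog_build() are constructed, not captured.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets into struct pfloghdr, assumed from FreeBSD's sys/net/if_pflog.h:
 * u8 length, u8 af, u8 action, u8 reason, char ifname[16], char ruleset[16],
 * u32 rulenr, u32 subrulenr, u32 uid, u32 pid, u32 rule_uid, u32 rule_pid,
 * u8 dir, u8 pad[3]. rulenr/subrulenr are stored with htonl(), i.e. big-endian. */
#define PFLOG_OFF_IFNAME     4
#define PFLOG_OFF_RULENR     36
#define PFLOG_OFF_SUBRULENR  40
#define PFLOG_OFF_DIR        60
#define PFLOG_REAL_HDRLEN    61   /* assumed: header bytes actually filled in */
#define PFLOG_HDRLEN         64   /* assumed: sizeof(struct pfloghdr) with padding */

/* A kernel-side rule number of -1 (the default rule) lands in the unsigned
 * 32-bit field as 0xffffffff, which naive "%u" printing shows as 4294967295. */
#define PFLOG_RULENR_DEFAULT 0xffffffffu

struct pflog_rec {
    uint8_t  length, af, action, reason, dir;
    char     ifname[17];          /* one extra byte so it is always NUL-terminated */
    uint32_t rulenr, subrulenr;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse a pflog header from buf. Returns 0 on success, -1 if the buffer is too
 * short or the length byte does not describe a plausible header. */
int pflog_parse(const uint8_t *buf, size_t len, struct pflog_rec *out) {
    if (len < PFLOG_REAL_HDRLEN || buf[0] < PFLOG_REAL_HDRLEN || buf[0] > len)
        return -1;
    memset(out, 0, sizeof *out);
    out->length = buf[0];
    out->af     = buf[1];
    out->action = buf[2];
    out->reason = buf[3];
    memcpy(out->ifname, buf + PFLOG_OFF_IFNAME, 16);   /* byte 16 stays NUL from memset */
    out->rulenr    = be32(buf + PFLOG_OFF_RULENR);
    out->subrulenr = be32(buf + PFLOG_OFF_SUBRULENR);
    out->dir       = buf[PFLOG_OFF_DIR];
    return 0;
}

/* Format a rule number for display: "def" for the default rule (the value the
 * kernel stores as -1), the plain decimal number otherwise. */
const char *pflog_rulenr_str(uint32_t nr, char *buf, size_t len) {
    if (nr == PFLOG_RULENR_DEFAULT)
        snprintf(buf, len, "def");
    else
        snprintf(buf, len, "%u", nr);
    return buf;
}

/* Build a constructed 64-byte pflog header (sample input, not a real capture).
 * Returns the number of bytes written. */
size_t pflog_build(uint8_t *buf, const char *ifname, uint32_t rulenr,
                   uint32_t subrulenr, uint8_t action, uint8_t dir) {
    size_t n = strlen(ifname);
    if (n > 16) n = 16;
    memset(buf, 0, PFLOG_HDRLEN);
    buf[0] = PFLOG_REAL_HDRLEN;
    buf[1] = 2;                 /* AF_INET on FreeBSD/OpenBSD */
    buf[2] = action;            /* 0 = pass, 1 = drop (PF_PASS / PF_DROP) */
    buf[3] = 0;                 /* reason */
    memcpy(buf + PFLOG_OFF_IFNAME, ifname, n);
    for (int i = 0; i < 4; i++) {
        buf[PFLOG_OFF_RULENR + i]    = (uint8_t)(rulenr    >> (24 - 8 * i));
        buf[PFLOG_OFF_SUBRULENR + i] = (uint8_t)(subrulenr >> (24 - 8 * i));
    }
    buf[PFLOG_OFF_DIR] = dir;
    return PFLOG_HDRLEN;
}

int main(void) {
    uint8_t hdr[PFLOG_HDRLEN];
    struct pflog_rec rec;
    char r[16], s[16];

    /* The case from the issue: a drop under the default rule, both numbers -1. */
    pflog_build(hdr, "vtnet0", PFLOG_RULENR_DEFAULT, PFLOG_RULENR_DEFAULT, 1, 1);
    if (pflog_parse(hdr, sizeof hdr, &rec) == 0)
        printf("rule %s/%s on %s\n", pflog_rulenr_str(rec.rulenr, r, sizeof r),
               pflog_rulenr_str(rec.subrulenr, s, sizeof s), rec.ifname);
    return 0;
}
```

The check that matters is the comparison against 0xffffffff before printing: the kernel's -1 is only -1 while it sits in a signed variable, so a decoder that prints the field with "%u" without that comparison is where 4294967295 comes from.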