$OpenBSD: patch-src_decode_h,v 1.1 2012/04/07 08:31:39 mcbride Exp $
--- src/decode.h.orig	Fri Mar 19 02:50:54 2010
+++ src/decode.h	Sat Apr  7 16:10:11 2012
@@ -749,13 +749,14 @@ typedef struct _SLLHdr {
 
 
 /*
- * Snort supports 3 versions of the OpenBSD pflog header:
+ * Snort supports 4 versions of the OpenBSD pflog header:
  *
  * Pflog1_Hdr:  CVS = 1.3,  DLT_OLD_PFLOG = 17,  Length = 28
  * Pflog2_Hdr:  CVS = 1.8,  DLT_PFLOG     = 117, Length = 48
  * Pflog3_Hdr:  CVS = 1.12, DLT_PFLOG     = 117, Length = 64
+ * Pflog4_Hdr:  CVS = 1.16, DLT_PFLOG     = 117, Length = 100
  *
- * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
+ * Since they have the same DLT, Pflog{2,3,4}Hdr are distinguished
  * by their actual length.  The minimum required length excludes
  * padding.
  */
@@ -823,6 +824,33 @@ typedef struct _Pflog3_hdr
 #define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
 #define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
 
+typedef struct _Pflog4_hdr
+{
+    uint8_t  length;
+    uint8_t  af;
+    uint8_t  action;
+    uint8_t  reason;
+    char     ifname[IFNAMSIZ];
+    char     ruleset[PFLOG_RULELEN];
+    uint32_t rulenr;
+    uint32_t subrulenr;
+    uint32_t uid;
+    uint32_t pid;
+    uint32_t rule_uid;
+    uint32_t rule_pid;
+    uint8_t  dir;
+    uint8_t  rewritten;
+    uint8_t  naf;
+    uint8_t  pad[1];
+    uint8_t  saddr[16];
+    uint8_t  daddr[16];
+    uint16_t sport;
+    uint16_t dport;
+} Pflog4Hdr;
+
+#define PFLOG4_HDRLEN (sizeof(struct _Pflog4_hdr))
+#define PFLOG4_HDRMIN (PFLOG4_HDRLEN)	/* no trailing padding */
+
 /*
  * ssl_pkttype values.
  */
@@ -1627,6 +1655,7 @@ typedef struct _Packet
     Pflog1Hdr *pf1h;            /* OpenBSD pflog interface header - version 1 */
     Pflog2Hdr *pf2h;            /* OpenBSD pflog interface header - version 2 */
     Pflog3Hdr *pf3h;            /* OpenBSD pflog interface header - version 3 */
+    Pflog4Hdr *pf4h;            /* OpenBSD pflog interface header - version 4 */
 
     const SLLHdr *sllh;         /* Linux cooked sockets header */
     const WifiHdr *wifih;       /* wireless LAN header */
