pf: Reject rules with invalid port ranges

Description

Ranges where the left boundary is bigger than the right one are always bogus
as they work like `port any' (`port 34<>12' means "all ports") or in a way
that inverts the rule's action (`pass ... port 34:12' means "pass no port at
all").

Add checks for all ranges and invalidate those that yield no or all ports.

For this to work on redirections, make pfctl(8) pass the range's type,
otherwise boundary including ranges are not detected as such; that is to
say, struct pf_pool's `port_op' member was unused in the kernel so far.

`rdr-to' rules with invalid ranges could panic the kernel when hit.
Reported-by: syzbot+9c309db201f06e39a8ba@syzkaller.appspotmail.com

OK sashan

Obtained from: OpenBSD, kn <kn@openbsd.org>, 39c2a1337a
Sponsored by: Rubicon Communications, LLC ("Netgate")
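The three cases the commit message describes (an inverted `:' range that selects no port, an inverted `<>' range that selects every port, and `><' which is also empty when inverted) as an added example, not code from the FreeBSD or OpenBSD tree; the operator names and the brute-force count over all 65536 ports are this example's own, with the match semantics mirroring pf's port operators:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Port operators as pfctl spells them; the enum names are constructed here. */
enum port_op {
	OP_RANGE,   /* a:b   inclusive range            */
	OP_INSIDE,  /* a><b  strictly between a and b    */
	OP_OUTSIDE  /* a<>b  strictly outside a and b    */
};

/* Does port p satisfy the operator? Same comparisons pf uses per operator. */
static bool
port_matches(enum port_op op, uint16_t a, uint16_t b, uint16_t p)
{
	switch (op) {
	case OP_RANGE:   return p >= a && p <= b;
	case OP_INSIDE:  return p > a && p < b;
	case OP_OUTSIDE: return p < a || p > b;
	}
	return false;
}

/* How many of the 65536 possible ports the range actually selects. */
static unsigned
ports_selected(enum port_op op, uint16_t a, uint16_t b)
{
	unsigned n = 0;
	for (unsigned p = 0; p <= 65535; p++)
		if (port_matches(op, a, b, (uint16_t)p))
			n++;
	return n;
}

/* The check the commit adds: a range that yields no port or every port
 * is rejected at rule-load time instead of silently meaning "any" or "none". */
static bool
port_range_valid(enum port_op op, uint16_t a, uint16_t b)
{
	unsigned n = ports_selected(op, a, b);
	return n != 0 && n != 65536;
}

int
main(void)
{
	printf("port 34:12  selects %u ports\n", ports_selected(OP_RANGE, 34, 12));
	printf("port 34<>12 selects %u ports\n", ports_selected(OP_OUTSIDE, 34, 12));
	printf("port 34><12 selects %u ports\n", ports_selected(OP_INSIDE, 34, 12));
	printf("port 12:34  valid: %d\n", port_range_valid(OP_RANGE, 12, 34));
	return 0;
}
```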

Details

Provenance
kp authored on Jul 7 2025, 3:09 PM
Parents
rGbd6786eada91: pfctl tests: avoid the synproxy warning