display negate rules in firewall_rules.php and evaluate when added
the fact the negate policy routing rule isn't shown is bad as it has lead to unintended consequences (ends up passing traffic people don't realize is passed because it's hidden). They should be shown as a grayed out auto-added rule, similar to block private/bogon.
Also need to look at when and how that rule is automatically added. In some circumstances it can allow more traffic than the user intends, such as: