The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=d2bb19883f780ea17a794787d6b67e75059b085e

commit d2bb19883f780ea17a794787d6b67e75059b085e
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-02-11 09:59:12 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-02-14 17:47:52 +0000

    pf: introduce a way to match "any" interface, excluding loopback ones
    
    pfi_kkif_attach() annotates the kif with a flag indicating it is the "any" match.
    pfi_kkif_match() obeys that flag.
    
    ok benno
    
    Obtained from:  OpenBSD, henning <henn...@openbsd.org>, 4be478ce5d
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/net/pfvar.h        | 1 +
 sys/netpfil/pf/pf_if.c | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 964a1d41f353..0295bcc125f8 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1600,6 +1600,7 @@ struct pfi_kkif {
 
 #define        PFI_IFLAG_REFS          0x0001  /* has state references */
 #define PFI_IFLAG_SKIP         0x0100  /* skip filtering on interface */
+#define        PFI_IFLAG_ANY           0x0200  /* match any non-loopback 
interface */
 
 #ifdef _KERNEL
 struct pf_sctp_multihome_job;
diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
index d2b1b6a781f4..31fc8b152719 100644
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -357,6 +357,11 @@ pfi_kkif_attach(struct pfi_kkif *kif, const char *kif_name)
        kif->pfik_tzero = time_second > 1 ? time_second : 0;
        TAILQ_INIT(&kif->pfik_dynaddrs);
 
+       if (!strcmp(kif->pfik_name, "any")) {
+               /* both so it works in the ioctl and the regular case */
+               kif->pfik_flags |= PFI_IFLAG_ANY;
+       }
+
        RB_INSERT(pfi_ifhead, &V_pfi_ifs, kif);
 
        return (kif);
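Review bot: The PFI_IFLAG_ANY flag is set purely from a name comparison, so, as far as this hunk shows, a real ifnet that happens to be named "any" (for instance one renamed by an administrator) would also be flagged when it is attached, and rules bound to it would then match every non-loopback interface; worth confirming that callers never create an ifnet-backed kif with that name, or guarding the assignment with `kif->pfik_ifp == NULL` if the ifnet pointer is already populated at this point. The comment `/* both so it works in the ioctl and the regular case */` does not say what "both" refers to; presumably it means that flagging here, on the shared attach path, covers kifs created during rule load via ioctl as well as those created when an ifnet attaches, and the comment should say so explicitly, e.g. `/* Flag the "any" pseudo-kif here so that kifs created from the ioctl (rule load) path and from ifnet attach both carry it. */`. The closing brace of pfi_kkif_attach() lies past the end of this hunk.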
@@ -474,6 +479,10 @@ pfi_kkif_match(struct pfi_kkif *rule_kif, struct pfi_kkif 
*packet_kif)
                                return (1);
        }
 
+       if (rule_kif->pfik_flags & PFI_IFLAG_ANY && packet_kif->pfik_ifp &&
+           !(packet_kif->pfik_ifp->if_flags & IFF_LOOPBACK))
+                       return (1);
+
        return (0);
 }
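Review bot: The added `return (1);` is indented one level too deep (24 columns, where the body of an `if` starting at column 8 belongs at 16), which is inconsistent with the surrounding style(9) code in pfi_kkif_match(). The condition `rule_kif->pfik_flags & PFI_IFLAG_ANY && packet_kif->pfik_ifp` relies on `&` binding tighter than `&&`; that is correct, but the file's readers will thank you for `if ((rule_kif->pfik_flags & PFI_IFLAG_ANY) && packet_kif->pfik_ifp != NULL && !(packet_kif->pfik_ifp->if_flags & IFF_LOOPBACK))` followed by `return (1);` at 16 columns. The NULL check on pfik_ifp means a packet kif with no attached ifnet never matches "any", which looks like the conservative and intended choice, but a one-line comment saying so would prevent someone "fixing" it later. The opening of pfi_kkif_match() and the earlier name/group comparisons are outside this hunk.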
 
