The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=67c19da08f5788da53cec2764618b9a0dd97460f

commit 67c19da08f5788da53cec2764618b9a0dd97460f
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-02-10 16:30:50 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-02-13 12:38:44 +0000

    pf: support negated matches on the rcvif
    
    ok dlg benno
    
    Obtained from:  OpenBSD, henning <henn...@openbsd.org>, 08c03b768d
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/net/pfvar.h           | 1 +
 sys/netpfil/pf/pf.c       | 3 ++-
 sys/netpfil/pf/pf_ioctl.c | 1 +
 sys/netpfil/pf/pf_nl.c    | 2 ++
 sys/netpfil/pf/pf_nl.h    | 1 +
 5 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 88364aaa45ed..d973fe15a5c4 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -865,6 +865,7 @@ struct pf_krule {
        u_int8_t                 prio;
        u_int8_t                 set_prio[2];
        sa_family_t              naf;
+       u_int8_t                 rcvifnot;
 
        struct {
                struct pf_addr          addr;
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 1b0eb6d6dd80..378be1e72d9a 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5778,7 +5778,8 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm,
                PF_TEST_ATTRIB(r->match_tag && !pf_match_tag(pd->m, r, &tag,
                    pd->pf_mtag ? pd->pf_mtag->tag : 0),
                        TAILQ_NEXT(r, entries));
-               PF_TEST_ATTRIB(r->rcv_kif && !pf_match_rcvif(pd->m, r),
+               PF_TEST_ATTRIB((r->rcv_kif && pf_match_rcvif(pd->m, r) ==
+                  r->rcvifnot),
                        TAILQ_NEXT(r, entries));
                PF_TEST_ATTRIB((r->rule_flag & PFRULE_FRAGMENT &&
                    pd->virtual_proto != PF_VPROTO_FRAGMENT),
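Review bot: The rewritten test on the `pf_match_rcvif` line compares the function's return value for equality with `r->rcvifnot`, which is only correct if `pf_match_rcvif` returns exactly 0 or 1 and `rcvifnot` holds exactly 0 or 1; neither is established inside this hunk (the field is a `u_int8_t`, and the netlink parser is the only writer shown). A form that does not depend on that, `PF_TEST_ATTRIB((r->rcv_kif && (pf_match_rcvif(pd->m, r) != 0) == (r->rcvifnot != 0)),`, keeps the same semantics and survives a future `pf_match_rcvif` that returns something other than 1 on a match. It is also worth a one-line comment here that any "could not evaluate" return of 0 from `pf_match_rcvif` (I presume there are such paths, e.g. no receive interface) now counts as "not received on the interface" and therefore matches a negated rule, since that widens what a `received-on !` rule catches. The body of `pf_test_rule` starts and ends outside the hunk.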
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index b8e9a078baf2..bea2cf1a5331 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1316,6 +1316,7 @@ pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule)
        PF_MD5_UPD(rule, af);
        PF_MD5_UPD(rule, quick);
        PF_MD5_UPD(rule, ifnot);
+       PF_MD5_UPD(rule, rcvifnot);
        PF_MD5_UPD(rule, match_tag_not);
        PF_MD5_UPD(rule, natpass);
        PF_MD5_UPD(rule, keep_state);
diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
index 97552880b9e3..4cdb16d1fbba 100644
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@@ -737,6 +737,7 @@ static const struct nlattr_parser nla_p_rule[] = {
        { .type = PF_RT_RPOOL_NAT, .off = _OUT(nat), .arg = &pool_parser, .cb = 
nlattr_get_nested },
        { .type = PF_RT_NAF, .off = _OUT(naf), .cb = nlattr_get_uint8 },
        { .type = PF_RT_RPOOL_RT, .off = _OUT(route), .arg = &pool_parser, .cb 
= nlattr_get_nested },
+       { .type = PF_RT_RCV_IFNOT, .off = _OUT(rcvifnot), .cb = nlattr_get_bool 
},
 };
 NL_DECLARE_ATTR_PARSER(rule_parser, nla_p_rule);
 #undef _OUT
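Review bot: The new `PF_RT_RCV_IFNOT` parser entry is the only place in the commit where `rcvifnot` is set from userland, and the diffstat shows no change to any other rule-import path (the nvlist conversion in `pf_nv.c` or the legacy `struct pf_rule`), so if those paths are still reachable for adding or fetching rules, a rule sent through them loses the negation and is installed as a plain rcvif match — silently the opposite policy of what was written. If those paths are intentionally not extended because pfctl no longer uses them, a short comment on this entry, `/* rcvifnot is only settable via netlink; nvlist/ioctl rule paths do not carry it */`, would record that. The `nla_p_rule` array begins outside the hunk; the second hunk in this file (the `nlattr_add_bool` in `pf_handle_getrule`) is the matching export and has the same coverage question.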
@@ -940,6 +941,7 @@ pf_handle_getrule(struct nlmsghdr *hdr, struct nl_pstate 
*npt)
        nlattr_add_rule_uid(nw, PF_RT_GID, (const struct pf_rule_uid 
*)&rule->gid);
 
        nlattr_add_string(nw, PF_RT_RCV_IFNAME, rule->rcv_ifname);
+       nlattr_add_bool(nw, PF_RT_RCV_IFNOT, rule->rcvifnot);
 
        nlattr_add_u32(nw, PF_RT_RULE_FLAG, rule->rule_flag);
        nlattr_add_u8(nw, PF_RT_ACTION, rule->action);
diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h
index a66ff5bc3f1e..4d9db08c8be2 100644
--- a/sys/netpfil/pf/pf_nl.h
+++ b/sys/netpfil/pf/pf_nl.h
@@ -270,6 +270,7 @@ enum pf_rule_type_t {
        PF_RT_RPOOL_NAT         = 75, /* nested, pf_rpool_type_t */
        PF_RT_NAF               = 76, /* u8 */
        PF_RT_RPOOL_RT          = 77, /* nested, pf_rpool_type_t */
+       PF_RT_RCV_IFNOT         = 78, /* bool */
 };
 
 enum pf_addrule_type_t {
