this diff adds "any" as a way to match any non-loopback interface.
primary use is probably sth like
block out on $someif received-on any
which prevents anything from being forwarded to $someif, while still
allowing locally generated packets.
pass on any
also works, but is probably not all that useful.
Index: sys/net/pf_if.c
===================================================================
RCS file: /cvs/src/sys/net/pf_if.c,v
retrieving revision 1.70
diff -u -p -r1.70 pf_if.c
--- sys/net/pf_if.c 8 Jan 2014 22:38:29 -0000 1.70
+++ sys/net/pf_if.c 20 Jan 2014 03:54:33 -0000
@@ -118,6 +118,12 @@ pfi_kif_get(const char *kif_name)
kif->pfik_tzero = time_second;
TAILQ_INIT(&kif->pfik_dynaddrs);
+ if (!strcmp(kif->pfik_name, "any")) {
+ /* both so it works in the ioctl and the regular case */
+ kif->pfik_flags |= PFI_IFLAG_ANY;
+ kif->pfik_flags_new |= PFI_IFLAG_ANY;
+ }
+
RB_INSERT(pfi_ifhead, &pfi_ifs, kif);
return (kif);
}
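Review bot: The comment `/* both so it works in the ioctl and the regular case */` names the two consumers but not which field each one reads, so a later change that recomputes pfik_flags from pfik_flags_new (or the other way round) could drop PFI_IFLAG_ANY unnoticed; presumably pfik_flags_new is the copy the ioctl path commits and pfik_flags the one the packet path tests, in which case I would write `/* "any" is a property of the name, not of a real ifnet: set it in both pfik_flags (read on the packet path) and pfik_flags_new (committed by the ioctl path) so no flag-sync step can lose it */`. The wildcard is derived solely from the strcmp on pfik_name, so every kif created under that name becomes a match-everything interface; as far as I know real interface names here are driver+unit and cannot collide with "any", but that assumption is worth a one-line note at the strcmp. pfi_kif_get begins before the hunk.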
@@ -199,6 +205,10 @@ pfi_kif_match(struct pfi_kif *rule_kif,
TAILQ_FOREACH(p, &packet_kif->pfik_ifp->if_groups, ifgl_next)
if (p->ifgl_group == rule_kif->pfik_group)
return (1);
+
+ if (rule_kif->pfik_flags & PFI_IFLAG_ANY && packet_kif->pfik_ifp &&
+ !(packet_kif->pfik_ifp->if_flags & IFF_LOOPBACK))
+ return (1);
return (0);
}
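Review bot: The added condition mixes `&` with `&&` without parentheses around the flag test, which is easy to misread; `if ((rule_kif->pfik_flags & PFI_IFLAG_ANY) && packet_kif->pfik_ifp &&` followed by `    !(packet_kif->pfik_ifp->if_flags & IFF_LOOPBACK))` reads unambiguously and does not change behavior, since `&` binds tighter than `&&`. The `packet_kif->pfik_ifp` guard also means a kif with no attached ifnet never matches "any", which agrees with the man page's "existing interface" wording; a short comment such as `/* "any": every attached, non-loopback interface */` on the check would keep the guard from being removed later as redundant with the group loop above, which already dereferences pfik_ifp (presumably under a check outside the hunk). pfi_kif_match begins before the hunk.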
Index: sys/net/pfvar.h
===================================================================
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving revision 1.396
diff -u -p -r1.396 pfvar.h
--- sys/net/pfvar.h 20 Jan 2014 02:57:50 -0000 1.396
+++ sys/net/pfvar.h 20 Jan 2014 04:01:19 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.394 2014/01/03 12:43:09 pelikan Exp $ */
+/* $OpenBSD: pfvar.h,v 1.396 2014/01/20 02:57:50 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1222,6 +1222,7 @@ enum pfi_kif_refs {
};
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
+#define PFI_IFLAG_ANY 0x0200 /* match any non-loopback interface */
struct pf_pdesc {
struct {
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.629
diff -u -p -r1.629 parse.y
--- sbin/pfctl/parse.y 20 Jan 2014 02:59:13 -0000 1.629
+++ sbin/pfctl/parse.y 20 Jan 2014 03:20:52 -0000
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.627 2013/11/22 04:12:48 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.629 2014/01/20 02:59:13 henning Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -2762,6 +2762,15 @@ if_item : STRING {
$$->ifa_flags = n->ifa_flags;
free($1);
+ $$->not = 0;
+ $$->next = NULL;
+ $$->tail = $$;
+ }
+ | ANY {
+ $$ = calloc(1, sizeof(struct node_if));
+ if ($$ == NULL)
+ err(1, "if_item: calloc");
+ strlcpy($$->ifname, "any", sizeof($$->ifname));
$$->not = 0;
$$->next = NULL;
$$->tail = $$;
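Review bot: The ANY alternative relies on calloc's zero fill for `$$->ifa_flags` while the STRING alternative assigns it explicitly, so the two branches no longer read as parallel; an explicit `$$->ifa_flags = 0;` after the strlcpy makes it clear that no interface lookup is intended for "any". The three trailing assignments (`not`, `next`, `tail`) are now duplicated verbatim in both alternatives and could move to a small helper, or the `not`/`next` ones could be dropped where calloc already zeroes them. The if_item rule begins before the hunk.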
Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.534
diff -u -p -r1.534 pf.conf.5
--- share/man/man5/pf.conf.5 20 Jan 2014 02:59:55 -0000 1.534
+++ share/man/man5/pf.conf.5 20 Jan 2014 04:05:09 -0000
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.532 2013/12/21 20:57:01 camield Exp $
+.\" $OpenBSD: pf.conf.5,v 1.534 2014/01/20 02:59:55 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" Copyright (c) 2003 - 2013 Henning Brauer <[email protected]>
@@ -276,6 +276,8 @@ see the
.Ic group
keyword in
.Xr ifconfig 8 .
+.Ar any
+will match any existing interface except loopback ones.
.It Ar on Ar rdomain Aq Ar number
This rule applies only to packets coming in on, or going out through, this
particular routing domain.
@@ -627,6 +629,8 @@ For example, the following rule will dro
Only match packets which were received on the specified
.Ar interface
(or interface group).
+.Ar any
+will match any existing interface except loopback ones.
.Pp
.It Ar rtable Aq Ar number
Used to select an alternate routing table for the routing lookup.