git: d2bb19883f78 - main - pf: introduce a way to match "any" interface, excluding loopback ones
Date: Fri, 14 Feb 2025 17:50:25 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=d2bb19883f780ea17a794787d6b67e75059b085e
commit d2bb19883f780ea17a794787d6b67e75059b085e
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-02-11 09:59:12 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-02-14 17:47:52 +0000
pf: introduce a way to match "any" interface, excluding loopback ones
pfi_kkif_attach() annotates the kif with a flag indicating it is the "any" match.
pfi_kif_match() obeys that flag.
ok benno
Obtained from: OpenBSD, henning <henning@openbsd.org>, 4be478ce5d
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/pfvar.h | 1 +
sys/netpfil/pf/pf_if.c | 9 +++++++++
2 files changed, 10 insertions(+)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 964a1d41f353..0295bcc125f8 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1600,6 +1600,7 @@ struct pfi_kkif {
#define PFI_IFLAG_REFS 0x0001 /* has state references */
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
+#define PFI_IFLAG_ANY 0x0200 /* match any non-loopback interface */
#ifdef _KERNEL
struct pf_sctp_multihome_job;
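Review bot: The user-visible effect of PFI_IFLAG_ANY — a rule on the "any" interface no longer matching loopback interfaces — is not documented by this commit; the diffstat touches only pfvar.h and pf_if.c, so pf.conf(5) presumably still describes "any" without the loopback exclusion and should be updated alongside. The define's comment should also name where the flag comes from, since nothing in the header ties it to a kif name: `#define PFI_IFLAG_ANY 0x0200 /* match any non-loopback interface; set by pfi_kkif_attach() on the kif named "any" */`. PFI_IFLAG_* sit outside the `#ifdef _KERNEL` block, so if pfik_flags is exported to userland by the ioctl interface the new bit becomes visible to tools that inspect it — worth a sentence in the commit message if so.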
diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
index d2b1b6a781f4..31fc8b152719 100644
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -357,6 +357,11 @@ pfi_kkif_attach(struct pfi_kkif *kif, const char *kif_name)
kif->pfik_tzero = time_second > 1 ? time_second : 0;
TAILQ_INIT(&kif->pfik_dynaddrs);
+ if (!strcmp(kif->pfik_name, "any")) {
+ /* both so it works in the ioctl and the regular case */
+ kif->pfik_flags |= PFI_IFLAG_ANY;
+ }
+
RB_INSERT(pfi_ifhead, &V_pfi_ifs, kif);
return (kif);
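Review bot: The comment `/* both so it works in the ioctl and the regular case */` does not say what "both" refers to; the visible code performs a single action (setting one flag), so the comment reads as carried over from the OpenBSD original named in the commit message and will not help a maintainer here. A comment that states the intent would be `/* Mark the "any" kif at attach time so pfi_kkif_match() can treat it as a wildcard for non-loopback interfaces. */`. Style-wise, FreeBSD code generally spells the test `if (strcmp(kif->pfik_name, "any") == 0) {` rather than `!strcmp(...)`. pfi_kkif_attach() begins before the hunk and its closing brace is outside it.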
@@ -474,6 +479,10 @@ pfi_kkif_match(struct pfi_kkif *rule_kif, struct pfi_kkif *packet_kif)
return (1);
}
+ if (rule_kif->pfik_flags & PFI_IFLAG_ANY && packet_kif->pfik_ifp &&
+ !(packet_kif->pfik_ifp->if_flags & IFF_LOOPBACK))
+ return (1);
+
return (0);
}
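Review bot: The new condition mixes a bitwise test with `&&` without parentheses; it is correct under C precedence, but style(9) and `-Wparentheses` both favour `if ((rule_kif->pfik_flags & PFI_IFLAG_ANY) && packet_kif->pfik_ifp &&` so the intended grouping is explicit. The `packet_kif->pfik_ifp` NULL check is the important part of the guard, since a kif presumably can exist without an attached ifp and the loopback test dereferences it; a short comment such as `/* "any" matches every interface that has an ifp and is not loopback */` would record that the NULL test is deliberate rather than defensive. The start of pfi_kkif_match() is outside the hunk.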