introduce a way to match "any" interface, excluding loopback ones.

pfi_kif_get annotates the kif with a flag indicating it is the "any" match
pfi_kif_match obeys that flag
ok benno

1 files changed, 11 insertions, 1 deletions

diff --git a/sys/net/pf_if.c b/sys/net/pf_if.c
index 658689647d6..fa2b2ee26c7 100644
--- a/sys/net/pf_if.c
+++ b/sys/net/pf_if.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_if.c,v 1.70 2014/01/08 22:38:29 bluhm Exp $ */
+/*	$OpenBSD: pf_if.c,v 1.71 2014/01/21 01:50:07 henning Exp $ */
 
 /*
  * Copyright 2005 Henning Brauer <henning@openbsd.org>
@@ -118,6 +118,12 @@ pfi_kif_get(const char *kif_name)
 	kif->pfik_tzero = time_second;
 	TAILQ_INIT(&kif->pfik_dynaddrs);
 
+	if (!strcmp(kif->pfik_name, "any")) {
+		/* both so it works in the ioctl and the regular case */
+		kif->pfik_flags |= PFI_IFLAG_ANY;
+		kif->pfik_flags_new |= PFI_IFLAG_ANY;
+	}
+
 	RB_INSERT(pfi_ifhead, &pfi_ifs, kif);
 	return (kif);
 }
@@ -200,6 +206,10 @@ pfi_kif_match(struct pfi_kif *rule_kif, struct pfi_kif *packet_kif)
 			if (p->ifgl_group == rule_kif->pfik_group)
 				return (1);
 
+	if (rule_kif->pfik_flags & PFI_IFLAG_ANY && packet_kif->pfik_ifp &&
+	    !(packet_kif->pfik_ifp->if_flags & IFF_LOOPBACK))
+		return (1); 
+
 	return (0);
 }