Introduce 'set skip on <ifspec>' to support a list of interfaces where no

packet filtering should occur (like loopback, for instance).
Code from Max Laier, with minor improvements based on feedback from
deraadt@. ok mcbride@, henning@

1 files changed, 39 insertions, 1 deletions

diff --git a/sys/net/pf_if.c b/sys/net/pf_if.c
index ad652919090..26ce0ee731e 100644
--- a/sys/net/pf_if.c
+++ b/sys/net/pf_if.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_if.c,v 1.22 2004/12/13 23:51:22 dhartmei Exp $ */
+/*	$OpenBSD: pf_if.c,v 1.23 2004/12/22 17:17:55 dhartmei Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -689,6 +689,44 @@ pfi_clr_istats(const char *name, int *nzero, int flags)
 }
 
 int
+pfi_set_flags(const char *name, int flags)
+{
+	struct pfi_kif	*p;
+	int		 s;
+
+	if (flags & ~PFI_IFLAG_SETABLE_MASK)
+		return (EINVAL);
+
+	s = splsoftnet();
+	RB_FOREACH(p, pfi_ifhead, &pfi_ifs) {
+		if (pfi_skip_if(name, p, PFI_FLAG_GROUP|PFI_FLAG_INSTANCE))
+			continue;
+		p->pfik_flags |= flags;
+	}
+	splx(s);
+	return (0);
+}
+
+int
+pfi_clear_flags(const char *name, int flags)
+{
+	struct pfi_kif	*p;
+	int		 s;
+
+	if (flags & ~PFI_IFLAG_SETABLE_MASK)
+		return (EINVAL);
+
+	s = splsoftnet();
+	RB_FOREACH(p, pfi_ifhead, &pfi_ifs) {
+		if (pfi_skip_if(name, p, PFI_FLAG_GROUP|PFI_FLAG_INSTANCE))
+			continue;
+		p->pfik_flags &= ~flags;
+	}
+	splx(s);
+	return (0);
+}
+
+int
 pfi_get_ifaces(const char *name, struct pfi_if *buf, int *size, int flags)
 {
 	struct pfi_kif	*p;