Bug 237973

Summary: pf: implement egress keyword to simplify rules across different hardware
Product: Base System Reporter: Dave Cottlehuber <dch>
Component: kern Assignee: freebsd-pf (Nobody) <pf>
Status: Open ---    
Severity: Affects Some People Keywords: feature, needs-patch
Priority: --- Flags: koobs: mfc-stable12?
koobs: mfc-stable11?
Version: CURRENT   
Hardware: Any   
OS: Any   
URL: https://man.openbsd.org/pf.conf

Description Dave Cottlehuber freebsd_committer 2019-05-18 18:37:09 UTC
OpenBSD 6.5 has an egress keyword, which I believe is a tag/label assigned to each interface that has a default route defined.

pass in on egress proto tcp from any to any port smtp \
	rdr-to port spamd

[see https://man.openbsd.org/pf.conf for details]

// discussed over falafel at BSDCan.
Comment 1 Kristof Provost freebsd_committer 2019-05-18 21:09:18 UTC
'egress' isn't strictly a pf keyword. It's just another ifgroup. You could emulate it by adding your egress interfaces to the group already.
OpenBSD adds any interface with a default route to that group (as I understand it). If we do that too it'll automatically work with pf.

Look for IFG_EGRESS in openbsd/sys/net. It should be straightforward enough to add this to FreeBSD as well.
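
The manual emulation described in Comment 1, as an added example that is not part of the original thread or of FreeBSD's own code: find the interfaces that carry a default route and put them in an interface group named egress, so a rule written `on egress` matches them. The function names and the sample route output are constructed for illustration; live mode assumes FreeBSD's `route` and `ifconfig` and root privileges.

```sh
#!/bin/sh
# Added example: emulate OpenBSD's "egress" group on FreeBSD by placing every
# interface that carries a default route into an ifgroup named "egress".

# Extract the interface name from `route -n get default` style output on stdin.
route_iface() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Turn interface names (one per line on stdin) into ifconfig commands.
# Names are validated so unexpected route output never reaches a command line.
egress_cmds() {
    sort -u | while read -r ifn; do
        case "$ifn" in
            ''|-*|*[!A-Za-z0-9_.-]*) continue ;;
        esac
        printf 'ifconfig %s group egress\n' "$ifn"
    done
}

# Constructed sample of `route -n get default` output (not captured from a host).
SAMPLE_ROUTE='   route to: 0.0.0.0
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 192.0.2.1
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>'

if [ "${1:-}" = "apply" ]; then
    # Live mode (FreeBSD, root): cover both IPv4 and IPv6 default routes.
    {
        route -n get -inet default 2>/dev/null | route_iface
        route -n get -inet6 default 2>/dev/null | route_iface
    } | egress_cmds | sh -x
else
    # Dry run against the constructed sample: only prints the command.
    printf '%s\n' "$SAMPLE_ROUTE" | route_iface | egress_cmds
fi
```

Group membership set this way is static: if the default route later moves to another interface, the script has to be run again (and the old interface removed with `ifconfig <if> -group egress`), otherwise `on egress` rules keep matching the old interface.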
Comment 2 Kristof Provost freebsd_committer 2019-06-04 11:20:13 UTC
(Reassigned to pf@, because this is not on my short-term todo list.)