author | phk <phk@FreeBSD.org> | 2001-02-13 14:12:37 +0000 |
---|---|---|
committer | phk <phk@FreeBSD.org> | 2001-02-13 14:12:37 +0000 |
commit | be4fee4a9b95feb53ff3469bab486e71c7ef750e (patch) | |
tree | 7a462819b17f833cc6f3bb95b5c92c8df675db8e /sbin/ipfw/ipfw.8 | |
parent | 56b912587564e3c12be17e5965e983c50b5c368a (diff) | |
Introduce a new feature in IPFW: Check if the source or destination
address is configured on an interface. This is useful for routers with
dynamic interfaces. It is now possible to say:

    0100 allow tcp from any to any established
    0200 skipto 1000 tcp from any to any
    0300 allow ip from any to any
    1000 allow tcp from 1.2.3.4 to me 22
    1010 deny tcp from any to me 22
    1020 allow tcp from any to any

and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.

The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
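
A simplified model of how the rule set in the commit message is evaluated, added here as an example and not part of the commit or of FreeBSD's code. It shows that `me` follows the addresses configured at evaluation time and that only TCP setup packets reach the address-list check. The `Firewall` class, the packet dictionaries, the match order inside a rule and the sample addresses are assumptions.

```python
# Simplified first-match model of the commit message's rule set.
# Added example: not ipfw source; field order within a rule is an assumption.
RULES = [
    # number, action, arg, proto, src, dst, dport, established-only
    (100,  "allow",  None, "tcp", "any",     "any", None, True),
    (200,  "skipto", 1000, "tcp", "any",     "any", None, False),
    (300,  "allow",  None, "ip",  "any",     "any", None, False),
    (1000, "allow",  None, "tcp", "1.2.3.4", "me",  22,   False),
    (1010, "deny",   None, "tcp", "any",     "me",  22,   False),
    (1020, "allow",  None, "tcp", "any",     "any", None, False),
]

class Firewall:
    def __init__(self, local_addrs):
        self.local_addrs = set(local_addrs)  # addresses currently on interfaces
        self.me_checks = 0                   # times the address list was consulted

    def _addr_ok(self, spec, addr):
        if spec == "any":
            return True
        if spec == "me":                     # the "semi expensive" lookup
            self.me_checks += 1
            return addr in self.local_addrs
        return spec == addr

    def _matches(self, rule, pkt):
        _, _, _, proto, src, dst, dport, est = rule
        if proto != "ip" and proto != pkt["proto"]:
            return False
        if est and not pkt.get("established", False):
            return False
        return (self._addr_ok(src, pkt["src"])
                and self._addr_ok(dst, pkt["dst"])
                and (dport is None or pkt.get("dport") == dport))

    def evaluate(self, pkt):
        """Return (action, rule number) of the first terminating match."""
        start = 0
        for rule in RULES:
            number, action, arg = rule[:3]
            if number < start or not self._matches(rule, pkt):
                continue
            if action == "skipto":           # jump forward, keep evaluating
                start = arg
                continue
            return action, number
        return "deny", 65535                 # assumed default-deny final rule
```
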
Diffstat (limited to 'sbin/ipfw/ipfw.8')
-rw-r--r-- | sbin/ipfw/ipfw.8 | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 765fb3d..a64f290 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -478,9 +478,23 @@ or .Cm all keywords mean any protocol will match. .It Ar src No and Ar dst : +.Cm any +| +.Cm me +| +.Op Cm not .Aq Ar address Ns / Ns Ar mask .Op Ar ports .Pp +Specifying +.Cm any +makes the rule match any IP number. +.Pp +Specifying +.Cm me +makes the rule match any IP number configured on an interface in the system. +This is an computationally semi-expensive check which should be used with care. +.Pp The .Aq Ar address Ns / Ns Ar mask may be specified as: |
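Review bot: The new `me` paragraph says the check "should be used with care" but gives no guidance on how to do that. The commit message's pattern of admitting established TCP early and sending only the remaining TCP packets to the `me` rules with `skipto` deserves a sentence here or an entry in the manual's examples, since readers of ipfw.8 will not see the commit log. In the same line, "This is an computationally semi-expensive check" should read "a computationally". The synopsis also puts `.Op Cm not` only in front of the `.Aq Ar address Ns / Ns Ar mask` alternative, so the text leaves open whether `not me` is accepted; state it either way. Finally, "IP number" in both new paragraphs would read more consistently as "IP address", matching the `address` term used in the synopsis.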