Date: Sun, 29 Jun 2025 21:29:41 -0400
From: Mason Loring Bliss
To: freebsd-net@freebsd.org
Subject: rp_filter equivalent?
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hi all.

I'm wondering what the equivalent to the Linux rp_filter is on FreeBSD. I'm asking because I've got a set-up on a hosting provider where I have a floating IP address that's not related to the main IP address of my system.

Which is to say, my system is a.b.c.10 and routes through a.b.c.1, and I've got a floating IP that's x.y.z.50. Traffic from that x.y.z.50 address is supposed to route through a.b.c.1.

I've got a vnet jail that's set up to use that x.y.z.50 address, and I've assigned x.y.z.50 to epair0b in the jail, but I ran into a problem. I couldn't tell that jail to use a.b.c.1 as its default gateway and that that was out through epair0a without assigning an a.b.c address to epair0a, even though I don't actually have a spare assigned to me.

I believe I can just tell Linux to ram packets out an arbitrary interface if I turn off rp_filtering via a syscall, but I'm not sure how to cleanly do this with FreeBSD, hence my resorting to pilfering an IP address. I'll never receive traffic intended for this pilfered address and there's no risk of it causing confusion, but it doesn't feel like a clean answer.

So, there's my question: is there some way I can have my vnet jail send packets out an interface that the system believes is unrelated to the IP address assigned to that interface?

Thanks!

-- 
(defun main () (format t "Mason Loring Bliss - mason@blisses.org - ")
(format t "By the mysgydynge of the sterysman, he was set vpon the pylys")
(format t " of the brydge, and the barge whelmyd. - Chronicle of Fabyan~%"))