Date: Sun, 29 Jun 2025 21:48:58 -0400
From: Paul Procacci <pprocacci@gmail.com>
To: Mason Loring Bliss <mason@blisses.org>
Cc: freebsd-net@freebsd.org
Subject: Re: rp_filter equivalent?
Message-ID: <CAFbbPujxeDWotQROy9z4mSsxxr74d0hiQoiU%2Boj_GWgaS9z6hQ@mail.gmail.com>
In-Reply-To: <aGHohWgtKxaPgdeR@blisses.org>
References: <aGHohWgtKxaPgdeR@blisses.org>
On Sun, Jun 29, 2025 at 9:29 PM Mason Loring Bliss <mason@blisses.org> wrote:
>
> Hi all.
>
> I'm wondering what the equivalent to the Linux rp_filter is on FreeBSD. I'm
> asking because I've got a set-up on a hosting provider where I have a
> floating IP address that's not related to the main IP address of my system.
> Which is to say, my system is a.b.c.10 and routes through a.b.c.1, and I've
> got a floating IP that's x.y.z.50. Traffic from that x.y.z.50 address is
> supposed to route through a.b.c.1.
>
> I've got a vnet jail that's set up to use that x.y.z.50 address, and I've
> assigned x.y.z.50 to epair0b in the jail, but I ran into a problem. I
> couldn't tell that jail to use a.b.c.1 as its default gateway and that that
> was out through epair0a without assigning an a.b.c address to epair0a, even
> though I don't actually have a spare assigned to me.
>
> I believe I can just tell Linux to ram packets out an arbitrary interface
> if I turn off rp_filtering via a syscall, but I'm not sure how to cleanly
> do this with FreeBSD, hence my resorting to pilfering an IP address. I'll
> never receive traffic intended for this pilfered address and there's no
> risk of it causing confusion, but it doesn't feel like a clean answer.
>
> So, there's my question: is there some way I can have my vnet jail send
> packets out an interface that the system believes is unrelated to the IP
> address assigned to that interface?
>
> Thanks!
>
> --
> (defun main () (format t "Mason Loring Bliss - mason@blisses.org - ")
> (format t "By the mysgydynge of the sterysman, he was set vpon the pylys")
> (format t " of the brydge, and the barge whelmyd. - Chronicle of Fabyan~%"))

PF is the closest thing you'll get to rp_filter.

The "fix" for your problem......

You need to create a bridge. Add your main interface to the bridge. You can assign your .10 to the bridge. Then, you can create your epair. Assign the a side to the bridge and the b side to your jail. Add your .50 to the 'b' side, and add the default route of .1. This allows L2+ traffic to work correctly for both the host and jail.

~Paul

-- 
__________________
:(){ :|:& };:
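The bridge-plus-epair procedure from the reply above, written out as a FreeBSD shell script. This is an added example, not code from either poster: it assumes vtnet0 is the host's uplink NIC, that a.b.c.10 sits in a /24, and that the vnet jail is already running under the name myjail. It also adds one step the reply leaves implicit, a host route to a.b.c.1 via the epair's b side (route -iface), which is what lets FreeBSD accept a default gateway that is not on any directly connected subnet, and so is exactly what the original poster was substituting a borrowed a.b.c address for. The script prints the command plan by default and only executes it when given `apply`; since the host's own address moves from the NIC to the bridge, run it from a console rather than over SSH.

```shell
#!/bin/sh
# Added example (not from the thread): bridge + epair setup for a vnet jail
# that uses a floating address on a foreign subnet. Prints the plan by
# default; "apply" executes it. Run from a console: the host address moves.
set -eu

PHYS_IF=${PHYS_IF:-vtnet0}      # assumed: the host's uplink NIC
BRIDGE=${BRIDGE:-bridge0}
EPAIR=${EPAIR:-epair0}
JAIL=${JAIL:-myjail}            # assumed: name of the running vnet jail
HOST_IP=${HOST_IP:-a.b.c.10}    # placeholders as written in the thread
HOST_PREFIX=${HOST_PREFIX:-24}  # assumed prefix length of the a.b.c network
GATEWAY=${GATEWAY:-a.b.c.1}
FLOAT_IP=${FLOAT_IP:-x.y.z.50}

# Host side: move the main interface and its address onto a bridge, then
# re-add the default route, which goes away with the old interface address.
host_plan() {
    cat <<EOF
ifconfig $BRIDGE create
ifconfig $BRIDGE addm $PHYS_IF
ifconfig $PHYS_IF inet $HOST_IP -alias
ifconfig $BRIDGE inet $HOST_IP/$HOST_PREFIX up
ifconfig $PHYS_IF up
route delete default || true
route add default $GATEWAY
EOF
}

# Jail side: a side on the bridge, b side inside the jail carrying the
# floating address. The -iface host route makes the gateway reachable over
# the epair without any a.b.c address, so the default route is accepted.
jail_plan() {
    cat <<EOF
ifconfig $EPAIR create
ifconfig $BRIDGE addm ${EPAIR}a
ifconfig ${EPAIR}a up
ifconfig ${EPAIR}b vnet $JAIL
jexec $JAIL ifconfig ${EPAIR}b inet $FLOAT_IP/32 up
jexec $JAIL route add -host $GATEWAY -iface ${EPAIR}b
jexec $JAIL route add default $GATEWAY
EOF
}

# Execute a plan line by line, echoing each command; set -e stops on the
# first failure so a half-applied network change is visible immediately.
run_plan() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

main() {
    case "${1:-plan}" in
        plan)  host_plan; jail_plan ;;
        apply) { host_plan; jail_plan; } | run_plan ;;
        *)     echo "usage: $0 [plan|apply]" >&2; return 2 ;;
    esac
}

main "$@"
```

Override the defaults through the environment (for example `PHYS_IF=em0 JAIL=web sh jailnet.sh plan`) and check the printed plan before running `apply`. Assigning x.y.z.50 as a /32 keeps the jail from treating any other address as on-link, so every packet leaves via the gateway route, which matches how the provider expects the floating address to be used.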