From nobody Mon Jun 30 02:22:31 2025 X-Original-To: freebsd-net@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bVqgZ1jgyz5yn5K for ; Mon, 30 Jun 2025 02:22:34 +0000 (UTC) (envelope-from mason@blisses.org) Received: from yangtze.blisses.org (yangtze.blisses.org [144.202.50.44]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4bVqgY5zVKz3JZL for ; Mon, 30 Jun 2025 02:22:33 +0000 (UTC) (envelope-from mason@blisses.org) Authentication-Results: mx1.freebsd.org; none Received: from contoocook.blisses.org (contoocook.blisses.org [68.238.57.52]) by yangtze.blisses.org (Postfix) with ESMTP id CA53F17DE81; Sun, 29 Jun 2025 22:22:32 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=blisses.org; s=default; t=1751249620; bh=fCk0tL6o1043DkI7giO/TRyJpifAc0vQ6I5ssDc+0fU=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=IEoo30pCPuErrM2OtkdVgGAb66swFH8UCGQyjuiyiimcXwKTq5b9bsA7eQqN6Ho2o SnqhgDGvTZMJarLI4JoE0AxjbUzWCcW3BUDeZ8pT7H2ODytud3AEOyPzXWWOqpZ3pS RvBAjVRbyO5J2ij0PQNlv7xeZ3EJb4Banna5sBlrEvZC8qWFjUCj5YySK2gMs7mq4j qHyD1JnXyToQwc6hAyE0L5lNmeED7cEM2A1ZdhtnRyLQwSShq+WV/RDnAWED5JAVGX 50RlFr8Jy/qWTO79dXqRelRbknN4KIrXtG+SahwzdIfBpwIiqpVp5r1TC1nOKaYmfc 0tKQPt6azx0Bg== Date: Sun, 29 Jun 2025 22:22:31 -0400 From: Mason Loring Bliss To: Paul Procacci Cc: freebsd-net@freebsd.org Subject: Re: rp_filter equivalent? Message-ID: References: List-Id: Networking and TCP/IP with FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-net List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-net@FreeBSD.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="lpCum9QrXN1xQoGV" Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 4bVqgY5zVKz3JZL X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:20473, ipnet:144.202.48.0/20, country:US] --lpCum9QrXN1xQoGV Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Jun 29, 2025 at 09:48:58PM -0400, Paul Procacci wrote: > The "fix" your problem ...... > You need to create a bridge. > Add your main interface to the bridge. > You can assign your .10 to the bridge. > Then, you can create your epair. > Assign the a side the bridge and the b side to your jail. > Add your .50 the the 'b' side, and add the default route of .1. Hrm, hrm. That's what I was doing first. I was basing it off what I use here: https://wiki.freebsd.org/MasonLoringBliss/JailsEpair In fact... I... am pretty sure I did exactly what you're suggesting, but the system told me I couldn't set a default route in the jail because it wasn't a legal address. So: NIC, epair0a in bridge0; epair0b in vnet jail. If epair0b had the correct (floating) address I couldn't set the default route, because the default route was in an unrelated /24. I had to set epair0a to something in the same /24 for me to get a default route set for epair0b, and I had to break epair0a out of the bridge. I'll mess with it again sometime soon because I feel like it really ought to have worked the way I set it up first. I'll report back here with more details. It's working now, but I really don't like *how* it's working. --=20 Mason Loring Bliss (( If I have not seen as far as others, it is because mason@blisses.org )) giants were standing on my shoulders. - Hal Abels= on --lpCum9QrXN1xQoGV Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEEXtBZz1axB5rEDCEnrJXcHbvJVUFAmhh9OUACgkQnrJXcHbv JVWtEg//bEtFlEaUyWfV6NuBukZCSVkPwooGjlpczR8GbWQhs9OPKqnr1BauJ9PC 2Uns6FZQEEBNgv7rR9dnznQc4/AJ6Z/ok2V6OVGPLHG6jAdTGtGPx2jStqrW2S/U rkkSy7aCBfRDZE9in0WmFvt0ShZedXuYw03KbWvl19qTY4xidySSxNKGrMF+/2nc CjxGlH4Dw2jBAjp7gL2/glKyowJ18C443FGPy3RJyftIHI6VI+0trj/SV/h8PLjl gIdOzFgzZxNJryy41TajwzwuUrTRlFphgvExnLTJNivU3Ewijfqg2HYdGt6fhaob IFCCXze/+/gusDEkFaLLVgUtjcpPCv9ki0VETS4w0+IQ4/OFVlw5LH6Y2tnQxVtb lsHCBV7IQ/J79WIknNhZfyInfThT87c6OvKWN5xlF6fi3Gfga2X04DcMk4xCbj5s Aglbu5HP9XtC290vm/YpSr1PxPmwUBh6xThY79hXt7lFr41sCG0BhxQLzrq6mKLj X3CLiOhX1ioOxQLKsJfWAZskqwjclXhwCJnFpX8dxQRaskEbXfVT0hrrFUXPf8AT ZQ2jpyt598+uD7pyTYTsYEvPbrAuuQEK33XpInk6DaB1JyBun3Cr5JShLB3Jzvai p7b8e4Y+gvciL0jJDWBqhWFG2/vD55UBq4dYvo7goskcVP4zDVo= =/Thv -----END PGP SIGNATURE----- --lpCum9QrXN1xQoGV--