From: Paul Procacci
Date: Sun, 29 Jun 2025 22:55:49 -0400
To: Mason Loring Bliss
Cc: freebsd-net@freebsd.org
Subject: Re: rp_filter equivalent?
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Sun, Jun 29, 2025 at 10:22 PM Mason Loring Bliss wrote:
>
> On Sun, Jun 29, 2025 at 09:48:58PM -0400, Paul Procacci wrote:
>
> > The "fix" your problem ......
> > You need to create a bridge.
> > Add your main interface to the bridge.
> > You can assign your .10 to the bridge.
> > Then, you can create your epair.
> > Assign the a side to the bridge and the b side to your jail.
> > Add your .50 to the 'b' side, and add the default route of .1.
>
> Hrm, hrm. That's what I was doing first. I was basing it off what I use
> here:
>
> https://wiki.freebsd.org/MasonLoringBliss/JailsEpair
>
> In fact... I... am pretty sure I did exactly what you're suggesting, but
> the system told me I couldn't set a default route in the jail because it
> wasn't a legal address.
>
> So: NIC, epair0a in bridge0; epair0b in vnet jail. If epair0b had the
> correct (floating) address I couldn't set the default route, because the
> default route was in an unrelated /24. I had to set epair0a to something in
> the same /24 for me to get a default route set for epair0b, and I had to
> break epair0a out of the bridge.
>
> I'll mess with it again sometime soon because I feel like it really ought
> to have worked the way I set it up first. I'll report back here with more
> details. It's working now, but I really don't like *how* it's working.
>
> --
> Mason Loring Bliss (( If I have not seen as far as others, it is because
> mason@blisses.org )) giants were standing on my shoulders.
> - Hal Abelson

Ok, I misunderstood what you initially wrote because the language you're
using isn't exactly what I'd expect in the world of networking.

To clear up any confusion ... you have two IP addresses, each one being in
a different subnet. The IP assigned to the host and the gateway that the
host talks to are in one subnet, while the other IP address assigned to the
jail/vnet is in an entirely different subnet.

The easiest solution here is asking the provider for a gateway you can use
with the IP address in the second subnet, assuming it's anything but a /32.

Without that, you'd have to forgo using VNET and instead first add the IP
address as an alias to the main interface, only then to be assigned to the
jail upon startup. It would share the system networking, but there'd be no
confusion at that point about how things get routed.

Using VNET, you can try the following within the jail, but I've never tried:

  route add -net w.x.y.z/mask a.b.c.1
  route add default a.b.c.1

Not sure if that'd work, but seems reasonable.

~Paul

--
__________________
:(){ :|:& };:
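Editor's added example, not code from this thread or from FreeBSD: a small Python model of the rule Mason's jail ran into. A route whose next hop is a gateway address is only accepted when that gateway is already reachable without routing, i.e. it lies inside a connected prefix (an interface address) or inside an interface route. The addresses are constructed from the RFC 5737 documentation ranges (host and gateway in 192.0.2.0/24, the jail's floating address in 198.51.100.0/24), the interface name epair0b follows the thread, and the third scenario (a host route to the gateway via the interface before the default route) is the editor's own assumption about a workable approach, not something the thread confirms.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not the thread's real ones.
PROVIDER_GW = "192.0.2.1"          # gateway the host talks to, in the host's /24
JAIL_ADDR = "198.51.100.50/24"     # the jail's "floating" address, unrelated /24


class Fib:
    """Minimal model of one vnet's IPv4 routing table.

    Only the on-link check matters here: a gateway route is accepted only if
    the gateway is directly reachable through a connected prefix or through
    an interface ("-iface") route already present in the table.
    """

    def __init__(self):
        self.connected = []  # (network, ifname) installed by interface addresses
        self.routes = []     # (destination, gateway or None, ifname)

    def add_address(self, ifname, cidr):
        """Models 'ifconfig <ifname> inet <cidr>': installs the connected prefix."""
        iface = ipaddress.ip_interface(cidr)
        self.connected.append((iface.network, ifname))

    def on_link(self, gateway):
        """Return the interface through which gateway is directly reachable,
        or None if no connected prefix or interface route covers it."""
        gw = ipaddress.ip_address(gateway)
        for net, ifname in self.connected:
            if gw in net:
                return ifname
        for dest, via, ifname in self.routes:
            if via is None and gw in dest:   # interface route, no next hop
                return ifname
        return None

    def add_route(self, destination, gateway=None, ifname=None):
        """Models 'route add <dest> <gw>' or 'route add <dest> -iface <ifname>'.
        Returns the outgoing interface; raises if the gateway is off-link."""
        dest = ipaddress.ip_network(destination)
        if gateway is None:
            if ifname is None:
                raise ValueError("an interface route needs an interface")
            self.routes.append((dest, None, ifname))
            return ifname
        out_if = self.on_link(gateway)
        if out_if is None:
            # This is the condition behind the kernel refusing the route.
            raise ValueError(f"gateway {gateway} is not on any connected prefix")
        self.routes.append((dest, ipaddress.ip_address(gateway), out_if))
        return out_if


def try_default_route(addresses, prep=()):
    """Build a jail-side table with the given epair0b addresses, apply any
    preparatory routes (dest, gateway, ifname), then attempt the default
    route via PROVIDER_GW. Returns ("ok", ifname) or ("rejected", reason)."""
    fib = Fib()
    for cidr in addresses:
        fib.add_address("epair0b", cidr)
    for dest, gw, ifn in prep:
        fib.add_route(dest, gw, ifn)
    try:
        return ("ok", fib.add_route("0.0.0.0/0", PROVIDER_GW))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # 1. Mason's first attempt: only the floating address on epair0b.
    print(try_default_route([JAIL_ADDR]))
    # 2. Workaround from the thread: an address in the gateway's /24 alongside it.
    print(try_default_route([JAIL_ADDR, "192.0.2.11/24"]))
    # 3. Editor's assumption: a host route to the gateway via the interface first.
    print(try_default_route([JAIL_ADDR], prep=[("192.0.2.1/32", None, "epair0b")]))
```

Scenario 1 is rejected because 192.0.2.1 is covered by no prefix on epair0b; scenarios 2 and 3 both make the gateway on-link first, which is why the default route then goes in. The model ignores everything else a real FIB does (longest-prefix matching, ARP, bridge membership), so treat it as an explanation of the error, not a substitute for testing on a FreeBSD box.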