Re: rp_filter equivalent?
Date: Mon, 30 Jun 2025 01:48:58 UTC
On Sun, Jun 29, 2025 at 9:29 PM Mason Loring Bliss <mason@blisses.org> wrote:
>
> Hi all.
>
> I'm wondering what the equivalent to the Linux rp_filter is on FreeBSD. I'm
> asking because I've got a set-up on a hosting provider where I have a
> floating IP address that's not related to the main IP address of my system.
> Which is to say, my system is a.b.c.10 and routes through a.b.c.1, and I've
> got a floating IP that's x.y.z.50. Traffic from that x.y.z.50 address is
> supposed to route through a.b.c.1.
>
> I've got a vnet jail that's set up to use that x.y.z.50 address, and I've
> assigned x.y.z.50 to epair0b in the jail, but I ran into a problem. I
> couldn't tell that jail to use a.b.c.1 as its default gateway and that that
> was out through epair0a without assigning an a.b.c address to epair0a, even
> though I don't actually have a spare assigned to me.
>
> I believe I can just tell Linux to ram packets out an arbitrary interface
> if I turn off rp_filtering via a syscall, but I'm not sure how to cleanly
> do this with FreeBSD, hence my resorting to pilfering an IP address. I'll
> never receive traffic intended for this pilfered address and there's no
> risk of it causing confusion, but it doesn't feel like a clean answer.
>
> So, there's my question: is there some way I can have my vnet jail send
> packets out an interface that the system believes is unrelated to the IP
> address assigned to that interface?
>
> Thanks!
>
> --
> (defun main () (format t "Mason Loring Bliss - mason@blisses.org - ")
> (format t "By the mysgydynge of the sterysman, he was set vpon the pylys")
> (format t " of the brydge, and the barge whelmyd. - Chronicle of Fabyan~%"))
PF is the closest thing you'll get to rp_filter.
The "fix" for your problem:
You need to create a bridge.
Add your main interface to the bridge.
You can assign your .10 to the bridge.
Then, you can create your epair.
Assign the 'a' side to the bridge and the 'b' side to your jail.
Add your .50 to the 'b' side, and add the default route of .1.
This allows L2+ traffic to work correctly for both the host and jail.
~Paul
--
__________________
:(){ :|:& };:
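The bridge + epair layout Paul describes, written up as a dry-run-able setup script. This is an added example, not code from either poster: the uplink interface (vtnet0), the jail name (web), and the addresses are assumptions or constructed placeholders standing in for a.b.c.10, a.b.c.1 and x.y.z.50. The jail-side host route to the gateway is an assumed extra step, needed because the gateway is not covered by the floating /32. With DRY_RUN=1 (the default) the script only prints the ifconfig/route commands it would run; moving the host address off the uplink can drop a remote session, so run it with DRY_RUN=0 from a console or as one batch.

```shell
#!/bin/sh
# Added example (not from the list post): host-side and jail-side steps for the
# bridge + epair layout. Interface names, jail name and addresses are assumptions
# or constructed placeholders, not values from the thread.
set -eu

DRY_RUN="${DRY_RUN:-1}"       # 1 = print the commands, 0 = execute them (FreeBSD host, root)
HOST_IF="${HOST_IF:-vtnet0}"  # assumed uplink interface currently carrying a.b.c.10
BRIDGE="${BRIDGE:-bridge0}"
EPAIR="${EPAIR:-epair0}"
JAIL="${JAIL:-web}"           # assumed name of the already-running vnet jail
HOST_ADDR="203.0.113.10/24"   # constructed stand-in for a.b.c.10
GATEWAY="203.0.113.1"         # constructed stand-in for a.b.c.1
FLOAT_ADDR="198.51.100.50/32" # constructed stand-in for the floating x.y.z.50

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Host side: the bridge carries the host address; the uplink and the epair
# "a" side are bridge members and carry no address of their own.
plan_host() {
    run ifconfig "$BRIDGE" create
    run ifconfig "$HOST_IF" inet "${HOST_ADDR%/*}" -alias   # move .10 off the uplink ...
    run ifconfig "$BRIDGE" inet "$HOST_ADDR"                # ... and onto the bridge
    run ifconfig "$BRIDGE" addm "$HOST_IF" up
    run ifconfig "$EPAIR" create
    run ifconfig "${EPAIR}a" up
    run ifconfig "$BRIDGE" addm "${EPAIR}a"
    run ifconfig "${EPAIR}b" vnet "$JAIL"                   # hand the "b" side to the jail
}

# Jail side: only the floating address lives on the "b" side, so no a.b.c
# address has to be borrowed from the provider's block.
plan_jail() {
    run jexec "$JAIL" ifconfig "${EPAIR}b" inet "$FLOAT_ADDR" up
    # Assumed requirement: the gateway is outside the floating /32, so the jail
    # needs an interface route to it before the default route can be installed.
    run jexec "$JAIL" route add -host "$GATEWAY" -iface "${EPAIR}b"
    run jexec "$JAIL" route add default "$GATEWAY"
}

plan_host
plan_jail
```

Because the bridge forwards at layer 2, the jail's frames for x.y.z.50 reach a.b.c.1 over the same segment as the host's own traffic, which is the point Paul makes about L2+ traffic working for both host and jail; nothing on the host has to forward or source-validate the jail's packets.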