
From:
Klemens Nanni <kn@openbsd.org>
Subject:
Re: do not add default routes with blackhole or reject to the egress group
To:
tech@openbsd.org, Theo Buehler <tb@theobuehler.org>
Date:
Wed, 14 May 2025 08:24:14 +0000

On 14 May 2025 06:29:03 UTC, Theo Buehler <tb@theobuehler.org> wrote:
>On Wed, May 14, 2025 at 08:22:07AM +0200, Claudio Jeker wrote:
>> On Wed, May 14, 2025 at 07:11:04AM +0100, Jason McIntyre wrote:
>> > On Wed, May 14, 2025 at 08:06:28AM +0200, Claudio Jeker wrote:
>> > > On Wed, May 14, 2025 at 06:50:13AM +0100, Jason McIntyre wrote:
>> > > > On Wed, May 14, 2025 at 01:54:42AM +0200, Michał Markowski wrote:
>> > > > > Thu, 1 May 2025 at 20:52 Michał Markowski <markowski1@gmail.com> wrote:
>> > > > > > Maybe this should be mentioned explicitly in ifconfig(8).
>> > > > > >
>> > > > > > --- sbin/ifconfig/ifconfig.8
>> > > > > > +++ sbin/ifconfig/ifconfig.8
>> > > > > > @@ -247,7 +247,11 @@ interface group.
>> > > > > >  .It
>> > > > > >  The interfaces the default routes point to are members of the
>> > > > > >  .Dq egress
>> > > > > > -interface group.
>> > > > > > +interface group, except for the ones marked with
>> > > > > > +.Fl blackhole
>> > > > > > +or
>> > > > > > +.Fl reject
>> > > > > > +flag.
>> > > > > >  .It
>> > > > > >  IEEE 802.11 wireless interfaces are members of the
>> > > > > >  .Dq wlan
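Review bot: in the added sentence, "the ones marked with -blackhole or -reject" grammatically refers to the interfaces, but those are route(8) flags set on routes, and (as noted later in this thread) an interface that has a blackhole or reject default route can still be in egress if another usable default route, e.g. at a different priority, points to it. Suggest attaching the exception to the routes rather than the interfaces, e.g. "The interfaces that usable default routes point to are members of the egress group; default routes marked -blackhole or -reject are ignored." Independently of that, "-blackhole or -reject flag" needs either "the ... flag" or "flags".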
>> > > > > 
>> > > > > Any thoughts on this?
>> > > > > 
>> > > > 
>> > > > i don't understand it myself - don't these flags apply to routes, rather
>> > > > than interfaces?
>> > > 
>> > > The problem is that 'the ones' in the text above refers to routes and not
>> > > the interfaces. Interfaces are added to the egress group if a usable
>> > > default route uses that interface to send traffic out.  This now excludes
>> > > blackhole and reject routes (a change made not that long ago).
>> > > 
>> > > > having said that, for your language i suggest either
>> > > > 
>> > > > 	marked with *the* -blackhole or -reject flag.
>> > > > or
>> > > > 	marked with -blackhole or -reject.
>> > > > 
>> > > > jmc
>> > > > 
>> > > 
>> > > -- 
>> > > :wq Claudio
>> > > 
>> > 
>> > right, meaning that an interface can have blackhole or reject set on a
>> > route, and still have a usable default route marked "egress".
>> > 
>> > i.e. the diff is not correct?
>> 
>> Yes, in theory that is possible but not very likely.
>> 
>> -reject and -blackhole routes must use lo(4) as interface. I think we tell
>> people to use 127.0.0.1 as nexthop for those routes. 
>> 
>> You need to add routes at different priority to have multiple default
>> routes over the same interface.
>> 
>> So something like:
>> route add default -priority 56 -blackhole 127.0.0.1
>> route add default -priority 8 127.0.0.1
>> 
>> Would mark lo0 as egress but the -blackhole route will never match since
>> it is fully covered by the higher priority (8) route.
>> 
>> Side note:
>> In general using egress in pf.conf nat-to rules is tricky if there are
>> multiple default routes on the system. E.g. if you have wired and wireless
>> and umb all active at once. The nat-to rule may select the wrong address
>> for outgoing traffic.
>
>Does this work? I dropped the inline Xr since it always became awkward.

Sure, OK kn

Two variations inline that perhaps read a tad better.
YMMV, feel free to incorporate or ignore.

What do native speakers say about all vs. any?
I used any where conditions applied, but can't really put a finger on any grammar rule to decide what's the right way.

>
>Index: ifconfig.8
>===================================================================
>RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
>diff -u -p -r1.404 ifconfig.8
>--- ifconfig.8	13 May 2025 15:11:54 -0000	1.404
>+++ ifconfig.8	14 May 2025 06:28:44 -0000
>@@ -231,9 +231,8 @@ Some interfaces belong to specific group
> .It Cm all
> All interfaces.
> .It Cm egress
>-Any interfaces in the default
>-.Xr rdomain 4
>-to which default routes point to.
>+All interfaces to which default routes point that are in rdomain 0
>+but not blackhole or reject routes.
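Review bot: in the replacement text, "that are in rdomain 0" can attach to either "interfaces" or "default routes", and "but not blackhole or reject routes" dangles after a sentence whose subject is the interfaces, so the exception reads as if interfaces could be blackhole or reject. Keeping subject and exception close removes both ambiguities, e.g. "Any interfaces in rdomain 0 to which default routes, other than blackhole or reject routes, point." Dropping the inline .Xr is fine given the rdomain(4) addition to SEE ALSO below, but the old text said "the default rdomain" rather than "rdomain 0"; if the number is kept, "the default rdomain (0)" preserves that wording.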

Any interfaces in rdomain 0 to which default routes (except blackhole or reject) point.

Any interfaces to which default routes, not including blackhole or reject ones, point to in the default rdomain 0.

> .It Cm netboot
> Any interfaces used for network booting, e.g. via
> .Xr pxeboot 8 .
>@@ -2480,6 +2479,7 @@ tried to alter an interface's configurat
> .Xr inet 4 ,
> .Xr intro 4 ,
> .Xr netintro 4 ,
>+.Xr rdomain 4 ,
> .Xr rtable 4 ,
> .Xr hostname.if 5 ,
> .Xr hosts 5 ,
>
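Added example, not part of this thread and not OpenBSD's own code: a small sh/awk script that applies the rule Claudio describes above (an interface joins the egress group when a usable default route points to it; routes flagged blackhole or reject no longer count) to text in the format of `route -n show -inet`, and separately lists default routes that can never match because a better-priority default route exists, which is his lo0 priority 8 versus priority 56 case. The routing-table text is a constructed sample, not captured output, the flag letters B (blackhole) and R (reject) and the column layout are those of route(8)/netstat(1) output, and the awk logic is an approximation of the rule as stated in the thread, not a reproduction of the kernel's egress-group code.

```shell
#!/bin/sh
# Added example, not OpenBSD code.  Approximates the egress-group rule from the
# thread: an interface is "egress" when some default route whose Flags contain
# neither B (blackhole) nor R (reject) points to it.  Input is text in the
# shape of `route -n show -inet`; columns are
#   Destination Gateway Flags Refs Use Mtu Prio Iface

# Constructed sample, not captured from a real system.  lo0 has a usable
# priority-8 default and a priority-56 blackhole default (Claudio's example);
# vio0 has only a reject default; em0 is the real uplink.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.0.2.1          UGS        4     1234     -     8 em0
default            127.0.0.1          UGS        0        0 32768     8 lo0
default            127.0.0.1          UGBS       0        0 32768    56 lo0
default            198.51.100.1       UGRS       0        0     -    20 vio0
127.0.0.1          127.0.0.1          UHl        1        2 32768     1 lo0
'

# Print, one per line in first-seen order, the interfaces that would end up
# in the egress group under the thread's rule.
egress_candidates() {
    awk '
        $1 == "default" && NF >= 8 {
            flags = $3; iface = $8
            if (flags ~ /B/ || flags ~ /R/) next        # blackhole or reject: skipped
            if (!(iface in seen)) { seen[iface] = 1; order[++n] = iface }
        }
        END { for (i = 1; i <= n; i++) print order[i] }
    '
}

# Print "prio iface flags" for every default route whose priority is worse
# (numerically higher) than the best default route present: such a route is
# fully covered by the better one and will not match while that one exists.
shadowed_defaults() {
    awk '
        $1 == "default" && NF >= 8 {
            prio = $7 + 0
            line[++n] = prio " " $8 " " $3
            p[n] = prio
            if (n == 1 || prio < best) best = prio
        }
        END { for (i = 1; i <= n; i++) if (p[i] > best) print line[i] }
    '
}

# Stand-alone run on the sample.  On a live OpenBSD box you would pipe
# `route -n show -inet` in instead, and compare with `ifconfig egress`.
printf '%s' "$SAMPLE_ROUTES" | egress_candidates      # em0, lo0 (vio0 excluded: reject)
printf '%s' "$SAMPLE_ROUTES" | shadowed_defaults      # the prio 56 and prio 20 routes
```

The second function is what makes Claudio's side note concrete: every interface that `egress_candidates` prints is a member of the group even if only a lower-priority default route points to it, so a pf.conf rule such as `match out on egress nat-to (egress)` has more than one address to choose from when wired, wireless and umb are all up. Where that matters, naming the interface explicitly per rule (`match out on em0 inet nat-to (em0)`, and likewise for the others) avoids the ambiguity.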