From: Claudio Jeker
Subject: Re: do not add default routes with blackhole or reject to the egress group
To: tech@openbsd.org
Date: Wed, 14 May 2025 08:22:07 +0200

On Wed, May 14, 2025 at 07:11:04AM +0100, Jason McIntyre wrote:
> On Wed, May 14, 2025 at 08:06:28AM +0200, Claudio Jeker wrote:
> > On Wed, May 14, 2025 at 06:50:13AM +0100, Jason McIntyre wrote:
> > > On Wed, May 14, 2025 at 01:54:42AM +0200, Michał Markowski wrote:
> > > > On Thu, 1 May 2025 at 20:52, Michał Markowski wrote:
> > > > > Maybe this should be mentioned explicitly in ifconfig(8).
> > > > >
> > > > > --- sbin/ifconfig/ifconfig.8
> > > > > +++ sbin/ifconfig/ifconfig.8
> > > > > @@ -247,7 +247,11 @@ interface group.
> > > > > .It
> > > > > The interfaces the default routes point to are members of the
> > > > > .Dq egress
> > > > > -interface group.
> > > > > +interface group, except for the ones marked with
> > > > > +.Fl blackhole
> > > > > +or
> > > > > +.Fl reject
> > > > > +flag.
> > > > > .It
> > > > > IEEE 802.11 wireless interfaces are members of the
> > > > > .Dq wlan
> > > >
> > > > Any thoughts on this?
> > > >
> > >
> > > i don't understand it myself - don't these flags apply to routes, rather
> > > than interfaces?
> >
> > The problem is that 'the ones' in the text above refers to routes and not
> > the interfaces. Interfaces are added to the egress group if a usable
> > default route uses that interface to send traffic out. This now excludes
> > blackhole and reject routes (a change made not that long ago).
> >
> > > having said that, for your language i suggest either
> > >
> > > marked with *the* -blackhole or -reject flag.
> > > or
> > > marked with -blackhole or -reject.
> > >
> > > jmc
> > >
> >
> > --
> > :wq Claudio
> >
>
> right, meaning that an interface can have blackhole or reject set on a
> route, and still have a usable default route marked "egress".
>
> i.e. the diff is not correct?

Yes, in theory that is possible but not very likely.
-reject and -blackhole routes must use lo(4) as interface. I think we tell
people to use 127.0.0.1 as nexthop for those routes. You need to add routes
at different priority to have multiple default routes over the same
interface. So something like:

route add default -priority 56 -blackhole 127.0.0.1
route add default -priority 8 127.0.0.1

Would mark lo0 as egress but the -blackhole route will never match since it
is fully covered by the higher priority (8) route.

Side note: In general using egress in pf.conf nat-to rules is tricky if
there are multiple default routes on the system. E.g. if you have wired and
wireless and umb all active at once. The nat-to rule may select the wrong
address for outgoing traffic.

--
:wq Claudio
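Review bot: the added sentence in the ifconfig.8 hunk is ambiguous about what carries the flag. "the ones marked with .Fl blackhole or .Fl reject" grammatically refers to the interfaces, but -blackhole and -reject are route flags, and, as the thread points out, an interface with a blackhole or reject default route can still be in egress if another usable default route uses it. Suggest making the route the subject, e.g. "The interfaces that usable default routes point to are members of the .Dq egress interface group; default routes marked .Fl blackhole or .Fl reject do not count." Separately, "marked with ... flag" after two .Fl macros needs an article: either "marked with the .Fl blackhole or .Fl reject flag" or drop "flag", as jmc suggested.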
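The rule the thread describes (an interface joins egress when a usable default route sends out through it; blackhole and reject default routes no longer count) and Claudio's two-route lo0 example can be checked against a small model. The following is an added example, not OpenBSD kernel or pf code: it assumes longest-prefix match followed by lowest priority value, treats a default route as usable exactly when it carries neither the blackhole nor the reject flag, and uses constructed interface names, priorities and documentation-prefix addresses. The last function also shows why the nat-to side note matters: with several default routes, `(egress)` expands to more than one address.

```python
"""Model of the egress-group rule from the thread (added example, not OpenBSD code).

Assumptions: routes are matched by longest prefix, then by the numerically
lowest priority; a default route is "usable" for egress membership only if
it has neither the blackhole nor the reject flag.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    dest: str                        # destination prefix, e.g. "0.0.0.0/0"
    iface: str                       # interface the route sends out through
    priority: int                    # like route(8) -priority: lower value wins
    flags: frozenset = frozenset()   # subset of {"blackhole", "reject"}


DEFAULT = ip_network("0.0.0.0/0")
UNUSABLE = frozenset({"blackhole", "reject"})


def lookup(routes, dst):
    """Route used for dst: longest prefix first, then lowest priority value."""
    addr = ip_address(dst)
    matching = [r for r in routes if addr in ip_network(r.dest)]
    if not matching:
        return None
    best = max(ip_network(r.dest).prefixlen for r in matching)
    return min((r for r in matching if ip_network(r.dest).prefixlen == best),
               key=lambda r: r.priority)


def usable_default(route):
    """A default route contributes to egress only if it is not blackhole/reject."""
    return ip_network(route.dest) == DEFAULT and not (route.flags & UNUSABLE)


def egress_group(routes):
    """Interfaces that at least one usable default route sends out through."""
    return {r.iface for r in routes if usable_default(r)}


def nat_to_egress_candidates(routes, ifaddrs):
    """Addresses a 'nat-to (egress)' rule could expand to.  More than one
    entry is the ambiguity the side note warns about (constructed model)."""
    return sorted(a for i in egress_group(routes) for a in ifaddrs.get(i, ()))


# Claudio's example: blackhole default at priority 56, plain default at 8, both via lo0.
LO0_TWO = (
    Route("0.0.0.0/0", "lo0", 56, frozenset({"blackhole"})),
    Route("0.0.0.0/0", "lo0", 8),
)
# Only the blackhole default route.
LO0_BLACKHOLE_ONLY = (Route("0.0.0.0/0", "lo0", 56, frozenset({"blackhole"})),)

# Wired, wireless and umb all with a default route (constructed priorities
# and addresses from documentation prefixes, not real defaults).
MULTI = (
    Route("0.0.0.0/0", "em0", 8),
    Route("0.0.0.0/0", "iwm0", 12),
    Route("0.0.0.0/0", "umb0", 16),
    Route("192.0.2.0/24", "em0", 4),
)
MULTI_ADDRS = {
    "em0": ("192.0.2.10",),
    "iwm0": ("198.51.100.10",),
    "umb0": ("203.0.113.10",),
}

if __name__ == "__main__":
    print(egress_group(LO0_TWO))                        # lo0 is egress ...
    print(lookup(LO0_TWO, "100.64.0.1").priority)       # ... but only priority 8 ever matches
    print(egress_group(LO0_BLACKHOLE_ONLY))             # empty: blackhole route does not count
    print(nat_to_egress_candidates(MULTI, MULTI_ADDRS)) # three candidates for nat-to (egress)
```

Running it shows the thread's claim in miniature: the priority 8 route keeps lo0 in egress while the priority 56 blackhole route is never selected, a lone blackhole default route leaves egress empty, and with three default routes `(egress)` yields three addresses, so a nat-to rule has no single obvious choice.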