From: Jason McIntyre
Subject: Re: do not add default routes with blackhole or reject to the egress group
To: tech@openbsd.org
Date: Wed, 14 May 2025 11:24:31 +0100

On Wed, May 14, 2025 at 08:24:14AM +0000, Klemens Nanni wrote:
> 14 May 2025 06:29:03 UTC, Theo Buehler wrote:
> >On Wed, May 14, 2025 at 08:22:07AM +0200, Claudio Jeker wrote:
> >> On Wed, May 14, 2025 at 07:11:04AM +0100, Jason McIntyre wrote:
> >> > On Wed, May 14, 2025 at 08:06:28AM +0200, Claudio Jeker wrote:
> >> > > On Wed, May 14, 2025 at 06:50:13AM +0100, Jason McIntyre wrote:
> >> > > > On Wed, May 14, 2025 at 01:54:42AM +0200, Michał Markowski wrote:
> >> > > > > Thu, 1 May 2025 at 20:52 Michał Markowski wrote:
> >> > > > > > Maybe this should be mentioned explicitly in ifconfig(8).
> >> > > > > >
> >> > > > > > --- sbin/ifconfig/ifconfig.8
> >> > > > > > +++ sbin/ifconfig/ifconfig.8
> >> > > > > > @@ -247,7 +247,11 @@ interface group.
> >> > > > > > .It
> >> > > > > > The interfaces the default routes point to are members of the
> >> > > > > > .Dq egress
> >> > > > > > -interface group.
> >> > > > > > +interface group, except for the ones marked with
> >> > > > > > +.Fl blackhole
> >> > > > > > +or
> >> > > > > > +.Fl reject
> >> > > > > > +flag.
> >> > > > > > .It
> >> > > > > > IEEE 802.11 wireless interfaces are members of the
> >> > > > > > .Dq wlan
> >> > > > > >
> >> > > > > Any thoughts on this?
> >> > > > >
> >> > > >
> >> > > > i don't understand it myself - don't these flags apply to routes, rather
> >> > > > than interfaces?
> >> > >
> >> > > The problem is that 'the ones' in the text above refers to routes and not
> >> > > the interfaces. Interfaces are added to the egress group if a usable
> >> > > default route uses that interface to send traffic out. This now excludes
> >> > > blackhole and reject routes (a change made not that long ago).
> >> > >
> >> > > > having said that, for your language i suggest either
> >> > > >
> >> > > > marked with *the* -blackhole or -reject flag.
> >> > > > or
> >> > > > marked with -blackhole or -reject.
> >> > > >
> >> > > > jmc
> >> > > >
> >> > >
> >> > > --
> >> > > :wq Claudio
> >> > >
> >> >
> >> > right, meaning that an interface can have blackhole or reject set on a
> >> > route, and still have a usable default route marked "egress".
> >> >
> >> > i.e. the diff is not correct?
> >>
> >> Yes, in theory that is possible but not very likely.
> >>
> >> -reject and -blackhole routes must use lo(4) as interface. I think we tell
> >> people to use 127.0.0.1 as nexthop for those routes.
> >>
> >> You need to add routes at different priority to have multiple default
> >> routes over the same interface.
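Review bot: in the added lines `+interface group, except for the ones marked with` ... `+flag.`, the grammatical subject is the interfaces, so "the ones" reads as interfaces carrying a flag, while -blackhole and -reject are flags on the route, not the interface. Suggest making the route the noun the exception attaches to, e.g. `+interface group, unless the default route is marked with the` / `+.Fl blackhole` / `+or` / `+.Fl reject` / `+flag.`; "the" before the flag list also fixes the bare "or ... flag" ending.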
> >>
> >> So something like:
> >> route add default -priority 56 -blackhole 127.0.0.1
> >> route add default -priority 8 127.0.0.1
> >>
> >> Would mark lo0 as egress but the -blackhole route will never match since
> >> it is fully covered by the higher priority (8) route.
> >>
> >> Side note:
> >> In general using egress in pf.conf nat-to rules is tricky if there are
> >> multiple default routes on the system. E.g. if you have wired and wireless
> >> and umb all active at once. The nat-to rule may select the wrong address
> >> for outgoing traffic.
> >
> >Does this work? I dropped the inline Xr since it always became awkward.
>
> Sure, OK kn
>
> Two variations online that perhaps read a tad better.
> YMMV, feel free to incorporate or ignore.
>
> What do native speakers say about all vs. any?
> I used any where conditions applied, but can't really put a finger on any
> grammar rule to decide what's the right way.
>

i don't discern much difference myself. i guess it's a matter of taste. in
all honesty, you could remove "all" or "any" and it would make sense. i
think "any" is there because it was used as a starting point to edit the
text.

jmc

> >
> >Index: ifconfig.8
> >===================================================================
> >RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
> >diff -u -p -r1.404 ifconfig.8
> >--- ifconfig.8 13 May 2025 15:11:54 -0000 1.404
> >+++ ifconfig.8 14 May 2025 06:28:44 -0000
> >@@ -231,9 +231,8 @@ Some interfaces belong to specific group
> > .It Cm all
> > All interfaces.
> > .It Cm egress
> >-Any interfaces in the default
> >-.Xr rdomain 4
> >-to which default routes point to.
> >+All interfaces to which default routes point that are in rdomain 0
> >+but not blackhole or reject routes.
>
> Any interfaces in rdomain 0 to which default routes (except blackhole or reject) point.
>
> Any interfaces to which default routes, not including blackhole or reject ones, point to in the default rdomain 0.
>
> > .It Cm netboot
> > Any interfaces used for network booting, e.g. via
> > .Xr pxeboot 8 .
> >@@ -2480,6 +2479,7 @@ tried to alter an interface's configurat
> > .Xr inet 4 ,
> > .Xr intro 4 ,
> > .Xr netintro 4 ,
> >+.Xr rdomain 4 ,
> > .Xr rtable 4 ,
> > .Xr hostname.if 5 ,
> > .Xr hosts 5 ,
> >
>
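Review bot: in `+All interfaces to which default routes point that are in rdomain 0` / `+but not blackhole or reject routes.`, the relative clause "that are in rdomain 0" is separated from its noun and can attach to either the interfaces or the routes, and "but not blackhole or reject routes" hangs off "interfaces" rather than "default routes". Suggest keeping the exclusion next to the routes, e.g. `+Any interfaces in rdomain 0 to which default routes point,` / `+excluding blackhole and reject routes.`; replacing "default rdomain" with the literal "rdomain 0" is fine here because the second hunk adds `.Xr rdomain 4` to SEE ALSO to cover the dropped inline cross-reference.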
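The egress-membership rule Claudio describes above (a usable default route in the default rdomain puts its interface into "egress"; blackhole and reject defaults do not count, and a lower-priority default never matches while a better one exists), as an added example that is not part of the thread or of OpenBSD. The route listings are constructed to resemble `route -n show` output for rdomain 0 and are not captured from a real system; the flag letters assumed are U (up), B (blackhole) and R (reject).

```python
"""Audit which interfaces pf's 'egress' would currently match (added example)."""

# Constructed sample, shaped like `route -n show` output for rdomain 0.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.1        UGS        0        0     -     8 em0
default            10.0.0.1           UGS        0        0     -    12 iwm0
default            127.0.0.1          UGBS       0        0     -    56 lo0
default            127.0.0.1          UGRS       0        0     -    60 lo0
192.168.1/24       192.168.1.10       UC         0        0     -     4 em0
"""

# Claudio's two-route case from the thread, also constructed.
LO0_ONLY = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            127.0.0.1          UGBS       0        0     -    56 lo0
default            127.0.0.1          UGS        0        0     -     8 lo0
"""


def parse_routes(text):
    """Return (dest, gateway, flags, prio, iface) tuples, skipping the header."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        dest, gateway, flags = fields[0], fields[1], fields[2]
        prio, iface = int(fields[-2]), fields[-1]
        routes.append((dest, gateway, flags, prio, iface))
    return routes


def egress_interfaces(routes):
    """Interfaces that an up default route points to, ignoring blackhole/reject routes.

    Assumes the listing is rdomain 0; `route -n show` prints one rdomain at a time.
    """
    return sorted({iface for dest, _, flags, _, iface in routes
                   if dest == "default" and "U" in flags
                   and "B" not in flags and "R" not in flags})


def shadowed_defaults(routes):
    """Default routes that never match because a lower-numbered priority default exists.

    This is the thread's lo0 case: the prio 56 blackhole is fully covered by prio 8.
    """
    defaults = [r for r in routes if r[0] == "default"]
    if not defaults:
        return []
    best = min(r[3] for r in defaults)
    return [r for r in defaults if r[3] > best]
```

Feed it the real `route -n show` output of a host to see which interfaces a `nat-to (egress)` rule could pick from, and which default routes are only backups.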