It seems that simply enabling multipath is sufficient:
/etc/sysctl.conf:
    net.inet.ip.forwarding=1
    net.inet.ip.multipath=1
The hostname.if(5) need not have an explicit "!route add -mpath default x.x.x.x" line. (I've realized x.x.x.x is the address of the gateway - that wasn't entirely clear to me in the example.) In my case, the gateway address for re0 is static and easy enough to discover, but the ral0 interface receives a dynamic address and its gateway isn't always the same. Conveniently, enabling multipath seems to be sufficient to automatically set up the routes with the dynamic addresses.
$ netstat -rn | grep default
    default 10.0.0.1 UGS 5 54150 - 8 re0
    default 192.168.48.1 UGS 0 0 - 12 ral0
I am still a bit unsure of how to handle this situation in the firewall configuration.
$ doas cat /etc/pf.conf
    int_if="em0"
    table <martians> { 0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
        203.0.113.0/24 }
    set block-policy drop
    set loginterface egress
    set skip on lo0
    match in all scrub (no-df random-id max-mss 1440)
    match out on egress inet from !(egress:network) to any nat-to (egress:0)
    block in quick on egress from <martians> to any
    block return out quick on egress from any to <martians>
    block all
    pass out quick inet
    pass in on $int_if inet
    pass in on egress inet proto tcp from any to (egress) port 55666 rdr-to 192.168.0.3 port 55666
    # By default, do not permit remote connections to X11
    block return in on ! lo0 proto tcp to port 6000:6010
While I get the semantic gist of "egress", I am unaware of the specific constraints and requirements on its use in the configuration file.
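The constraint worth keeping in mind is that "egress" is not an interface but an automatic interface group: it contains every interface that currently holds a default route, so with multipath enabled it covers both re0 and ral0, and any rule written on egress or expanding (egress) applies to both. The pf.conf below is an added example (not the poster's configuration) that keeps the group where that is wanted and names the WAN interfaces explicitly where per-interface behaviour matters; it assumes the interfaces, LAN and forwarded host from the post and that the same martians table is defined above it.

```pf
# Added example: per-WAN variant of the posted ruleset for a dual default
# route (multipath) setup. Assumes re0 (static gateway), ral0 (dynamic
# gateway), em0 as LAN and the <martians> table from the original config.
wan1="re0"
wan2="ral0"
int_if="em0"

set block-policy drop
set loginterface egress
set skip on lo0
# Bind each state to the interface it was created on, so a state built on
# re0 is never matched by the same flow seen on ral0 (or vice versa).
set state-policy if-bound

match in all scrub (no-df random-id max-mss 1440)

# NAT per outgoing interface: traffic leaving re0 is translated to re0's
# address and traffic leaving ral0 to ral0's address, instead of relying on
# how the two-member "egress" group expands inside a single nat-to.
match out on $wan1 inet from !($wan1:network) to any nat-to ($wan1:0)
match out on $wan2 inet from !($wan2:network) to any nat-to ($wan2:0)

# Bogon filtering is wanted on every WAN, so the group is the right match
# here: it follows the default routes as they come and go.
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

block all
pass out quick inet
pass in on $int_if inet

# Accept the port forward only on the WAN with the stable address; with
# "pass in on egress ... to (egress)" it would be reachable via both links.
pass in on $wan1 inet proto tcp from any to ($wan1) port 55666 \
    rdr-to 192.168.0.3 port 55666

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
```

Check the group membership with `ifconfig egress` after both default routes are up; if ral0's route disappears (link down, lease lost) it silently leaves the group and the egress rules stop applying to it, while the $wan2 rules above stay as written.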