I am looking for a way to ensure packets sent from downstream BGP customers only come from source IPs that they advertise to me via BGP, also known as BCP 38. I am aware that I could set IP rp-filter to strict to enforce this, but doing so would break multi-homing as I have multiple upstream transit providers as well.
My next thought was to block packets from downstreams that are not from their announced IP space with the firewall and address lists (I already do this for my network's own routes), but that would need a way to take the addresses learned from a BGP session and add them to an address list. As far as I can tell, there is no way to add addresses to an address list with the current routing filters. Is this correct?
An alternative could be to set rp-filter per-interface instead of globally, so that my upstream interfaces are loose and the downstream interfaces are strict. But that also is not currently supported as far as I can tell.
Are there better ways to achieve what I'm looking to do? I could use a script, but that seems more hacky than ideal.
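
The following is an added example, not part of the original post: a Python model of the announced-prefix source check described above, compared with strict reverse-path filtering on an asymmetric route. The interface names, prefixes (documentation ranges) and best-path flags are constructed sample data, and the function names are hypothetical; it models the decision logic only and is not router configuration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (ingress interface, prefix received on that BGP session, is best path)
BGP_RECEIVED = [
    ("ether3-custA", "198.51.100.0/25", True),
    ("ether3-custA", "198.51.100.128/25", True),
    ("ether4-custB", "203.0.113.0/24", False),   # customer is multihomed; best path is via transit
    ("ether1-transit", "203.0.113.0/24", True),
    ("ether1-transit", "0.0.0.0/0", True),
]
DOWNSTREAM = {"ether3-custA", "ether4-custB"}    # assumed customer-facing interfaces

def build_allow_lists(received):
    """Per downstream interface, aggregate every prefix announced on it (best path or not)."""
    per_if = defaultdict(list)
    for iface, prefix, _best in received:
        if iface in DOWNSTREAM:
            per_if[iface].append(ipaddress.ip_network(prefix))
    return {i: list(ipaddress.collapse_addresses(nets)) for i, nets in per_if.items()}

def permit_announced(allow, iface, src):
    """BCP 38 check: a downstream source must fall inside that peer's own announcements."""
    if iface not in DOWNSTREAM:
        return True                               # upstream interfaces are not filtered here
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allow.get(iface, []))

def permit_strict_urpf(received, iface, src):
    """Strict reverse-path check: the best route back to src must leave via the ingress interface."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for i, p, best in received
               if best and addr in ipaddress.ip_network(p)]
    if not matches:
        return False
    _, out_if = max(matches, key=lambda m: m[0].prefixlen)   # longest-prefix match
    return out_if == iface

if __name__ == "__main__":
    allow = build_allow_lists(BGP_RECEIVED)
    for iface, src in [("ether3-custA", "198.51.100.200"),   # legitimate
                       ("ether3-custA", "203.0.113.5"),      # spoofed: not custA's space
                       ("ether4-custB", "203.0.113.5")]:     # legitimate, asymmetric route
        print(iface, src,
              "announced-filter:", permit_announced(allow, iface, src),
              "strict-urpf:", permit_strict_urpf(BGP_RECEIVED, iface, src))
```

The third case is the one that separates the two approaches: the source is inside the customer's announcement, so the prefix-based filter accepts it, while the strict reverse-path check drops it because the best route points at the transit interface.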