I am looking for a way to ensure packets sent from downstream BGP customers only come from source IPs that they advertise to me via BGP, also known as BCP 38. I am aware that I could set IP rp-filter to strict to enforce this, but doing so would break multi-homing as I have multiple upstream transit providers as well.

My next thought was to block packets from downstreams that are not from their announced IP space with the firewall and address lists (I already do this for my network's own routes), but that would need a way to take the addresses learned from a BGP session and add them to an address list. As far as I can tell, there is no way to add addresses to an address list with the current routing filters. Is this correct?

An alternative could be to set set rp-filter per-interface, instead of globally so that my upstream interfaces are loose and the downstream interfaces are strict. But that also is not currently supported as far as I can tell.

Are there better ways to achieve what I'm looking to do? I could use a script, but that seems more hacky than ideal.

I believed there were similar request in the past that rp_filter can be turned on/off per interface but nothing come up to a fruition from MT camp

I just stumbled across this post from mrz claiming the ability to add address prefixes to address list with routing filters is on a future roadmap.

viewtopic.php?p=876053#p876230

One of the future features is the ability to add prefixes to the address lists with routing filters.

Hopefully it has not been forgotten about.