I am keen to use addrtype in combination with -src as a rule in one of my filter chains, like so, to drop some bogon IPs:

-A INPUT -p tcp --dport 80 -m addrtype --src-type UNICAST ! -s 127.0.0.0/8 -j WEB
The man page says the following:

addrtype
This module matches packets based on their address type. Address types are used within the kernel networking stack and categorize addresses into various groups. The exact definition of that group depends on the specific layer three protocol. The following address types are possible:
- UNSPEC an unspecified address (i.e. 0.0.0.0)
- UNICAST an unicast address
- LOCAL a local address
- BROADCAST a broadcast address
- ANYCAST an anycast packet
- MULTICAST a multicast address
- BLACKHOLE a blackhole address
- UNREACHABLE an unreachable address
- PROHIBIT a prohibited address
- THROW FIXME
- NAT FIXME
- XRESOLVE
It is not clear what the exact definitions are, and it says they depend on the specific layer 3 protocol. This is what I think:

- UNICAST (!BROADCAST, !MULTICAST, !ANYCAST)
- LOCAL (127.0.0.0/8)
- BROADCAST (*.*.*.255)
- ANYCAST (*.*.*.*)
- MULTICAST (224.0.0.0/4)

Does anyone have a clear idea what that means and how it is implemented by iptables (for example, how it knows where the hell BLACKHOLE is)?
Best Answer
I think it depends on you to make the kernel know which is the blackhole address type.

From the xt_addrtype.h file in the iptables source code, you can see:

And in rtnetlink.h, you will see the same definition:

You can see iptables uses the same definition of address types as the kernel TCP networking stack. Then from man ip:

So when you define a route to a network with the ip command and mark it as a blackhole route, the kernel now makes this network address the blackhole type:
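The point of the answer above is that addrtype does not carry its own list of "blackhole" or "prohibited" addresses: the match reuses the kernel's route types, so an address is BLACKHOLE only because a blackhole route in the routing table covers it. The following is an added, constructed Python model of that lookup (it is not kernel or iptables code, and the routing table, prefixes and the fixed checks for 0.0.0.0, 255.255.255.255 and multicast are illustrative assumptions taken from the man page descriptions quoted in the question): a longest-prefix match over a table whose entries carry a route type, and a small evaluator for the `--src-type` rule from the question.

```python
"""Constructed model of how iptables' addrtype match gets an address type:
look the address up in the routing table and take the route's type.
Illustration only; not the kernel's or iptables' real lookup code."""
import ipaddress

# Route type names as they appear in rtnetlink.h / xt_addrtype.h (RTN_*).
UNSPEC, UNICAST, LOCAL, BROADCAST, MULTICAST = (
    "UNSPEC", "UNICAST", "LOCAL", "BROADCAST", "MULTICAST")
BLACKHOLE, UNREACHABLE, PROHIBIT = "BLACKHOLE", "UNREACHABLE", "PROHIBIT"

# Constructed routing table as (prefix, route type).  The LOCAL/BROADCAST
# entries model what the kernel installs for a host with 192.0.2.10/24;
# the last three model administrator-added routes such as
# `ip route add blackhole 198.51.100.0/24` (example prefixes only).
ROUTES = [
    ("127.0.0.0/8", LOCAL),
    ("192.0.2.10/32", LOCAL),
    ("192.0.2.0/32", BROADCAST),
    ("192.0.2.255/32", BROADCAST),
    ("192.0.2.0/24", UNICAST),
    ("0.0.0.0/0", UNICAST),
    ("198.51.100.0/24", BLACKHOLE),
    ("203.0.113.0/24", UNREACHABLE),
    ("10.0.0.0/8", PROHIBIT),
]


def addr_type(ip, routes=ROUTES):
    """Return the address type of `ip` under `routes`.

    A few fixed checks come first (following the man page's wording:
    0.0.0.0 is UNSPEC, 224.0.0.0/4 is MULTICAST, and the limited broadcast
    address is BROADCAST); everything else is decided purely by the type
    of the longest-prefix route that covers the address.  Assumption of
    this model: an address no route covers is reported as UNICAST.
    """
    a = ipaddress.IPv4Address(ip)
    if a == ipaddress.IPv4Address("0.0.0.0"):
        return UNSPEC
    if a == ipaddress.IPv4Address("255.255.255.255"):
        return BROADCAST
    if a.is_multicast:
        return MULTICAST

    best_net, best_type = None, UNICAST
    for prefix, rtype in routes:
        net = ipaddress.IPv4Network(prefix)
        if a in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_type = net, rtype
    return best_type


def rule_matches(src_ip, src_types, routes=ROUTES):
    """Model `-m addrtype --src-type T1,T2,...`: the rule matches when the
    source address's type is one of the listed types."""
    return addr_type(src_ip, routes) in set(src_types)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.10", "192.0.2.255", "192.0.2.20",
               "198.51.100.7", "203.0.113.9", "10.1.2.3", "8.8.8.8",
               "224.0.0.1", "0.0.0.0"):
        print(f"{ip:16} -> {addr_type(ip)}")
    # The question's rule (--src-type UNICAST) does not see a blackholed source;
    # a companion rule listing the "bogus" types would catch it instead.
    print(rule_matches("198.51.100.7", [UNICAST]))
    print(rule_matches("198.51.100.7", [BLACKHOLE, UNREACHABLE, PROHIBIT]))
```

Adding or removing a blackhole route in `ROUTES` changes what `addr_type` reports without any change to the rule, which is exactly the behaviour the answer describes for the real kernel: the routing table, populated with `ip route add blackhole ...`, is the thing addrtype consults.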