13

I am keen to use addrtype in combination with -src as a rule in one of my filter chains, like so, to drop some bogon IPs:

-A INPUT -p tcp --dport 80 -m addrtype --src-type UNICAST ! -s 127.0.0.0/8 -j WEB

The man page says the following

addrtype
This module matches packets based on their address type. Address types are used within the kernel networking stack and categorize addresses into various groups. The exact definition of that group depends on the specific layer three protocol.

The following address types are possible:

  • UNSPEC an unspecified address (i.e. 0.0.0.0)
  • UNICAST a unicast address
  • LOCAL a local address
  • BROADCAST a broadcast address
  • ANYCAST an anycast packet
  • MULTICAST a multicast address
  • BLACKHOLE a blackhole address
  • UNREACHABLE an unreachable address
  • PROHIBIT a prohibited address
  • THROW FIXME
  • NAT FIXME
  • XRESOLVE

It is not clear on what are the exact definitions and says it depends on the specific layer 3 protocol. This is what I think:

  • UNICAST (!BROADCAST, !MULTICAST, !ANYCAST)
  • LOCAL (127.0.0.0/8)
  • BROADCAST (*.*.*.255)
  • ANYCAST (*.*.*.*)
  • MULTICAST (224.0.0.0/4)

Does anyone have a clear idea what that means and how it is implemented by iptables (for example, how it knows where the hell BLACKHOLE is)?

  • 5
    LOCAL is most certainly not 127.0.0.0/8. I found out the hard way :( ... apparently a local address refers to any address assigned to an interface. – 0xC0000022L Jun 05 '14 at 02:52
  • 1
    @0xC0000022L According to RFC990, 127.0.0.0/8 is reserved specifically for loopback, however LOCAL isn't limited to just that range. – Qwerty01 Jun 16 '16 at 23:56

1 Answer

4

I think it depends on you to make the kernel know which is the blackhole address type.

From the xt_addrtype.h file in the iptables source code, you can see:

/* rtn_type enum values from rtnetlink.h, but shifted */
enum {
    XT_ADDRTYPE_UNSPEC = 1 << 0,
    XT_ADDRTYPE_UNICAST = 1 << 1,   /* 1 << RTN_UNICAST */
    XT_ADDRTYPE_LOCAL  = 1 << 2,    /* 1 << RTN_LOCAL, etc */
    XT_ADDRTYPE_BROADCAST = 1 << 3,
    XT_ADDRTYPE_ANYCAST = 1 << 4,
    XT_ADDRTYPE_MULTICAST = 1 << 5,
    XT_ADDRTYPE_BLACKHOLE = 1 << 6,
    XT_ADDRTYPE_UNREACHABLE = 1 << 7,
    XT_ADDRTYPE_PROHIBIT = 1 << 8,
    XT_ADDRTYPE_THROW = 1 << 9,
    XT_ADDRTYPE_NAT = 1 << 10,
    XT_ADDRTYPE_XRESOLVE = 1 << 11,
};

And in rtnetlink.h, you will see the same definition:

enum {
    RTN_UNSPEC,
    RTN_UNICAST,        /* Gateway or direct route  */
    RTN_LOCAL,          /* Accept locally       */
    RTN_BROADCAST,      /* Accept locally as broadcast,
                           send as broadcast */
    RTN_ANYCAST,        /* Accept locally as broadcast,
                           but send as unicast */
    RTN_MULTICAST,      /* Multicast route      */
    RTN_BLACKHOLE,      /* Drop             */
    RTN_UNREACHABLE,    /* Destination is unreachable   */
    RTN_PROHIBIT,       /* Administratively prohibited  */
    RTN_THROW,          /* Not in this table        */
    RTN_NAT,            /* Translate this address   */
    RTN_XRESOLVE,       /* Use external resolver    */
    __RTN_MAX
};

You can see that iptables uses the same definition of address type as the kernel TCP/IP networking stack.

Then from man ip:

Route types:

      unicast - the route entry describes real paths to the destinations covered by the route prefix.

      unreachable  - these destinations are unreachable.  Packets are discarded and the ICMP message host unreachable is generated.
               The local senders get an EHOSTUNREACH error.

      blackhole - these destinations are unreachable.  Packets are discarded silently.  The local senders get an EINVAL error.

      prohibit - these destinations are unreachable.  Packets are discarded and the  ICMP  message  communication  administratively
               prohibited is generated.  The local senders get an EACCES error.

      local - the destinations are assigned to this host.  The packets are looped back and delivered locally.

      broadcast - the destinations are broadcast addresses.  The packets are sent as link broadcasts.

      throw  - a special control route used together with policy rules. If such a route is selected, lookup in this table is termi‐
               nated pretending that no route was found.  Without policy routing it is equivalent to the absence of the route in the routing
               table.   The  packets  are  dropped  and the ICMP message net unreachable is generated.  The local senders get an ENETUNREACH
               error.

      nat - a special NAT route.  Destinations covered by the prefix are considered to be dummy (or external) addresses which
               require translation to real (or internal) ones before forwarding.  The addresses to translate to are selected with the
               attribute via.  Warning: Route NAT is no longer supported in Linux 2.6.

      anycast - not implemented the destinations are anycast addresses assigned to this host.  They are mainly equivalent to  local
               with one difference: such addresses are invalid when used as the source address of any packet.

      multicast - a special type used for multicast routing.  It is not present in normal routing tables.

So when you define a route to a network with the ip command and mark it as a blackhole route, the kernel now makes the addresses of that network blackhole type:

ip route add blackhole X.X.X.X/24
cuonglm
  • 153,898
  • 1
    You are showing system header files and saying that it depends on the administrator? – Pavel Šimerda May 18 '14 at 17:16
  • I said the blackhole address type, not all address types. I showed that the iptables addrtype extension uses the same address type definition as the kernel. And the kernel definition of address types can be seen in man ip. – cuonglm May 18 '14 at 17:43
  • Thanks, that only answers the part on blackhole. I tried listing the ips from ip command like so ip route list type local but all types produces empty string except for unicast which gives default via 192.168.1.1 dev eth0 proto static metric 1024 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2. Can you provide more info on how to interpret these? Thanks. – Question Overflow May 19 '14 at 09:34
  • @Gnouc: I'm afraid that doesn't change much. Blackhole is defined in the header file as well. This part of your answer seems to be plain wrong. – Pavel Šimerda May 26 '14 at 21:22
  • 1
    @cuonglm what's the advantage to using ip route add blackhole versus using the firewall to block that particular subnet? Is there a functional/performance difference or a different way to accomplish the same end? – Bratchley Oct 06 '15 at 16:44
  • 1
    @Bratchley: it depends on your system, but a null route is often better, because your route table is often small, while iptables rule sets often contain a huge number of rules. Processing through the rules can lead to a huge performance impact. – cuonglm Oct 06 '15 at 17:08
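The lookup the answer describes, reduced to a runnable model. This is an added example, not code from the question, the answer, iptables or the kernel. It assumes a constructed host (loopback, one eth0 address 192.168.1.2/24, a connected route, a default route and one blackhole route added with `ip route add blackhole 203.0.113.0/24`) and simplifies the kernel's behaviour: multicast and the limited broadcast are decided by range before any lookup, everything else is a longest-prefix match over a table holding the local table's entries (the `local` and `broadcast` routes that `ip route show table local` lists on a real host, which is why `ip route list type local` on the main table came back empty in the comments above) plus ordinary and blackhole routes, with UNICAST as the fallback. The function names, the 0.0.0.0 handling (taken from the man page wording quoted in the question) and the sample routes are assumptions made for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Address type names in the bit order used by xt_addrtype.h (1 << index).
ADDRTYPES = ("UNSPEC", "UNICAST", "LOCAL", "BROADCAST", "ANYCAST", "MULTICAST",
             "BLACKHOLE", "UNREACHABLE", "PROHIBIT", "THROW", "NAT", "XRESOLVE")
XT_ADDRTYPE = {name: 1 << i for i, name in enumerate(ADDRTYPES)}

# A route is (prefix, route type name); this is a simplified stand-in for the kernel FIB.
Route = Tuple[ipaddress.IPv4Network, str]


def local_table(interfaces: List[Tuple[str, str]]) -> List[Route]:
    """Model the entries the kernel adds to the local table for each configured
    address: a /32 'local' route for the address, a /32 'broadcast' route for the
    subnet's directed broadcast, and the whole /8 as local on loopback.
    (Simplified: real kernels differ in minor entries across versions.)"""
    routes: List[Route] = []
    for _ifname, cidr in interfaces:
        iface = ipaddress.ip_interface(cidr)
        routes.append((ipaddress.ip_network(f"{iface.ip}/32"), "LOCAL"))
        net = iface.network
        if iface.ip.is_loopback:
            routes.append((net, "LOCAL"))
        if net.prefixlen < 31:
            routes.append((ipaddress.ip_network(f"{net.broadcast_address}/32"), "BROADCAST"))
    return routes


def addr_type(addr: str, routes: List[Route]) -> str:
    """Classify an address the way '-m addrtype' sees it: fixed ranges first,
    then the most specific matching route decides; no route means UNICAST."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("0.0.0.0"):
        return "UNSPEC"            # as the addrtype man page text puts it
    if ip.is_multicast:
        return "MULTICAST"         # 224.0.0.0/4, decided before any lookup
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "BROADCAST"         # limited broadcast, also decided by range
    best: Optional[Route] = None
    for net, rtype in routes:    # longest-prefix match; first entry wins ties
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rtype)
    return "UNICAST" if best is None else best[1]


def matches_src_type(src: str, wanted: str, routes: List[Route], invert: bool = False) -> bool:
    """Emulate '-m addrtype [!] --src-type A,B': the packet matches when the
    source's type bit is in the requested mask (inverted with '!')."""
    mask = 0
    for name in wanted.split(","):
        mask |= XT_ADDRTYPE[name.strip().upper()]
    hit = bool(XT_ADDRTYPE[addr_type(src, routes)] & mask)
    return hit != invert


def question_rule_matches(src: str, routes: List[Route]) -> bool:
    """The rule from the question, '--src-type UNICAST ! -s 127.0.0.0/8 -j WEB',
    with the '-p tcp --dport 80' part assumed to have matched already."""
    in_loopback = ipaddress.ip_address(src) in ipaddress.ip_network("127.0.0.0/8")
    return matches_src_type(src, "UNICAST", routes) and not in_loopback


# Constructed sample host (hypothetical addresses; 203.0.113.0/24 is documentation space).
INTERFACES = [("lo", "127.0.0.1/8"), ("eth0", "192.168.1.2/24")]
ROUTES: List[Route] = local_table(INTERFACES) + [
    (ipaddress.ip_network("192.168.1.0/24"), "UNICAST"),    # connected route on eth0
    (ipaddress.ip_network("0.0.0.0/0"), "UNICAST"),         # default via 192.168.1.1
    (ipaddress.ip_network("203.0.113.0/24"), "BLACKHOLE"),  # ip route add blackhole 203.0.113.0/24
]

if __name__ == "__main__":
    for a in ("0.0.0.0", "127.0.0.1", "127.5.5.5", "192.168.1.2", "192.168.1.255",
              "192.168.1.77", "224.0.0.1", "203.0.113.9", "8.8.8.8", "255.255.255.255"):
        print(f"{a:16} {addr_type(a, ROUTES):10} reaches -j WEB: {question_rule_matches(a, ROUTES)}")
```

Two things the run makes visible that the man page does not: an address assigned to any interface (192.168.1.2) is LOCAL, so it never matches `--src-type UNICAST`, which is the behaviour the first comment under the question ran into; and a source inside the blackhole prefix is classified BLACKHOLE and is likewise excluded by the `UNICAST` match, so the route itself is what makes the rule's "bogon" check work.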