Книга: Iptables Tutorial 1.2.2
Addrtype match
Addrtype match
The addrtype module matches packets based on the address type. The address type is used inside the kernel to put different packets into different categories. With this match you will be able to match all packets based on their address type according to the kernel. It should be noted that the exact meaning of the different address types varies between the layer 3 protocols. I will give a brief general description here however, but for more information I suggest reading Linux Advanced Routing and Traffic Control HOW-TO and Policy Routing using Linux. The available types are as follows:
Table 10-6. Address types
Type | Description |
---|---|
ANYCAST | This is a one-to-many associative connection type, where only one of the many receiver hosts actually receives the data. This is for example implemented in DNS. You have single address to a root server, but it actually has several locations and your packet will be directed to the closest working server. Not implemented in Linux IPv4. |
BLACKHOLE | A blackhole address will simply delete the packet and send no reply. It works as a black hole in space basically. This is configured in the routing tables of linux. |
BROADCAST | A broadcast packet is a single packet sent to everyone in a specific network in a one-to-many relation. This is for example used in ARP resolution, where a single packet is sent out requesting information on how to reach a specific IP, and then the host that is authoritative replies with the proper MAC address of that host. |
LOCAL | An address that is local to the host we are working on. 127.0.0.1 for example. |
MULTICAST | A multicast packet is sent to several hosts using the shortest distance and only one packet is sent to each waypoint where it will be multiple copies for each host/router subscribing to the specific multicast address. Commonly used in one way streaming media such as video or sound. |
NAT | An address that has been NAT'ed by the kernel. |
PROHIBIT | Same as blackhole except that a prohibited answer will be generated. In the IPv4 case, this means an ICMP communication prohibited (type 3, code 13) answer will be generated. |
THROW | Special route in the Linux kernel. If a packet is thrown in a routing table it will behave as if no route was found in the table. In normal routing, this means that the packet will behave as if it had no route. In policy routing, another route might be found in another routing table. |
UNICAST | A real routable address for a single address. The most common type of route. |
UNREACHABLE | This signals an unreachable address that we do not know how to reach. The packets will be discarded and an ICMP Host unreachable (type 3, code 1) will be generated. |
UNSPEC | An unspecified address that has no real meaning. |
XRESOLVE | This address type is used to send route lookups to userland applications which will do the lookup for the kernel. This might be wanted to send ugly lookups to the outside of the kernel, or to have an application do lookups for you. Not implemented in Linux. |
The addrtype match is loaded by using the -m addrtype keyword. When this is done, the extra match options in the following table will be available for usage.
Table 10-7. Addrtype match options
Match | --src-type |
Kernel | 2.6 |
Example | iptables -A INPUT -m addrtype --src-type UNICAST |
Explanation | The --src-type match option is used to match the source address type of the packet. It can either take a single address type or several separated by coma signs, for example --src-type BROADCAST,MULTICAST. The match option may also be inverted by adding an exclamation sign before it, for example ! --src-type BROADCAST,MULTICAST. |
Match | --dst-type |
Kernel | 2.6 |
Example | iptables -A INPUT -m addrtype --dst-type UNICAST |
Explanation | The --dst-type works exactly the same way as --src-type and has the same syntax. The only difference is that it will match packets based on their destination address type. |
- Addrtype match
- AH/ESP match
- Comment match
- Connmark match
- Conntrack match
- Dscp match
- Ecn match
- Hashlimit match
- Helper match
- IP range match
- Length match
- Limit match
- Mac match
- Mark match
- Multiport match
- Owner match
- Packet type match
- Realm match
- Recent match
- State match
- Tcpmss match
- Tos match
- Ttl match
- Unclean match