What is the definition of addrtype in iptables?


11

I'm keen on using addrtype --src-type in one of my filter chains, for example to drop some bogon IPs like this:

-A INPUT -p tcp --dport 80 -m addrtype --src-type UNICAST ! -s 127.0.0.0/8 -j WEB

The man page shows the following:

addrtype
    This module matches packets based on their address type. Address types are used within the kernel networking stack and categorize addresses into various groups. The exact definition of that group depends on the specific layer three protocol.

    The following address types are possible:

      • UNSPEC an unspecified address (i.e. 0.0.0.0)
      • UNICAST an unicast address
      • LOCAL a local address
      • BROADCAST a broadcast address
      • ANYCAST an anycast packet
      • MULTICAST a multicast address
      • BLACKHOLE a blackhole address
      • UNREACHABLE an unreachable address
      • PROHIBIT a prohibited address
      • THROW FIXME
      • NAT FIXME
      • XRESOLVE

It's unclear what the exact definitions are and whether they depend on the specific layer 3 protocol. I assume it's something like this:

  • UNICAST (!BROADCAST, !MULTICAST, !ANYCAST)
  • LOCAL (127.0.0.0/8)
  • BROADCAST (*.*.*.255)
  • ANYCAST (*.*.*.*)
  • MULTICAST (224.0.0.0/4)

Does anyone know exactly what this means and how it is implemented in iptables (e.g. how does it know where a blackhole is)?


2
LOCAL is definitely not 127.0.0.0/8. I found out the hard way :( ... apparently a local address means any address that is assigned to an interface.
0xC0000022L

1
@0xC0000022L According to RFC990, 127.0.0.0/8 is reserved specifically for loopback; however, LOCAL is not limited to just that range.
Qwerty01

Answers:


3

I think it's up to you to let the kernel know which address type is blackhole.

From the xt_addrtype.h file in the iptables source code you can see:

/* rtn_type enum values from rtnetlink.h, but shifted */
enum {
    XT_ADDRTYPE_UNSPEC = 1 << 0,
    XT_ADDRTYPE_UNICAST = 1 << 1,   /* 1 << RTN_UNICAST */
    XT_ADDRTYPE_LOCAL  = 1 << 2,    /* 1 << RTN_LOCAL, etc */
    XT_ADDRTYPE_BROADCAST = 1 << 3,
    XT_ADDRTYPE_ANYCAST = 1 << 4,
    XT_ADDRTYPE_MULTICAST = 1 << 5,
    XT_ADDRTYPE_BLACKHOLE = 1 << 6,
    XT_ADDRTYPE_UNREACHABLE = 1 << 7,
    XT_ADDRTYPE_PROHIBIT = 1 << 8,
    XT_ADDRTYPE_THROW = 1 << 9,
    XT_ADDRTYPE_NAT = 1 << 10,
    XT_ADDRTYPE_XRESOLVE = 1 << 11,
};

In rtnetlink.h you will see the same definitions:

enum {
    RTN_UNSPEC,
    RTN_UNICAST,        /* Gateway or direct route  */
    RTN_LOCAL,          /* Accept locally       */
    RTN_BROADCAST,      /* Accept locally as broadcast,
                           send as broadcast */
    RTN_ANYCAST,        /* Accept locally as broadcast,
                           but send as unicast */
    RTN_MULTICAST,      /* Multicast route      */
    RTN_BLACKHOLE,      /* Drop             */
    RTN_UNREACHABLE,    /* Destination is unreachable   */
    RTN_PROHIBIT,       /* Administratively prohibited  */
    RTN_THROW,          /* Not in this table        */
    RTN_NAT,            /* Translate this address   */
    RTN_XRESOLVE,       /* Use external resolver    */
    __RTN_MAX
};

You can see that iptables uses the same address type definitions as the kernel TCP network stack.

Then from man ip:

Route types:

      unicast - the route entry describes real paths to the destinations covered by the route prefix.

      unreachable  - these destinations are unreachable.  Packets are discarded and the ICMP message host unreachable is generated.
               The local senders get an EHOSTUNREACH error.

      blackhole - these destinations are unreachable.  Packets are discarded silently.  The local senders get an EINVAL error.

      prohibit - these destinations are unreachable.  Packets are discarded and the  ICMP  message  communication  administratively
               prohibited is generated.  The local senders get an EACCES error.

      local - the destinations are assigned to this host.  The packets are looped back and delivered locally.

      broadcast - the destinations are broadcast addresses.  The packets are sent as link broadcasts.

      throw  - a special control route used together with policy rules. If such a route is selected, lookup in this table is terminated
               pretending that no route was found.  Without policy routing it is equivalent to the absence of the route in the routing
               table.   The  packets  are  dropped  and the ICMP message net unreachable is generated.  The local senders get an ENETUNREACH
               error.

      nat - a special NAT route.  Destinations covered by the prefix are considered to  be  dummy  (or  external)  addresses  which
               require  translation  to  real  (or  internal)  ones  before forwarding.  The addresses to translate to are selected with the
               attribute via.  Warning: Route NAT is no longer supported in Linux 2.6.

      anycast - not implemented the destinations are anycast addresses assigned to this host.  They are mainly equivalent to  local
               with one difference: such addresses are invalid when used as the source address of any packet.

      multicast - a special type used for multicast routing.  It is not present in normal routing tables.

So when you define a route to a network with the ip command and mark it as a blackhole route, the kernel now makes that network address the blackhole type:

ip route add blackhole X.X.X.X/24
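To make the answer's point concrete (the address type iptables sees is the type of the route the kernel finds for that address, and, as the comments on the question note, LOCAL covers every address assigned to an interface, which the kernel keeps as `local` entries in its local routing table), here is an added Python model. It is not code from the answer, from iptables or from the kernel: it parses a constructed `ip route` listing, classifies addresses by longest-prefix match, maps the route type onto the XT_ADDRTYPE_* bits quoted above, and evaluates the question's `--src-type UNICAST ! -s 127.0.0.0/8` rule. The two pre-lookup special cases (limited broadcast and 224.0.0.0/4) and the "no route means UNICAST" fallback are assumptions of the model.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Address-type bits exactly as in the xt_addrtype.h enum quoted in the answer.
XT_ADDRTYPE = {
    "UNSPEC": 1 << 0, "UNICAST": 1 << 1, "LOCAL": 1 << 2, "BROADCAST": 1 << 3,
    "ANYCAST": 1 << 4, "MULTICAST": 1 << 5, "BLACKHOLE": 1 << 6,
    "UNREACHABLE": 1 << 7, "PROHIBIT": 1 << 8, "THROW": 1 << 9,
    "NAT": 1 << 10, "XRESOLVE": 1 << 11,
}

# Route types that `ip route` prints as a leading keyword; a plain unicast
# route is printed with no keyword at all.
ROUTE_TYPE_KEYWORDS = {
    "unicast", "local", "broadcast", "multicast", "anycast", "blackhole",
    "unreachable", "prohibit", "throw", "nat", "xresolve",
}


class Route(NamedTuple):
    rtype: str                     # route type, lower case as `ip` prints it
    prefix: ipaddress.IPv4Network  # destination prefix


# CONSTRUCTED sample (local table + main table) for a host whose eth0 is
# 192.168.1.2/24, plus one blackhole and one unreachable route added by the
# admin. Not output captured from any real system.
SAMPLE_ROUTES = """\
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.1.2 dev eth0 proto kernel scope host src 192.168.1.2
broadcast 192.168.1.255 dev eth0 proto kernel scope link src 192.168.1.2
blackhole 10.0.0.0/24
unreachable 192.0.2.0/24
default via 192.168.1.1 dev eth0 proto static metric 1024
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
"""


def parse_routes(text: str) -> List[Route]:
    """Turn `ip route`-style lines into (type, prefix) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in ROUTE_TYPE_KEYWORDS:
            rtype, dest = fields[0], fields[1]
        else:
            rtype, dest = "unicast", fields[0]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append(Route(rtype, ipaddress.ip_network(dest, strict=False)))
    return routes


def addr_type(addr: str, routes: List[Route]) -> str:
    """Model of the lookup behind `-m addrtype`: the address type is the type
    of the longest-prefix-matching route. Assumptions: limited broadcast and
    the 224.0.0.0/4 block are decided before any lookup, and an address with
    no matching route is treated as UNICAST."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "BROADCAST"
    if ip in ipaddress.ip_network("224.0.0.0/4"):
        return "MULTICAST"
    best: Optional[Route] = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.rtype.upper() if best else "UNICAST"


def src_type_rule_matches(src: str, routes: List[Route], wanted: str = "UNICAST") -> bool:
    """Model of the question's rule `-m addrtype --src-type UNICAST ! -s 127.0.0.0/8`:
    True when a packet with this source address would be handed to the WEB chain."""
    if ipaddress.ip_address(src) in ipaddress.ip_network("127.0.0.0/8"):
        return False
    return bool(XT_ADDRTYPE[wanted] & XT_ADDRTYPE[addr_type(src, routes)])


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for a in ("127.0.0.1", "192.168.1.2", "192.168.1.255", "192.168.1.50",
              "10.0.0.7", "192.0.2.9", "224.0.0.1", "203.0.113.5"):
        print(f"{a:16} {addr_type(a, table):12} -> WEB chain: {src_type_rule_matches(a, table)}")
```

Note what the model shows for the host's own address 192.168.1.2: it is LOCAL, not UNICAST, because the kernel holds a `local` route for every configured interface address, so a `--src-type UNICAST` rule does not match packets sourced from the host itself. That is the behaviour the "LOCAL is not 127.0.0.0/8" comment describes.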

1
You are showing a system header file and saying it's up to the administrator?
Pavel Šimerda '14

I'm talking about the blackhole address type, not all address types. I showed that the iptables addrtype extension uses the same addrtype definitions as the kernel. The kernel definitions of the address types can be found in man ip.
cuonglm

Thanks, but this only covers blackhole. I tried to list IPs with the ip command like ip route list type local, but all types give an empty string except unicast, which gives default via 192.168.1.1 dev eth0 proto static metric 1024 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2. Can you give more information on how to interpret these? Thanks.
2014

1
@cuonglm What is the advantage of using ip route add blackhole over using the firewall to block that particular subnet? Is there a functional/performance difference, or is it just a different way of accomplishing the same thing?
Bratchley, 2015

1
@Bratchley: It depends on your system, but a null route is generally better, because your routing table is usually small while your iptables ruleset often contains a large number of rules. Traversing those rules causes a huge performance impact.
cuonglm
Licensed under cc by-sa 3.0 with attribution required.