Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 1 | This module matches packets based on their |
| 2 | .B address type. |
| 3 | Address types are used within the kernel networking stack and categorize |
| 4 | addresses into various groups. The exact definition of that group depends on the specific layer three protocol. |
Jan Engelhardt | aeafdb8 | 2008-08-12 11:42:04 +0200 | [diff] [blame] | 5 | .PP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 6 | The following address types are possible: |
| 7 | .TP |
| 8 | .BI "UNSPEC" |
| 9 | an unspecified address (i.e. 0.0.0.0) |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 10 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 11 | .BI "UNICAST" |
| 12 | a unicast address |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 13 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 14 | .BI "LOCAL" |
| 15 | a local address |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 16 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 17 | .BI "BROADCAST" |
| 18 | a broadcast address |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 19 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 20 | .BI "ANYCAST" |
| 21 | an anycast packet |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 22 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 23 | .BI "MULTICAST" |
| 24 | a multicast address |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 25 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 26 | .BI "BLACKHOLE" |
| 27 | a blackhole address |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 28 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 29 | .BI "UNREACHABLE" |
| 30 | an unreachable address |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 31 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 32 | .BI "PROHIBIT" |
| 33 | a prohibited address |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 34 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 35 | .BI "THROW" |
| 36 | FIXME |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 37 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 38 | .BI "NAT" |
| 39 | FIXME |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 40 | .TP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 41 | .BI "XRESOLVE" |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 42 | .TP |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 43 | [\fB!\fP] \fB\-\-src\-type\fP \fItype\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 44 | Matches if the source address is of the given type |
| 45 | .TP |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 46 | [\fB!\fP] \fB\-\-dst\-type\fP \fItype\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 47 | Matches if the destination address is of the given type |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 48 | .TP |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 49 | .BI "\-\-limit\-iface\-in" |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 50 | The address type checking can be limited to the interface the packet is coming |
| 51 | in. This option is only valid in the |
| 52 | .BR PREROUTING , |
| 53 | .B INPUT |
| 54 | and |
| 55 | .B FORWARD |
| 56 | chains. It cannot be specified with the |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 57 | \fB\-\-limit\-iface\-out\fP |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 58 | option. |
| 59 | .TP |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 60 | \fB\-\-limit\-iface\-out\fP |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 61 | The address type checking can be limited to the interface the packet is going |
| 62 | out. This option is only valid in the |
| 63 | .BR POSTROUTING , |
| 64 | .B OUTPUT |
| 65 | and |
| 66 | .B FORWARD |
| 67 | chains. It cannot be specified with the |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | [diff] [blame] | 68 | \fB\-\-limit\-iface\-in\fP |
Laszlo Attila Toth | 4dfd25a | 2008-06-06 14:17:53 +0200 | [diff] [blame] | 69 | option. |
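The option constraints described above can be checked before a ruleset is loaded. The following is an added example, not code from the iptables project: `check_addrtype` is a hypothetical helper that encodes only the type names and the chain restrictions listed in this man page, and the sample rules at the end are constructed.

```shell
#!/bin/sh
# Added example; check_addrtype is a hypothetical helper, not part of iptables.
# It encodes only the constraints stated in the man page text above.
ADDRTYPES="UNSPEC UNICAST LOCAL BROADCAST ANYCAST MULTICAST BLACKHOLE \
UNREACHABLE PROHIBIT THROW NAT XRESOLVE"

# usage: check_addrtype CHAIN [addrtype options...]
# Returns 0 if the options are consistent, 1 (reason on stderr) otherwise.
check_addrtype() {
    chain=$1; shift
    lim_in=0; lim_out=0
    while [ $# -gt 0 ]; do
        case $1 in
        '!') ;;                          # negation prefix, an option follows
        --src-type|--dst-type)
            known=0
            for t in $ADDRTYPES; do
                if [ "$t" = "${2:-}" ]; then known=1; fi
            done
            if [ $known -eq 0 ]; then
                echo "$1: unknown address type '${2:-}'" >&2; return 1
            fi
            shift ;;                     # consume the type argument
        --limit-iface-in)  lim_in=1 ;;
        --limit-iface-out) lim_out=1 ;;
        *) echo "not an addrtype option: $1" >&2; return 1 ;;
        esac
        shift
    done
    # Chain restrictions and mutual exclusion of the two limit options.
    case "$lim_in$lim_out:$chain" in
    00:*|10:PREROUTING|10:INPUT|10:FORWARD) return 0 ;;
    01:POSTROUTING|01:OUTPUT|01:FORWARD) return 0 ;;
    11:*) echo "--limit-iface-in and --limit-iface-out are exclusive" >&2
          return 1 ;;
    *) echo "interface limit option is not valid in chain $chain" >&2
       return 1 ;;
    esac
}

# Constructed sample rules: chain name followed by the addrtype options.
for rule in "INPUT --dst-type BROADCAST --limit-iface-in" \
            "OUTPUT --src-type LOCAL --limit-iface-in"; do
    # $rule is deliberately unquoted so that it splits into arguments.
    if check_addrtype $rule; then echo "ok:  $rule"; else echo "bad: $rule"; fi
done
```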