
#1 2018-10-17 06:05:44

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

[SOLVED] IPv4 address validation in iptables

Hi Archers, long time no see wink

I started writing a program to do certain types of calculations involving IP addresses. Basically, I want something like ipcalc except more scriptable and written in C.

I want the output of the program to be sensible to iptables, and in the course of writing the program the question came to my mind about how to do IPv4 address validation.

And what a can of worms that opens, as you can see at, for example, https://news.ycombinator.com/item?id=6580592

And so TIL validating ip addresses is a hard problem. Now, whereas I don't mind putting arbitrary constraints on my own program, still, I want to make sure what it hands over to iptables will be understood correctly.

Don't let the context distract you. Regardless of my own program, this is about iptables. I want to know about iptables.

What kinds of crazy input can I put into iptables that it will understand, and how will it interpret, say, leading zeros on an octet? Will it treat it as octal, or not? What are the rules iptables uses to deal with all the crazy ways to write ip addresses?

Naturally, Google has very little ability to help with this kind of problem. I found one or two decent overviews of iptables, but nothing beyond what's in the Arch wiki. In particular, nothing that goes into how iptables validates its input.

And maybe I could go trawling through the iptables source code, but please be sympathetic, I get the feeling it would definitely be a harrowing experience, amiright? Please don't make me take one for the team.

So, does anyone have any resources or pointers or experience at hand about how various IPv4 address formats will be interpreted by iptables?

Edit: Also, whether ipset does things differently to iptables would also be relevant.

But if they perform different validations to each other, that would be a little frightening ...

Last edited by /dev/zero (2018-10-18 08:24:46)


#2 2018-10-18 08:24:31

/dev/zero

Re: [SOLVED] IPv4 address validation in iptables

Okay, so I ended up looking through the source for iptables and ipset.

It turns out that iptables does what you might naively expect an IP address parser to do:

  • Grab octets one at a time

  • Convert them to unsigned integers

  • Bit-shift them to the left

  • Add them to the running total

  • Complain if there aren't exactly four octets

This works well enough most of the time, but it has the consequence that iptables wouldn't be able to handle the kind of crazy abbreviations that pop up now and then, such as the example where 127.1 is interpreted as equal to 127.0.0.1.

IPSet, on the other hand, relies on netdb, which uses inet_aton, and all of this ships with glibc. This code is quite complicated and I can't quite work out how it does its magic, but it understands a wide variety of crazy abbreviations.

This has the consequence that if, for some reason, you needed iptables to understand odd abbreviated IP addresses, you could use ipset to sneak them in, since ipset would convert them into a form that iptables understands.

And if, as I am, you're writing code where the output will be given to ipset, it is probably a good idea (although not essential) to also use inet_aton to parse IP addresses, in order to not pre-emptively limit the variety of inputs your program can accept.

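The two parsing behaviours the post above contrasts, as an added example that is not code from the thread, from iptables or from ipset. The strict parser is modelled on the post's bullet-point description (grab octets, shift, add, insist on exactly four); the liberal parser is the C library's own inet_aton(), which on glibc and musl reads each component with strtoul() base 0, so leading zeros mean octal and a 0x prefix means hex. Two choices here are assumptions rather than anything the thread states: the strict parser refuses a leading zero outright instead of guessing whether it is octal, and canonical_ipv4() normalises through inet_aton()/inet_ntoa() so that whatever a user typed, the consumer only ever sees plain a.b.c.d. The point for anyone generating rules is the last one: two tools disagreeing about what "010.0.0.1" means is a parser differential, and emitting only the canonical form removes it.

```c
/* Added example (not the thread's code): strict four-octet parsing versus the
 * C library's liberal inet_aton(), plus canonicalisation to dotted decimal. */
#define _DEFAULT_SOURCE          /* expose inet_aton() under strict -std= modes */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#include <arpa/inet.h>           /* inet_aton, inet_ntoa, ntohl, INET_ADDRSTRLEN */

/* Strict parser: exactly four dot-separated decimal octets, each 0..255.
 * Assumption (not settled in the thread): a leading zero such as "010" is
 * ambiguous between decimal and octal, so it is refused rather than guessed.
 * Returns 1 and stores the host-order address on success, 0 otherwise. */
int parse_strict_ipv4(const char *s, uint32_t *out)
{
    uint32_t acc = 0;
    int octets = 0;
    const char *p = s;

    for (;;) {
        if (!isdigit((unsigned char)*p))
            return 0;                        /* empty octet or non-digit */
        if (*p == '0' && isdigit((unsigned char)p[1]))
            return 0;                        /* "010": ambiguous, refuse */
        unsigned v = 0;
        while (isdigit((unsigned char)*p)) {
            v = v * 10 + (unsigned)(*p++ - '0');
            if (v > 255)
                return 0;                    /* octet out of range */
        }
        acc = (acc << 8) | v;                /* shift running total, add octet */
        octets++;
        if (*p == '.') {
            p++;
            continue;
        }
        if (*p == '\0')
            break;
        return 0;                            /* trailing garbage */
    }
    if (octets != 4)
        return 0;                            /* "127.1" is not accepted here */
    *out = acc;
    return 1;
}

/* Liberal parser: whatever the host C library's inet_aton() accepts, returned
 * in host byte order. glibc and musl both parse components with strtoul()
 * base 0 ("010" = 8, "0x7f" = 127) and fill missing low-order parts, so
 * "127.1" becomes 127.0.0.1. Behaviour is the library's, not this code's. */
int parse_liberal_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (!inet_aton(s, &a))
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Normalise any inet_aton()-accepted spelling to canonical dotted decimal,
 * the one form both parsers above agree on. Returns 1 on success. */
int canonical_ipv4(const char *in, char *out, size_t outlen)
{
    struct in_addr a;
    if (!inet_aton(in, &a))
        return 0;
    /* inet_ntoa() hands back a static buffer; copy it out immediately. */
    return snprintf(out, outlen, "%s", inet_ntoa(a)) < (int)outlen;
}

/* Yes/no helpers so each outcome can be checked as a single return value. */
int strict_gives(const char *s, uint32_t expect)
{
    uint32_t v;
    return parse_strict_ipv4(s, &v) && v == expect;
}

int liberal_gives(const char *s, uint32_t expect)
{
    uint32_t v;
    return parse_liberal_ipv4(s, &v) && v == expect;
}

int canonical_is(const char *s, const char *expect)
{
    char buf[INET_ADDRSTRLEN];
    return canonical_ipv4(s, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed sample inputs covering the spellings the thread mentions. */
    const char *samples[] = { "127.0.0.1", "127.1", "010.0.0.1", "0x7f.0.0.1",
                              "1.2.3.4.5", "256.0.0.1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t s, l;
        char canon[INET_ADDRSTRLEN];
        int so = parse_strict_ipv4(samples[i], &s);
        int lo = parse_liberal_ipv4(samples[i], &l);
        printf("%-12s strict=%-6s liberal=%-6s canonical=%s\n", samples[i],
               so ? "ok" : "reject", lo ? "ok" : "reject",
               canonical_ipv4(samples[i], canon, sizeof canon) ? canon : "-");
    }
    return 0;
}
```

Compile with `cc -o ipv4parse ipv4parse.c` and run it; the table it prints shows "127.1" and "0x7f.0.0.1" rejected by the strict parser but accepted by inet_aton(), and "010.0.0.1" coming out of the canonical column as 8.0.0.1, which is exactly the surprise a rule generator wants to resolve before the address reaches the next tool.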
