What is ACL addrtype IPROUTER?

  • 7 September 2017
  • 2 replies

I've been pursuing the default control plane ACL policies to become more familiar with how they work and I noticed in the 99control_plane_catch_all policy file it references an addrtype of IPROUTER. Based on the manual page for iptables-extensions it looks like this was added as a part of Cumulus because I don't see the option listed in the man page on debian.

What does the target description of "an unressolved destination address" mean?

-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 0

2 replies

Userlevel 5
See this blurb from our docs --> https://docs.cumulusnetworks.com/display/DOCS/Default+Cumulus+Linux+ACL+Configuration

"IPROUTER is any unresolved address -> On a l2/l3 boundary receiving a packet from L3 and needs to go to CPU in order to ARP for the destination."

Essentially it is much like a packet that is to be punted to the control plane prior to transmission.
Awesome, I missed the child page which was part of the ACL page. That description makes sense to me.