+
+ ## Now work through the interfaces.
+ for iface in $(net_interfaces FWHOST $net); do
+ nets=""
+ case $iface in
+
+ -)
+ ## A special `no interface' marker: we should not receive packets
+ ## from this network at all.
+ continue
+ ;;
+
+ *-+)
+ ## A special marker indicating a collection of point-to-point
+ ## interfaces. We should match an address to a particular interface.
+ ## Later, we'll cap this chain off by rejecting all other traffic.
+ eval hosts=\$net_hosts_$net
+ for host in $hosts; do
+ eval ha=\$host_inet_$host ha6=\$host_inet6_$host
+ trace "$host : $class -> $iface"
+ for a in $ha; do
+ run iptables -t mangle -A in-$iface \
+ -i ${iface%+}$host -s $a -g mark-from-$class
+ nets=$nets$a:
+ done
+ for a in $ha6; do
+ run ip6tables -t mangle -A in-$iface \
+ -i ${iface%+}$host -s $a -g mark-from-$class
+ nets=$nets$a:
+ done
+ done
+ ;;
+
+ *)
+ ## A normal interface. Classify incoming traffic according to the
+ ## source address.
+ trace "$net : $class -> $iface"
+ for a in $addr; do
+ run iptables -t mangle -A in-$iface -g mark-from-$class -s $a
+ nets=$nets$a:
+ done
+ for a in $addr6; do
+ run ip6tables -t mangle -A in-$iface -g mark-from-$class -s $a
+ nets=$nets$a:
+ done
+ case $net in default) nets=${nets}default: ;; esac
+ ;;
+ esac
+
+ ## Record that this interface receives traffic from this network.
+ unset nifnets
+ foundp=nil
+ for ifnet in $ifnets; do
+ case $ifnet in
+ $iface=*:$net:*) addword nifnets $ifnet; foundp=t ;;
+ $iface=*) addword nifnets $ifnet$nets; foundp=t ;;
+ *) addword nifnets $ifnet ;;
+ esac
+ done
+ case $foundp in nil) addword nifnets $iface=:$nets ;; esac
+ ifnets=$nifnets
+
+ done
+done
+
+## Wrap up all of the `in-IFACE' chains. A chain which matches the `default'
+## net should have unmatched but known networks blocked off, and then chain
+## onto `in-default'. Other chains should just chain onto
+## `bad-source-address'.
+trace "ifnets = $ifnets"
+for ifnet in $ifnets; do
+ iface=${ifnet%%=*} nets=${ifnet#*=}
+ case $nets in
+ *:default:*)
+ for n in $allnets; do
+ eval addr=\$net_inet_$n addr6=\$net_inet6_$n
+ for a in $addr; do
+ case $nets in *:$a:*) continue ;; esac
+ nets=$nets$a
+ run iptables -t mangle -A in-$iface -s $a -g bad-source-address
+ done
+ for a in $addr6; do
+ case $nets in *:$a:*) continue ;; esac
+ nets=$nets$a
+ run ip6tables -t mangle -A in-$iface -s $a -g bad-source-address
+ done