###
### The mangle chains are arranged as follows.
###
-### The PREROUTING hook simply invokes in-classify and out-classify chains as
-### subroutines. These will tail-call appropriate classification chains.
+### The INPUT and FORWARD hooks simply invokes in-classify and out-classify
+### chains as subroutines. These will tail-call appropriate classification
+### chains.
###
### The in-classify chain is responsible for both source address
### classification and verifying that the packet arrived from the correct
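Review bot: The rewritten comment states that both INPUT and FORWARD hooks invoke the classification chains, but the later hunk attaches them to FORWARD only when `$forward` is 1 (`case $forward in 1) chains="$chains FORWARD" ;; esac`) and its own header says "(maybe) FORWARD"; the text here should match that condition, e.g. `### The INPUT hook (and the FORWARD hook, when forwarding is enabled) simply invokes`. Also fix the agreement in the new wording: `hooks simply invokes` should read `hooks simply invoke`. Since the move from PREROUTING means forwarded packets are no longer classified at all when forwarding is off, it seems worth stating that consequence in this comment so a reader does not assume PREROUTING-style coverage; the surrounding explanation of the in-classify chain continues below this hunk.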
## Populate the `out-classify' chain, matching networks.
prepare_to () { mode=goto fail=mark-to-$net_class_default; }
-matchnets -d mark-from : prepare_to out-classify "" 0 $allnets
+matchnets -d mark-to : prepare_to out-classify "" 0 $allnets
## A `finish' hook for rejecting known address ranges arriving on a
## default-reachable interface.
m4_divert(92)m4_dnl
## Put the final default decision on the in-default chain, and attach the
-## classification chains to the PREROUTING hook.
+## classification chains to the INPUT and (maybe) FORWARD hooks.
for iface in $defaultifaces; do
run ip46tables -t mangle -A in-$iface -g in-default
done
-run ip46tables -t mangle -A PREROUTING -j in-classify
-run ip46tables -t mangle -A PREROUTING -j out-classify
+chains="INPUT"
+case $forward in 1) chains="$chains FORWARD" ;; esac
+for c in $chains; do
+ run ip46tables -t mangle -A $c -j in-classify
+ run ip46tables -t mangle -A $c -j out-classify
+done
## Incoming stuff to or from a link-local address is OK.
run ip46tables -t mangle -A INPUT \