-### The PREROUTING hook simply invokes in-classify and out-classify chains as
-### subroutines. These will tail-call appropriate classification chains.
+### The INPUT and FORWARD hooks simply invoke in-classify and out-classify
+### chains as subroutines. These will tail-call appropriate classification
+### chains.
###
### The in-classify chain is responsible for both source address
### classification and verifying that the packet arrived from the correct
###
### goes to bad-source-address, which logs a message and drops the packet.
### The default interface is special. If no explicit matches are found, it
### dispatches to in-default which forbids a few obviously evil things and
###
### The out-classify is simpler because it doesn't care about the interface.
### It simply checks each network range in turn, dispatching to mark-to-CLASS
###
## over the loopback interface, I shouldn't see a packet from me over any
## other interface. Except that I will if I sent a broadcast or multicast.
## Allow the broadcasts, and remember not to trust them. There are no
## Populate the `out-classify' chain, matching networks.
prepare_to () { mode=goto fail=mark-to-$net_class_default; }
-## known networks, so don't fill those in again.
+## known networks, so don't fill those in again. See RFC5735 and RFC4291,
+## and their successors.
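Review bot: RFC 5735 has already been obsoleted by RFC 6890 (the special-purpose address registries), so the new comment's "and their successors" is doing real work on day one; citing RFC 6890 directly next to RFC 4291 would save the next reader a lookup and keep the list of bogon ranges in `known networks` tied to the document that is actually current.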
-run ip46tables -t mangle -A PREROUTING -j in-classify
-run ip46tables -t mangle -A PREROUTING -j out-classify
+chains="INPUT"
+case $forward in 1) chains="$chains FORWARD" ;; esac
+for c in $chains; do
+ run ip46tables -t mangle -A $c -j in-classify
+ run ip46tables -t mangle -A $c -j out-classify
+done
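Review bot: the comment changed at the top of this patch says the INPUT and FORWARD hooks invoke in-classify and out-classify, but the loop only attaches to FORWARD when `forward` is `1`, so the comment should say that FORWARD is conditional; otherwise someone reading the header will expect forwarded traffic to be classified on a host that never set `forward`. Moving the hooks from mangle PREROUTING to INPUT/FORWARD also means the marks are now set after the routing decision rather than before it, so anything that consumed them between PREROUTING and routing (fwmark-based policy routing being the usual case) will no longer see them; worth stating in the commit message that nothing relies on that. Minor: `case ${forward:-0} in` would make the default explicit and survive `set -u`.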