-## Incoming broadcast multicast on a network interface associated with the
-## trusted network is OK, since it must have originated there (or been
-## forwarded, but we don't do that yet).
-run iptables -A inbound -j ACCEPT \
+## Incoming multicast on a network interface associated with a trusted
+## network is OK, since it must have originated there (or been forwarded, but
+## we don't do that yet).
+for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
+ echo $i
+done | {
+ seen=:
+ while read i; do
+ case "$seen" in *:$i:*) continue ;; esac
+ seen=$seen$i:
+ run iptables -A inbound -j ACCEPT \