Overhaul address classification for link-local and non-unicast addresses.
The previous attempts just weren't working. Intead, assign them their
own classes, and work things using the forwarding masks. There's a
minor wrinkle, that we must handle forwarded packets differently from
inbound ones if they involve link-local addresses, but this is handled
with a fixup in the mangle INPUT chain.
The other significant change here is that the mangle table is now
responsible for selecting packets with bogus destination addresses for
rejection -- though it can't do the rejection itself because of a
kernel restriction.