Overhaul address classification for link-local and non-unicast addresses.

The previous attempts just weren't working.  Intead, assign them their
own classes, and work things using the forwarding masks.  There's a
minor wrinkle, that we must handle forwarded packets differently from
inbound ones if they involve link-local addresses, but this is handled
with a fixup in the mangle INPUT chain.

The other significant change here is that the mangle table is now
responsible for selecting packets with bogus destination addresses for
rejection -- though it can't do the rejection itself because of a
kernel restriction.