This got lost when I split scary out of untrusted. Oops.
## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
## Inspect inbound packets from untrusted sources.
run ip46tables -A inbound -j forbidden
+run ip46tables -A INPUT -m mark --mark $from_scary/$MASK_FROM -g inbound
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Allow responses from the scary outside world into the untrusted net, but
run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
## Allow responses from the scary outside world into the untrusted net, but
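Review bot: The added INPUT rule for $from_scary is identical to the $from_untrusted rule on the following line apart from the mark value, and the commit message says it was lost when scary was split out of untrusted. Consider emitting both rules from one loop over the source classes (for example, for src in $from_scary $from_untrusted; do run ip46tables -A INPUT -m mark --mark $src/$MASK_FROM -g inbound; done) so that a later split cannot leave a class without its path into inbound. The section comment "Inspect inbound packets from untrusted sources." now also covers scary sources and should say so. Because the rule uses -g rather than -j, packets do not return to INPUT after inbound; it is worth confirming that the -j forbidden appended to inbound is the intended final verdict for scary traffic as well as untrusted.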