Apply a coarse filter to detect all multicast, and dispatch to a
finer-grained one to detect link-local multicast addresses. This
would be much easier if the flags and scope fields were the other way
around.
Also fix it to use the correct address range.
-m addrtype --dst-type BROADCAST
run iptables -A FORWARD -g bad-destination-address \
-d 224.0.0.0/24
+ clearchain check-fwd-multi
for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
- run ip6tables -A FORWARD -g bad-destination-address \
- -d fe${x}2::/16
+ run ip6tables -A check-fwd-multi -g bad-destination-address \
+ -d ff${x}2::/16
done
+ ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
;;
esac