- ;;
-
- *)
- ## A normal interface. Classify incoming traffic according to the
- ## source address.
- trace "$net : $class -> $iface"
- for a in $addr; do
- run iptables -t mangle -A in-$iface -g mark-from-$class -s $a
- nets=$nets$a:
- done
- for a in $addr6; do
- run ip6tables -t mangle -A in-$iface -g mark-from-$class -s $a
- nets=$nets$a:
- done
- case $net in default) nets=${nets}default: ;; esac
- ;;
- esac
-
- ## Record that this interface receives traffic from this network.
- unset nifnets
- foundp=nil
- for ifnet in $ifnets; do
- case $ifnet in
- $iface=*:$net:*) addword nifnets $ifnet; foundp=t ;;
- $iface=*) addword nifnets $ifnet$nets; foundp=t ;;
- *) addword nifnets $ifnet ;;
- esac
- done
- case $foundp in nil) addword nifnets $iface=:$nets ;; esac
- ifnets=$nifnets
-
- done
-done
-
-## Wrap up all of the `in-IFACE' chains. A chain which matches the `default'
-## net should have unmatched but known networks blocked off, and then chain
-## onto `in-default'. Other chains should just chain onto
-## `bad-source-address'.
-trace "ifnets = $ifnets"
-for ifnet in $ifnets; do
- iface=${ifnet%%=*} nets=${ifnet#*=}
- case $nets in
- *:default:*)
- for n in $allnets; do
- eval addr=\$net_inet_$n addr6=\$net_inet6_$n
- for a in $addr; do
- case $nets in *:$a:*) continue ;; esac
- nets=$nets$a
- run iptables -t mangle -A in-$iface -s $a -g bad-source-address
- done
- for a in $addr6; do
- case $nets in *:$a:*) continue ;; esac
- nets=$nets$a
- run ip6tables -t mangle -A in-$iface -s $a -g bad-source-address
- done