i'd like to find a short, efficient way to filter incoming packets with bogus source addresses, but i don't see an elegant way of doing it. as we all know, there are a number of clearly bogus source addresses on incoming packets: - broadcast - your own IP address - any of the private class A, B or C addresses - class D addresses and on and on. so it's natural to want to discard them and, just for fun, log them as well. for elegance, i can create a user-defined chain called, say, "reject_bad_source_addresses" to which i jump with every incoming packet. this user-defined chain will test for all of the bad source addresses, one at a time, and DROP/REJECT each one. however, if i want to log all of these rejections, i'd have to double the number of rules in this chain, so that each test would first LOG that packet, then be followed by a second rule to DROP it. kind of a pain. if i could rewrite the rules all backwards, i could have the user-defined chain full of ACCEPT rules, and only terminate the chain with a rule for LOG, followed by one for DROP. but i don't see how that's possible. so, is there a solution i'm missing that's clean, elegant and short? rday
