Objective: to implement the send restrictions for BCP-38.
In FILTER/PREROUTING, FILTER/INPUT, and FILTER/FORWARD, the selectors
"fib saddr type <x>" and "fib saddr oif <x>" let me examine the
characteristics of the packet's source address, such as BROADCAST,
PROHIBITED, &c.
In FILTER/FORWARD, FILTER/OUTPUT, and FILTER/POSTROUTING, the selectors
"fib daddr type <x>" and "oif <x>" let me examine the characteristics
of the packet's destination address.
Now, for packets generated by a local process, how can I filter packets
with spoofed source addresses? This is to block bad stuff if for some
reason the firewall box is compromised. Earlier comments indicated that
"fib saddr type <x>" and "fib saddr oif <x>" are not allowed in the
FILTER/OUTPUT and FILTER/POSTROUTING chains.
Help?