Attached is a new "route" match, which matches against entries in the kernel routing table.

Changes since v1:
  * IPv6 support in kernel
  * Invert support for ALL options
  * Various cleanup in userspace code (C99 initializers & unified v4/v6 parse)

I've tested the IPv6 support as best I can, but I'd appreciate someone who actually has production v6 nets giving it a run through.

Options:
  [!] --route-src-exists        Route for src exists
  [!] --route-src-eq value      Route for src exists with prefix-length == value
  [!] --route-src-gt value      Route for src exists with prefix-length > value
  [!] --route-src-lt value      Route for src exists with prefix-length < value
  [!] --route-dst-exists        Route for dst exists
  [!] --route-dst-eq value      Route for dst exists with prefix-length == value
  [!] --route-dst-gt value      Route for dst exists with prefix-length > value
  [!] --route-dst-lt value      Route for dst exists with prefix-length < value

Examples:

Egress filtering (similar to rp_filter, but not silently dropped):
  iptables -N spoofer
  iptables -A spoofer -j LOG --log-prefix "Spoofed packet dropped: "
  iptables -A spoofer -j DROP
  iptables -A FORWARD -i $INTERNAL_IF -m route ! --route-src-exists -j spoofer

rp_filter functionality on IPv6:
  ip6tables -A FORWARD -i $EXTERNAL_IF -m route --route-src-exists -j DROP

Allow a user to only browse internal websites:
  iptables -A FORWARD -p tcp --dport 80 -m route --route-dst-exists -j ACCEPT

Allow an SNMP collector to reach all internal routers (/30 or /32):
  iptables -A FORWARD -p udp --dport 161 -m route --route-dst-gt 29 -j ACCEPT

Comments?

Phil
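The following is an added model of the match semantics described in the post, written for this page; it is not the patch's kernel or userspace code. It does a longest-prefix lookup over a constructed routing table and evaluates the exists/eq/gt/lt predicates (with the `!` inversion) against the prefix length of the matched route, so the post's SNMP example (`--route-dst-gt 29` selecting /30 and /32 routes) and the egress example (`! --route-src-exists`) can be traced through on sample addresses. The table contents, the helper names `lookup`, `route_match`, `snmp_collector_allowed` and `is_spoofed_egress`, and the `DEFAULT_COUNTS` setting are all assumptions made for the example; in particular, the post does not say whether a bare default route counts as a route "existing", and the model assumes it does not, because otherwise the egress rule could never fire on a host that has a default route.

```python
import ipaddress

# Constructed routing table for the demo (not taken from the post).
# Mixed v4/v6, since unified v4/v6 handling is one of the v2 changes.
ROUTES = [
    "0.0.0.0/0",           # IPv4 default route
    "10.0.0.0/24",         # internal LAN
    "10.0.1.0/30",         # point-to-point link to an internal router
    "10.0.2.1/32",         # router loopback
    "::/0",                # IPv6 default route
    "2001:db8::/48",       # internal v6 prefix
    "2001:db8:1::1/128",   # v6 router loopback
]

# Assumption (not stated in the post): a default route (/0) alone does
# not make a route "exist". Flip this if the real match behaves otherwise.
DEFAULT_COUNTS = False


def lookup(table, addr):
    """Longest-prefix match of addr against table.

    Returns the matching ip_network, or None when nothing covers addr.
    Assumed to mirror a normal FIB lookup: most specific route wins.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for route in table:
        net = ipaddress.ip_network(route)
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best.prefixlen:
            best = net
    return best


def route_match(table, addr, op="exists", value=None, invert=False):
    """Model of --route-{src,dst}-{exists,eq,gt,lt} [!] semantics.

    op:     "exists", "eq", "gt" or "lt"
    value:  prefix length compared against for eq/gt/lt
    invert: the leading "!" on the option
    """
    net = lookup(table, addr)
    if net is not None and net.prefixlen == 0 and not DEFAULT_COUNTS:
        net = None
    if net is None:
        hit = False            # every predicate requires a route to exist
    elif op == "exists":
        hit = True
    elif op == "eq":
        hit = net.prefixlen == value
    elif op == "gt":
        hit = net.prefixlen > value
    elif op == "lt":
        hit = net.prefixlen < value
    else:
        raise ValueError("unknown op %r" % op)
    return hit != invert


def snmp_collector_allowed(table, dst):
    """The post's SNMP rule: -m route --route-dst-gt 29 -j ACCEPT."""
    return route_match(table, dst, "gt", 29)


def is_spoofed_egress(table, src):
    """The post's egress rule: -m route ! --route-src-exists -j spoofer."""
    return route_match(table, src, "exists", invert=True)


if __name__ == "__main__":
    for a in ("10.0.1.2", "10.0.2.1", "10.0.0.5", "192.0.2.1",
              "2001:db8:1::1", "2001:db8::5", "2001:db8:ffff::1"):
        print("%-18s route=%-20s snmp=%-5s spoofed=%s" % (
            a, lookup(ROUTES, a), snmp_collector_allowed(ROUTES, a),
            is_spoofed_egress(ROUTES, a)))
```

Walking the sample addresses through shows the intent of the SNMP rule: a destination on the /30 link or the /32 loopback passes `--route-dst-gt 29`, a host on the /24 LAN does not, and an address covered only by the default route matches none of the predicates, which is exactly what makes the `! --route-src-exists` egress rule catch it.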