After reviewing the comments from people on NANOG and some other
locations, I have updated my list of routes to blackhole. The
information at the end of this contribution is taken from the
RHEL/CentOS NetworkManager dispatcher.d source file, which I use to
install and remove the blackhole routes when the WAN interface is
started and stopped.
First, let me expand on what I'm trying to do. The Netfilter nftables
includes in its tests the ability to determine if the source address of
a packet is routable, and further classifies the result as LOCAL,
BROADCAST, UNICAST, BLACKHOLE, and PROHIBITED, among others, as well as
the interface that would be selected.
By using the routing table in this way, maintaining the configuration of
the firewall is simplified, particularly when interfaces are brought up
or taken down. There is no coding change to the firewall.
The fact that I can't send packets upstream with bad destinations is not
the goal here. The goal is to detect packets inbound with bad source
addresses that would affect my network, as well as ensuring that
outbound packets have good source addresses.
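As an added illustration (not the poster's dispatcher script, which is not reproduced here), the following shows the shape of such a setup: a NetworkManager dispatcher.d-style script that adds or removes blackhole routes when an assumed WAN interface named eth0 goes up or down, together with nftables rules that consult those routes through the fib expression. The route list is a constructed sample of non-routable ranges, not the poster's list.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed WAN interface: eth0.
# The prefixes below are a constructed sample (RFC 1918, loopback, link-local,
# CGNAT, "this" network, class D/E), not the poster's revised list.
WAN_IF="${WAN_IF:-eth0}"
BLACKHOLE_ROUTES="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

# Render the `ip route` commands for an action ("add" or "del") so they can
# be inspected or logged before they are executed.
blackhole_cmds() {
    action="$1"
    for prefix in $BLACKHOLE_ROUTES; do
        printf 'ip route %s blackhole %s\n' "$action" "$prefix"
    done
}

# Map a NetworkManager dispatcher action to a route action; empty = no-op.
route_action_for() {
    case "$1" in
        up)   echo add ;;
        down) echo del ;;
        *)    echo "" ;;
    esac
}

# nftables rules that classify source addresses via the routing table:
# inbound on the WAN, drop packets whose source hits a blackhole route and
# packets whose source would not route back out the arrival interface
# (strict reverse-path check); outbound to the WAN, drop forwarded packets
# carrying a blackholed source. No rule changes are needed when the
# blackhole routes themselves change.
nft_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$WAN_IF" fib saddr type blackhole counter drop
        iifname "$WAN_IF" fib saddr . iif oif missing counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        oifname "$WAN_IF" fib saddr type blackhole counter drop
    }
}
EOF
}

# Dispatcher entry point: NetworkManager passes the interface as $1 and the
# action (up, down, ...) as $2. Only the WAN interface triggers route changes.
if [ "$1" = "$WAN_IF" ]; then
    act=$(route_action_for "$2")
    [ -n "$act" ] && blackhole_cmds "$act" | sh
fi
```

Installing the ruleset (`nft_ruleset | nft -f -`) and then listing the chains with `nft list ruleset` shows the counters climbing whenever a spoofed or bogon source arrives on the WAN side.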
Herewith is the revised information for your constructive criticism: