{
    # Template fragment: emits one iptables ACCEPT rule per entry of @locals,
    # each appended (-A) to the chain named by $NEW_local_chk in the generated
    # output. @locals and $nets are not defined in this fragment.
    #
    # NOTE(review): every @locals entry and the VPNif property are written
    # into the generated command line unquoted. Presumably both are validated
    # before they are stored in the networks db -- confirm, because whitespace
    # or shell metacharacters in either value would alter the emitted command.
    $OUT = "";

    # Space-joined copy of @locals; not referenced again in this fragment.
    my $locals = "@locals";

    # An empty @locals simply produces no rules.
    for my $source (@locals)
    {
        # The part of the entry before the slash is the networks db key.
        my ($net_key) = split m{/}, $source;

        # A listed network without a db record aborts template expansion.
        my $record = $nets->get($net_key)
            or die "Can't find network $net_key in networks db!\n";

        # If the record carries a VPNif property, restrict the rule to
        # traffic arriving on that interface.
        my $vpn_if = $record->prop('VPNif');

        my $rule = "/sbin/iptables -A \$NEW_local_chk -s $source";
        $rule .= " --in-interface " . $vpn_if if $vpn_if;
        $OUT .= $rule . " -j ACCEPT\n";
    }
}
