commit ddb9f6eb8d8c35f46c1e3da68f375b85903e85c9
author Robert Greenwalt <rgreenwalt@google.com> Tue Aug 02 13:00:11 2011 -0700
committer Robert Greenwalt <rgreenwalt@google.com> Tue Aug 02 13:00:11 2011 -0700
tree 3b520c73bccbd3fdb075163c16636a8ad8d2829e
parent 4309f87d5baa54a2741f35e0cb09959c55ff1ab6

Add DROP rule for INVALID packets.

bug:5094583
Change-Id: Ib942c557e7f2694b6ee18cc6562df597165894ce

NatController.cpp

diff --git a/NatController.cpp b/NatController.cpp
index 8ec5d64..beba4ce 100644
--- a/NatController.cpp
+++ b/NatController.cpp
@@ -190,11 +190,29 @@
         return -1;
     }
 
+    snprintf(cmd, sizeof(cmd),
+            "-%s FORWARD -i %s -o %s -m state --state INVALID -j DROP",
+            (add ? "A" : "D"),
+            intIface, extIface);
+    if (runIptablesCmd(cmd)) {
+        snprintf(cmd, sizeof(cmd),
+                "-%s FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT",
+                (!add ? "A" : "D"),
+                extIface, intIface);
+        return -1;
+    }
+
     snprintf(cmd, sizeof(cmd), "-%s FORWARD -i %s -o %s -j ACCEPT", (add ? "A" : "D"),
             intIface, extIface);
     if (runIptablesCmd(cmd)) {
         // unwind what's been done, but don't care about success - what more could we do?
         snprintf(cmd, sizeof(cmd),
+                "-%s FORWARD -i %s -o %s -m state --state INVALID -j DROP",
+                (!add ? "A" : "D"),
+                intIface, extIface);
+        runIptablesCmd(cmd);
+
+        snprintf(cmd, sizeof(cmd),
                  "-%s FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT",
                  (!add ? "A" : "D"),
                  extIface, intIface);