Add DROP rule for INVALID packets.
bug:5094583
Change-Id: Ib942c557e7f2694b6ee18cc6562df597165894ce
diff --git a/NatController.cpp b/NatController.cpp
index 8ec5d64..beba4ce 100644
--- a/NatController.cpp
+++ b/NatController.cpp
@@ -190,11 +190,29 @@
return -1;
}
+ snprintf(cmd, sizeof(cmd),
+ "-%s FORWARD -i %s -o %s -m state --state INVALID -j DROP",
+ (add ? "A" : "D"),
+ intIface, extIface);
+ if (runIptablesCmd(cmd)) {
+ snprintf(cmd, sizeof(cmd),
+ "-%s FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT",
+ (!add ? "A" : "D"),
+ extIface, intIface);
+ return -1;
+ }
+
snprintf(cmd, sizeof(cmd), "-%s FORWARD -i %s -o %s -j ACCEPT", (add ? "A" : "D"),
intIface, extIface);
if (runIptablesCmd(cmd)) {
// unwind what's been done, but don't care about success - what more could we do?
snprintf(cmd, sizeof(cmd),
+ "-%s FORWARD -i %s -o %s -m state --state INVALID -j DROP",
+ (!add ? "A" : "D"),
+ intIface, extIface);
+ runIptablesCmd(cmd);
+
+ snprintf(cmd, sizeof(cmd),
"-%s FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT",
(!add ? "A" : "D"),
extIface, intIface);