Add DROP rule for INVALID packets.

bug:5094583
Change-Id: Ib942c557e7f2694b6ee18cc6562df597165894ce
diff --git a/NatController.cpp b/NatController.cpp
index 8ec5d64..beba4ce 100644
--- a/NatController.cpp
+++ b/NatController.cpp
@@ -190,11 +190,29 @@
         return -1;
     }
 
+    snprintf(cmd, sizeof(cmd),
+            "-%s FORWARD -i %s -o %s -m state --state INVALID -j DROP",
+            (add ? "A" : "D"),
+            intIface, extIface);
+    if (runIptablesCmd(cmd)) {
+        snprintf(cmd, sizeof(cmd),
+                "-%s FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT",
+                (!add ? "A" : "D"),
+                extIface, intIface);
+        return -1;
+    }
+
     snprintf(cmd, sizeof(cmd), "-%s FORWARD -i %s -o %s -j ACCEPT", (add ? "A" : "D"),
             intIface, extIface);
     if (runIptablesCmd(cmd)) {
         // unwind what's been done, but don't care about success - what more could we do?
         snprintf(cmd, sizeof(cmd),
+                "-%s FORWARD -i %s -o %s -m state --state INVALID -j DROP",
+                (!add ? "A" : "D"),
+                intIface, extIface);
+        runIptablesCmd(cmd);
+
+        snprintf(cmd, sizeof(cmd),
                  "-%s FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT",
                  (!add ? "A" : "D"),
                  extIface, intIface);
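Review bot: The new failure branch for the INVALID DROP rule builds its unwind command with `snprintf` but never runs it, because `return -1;` follows directly with no `runIptablesCmd(cmd);` in between. If the DROP rule cannot be installed, the ESTABLISHED,RELATED ACCEPT rule that the unwind text refers to (presumably added just above the hunk) is left in the FORWARD chain while the caller is told that setup failed. Add `runIptablesCmd(cmd);` before the `return -1;`, matching the unwind sequence in the later failure branch, and carry over the existing comment `// unwind what's been done, but don't care about success - what more could we do?`. The enclosing function starts and ends outside this hunk, so the state of the earlier rule is inferred from the unwind text rather than seen.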