egress: Add new iptabels rule for dropping invalid packets

terassyi · terassyi · commit 54499350e59d · 2025-05-15T06:21:05.000Z
Signed-off-by: terashima &lt;tomoya-terashima@cybozu.co.jp&gt;
diff --git a/v2/pkg/founat/egress.go b/v2/pkg/founat/egress.go
@@ -76,6 +76,10 @@ func (e *egress) Init() error {
 		if err != nil {
 			return fmt.Errorf("failed to setup masquerade rule for IPv4: %w", err)
 		}
+		err = ipt.Append("filter", "FORWARD", "-o", e.iface, "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return fmt.Errorf("failed to setup drop rule for invalid packets: %w", err)
+		}
 
 		rule := e.newRule(netlink.FAMILY_V4)
 		if err := netlink.RuleAdd(rule); err != nil {
@@ -92,6 +96,10 @@ func (e *egress) Init() error {
 		if err != nil {
 			return fmt.Errorf("failed to setup masquerade rule for IPv6: %w", err)
 		}
+		err = ipt.Append("filter", "FORWARD", "-o", e.iface, "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return fmt.Errorf("failed to setup drop rule for invalid packets: %w", err)
+		}
 
 		rule := e.newRule(netlink.FAMILY_V6)
 		if err := netlink.RuleAdd(rule); err != nil {
diff --git a/v2/pkg/founat/egress_test.go b/v2/pkg/founat/egress_test.go
@@ -48,6 +48,13 @@ func testEgressDual(t *testing.T) {
 		if !exist {
 			return errors.New("NAT rule not found for IPv4")
 		}
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if !exist {
+			return errors.New("Filter rule not found for IPv4")
+		}
 
 		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
 		if err != nil {
@@ -61,6 +68,14 @@ func testEgressDual(t *testing.T) {
 			return errors.New("NAT rule not found for IPv6")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if !exist {
+			return errors.New("Filter rule not found for IPv6")
+		}
+
 		rm, err := ruleMap(netlink.FAMILY_V4)
 		if err != nil {
 			return err
@@ -168,6 +183,14 @@ func testEgressV4(t *testing.T) {
 			return errors.New("NAT rule not found for IPv4")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if !exist {
+			return errors.New("Filter rule not found for IPv4")
+		}
+
 		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
 		if err != nil {
 			return err
@@ -180,6 +203,14 @@ func testEgressV4(t *testing.T) {
 			return errors.New("NAT rule found for IPv6")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if exist {
+			return errors.New("Filter rule found for IPv6")
+		}
+
 		rm, err := ruleMap(netlink.FAMILY_V4)
 		if err != nil {
 			return err
@@ -256,6 +287,14 @@ func testEgressV6(t *testing.T) {
 			return errors.New("NAT rule found for IPv4")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if exist {
+			return errors.New("Filter rule found for IPv4")
+		}
+
 		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
 		if err != nil {
 			return err
@@ -268,6 +307,14 @@ func testEgressV6(t *testing.T) {
 			return errors.New("NAT rule not found for IPv6")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if !exist {
+			return errors.New("Filter rule not found for IPv6")
+		}
+
 		rm, err := ruleMap(netlink.FAMILY_V4)
 		if err != nil {
 			return err
