Merge pull request #329 from cybozu-go/add-iptables-rule-for-dropping-invalid-packet

terassyi · web-flow · commit 314fc3a33314 · 2025-06-02T09:39:50.000+09:00
egress: Add new iptabels rule for dropping invalid packets
diff --git a/v2/pkg/founat/egress.go b/v2/pkg/founat/egress.go
@@ -76,6 +76,9 @@ func (e *egress) Init() error {
 		if err != nil {
 			return fmt.Errorf("failed to setup masquerade rule for IPv4: %w", err)
 		}
+		if err := ipt.Append("filter", "FORWARD", "-o", e.iface, "-m", "state", "--state", "INVALID", "-j", "DROP"); err != nil {
+			return fmt.Errorf("failed to setup drop rule for invalid packets: %w", err)
+		}
 
 		rule := e.newRule(netlink.FAMILY_V4)
 		if err := netlink.RuleAdd(rule); err != nil {
@@ -92,6 +95,9 @@ func (e *egress) Init() error {
 		if err != nil {
 			return fmt.Errorf("failed to setup masquerade rule for IPv6: %w", err)
 		}
+		if err := ipt.Append("filter", "FORWARD", "-o", e.iface, "-m", "state", "--state", "INVALID", "-j", "DROP"); err != nil {
+			return fmt.Errorf("failed to setup drop rule for invalid packets: %w", err)
+		}
 
 		rule := e.newRule(netlink.FAMILY_V6)
 		if err := netlink.RuleAdd(rule); err != nil {
diff --git a/v2/pkg/founat/egress_test.go b/v2/pkg/founat/egress_test.go
@@ -48,6 +48,13 @@ func testEgressDual(t *testing.T) {
 		if !exist {
 			return errors.New("NAT rule not found for IPv4")
 		}
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if !exist {
+			return errors.New("Filter rule not found for IPv4")
+		}
 
 		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
 		if err != nil {
@@ -61,6 +68,14 @@ func testEgressDual(t *testing.T) {
 			return errors.New("NAT rule not found for IPv6")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if !exist {
+			return errors.New("Filter rule not found for IPv6")
+		}
+
 		rm, err := ruleMap(netlink.FAMILY_V4)
 		if err != nil {
 			return err
@@ -168,6 +183,14 @@ func testEgressV4(t *testing.T) {
 			return errors.New("NAT rule not found for IPv4")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if !exist {
+			return errors.New("Filter rule not found for IPv4")
+		}
+
 		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
 		if err != nil {
 			return err
@@ -180,6 +203,14 @@ func testEgressV4(t *testing.T) {
 			return errors.New("NAT rule found for IPv6")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if exist {
+			return errors.New("Filter rule found for IPv6")
+		}
+
 		rm, err := ruleMap(netlink.FAMILY_V4)
 		if err != nil {
 			return err
@@ -256,6 +287,14 @@ func testEgressV6(t *testing.T) {
 			return errors.New("NAT rule found for IPv4")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if exist {
+			return errors.New("Filter rule found for IPv4")
+		}
+
 		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
 		if err != nil {
 			return err
@@ -268,6 +307,14 @@ func testEgressV6(t *testing.T) {
 			return errors.New("NAT rule not found for IPv6")
 		}
 
+		exist, err = ipt.Exists("filter", "FORWARD", "-o", "lo", "-m", "state", "--state", "INVALID", "-j", "DROP")
+		if err != nil {
+			return err
+		}
+		if !exist {
+			return errors.New("Filter rule not found for IPv6")
+		}
+
 		rm, err := ruleMap(netlink.FAMILY_V4)
 		if err != nil {
 			return err
