DROP INVALID packets (RHBZ#1169837)

Long time ago we were REJECTing INVALID packets as a *first* rule. That was removed in f03c76e because for example ICMPv6 Echo reply can be considered INVALID by conntrack even it's OK (RHBZ#806017). This time we are going to DROP INVALID packets as a *last but one* rule, just before we REJECT everything (that hasn't matched any rule).
firewalld · Dec 3, 2014 · 354dcab · 354dcab
1 parent 9cd1fb9
commit 354dcab
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
@@ -108,7 +108,8 @@
     "-I INPUT 4 -j INPUT_ZONES_SOURCE",
     "-I INPUT 5 -j INPUT_ZONES",
     "-I INPUT 6 -p %%ICMP%% -j ACCEPT",
-    "-I INPUT 7 -j %%REJECT%%",
+    "-I INPUT 7 -m conntrack --ctstate INVALID -j DROP",
+    "-I INPUT 8 -j %%REJECT%%",
 
     "-N FORWARD_direct",
     "-N FORWARD_IN_ZONES_SOURCE",
@@ -124,7 +125,8 @@
     "-I FORWARD 6 -j FORWARD_OUT_ZONES_SOURCE",
     "-I FORWARD 7 -j FORWARD_OUT_ZONES",
     "-I FORWARD 8 -p %%ICMP%% -j ACCEPT",
-    "-I FORWARD 9 -j %%REJECT%%",
+    "-I FORWARD 9 -m conntrack --ctstate INVALID -j DROP",
+    "-I FORWARD 10 -j %%REJECT%%",
 
     "-N OUTPUT_direct",