ruleset: drop ctstate invalid traffic for masq-enabled zones
[project/firewall4.git] / tests / 02_zones / 03_masq_src_dest_restrictions
index 2cb0ce459f6365c949c6a58947d75ad4f5772832..011ef8912adea405c77bd18675c5760c2d8e1e23 100644 (file)
@@ -171,6 +171,7 @@ table inet fw4 {
        }
 
        chain accept_to_test1 {
+               meta nfproto ipv4 oifname "zone1" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
                oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
        }
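Review bot: The expected drop rule at the top of `accept_to_test1` is pinned to `meta nfproto ipv4`, so this fixture only verifies the IPv4 masquerading case; conntrack-invalid IPv6 packets leaving via `zone1` still reach the `counter accept` rule on the next line. That is presumably intended when the zone enables only IPv4 masquerading, but the zone configuration is outside this hunk, so it should be confirmed. If the ruleset template also handles IPv6 masquerading (`masq6`), a companion zone in this test with it enabled would pin the family match for that case as well. The fixture is also what guards the ordering of drop before accept, so a short note in the test description saying the `ct state invalid` drop must stay first in the chain would make a later reorder easier to catch.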