+ if (t == FW3_FLAG_ACCEPT &&
+ zone->masq && !zone->masq_allow_invalid)
+ {
+ r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
+ fw3_ipt_rule_comment(r, "Prevent NAT leakage");
+ fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_DROP]);
+ fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
+ fw3_flag_names[t]);
+ }
+