Fix FORWARD-drop reply handling

2026-04-17 12:10:11 +08:00
parent 479c416b2f
commit 87ee5283c8
6 changed files with 61 additions and 46 deletions


@@ -235,6 +235,10 @@ if [[ ${TRAFFIC_IPV6_READY} == 1 ]]; then
fi
traffic_setup_fixture
iptables -P FORWARD DROP
if [[ ${TRAFFIC_IPV6_READY} == 1 && -n ${BACKUP_IPV6_FORWARD} ]]; then
ip6tables -P FORWARD DROP
fi
export IPF_STORAGE_DIR="${TMP_DIR}/storage"
export IPF_STORAGE_DB="${IPF_STORAGE_DIR}/rules.db"
@@ -262,6 +266,7 @@ assert_contains "$(iptables-save)" "MGMT:${uuid_v4}" 'IPv4 rule should appear in
assert_contains "$("${ROOT_DIR}/iptables-forward.sh" --batch list)" "uuid=${uuid_v4}" 'batch list should include managed rule'
assert_file_contains "${PERSIST_RULES_V4}" "MGMT:${uuid_v4}" 'persist save should write IPv4 rules snapshot'
assert_file_contains "${PERSIST_FIXTURE_LOG}" 'persist-fixture.sh save' 'adding a rule should call persist save'
assert_contains "$(iptables -S FORWARD)" "--sport ${TRAFFIC_TARGET_PORT_V4}" 'IPv4 rule should include reply-direction FORWARD allow'
assert_contains "$(traffic_request_ok 4 "${TRAFFIC_ROUTER_EDGE_IP4}" "${TRAFFIC_LISTEN_PORT_V4}" "${TRAFFIC_TARGET_IP4}" "${TRAFFIC_TARGET_PORT_V4}")" 'OK' 'managed IPv4 rule should forward actual TCP traffic'
iptables -t nat -D PREROUTING \
@@ -297,6 +302,7 @@ if [[ ${TRAFFIC_IPV6_READY} == 1 && -n ${BACKUP_IPV6_FORWARD} ]]; then
uuid_v6=$("${ROOT_DIR}/iptables-forward.sh" --batch add tcp "${TRAFFIC_LISTEN_PORT_V6}" "${TRAFFIC_TARGET_IP6}" "${TRAFFIC_TARGET_PORT_V6}" 6 'integration-v6')
assert_contains "$(ip6tables-save)" "MGMT:${uuid_v6}" 'IPv6 rule should appear in ip6tables-save output'
assert_file_contains "${PERSIST_RULES_V6}" "MGMT:${uuid_v6}" 'persist save should write IPv6 rules snapshot'
assert_contains "$(ip6tables -S FORWARD)" "--sport ${TRAFFIC_TARGET_PORT_V6}" 'IPv6 rule should include reply-direction FORWARD allow'
assert_contains "$(traffic_request_ok 6 "${TRAFFIC_ROUTER_EDGE_IP6}" "${TRAFFIC_LISTEN_PORT_V6}" "${TRAFFIC_TARGET_IP6}" "${TRAFFIC_TARGET_PORT_V6}")" 'OK' 'managed IPv6 rule should forward actual TCP traffic'
ipt_remove_rule "${uuid_v6}" tcp "${TRAFFIC_LISTEN_PORT_V6}" "${TRAFFIC_TARGET_IP6}" "${TRAFFIC_TARGET_PORT_V6}" 6
assert_status 1 "$(status_of grep -F "MGMT:${uuid_v6}" <(ip6tables-save))" 'manual runtime removal should clear managed IPv6 rule'
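Review bot: The fixture now sets `iptables -P FORWARD DROP` at line 14 with no saved IPv4 policy in view, while the IPv6 branch at line 15 is guarded by `BACKUP_IPV6_FORWARD`; unless the IPv4 policy is captured and restored on the EXIT trap elsewhere in this file, a run that aborts between setup and teardown leaves the host's FORWARD chain dropping all forwarded traffic. The reply-direction assertions at lines 24 and 31 grep the whole of `iptables -S FORWARD` for `--sport PORT`, which an unrelated pre-existing rule on the host could satisfy; scoping the check to the managed rule, e.g. `assert_contains "$(iptables -S FORWARD | grep -F -- "MGMT:${uuid_v4}")" "--sport ${TRAFFIC_TARGET_PORT_V4}" 'IPv4 rule should include reply-direction FORWARD allow'`, pins the new behaviour to the rule under test. The `if` block that opens the first hunk and the test body continue outside these hunks.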


@@ -55,8 +55,8 @@ assert_contains "${output}" '已退出。' 'interactive flow should return clean
assert_eq '0' "$(wc -l < "${IPF_STORAGE_DB}")" 'interactive add/delete flow should leave storage empty'
assert_eq '0' "$(wc -l < "${IPTABLES_MOCK_DIR}/state.v4")" 'interactive add/delete flow should leave runtime mock state empty'
assert_eq '3' "$(grep -Ec ' -A ' "${IPTABLES_MOCK_LOG}")" 'interactive add flow should emit three IPv4 add commands'
assert_eq '3' "$(grep -Ec ' -D ' "${IPTABLES_MOCK_LOG}")" 'interactive delete should emit three delete commands'
assert_eq '4' "$(grep -Ec ' -A ' "${IPTABLES_MOCK_LOG}")" 'interactive add flow should emit four IPv4 add commands'
assert_eq '4' "$(grep -Ec ' -D ' "${IPTABLES_MOCK_LOG}")" 'interactive delete should emit four delete commands'
assert_eq '3' "$(grep -Ec 'persist-mock\.sh save' "${PERSIST_MOCK_LOG}")" 'interactive add/menu-save/delete flow should persist three times'
pass 'test_interactive.sh'
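Review bot: The bumped expectations at lines 43–44 pin only the number of ` -A `/` -D ` commands, so nothing in this test verifies that the extra FORWARD command is the conntrack-restricted reply rule; a regression that installs a bare `--sport` allow, admitting traffic from the target port regardless of connection state, would still count as four and pass. The mock log is already at hand, so a content assertion such as `assert_contains "$(cat "${IPTABLES_MOCK_LOG}")" '--ctstate ESTABLISHED,RELATED' 'reply-direction FORWARD rule should only match conntrack replies'` would catch that (the manual delete in the third file shows the rule is expected to carry `-m conntrack --ctstate ESTABLISHED,RELATED`); the `--sport 80` check in the third file's first hunk has the same gap. A short comment above line 43 stating that the fourth command is the reply-direction FORWARD allow would also explain why the count changed.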


@@ -62,15 +62,17 @@ reset_mock_state
uuid_v4=$(cmd_add_batch tcp 8080 127.0.0.1 80 4 'web service')
line_v4=$(storage_get "${uuid_v4}")
assert_eq '1' "$(storage_count)" 'cmd_add_batch should persist one rule'
assert_eq '3' "$(grep -Ec '^iptables ' "${IPTABLES_MOCK_LOG}")" 'tcp/ipv4 add should emit three iptables commands'
assert_eq '4' "$(grep -Ec '^iptables ' "${IPTABLES_MOCK_LOG}")" 'tcp/ipv4 add should emit four iptables commands'
assert_contains "${line_v4}" "uuid=${uuid_v4}" 'stored line should contain generated uuid'
assert_eq '1' "$(grep -Ec 'persist-mock\.sh save' "${PERSIST_MOCK_LOG}")" 'successful add should trigger persist_save'
assert_contains "$(ipt_find_by_uuid "${uuid_v4}")" "MGMT:${uuid_v4}" 'ipt_find_by_uuid should locate saved mock rules'
assert_contains "$(cat "${IPTABLES_MOCK_LOG}")" '--sport 80' 'add should include reply-direction FORWARD rule'
assert_eq '✓' "$(rule_health_mark "${line_v4}")" 'healthy runtime rule should show ok marker'
"${IPTABLES_BIN}" -t nat -D PREROUTING \
-p tcp --dport 8080 \
-j DNAT --to-destination 127.0.0.1:80 \
"${IPTABLES_BIN}" -D FORWARD \
-p tcp -s 127.0.0.1 --sport 80 \
-m conntrack --ctstate ESTABLISHED,RELATED \
-j ACCEPT \
-m comment --comment "MGMT:${uuid_v4}"
assert_contains "$(ipt_find_by_uuid "${uuid_v4}")" "MGMT:${uuid_v4}" 'partial runtime loss should still leave uuid-tagged rules'
assert_eq '!' "$(rule_health_mark "${line_v4}")" 'partial runtime loss should mark rule unhealthy'
@@ -80,11 +82,11 @@ list_output=$(cmd_list 0)
reset_mock_state
uuid_both=$(cmd_add_batch both 5353 '127.0.0.1,::1' 53 both 'dual stack dns')
add_count=$(grep -Ec '^(iptables|ip6tables) ' "${IPTABLES_MOCK_LOG}")
assert_eq '12' "${add_count}" 'both/both add should emit twelve commands'
assert_eq '16' "${add_count}" 'both/both add should emit sixteen commands'
cmd_delete_uuid "${uuid_both}"
del_count=$(grep -Ec ' -D ' "${IPTABLES_MOCK_LOG}")
assert_eq '12' "${del_count}" 'deleting both/both rule should emit twelve delete commands'
assert_eq '16' "${del_count}" 'deleting both/both rule should emit sixteen delete commands'
assert_eq '0' "$(storage_count)" 'cmd_delete_uuid should remove rule from storage'
reset_mock_state