Move blocking of invalid IPs behind rules

firewall/master.go

@@ -33,6 +33,7 @@ var defaultDeciders = []deciderFn{
 	checkConnectionType,
 	checkConnectionScope,
 	checkEndpointLists,
+	checkInvalidIP,
 	checkResolverScope,
 	checkConnectivityDomain,
 	checkBypassPrevention,
@@ -371,7 +372,8 @@ func checkConnectionScope(_ context.Context, conn *network.Connection, p *profil
 			return true
 		}
 	case netutils.Undefined, netutils.Invalid:
-		fallthrough
+		// Block Invalid / Undefined IPs _after_ the rules.
+		return false
 	default:
 		conn.Deny("invalid IP", noReasonOptionKey) // Block Outbound / Drop Inbound
 		return true
@@ -380,6 +382,22 @@ func checkConnectionScope(_ context.Context, conn *network.Connection, p *profil
 	return false
 }
 
+func checkInvalidIP(_ context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
+	// Only applies to IP connections.
+	if conn.Type != network.IPConnection {
+		return false
+	}
+
+	// Block Invalid / Undefined IPs.
+	switch conn.Entity.IPScope { //nolint:exhaustive // Only looking for specific values.
+	case netutils.Undefined, netutils.Invalid:
+		conn.Deny("invalid IP", noReasonOptionKey) // Block Outbound / Drop Inbound
+		return true
+	}
+
+	return false
+}
+
 func checkBypassPrevention(ctx context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
 	if p.PreventBypassing() {
 		// check for bypass protection