feat(firewall): atomic iptables operations

- all operations rollback on failure
- disabling the firewall means rolling back to its state before enabling it
- aligns with nftables atomicity feature

internal/firewall/interfaces.go

@@ -20,20 +20,20 @@ type Logger interface {
 }
 
 type firewallImpl interface { //nolint:interfacebloat
-	AcceptEstablishedRelatedTraffic(ctx context.Context, remove bool) error
-	AcceptInputThroughInterface(ctx context.Context, intf string, remove bool) error
+	SaveAndRestore(ctx context.Context) (restore func(context.Context), err error)
+	AcceptEstablishedRelatedTraffic(ctx context.Context) error
+	AcceptInputThroughInterface(ctx context.Context, intf string) error
 	AcceptInputToPort(ctx context.Context, intf string, port uint16, remove bool) error
-	AcceptInputToSubnet(ctx context.Context, intf string, subnet netip.Prefix, remove bool) error
-	AcceptIpv6MulticastOutput(ctx context.Context, intf string, remove bool) error
+	AcceptInputToSubnet(ctx context.Context, intf string, subnet netip.Prefix) error
+	AcceptIpv6MulticastOutput(ctx context.Context, intf string) error
 	AcceptOutputFromIPToSubnet(ctx context.Context, intf string, assignedIP netip.Addr,
 		subnet netip.Prefix, remove bool) error
 	AcceptOutputThroughInterface(ctx context.Context, intf string, remove bool) error
 	AcceptOutputTrafficToVPN(ctx context.Context, intf string,
 		connection models.Connection, remove bool) error
-	ClearAllRules(ctx context.Context) error
 	RedirectPort(ctx context.Context, intf string, sourcePort,
 		destinationPort uint16, remove bool) error
-	RunUserPostRules(ctx context.Context, customRulesPath string, remove bool) error
+	RunUserPostRules(ctx context.Context, customRulesPath string) error
 	SetIPv4AllPolicies(ctx context.Context, policy string) error
 	SetIPv6AllPolicies(ctx context.Context, policy string) error
 	TempDropOutputTCPRST(ctx context.Context, src, dst netip.AddrPort, excludeMark int) (