feat(firewall): atomic iptables operations

- all operations rollback on failure - disabling the firewall means rolling back to its state before enabling it - aligns with nftables atomicity feature
2026-06-14 23:43:56 +02:00 · 2026-02-26 22:58:52 +00:00
parent 0d0c0fb143
commit 2bb4deccd5
7 changed files with 238 additions and 117 deletions
@@ -24,8 +24,23 @@ func findIP6tablesSupported(ctx context.Context, runner CmdRunner) (
 }

 func (c *Config) runIP6tablesInstructions(ctx context.Context, instructions []string) error {
+	c.ip6tablesMutex.Lock() // only one ip6tables command at once
+	defer c.ip6tablesMutex.Unlock()
+
+	restore, err := c.saveAndRestoreIPv6(ctx)
+	if err != nil {
+		return err
+	}
+	err = c.runIP6tablesInstructionsNoSave(ctx, instructions)
+	if err != nil {
+		restore(ctx)
+	}
+	return err
+}
+
+func (c *Config) runIP6tablesInstructionsNoSave(ctx context.Context, instructions []string) error {
 	for _, instruction := range instructions {
-		if err := c.runIP6tablesInstruction(ctx, instruction); err != nil {
+		if err := c.runIP6tablesInstructionNoSave(ctx, instruction); err != nil {
 			return err
 		}
 	}
@@ -33,11 +48,24 @@ func (c *Config) runIP6tablesInstructions(ctx context.Context, instructions []st
 }

 func (c *Config) runIP6tablesInstruction(ctx context.Context, instruction string) error {
+	c.ip6tablesMutex.Lock() // only one ip6tables command at once
+	defer c.ip6tablesMutex.Unlock()
+
+	restore, err := c.saveAndRestoreIPv6(ctx)
+	if err != nil {
+		return err
+	}
+	err = c.runIP6tablesInstructionNoSave(ctx, instruction)
+	if err != nil {
+		restore(ctx)
+	}
+	return err
+}
+
+func (c *Config) runIP6tablesInstructionNoSave(ctx context.Context, instruction string) error {
 	if c.ip6Tables == "" {
 		return nil
 	}
-	c.ip6tablesMutex.Lock() // only one ip6tables command at once
-	defer c.ip6tablesMutex.Unlock()

 	if isDeleteMatchInstruction(instruction) {
 		return deleteIPTablesRule(ctx, c.ip6Tables, instruction,