feat(firewall): atomic iptables operations

- all operations rollback on failure - disabling the firewall means rolling back to its state before enabling it - aligns with nftables atomicity feature
2026-05-07 04:20:12 +02:00 · 2026-02-26 22:58:52 +00:00
parent 0d0c0fb143
commit 2bb4deccd5
7 changed files with 238 additions and 117 deletions
@@ -5,8 +5,19 @@ import (
 )

 func (c *Config) runMixedIptablesInstructions(ctx context.Context, instructions []string) error {
+	c.iptablesMutex.Lock()
+	c.ip6tablesMutex.Lock()
+	defer c.iptablesMutex.Unlock()
+	defer c.ip6tablesMutex.Unlock()
+
+	restore, err := c.saveAndRestore(ctx)
+	if err != nil {
+		return err
+	}
+
 	for _, instruction := range instructions {
-		if err := c.runMixedIptablesInstruction(ctx, instruction); err != nil {
+		if err := c.runMixedIptablesInstructionNoSave(ctx, instruction); err != nil {
+			restore(ctx)
 			return err
 		}
 	}
@@ -14,8 +25,25 @@ func (c *Config) runMixedIptablesInstructions(ctx context.Context, instructions
 }

 func (c *Config) runMixedIptablesInstruction(ctx context.Context, instruction string) error {
-	if err := c.runIptablesInstruction(ctx, instruction); err != nil {
+	c.iptablesMutex.Lock()
+	c.ip6tablesMutex.Lock()
+	defer c.iptablesMutex.Unlock()
+	defer c.ip6tablesMutex.Unlock()
+
+	restore, err := c.saveAndRestore(ctx)
+	if err != nil {
 		return err
 	}
-	return c.runIP6tablesInstruction(ctx, instruction)
+	err = c.runIptablesInstructionNoSave(ctx, instruction)
+	if err != nil {
+		restore(ctx)
+	}
+	return err
+}
+
+func (c *Config) runMixedIptablesInstructionNoSave(ctx context.Context, instruction string) error {
+	if err := c.runIptablesInstructionNoSave(ctx, instruction); err != nil {
+		return err
+	}
+	return c.runIP6tablesInstructionNoSave(ctx, instruction)
 }