From ec24ffdfd8306157aa3cd4b578df012c39941a19 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Sat, 28 Feb 2026 14:37:58 +0000
Subject: [PATCH] hotfix(firewall): save and restore behavior fixed
- restore if IPv4 set all policies fails
- fix deadlock when using iptables custom rules
- fix setting ipv6 rules when running runMixedIptablesInstruction
---
 internal/firewall/enable.go | 12 ++++++------
 internal/firewall/iptables/iptables.go | 4 ++--
 internal/firewall/iptables/iptablesmix.go | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/internal/firewall/enable.go b/internal/firewall/enable.go
index c0f9aa8d..6f5cb18b 100644
--- a/internal/firewall/enable.go
+++ b/internal/firewall/enable.go
@@ -45,6 +45,12 @@ func (c *Config) enable(ctx context.Context) (err error) {
 return fmt.Errorf("saving firewall rules: %w", err)
 }
+ defer func() {
+ if err != nil {
+ c.restore(context.Background())
+ }
+ }()
+
 if err = c.impl.SetIPv4AllPolicies(ctx, "DROP"); err != nil {
 return err
 }
@@ -53,12 +59,6 @@ func (c *Config) enable(ctx context.Context) (err error) {
 return err
 }
- defer func() {
- if err != nil {
- c.restore(context.Background())
- }
- }()
-
 // Loopback traffic
 if err = c.impl.AcceptInputThroughInterface(ctx, "lo"); err != nil {
 return err
diff --git a/internal/firewall/iptables/iptables.go b/internal/firewall/iptables/iptables.go
index 486e9fab..d97b306b 100644
--- a/internal/firewall/iptables/iptables.go
+++ b/internal/firewall/iptables/iptables.go
@@ -337,11 +337,11 @@ func (c *Config) RunUserPostRules(ctx context.Context, filepath string) error {
 switch {
 case ipv4:
- err = c.runIptablesInstruction(ctx, rule)
+ err = c.runIptablesInstructionNoSave(ctx, rule)
 case c.ip6Tables == "":
 err = fmt.Errorf("running user ip6tables rule: %w", ErrNeedIP6Tables)
 default: // ipv6
- err = c.runIP6tablesInstruction(ctx, rule)
+ err = c.runIP6tablesInstructionNoSave(ctx, rule)
 }
 if err != nil {
 restore(ctx)
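Review bot: The moved `defer` in enable.go calls `c.restore(context.Background())` with an unbounded context and ignores whatever `restore` reports, so if `SetIPv4AllPolicies` fails and the rollback then blocks (this commit is itself fixing an iptables deadlock) or fails, `enable` either never returns or returns without telling the caller the firewall is only half applied. A bounded context keeps the rollback from hanging: `restoreCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)` (the 30 s is a placeholder value to tune), `defer cancel()`, `c.restore(restoreCtx)`; `time` would need importing if enable.go does not already import it. If `restore` returns an error (its signature is outside the hunk), folding it into the named result with `errors.Join` would also surface a failed rollback instead of dropping it. `enable` begins before and continues after this hunk, and the second hunk of the file is only the old location of the same `defer`.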
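Review bot: The switch to `runIptablesInstructionNoSave` and `runIP6tablesInstructionNoSave` inside the `switch` in iptables.go carries no comment saying why the saving variants must not be used here, so a later tidy-up could put them back and reintroduce the deadlock the commit title refers to; a line above `switch {` such as `// Use the NoSave variants here: the saving variants deadlock when run from this loop.` would pin that down (the wording assumes the deadlock is in the save path, as the commit message suggests; adjust it if the cause differs). Separately, `restore(ctx)` on the error path discards anything it reports, so a rollback that itself fails leaves the user rules partially applied with nothing logged or returned; if `restore` returns an error, `err = errors.Join(err, restore(ctx))` keeps it visible, and the same pattern appears in the iptablesmix.go hunk. `RunUserPostRules` starts and ends outside the hunk, and `restore` is defined outside it as well.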
diff --git a/internal/firewall/iptables/iptablesmix.go b/internal/firewall/iptables/iptablesmix.go
index 0ea85bf4..32c75c45 100644
--- a/internal/firewall/iptables/iptablesmix.go
+++ b/internal/firewall/iptables/iptablesmix.go
@@ -34,7 +34,7 @@ func (c *Config) runMixedIptablesInstruction(ctx context.Context, instruction st
 if err != nil {
 return err
 }
- err = c.runIptablesInstructionNoSave(ctx, instruction)
+ err = c.runMixedIptablesInstructionNoSave(ctx, instruction)
 if err != nil {
 restore(ctx)
 }
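Review bot: The fix swaps one helper for another whose name differs by a single word (`runIptablesInstructionNoSave` to `runMixedIptablesInstructionNoSave`), which is exactly how the ip6tables half of a mixed instruction went missing before, and nothing in the hunk stops the mix-up from coming back. A regression test that drives `runMixedIptablesInstruction` with command execution stubbed (if the package has a seam for that) and checks that both an iptables and an ip6tables invocation occur would catch it; failing that, a comment on the call, `// A mixed instruction must reach both iptables and ip6tables; do not use the IPv4-only helper here.`, at least names the invariant. `runMixedIptablesInstruction` begins outside the hunk and the code after the `restore(ctx)` branch is not visible.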