hotfix(firewall): save and restore behavior fixed

- restore if IPv4 set all policies fails
- fix deadlock when using iptables custom rules
- fix setting ipv6 rules when running runMixedIptablesInstruction

internal/firewall/enable.go

@@ -45,6 +45,12 @@ func (c *Config) enable(ctx context.Context) (err error) {
 		return fmt.Errorf("saving firewall rules: %w", err)
 	}
 
+	defer func() {
+		if err != nil {
+			c.restore(context.Background())
+		}
+	}()
+
 	if err = c.impl.SetIPv4AllPolicies(ctx, "DROP"); err != nil {
 		return err
 	}
@@ -53,12 +59,6 @@ func (c *Config) enable(ctx context.Context) (err error) {
 		return err
 	}
 
-	defer func() {
-		if err != nil {
-			c.restore(context.Background())
-		}
-	}()
-
 	// Loopback traffic
 	if err = c.impl.AcceptInputThroughInterface(ctx, "lo"); err != nil {
 		return err

internal/firewall/iptables/iptables.go

@@ -337,11 +337,11 @@ func (c *Config) RunUserPostRules(ctx context.Context, filepath string) error {
 
 		switch {
 		case ipv4:
-			err = c.runIptablesInstruction(ctx, rule)
+			err = c.runIptablesInstructionNoSave(ctx, rule)
 		case c.ip6Tables == "":
 			err = fmt.Errorf("running user ip6tables rule: %w", ErrNeedIP6Tables)
 		default: // ipv6
-			err = c.runIP6tablesInstruction(ctx, rule)
+			err = c.runIP6tablesInstructionNoSave(ctx, rule)
 		}
 		if err != nil {
 			restore(ctx)

internal/firewall/iptables/iptablesmix.go

@@ -34,7 +34,7 @@ func (c *Config) runMixedIptablesInstruction(ctx context.Context, instruction st
 	if err != nil {
 		return err
 	}
-	err = c.runIptablesInstructionNoSave(ctx, instruction)
+	err = c.runMixedIptablesInstructionNoSave(ctx, instruction)
 	if err != nil {
 		restore(ctx)
 	}