Source: iptables-persistent
Severity: normal
Tags: patch upstream

Dear Maintainer,
* What led up to the situation?
  Errors in the rules file cause a blank set of rules to be loaded to the kernel. This patch means the existing rule set will remain loaded if the test of the new rules fails.
>From 68b596ba43e9a906512cefefd86717a6d5acfef2 Mon Sep 17 00:00:00 2001 From: Phillip Smith <fuka...@gmail.com> Date: Tue, 18 Oct 2022 12:44:41 +1100 Subject: [PATCH] Add option to test rules before loading. If the rule set has an error, currently the load fails and the kernel is left without a valid ruleset running. With this option, we call iptables-restore with the --test flag prior to the actual load in order to detect errors before we alter the running ruleset. --- debian/netfilter-persistent.default | 6 ++++++ plugins/15-ip4tables | 12 ++++++++++-- plugins/25-ip6tables | 11 +++++++++-- 3 files changed, 25 insertions(+), 4 deletions(-) diff --git debian/netfilter-persistent.default debian/netfilter-persistent.default index cf92317..2131cab 100644 --- debian/netfilter-persistent.default +++ debian/netfilter-persistent.default @@ -14,3 +14,9 @@ FLUSH_ON_STOP=0 # is called with the start parameter # IPTABLES_RESTORE_NOFLUSH=yes # IP6TABLES_RESTORE_NOFLUSH=yes + + +# Set to yes to test load the rules before applying them. This avoids loading failure +# from causing no rules to be loaded in the kernel +# IPTABLES_TEST_RULESET=yes +# IP6TABLES_TEST_RULESET=yes diff --git plugins/15-ip4tables plugins/15-ip4tables index a29ab4f..adbbcd3 100755 --- plugins/15-ip4tables +++ plugins/15-ip4tables @@ -30,9 +30,17 @@ load_rules() #load IPv4 rules if [ ! -f /etc/iptables/rules.v4 ]; then echo "Warning: skipping IPv4 (no rules to load)" - else - iptables-restore $NOFLUSH < /etc/iptables/rules.v4 + return + fi + + if [ "${IPTABLES_TEST_RULESET}x" = "yesx" ] ; then + if ! iptables-restore --test $NOFLUSH < /etc/iptables/rules.v4 ; then + echo "Error: IPv4 rules failed test load. New rules NOT loaded" + return + fi fi + + iptables-restore $NOFLUSH < /etc/iptables/rules.v4 } save_rules() diff --git plugins/25-ip6tables plugins/25-ip6tables index 90b213e..aa2adf3 100755 --- plugins/25-ip6tables +++ plugins/25-ip6tables 
@@ -33,9 +33,16 @@ load_rules() #load IPv6 rules if [ ! -f /etc/iptables/rules.v6 ]; then echo "Warning: skipping IPv6 (no rules to load)" - else - ip6tables-restore $NOFLUSH < /etc/iptables/rules.v6 fi + + if [ "${IP6TABLES_TEST_RULESET}x" = "yesx" ] ; then + if ! ip6tables-restore --test $NOFLUSH < /etc/iptables/rules.v6 ; then + echo "Error: IPv6 rules failed test load. New rules NOT loaded" + return + fi + fi + + ip6tables-restore $NOFLUSH < /etc/iptables/rules.v6 } save_rules() -- 2.36.0
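Review bot: in the plugins/25-ip6tables hunk the `- else` and `- ip6tables-restore $NOFLUSH < /etc/iptables/rules.v6` lines are removed but no `return` is added after the "Warning: skipping IPv6 (no rules to load)" message, unlike the plugins/15-ip4tables hunk, which adds `+ return` before `fi`. With the file missing, load_rules now falls through to the new unconditional `ip6tables-restore $NOFLUSH < /etc/iptables/rules.v6`, which fails on the missing redirect target where the old code skipped cleanly. Mirror the IPv4 plugin:
    echo "Warning: skipping IPv6 (no rules to load)"
    return
fi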
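Review bot: in the plugins/15-ip4tables hunk the bare `return` after `echo "Error: IPv4 rules failed test load. New rules NOT loaded"` returns the exit status of that echo, so load_rules exits 0 and the caller sees a successful start although no new rules were loaded; the IPv6 hunk has the same `return`. Use `return 1` in both error branches so the failed test is propagated to whatever runs the plugin. Also worth a comment in the code: the `--test` run and the real `iptables-restore $NOFLUSH` are two separate invocations of the same file, so the patch narrows the failure window but does not make the load atomic.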
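Review bot: in the debian/netfilter-persistent.default hunk both `# IPTABLES_TEST_RULESET=yes` and `# IP6TABLES_TEST_RULESET=yes` are commented out, so the new safety check is off unless an administrator edits the file; since it only adds a second parse of the same rules file, either default it to yes or say in the comment why it is opt-in. The comment text could also be tightened: "Set to yes to test-load the rules before applying them, so a load failure does not leave the kernel with no rules" instead of "avoids loading failure from causing no rules to be loaded in the kernel", and the two empty `+` lines before the block can be reduced to one.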