From: Mark Wooding
Date: Mon, 6 Jun 2011 23:29:46 +0000 (+0100)
Subject: prologue.m4: Use iptables-{save,restore} for the molly-guard.
X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/2a41fec3db9b76c1679151d725e576a855152571?ds=sidebyside
prologue.m4: Use iptables-{save,restore} for the molly-guard.
This seems generally more reliable than hoping that there's a saved copy lying around which is likely to work, and also means that we have an escape plan for an initial installation.
---
diff --git a/prologue.m4 b/prologue.m4
index 36f8b86..9f5d084 100644
--- a/prologue.m4
+++ b/prologue.m4
@@ -30,6 +30,16 @@ revert () {
 ## Report a firewall script failure and retreat to a safe place.
 echo "$2! Retreating to safe version..."
+ if [ -f /var/run/firewall.save ] && [ -f /var/run/firewall6.save ]; then
+ echo "Trying to loading saved firewall state..."
+ if iptables-restore &2 "Safe firewall failed. You're screwed. Good luck."
 exit 1
@@ -52,10 +62,10 @@ try () {
 ## NEW.errors.
 ## Make sure we have an escape route.
- if [ ! -x "$old" ]; then
- echo >&2 "$0: no escape plan: \`$old' is missing"
- exit 1
- fi
+ iptables-save >/var/run/firewall.save.new
+ ip6tables-save >/var/run/firewall6.save.new
+ mv /var/run/firewall.save.new /var/run/firewall.save
+ mv /var/run/firewall6.save.new /var/run/firewall6.save
 ## Clear the air and make the errors file.
 rm -f "$new.errors" "$new.timebomb" "$new.grabbed"
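Review bot: In `revert`, the added guard `if [ -f /var/run/firewall.save ] && [ -f /var/run/firewall6.save ]` accepts zero-length files, and the saves in `try` (second hunk) are written without a failure check, so an empty save can reach `iptables-restore`. Testing with `[ -s /var/run/firewall.save ] && [ -s /var/run/firewall6.save ]` would reject that case. How `iptables-restore` treats empty input should be confirmed: if it exits successfully without changing anything, the script would report a restore while the failed ruleset stays loaded. The message `"Trying to loading saved firewall state..."` should read `"Trying to load saved firewall state..."`. The rest of the restore branch is not legible on this page, and `revert`'s body extends beyond the hunk.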
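Review bot: In `try`, the four commands added under `## Make sure we have an escape route.` are unchecked, so a failing `iptables-save` or `ip6tables-save` still leaves a truncated or empty `.new` file that the `mv` lines then install as the escape plan. The removed code exited when there was no escape plan. The replacement should keep that property, unless the script runs under `set -e`, which this hunk does not show. Test both saves and bail out before the `mv` lines, as below. `try`'s body starts and ends outside the hunk.

```shell
  ## Make sure we have an escape route.
  if ! iptables-save >/var/run/firewall.save.new ||
     ! ip6tables-save >/var/run/firewall6.save.new; then
    echo >&2 "$0: no escape plan: cannot save current firewall state"
    rm -f /var/run/firewall.save.new /var/run/firewall6.save.new
    exit 1
  fi
  ## ... unchanged: mv of the two .new files into place ...
```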