sentinel-firewall: remove any preserved rules

This removes any preserved rules from firewall. Firewall3 removes any rules in chains and tables it manages but others ignores. This is considered as feature (as some lists survive reload) but for our use case it is not ideal as scripts just insert rules in appropriate location. Instead removing all rules we previously added and were preserved is better option in this case. There is one exception and those are our rules that are terminations for chains created by us. We are not removing those chains and so we do not want to remove those rules as well. We prevent that by using slightly different comment. We do not add additional commentary and drop colon. Because of missing colon this rule is not matched and is not removed. For termination rule additional comment about source is not necessary so we are not loosing anything.

sentinel-firewall: remove any preserved rules
This removes any preserved rules from firewall. Firewall3 removes any rules in chains and tables it manages but others ignores. This is considered as feature (as some lists survive reload) but for our use case it is not ideal as scripts just insert rules in appropriate location. Instead removing all rules we previously added and were preserved is better option in this case. There is one exception and those are our rules that are terminations for chains created by us. We are not removing those chains and so we do not want to remove those rules as well. We prevent that by using slightly different comment. We do not add additional commentary and drop colon. Because of missing colon this rule is not matched and is not removed. For termination rule additional comment about source is not necessary so we are not loosing anything.
30ba26e5 · Karel Koci · 89cd9537 · 30ba26e5
Verified Commit 30ba26e5 authored 4 years ago by Karel Koci
--- a/collect/sentinel/sentinel-firewall/files/firewall.sh
+++ b/collect/sentinel/sentinel-firewall/files/firewall.sh
@@ -7,6 +7,23 @@
 #		option family 'any'
 #		option reload '1'

+
+# Remove any existing rule
+# (firewall3 removes only rules in chains it knows so we have to do this to
+# potentially clean after ourselves)
+for table in filter nat mangle raw; do
+	iptables -t "$table" -S \
+		| grep -F ' --comment "!sentinel:' \
+		| while read -r operation rule; do
+			# Argument -A is dropped (variable 'operation' is intentionally left out)
+			# Note: xargs is used here because it handles quotes properly over
+			# just plain expansion
+			echo "$rule" | xargs -x iptables -t "$table" -D
+		done
+done
+
+
+# Run all sentinel firewall scripts
 cd /usr/libexec/sentinel/firewall.d
 for module in ./*; do
 	[ -x "$module" ] || continue