This seems generally more reliable than hoping that there's a saved copy
lying around which is likely to work, and also means that we have
an escape plan for an initial installation.
## Report a firewall script failure and retreat to a safe place.
echo "$2! Retreating to safe version..."
## Report a firewall script failure and retreat to a safe place.
echo "$2! Retreating to safe version..."
+ if [ -f /var/run/firewall.save ] && [ -f /var/run/firewall6.save ]; then
+ echo "Trying to loading saved firewall state..."
+ if iptables-restore </var/run/firewall.save &&
+ ip6tables-restore </var/run/firewall6.save; then
+ echo "Previous firewall state restored."
+ return
+ else
+ echo "Failed! Falling back to plan B."
+ fi
+ fi
if ! "$1" revert; then
echo >&2 "Safe firewall failed. You're screwed. Good luck."
exit 1
if ! "$1" revert; then
echo >&2 "Safe firewall failed. You're screwed. Good luck."
exit 1
## NEW.errors.
## Make sure we have an escape route.
## NEW.errors.
## Make sure we have an escape route.
- if [ ! -x "$old" ]; then
- echo >&2 "$0: no escape plan: \`$old' is missing"
- exit 1
- fi
+ iptables-save >/var/run/firewall.save.new
+ ip6tables-save >/var/run/firewall6.save.new
+ mv /var/run/firewall.save.new /var/run/firewall.save
+ mv /var/run/firewall6.save.new /var/run/firewall6.save
## Clear the air and make the errors file.
rm -f "$new.errors" "$new.timebomb" "$new.grabbed"
## Clear the air and make the errors file.
rm -f "$new.errors" "$new.timebomb" "$new.grabbed"
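Review bot: The four added lines that snapshot the running rules (`iptables-save >/var/run/firewall.save.new` through the second `mv`) check no exit status, so unless `set -e` is in effect outside the visible lines, a failed or partial save is still moved into place, or an older snapshot from a previous run is left behind. The failure handler in the first hunk only tests `[ -f ... ]`, so an empty or stale file that `iptables-restore` happens to accept would print "Previous firewall state restored." and `return` without reaching `"$1" revert`, possibly leaving a ruleset other than the last known-good one in place. I would guard the save, e.g. `if ! iptables-save >/var/run/firewall.save.new || ! ip6tables-save >/var/run/firewall6.save.new; then rm -f /var/run/firewall.save /var/run/firewall6.save; fi`, run the two `mv`s only in the success branch, and test with `[ -s ... ]` in the handler so an empty snapshot falls through to plan B. Both enclosing functions begin and end outside the hunks shown.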