cli: introduce test mode and refuse firewall restart on errors
Author: Jo-Philipp Wich <jo@mein.io>
Thu, 1 Sep 2022 10:11:44 +0000 (12:11 +0200)
Committer: Jo-Philipp Wich <jo@mein.io>
Thu, 1 Sep 2022 10:19:14 +0000 (12:19 +0200)
 - Introduce a new `fw4 [-q] check` command which tests the rendered ruleset
   using nftables' --check mode. This is useful to assert complex rulesets
   using external includes for correctness.

 - Extend the `fw4 restart` command to check the rendered ruleset before
   flushing the existing ruleset.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
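The check-before-flush pattern the commit message describes, written out as an added shell example. This is not firewall4's own code: the `fw4` script's `print`, `stop` and `start` helpers are stood in for by a caller-supplied renderer command, `nft -c -f FILE` / `nft -f FILE` are nftables' real check and load modes, and the `NFT` variable is an assumption introduced here so the control flow can be exercised without root or a kernel with nf_tables. It also shows the one thing the `print | nft -c` pipeline cannot: telling a renderer failure apart from a rejected ruleset.

```shell
#!/bin/sh
# Check-before-flush for an nftables ruleset. Added example, not firewall4's
# own code. Assumes a renderer command that writes the ruleset to stdout and
# the real `nft -c -f FILE` (check) / `nft -f FILE` (load). NFT is an
# assumed override hook so the logic can run without nftables installed.
NFT="${NFT:-nft}"

# check_rendered RENDER_CMD...
# Exit status: 0 = renders and passes `nft -c`, 1 = `nft -c` rejected it,
#              2 = the renderer itself failed (no check attempted).
# The renderer writes to a temp file rather than straight into a pipe: in
# POSIX sh `render | nft -c` reports only nft's status, so a renderer that
# dies halfway would have its truncated output checked and possibly accepted.
check_rendered() {
    out=$(mktemp) || return 2
    if ! "$@" >"$out"; then
        rm -f "$out"
        echo "ruleset renderer failed; not checking" >&2
        return 2
    fi
    if $NFT -c -f "$out"; then
        rm -f "$out"
        return 0
    fi
    rm -f "$out"
    echo "The rendered ruleset contains errors." >&2
    return 1
}

# apply_checked RENDER_CMD...
# Mirrors the patched `restart`: refuse to touch the live ruleset unless the
# rendered one passes the check; only then load it with `nft -f`.
apply_checked() {
    if ! check_rendered "$@"; then
        echo "not applying the rendered ruleset" >&2
        return 1
    fi
    out=$(mktemp) || return 2
    if "$@" >"$out" && $NFT -f "$out"; then rc=0; else rc=1; fi
    rm -f "$out"
    return $rc
}

# Example invocation (commented out so the file can be sourced):
#   . ./check_before_flush.sh && apply_checked fw4 print
```

Sourced into a shell, `check_rendered fw4 print` gives the same verdict as `fw4 check`, but its exit status distinguishes "renderer broke" (2) from "nftables rejected the ruleset" (1), which is the case the pipelined form in the patch folds into nft's own status. Messages go to stderr; a caller wanting the equivalent of `-q` redirects them and tests `$?`.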
root/sbin/fw4

index cf23e581d6a91d6fd0298655fb080cc755f6bcfc..c3e95c2cc1a42caa6f9b7e71fb0b6d3fa72b8778 100755 (executable)
@@ -108,9 +108,18 @@ case "$1" in
                flush
        ;;
        restart)
+               QUIET=1 print | nft ${VERBOSE} -c -f $STDIN || die "The rendered ruleset contains errors, not doing firewall restart."
                stop || rm -f $STATE
                start
        ;;
+       check)
+               if [ -n "$QUIET" ]; then
+                       exec 1>/dev/null
+                       exec 2>/dev/null
+               fi
+
+               print | nft ${VERBOSE} -c -f $STDIN && echo "Ruleset passes nftables check."
+       ;;
        print)
                print
        ;;
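Review bot: In the `restart` arm, `QUIET=1 print | nft ${VERBOSE} -c -f $STDIN || die ...` only reacts to the exit status of `nft`, since a POSIX sh pipeline returns the status of its last command; if `print` fails partway through, `nft -c` checks the truncated output, may accept it, and `stop || rm -f $STATE` and `start` still run. Consider rendering to a temporary file first and dying if `print` itself fails (or otherwise checking `print`'s status separately) before the `nft -c` step, so a broken renderer is refused the same way a broken ruleset is. Minor: in the `check` arm `-q` sends both stdout and stderr to `/dev/null`, so the exit status is the only signal a caller gets; worth a comment, since the rejection details are lost in quiet mode.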
@@ -140,6 +149,12 @@ Usage:
     Print the rendered ruleset.
 
 
+  $0 [-q] check
+
+    Test the rendered ruleset using nftables' check mode without
+    applying it to the running system.
+
+
   $0 [-q] network {net}
 
     Print the name of the firewall zone covering the given network.
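Review bot: The usage text gains an entry for `check` but says nothing about the behaviour change to `restart`, which now runs the same nftables check and aborts before flushing when it fails; add a sentence to the `restart` entry (outside this hunk) or to the `check` entry noting that `restart` performs this check before touching the running ruleset, and that the `-q` flag makes `check` fully silent so scripts should rely on its exit status.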