Harden rule health checks

lib/iptables_ops.sh

@@ -150,6 +150,36 @@ ipt_apply_rule() {
   fi
 }
 
+ipt_rule_healthy() {
+  local uuid=$1 proto=$2 lport=$3 tip_raw=$4 tport=$5 ipver=$6
+  local family protocol bin tip comment destination
+  comment=$(ipt_comment_tag "${uuid}")
+
+  while IFS= read -r family; do
+    [[ -n ${family} ]] || continue
+    bin=$(ipt_bin_for_family "${family}")
+    tip=$(ipt_target_for_family "${tip_raw}" "${family}")
+    destination=$(ipt_to_destination "${tip_raw}" "${tport}" "${family}")
+
+    while IFS= read -r protocol; do
+      [[ -n ${protocol} ]] || continue
+      _ipt_check_rule "${bin}" nat PREROUTING \
+        -p "${protocol}" --dport "${lport}" \
+        -j DNAT --to-destination "${destination}" \
+        -m comment --comment "${comment}" || return 1
+      _ipt_check_rule "${bin}" nat POSTROUTING \
+        -p "${protocol}" -d "${tip}" --dport "${tport}" \
+        -j MASQUERADE \
+        -m comment --comment "${comment}" || return 1
+      _ipt_check_rule "${bin}" '' FORWARD \
+        -p "${protocol}" -d "${tip}" --dport "${tport}" \
+        -m conntrack --ctstate NEW,ESTABLISHED,RELATED \
+        -j ACCEPT \
+        -m comment --comment "${comment}" || return 1
+    done < <(ipt_protocols_for "${proto}")
+  done < <(ipt_families_for "${ipver}")
+}
+
 ipt_remove_rule() {
   local uuid=$1 proto=$2 lport=$3 tip_raw=$4 tport=$5 ipver=$6
   local -a families protocols