From bbafb86e91ae3682a1811119d136203957df9061 Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Tue, 7 Nov 2023 01:04:03 +0000
Subject: [PATCH] Don't use iptables-save/iptables-restore if it will corrupt rules
Signed-off-by: Brad Davidson
---
 install.sh | 26 ++++++++++++++++++--------
 install.sh.sha256sum | 2 +-
 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/install.sh b/install.sh
index 8c5fd970234c..c731c28be602 100644
--- a/install.sh
+++ b/install.sh
@@ -999,6 +999,19 @@ openrc_start() {
 $SUDO ${FILE_K3S_SERVICE} restart
 }
 
+has_working_xtables() {
+ if command -v "$1-save" 1> /dev/null && command -v "$1-restore" 1> /dev/null; then
+ if $SUDO $1-save 2>/dev/null | grep -q '^-A CNI-HOSTPORT-MASQ -j MASQUERADE$'; then
+ warn "Host $1-save/$1-restore tools are incompatible with existing rules"
+ else
+ return 0
+ fi
+ else
+ info "Host $1-save/$1-restore tools not found"
+ fi
+ return 1
+}
+
 # --- startup systemd or openrc service ---
 service_enable_and_start() {
 if [ -f "/proc/cgroups" ] && [ "$(grep memory /proc/cgroups | while read -r n n n enabled; do echo $enabled; done)" -eq 0 ];
@@ -1019,14 +1032,11 @@ service_enable_and_start() {
 return
 fi
 
- if command -v iptables-save 1> /dev/null && command -v iptables-restore 1> /dev/null
- then
- $SUDO iptables-save | grep -v KUBE- | grep -iv flannel | $SUDO iptables-restore
- fi
- if command -v ip6tables-save 1> /dev/null && command -v ip6tables-restore 1> /dev/null
- then
- $SUDO ip6tables-save | grep -v KUBE- | grep -iv flannel | $SUDO ip6tables-restore
- fi
+ for XTABLES in iptables ip6tables; do
+ if has_working_xtables ${XTABLES}; then
+ $SUDO ${XTABLES}-save 2>/dev/null | grep -v KUBE- | grep -iv flannel | $SUDO ${XTABLES}-restore
+ fi
+ done
 
 [ "${HAS_SYSTEMD}" = true ] && systemd_start
 [ "${HAS_OPENRC}" = true ] && openrc_start
diff --git a/install.sh.sha256sum b/install.sh.sha256sum
index d1e105edc1ff..60c141cc85ff 100644
--- a/install.sh.sha256sum
+++ b/install.sh.sha256sum
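Review bot: has_working_xtables treats a failed `$1-save` as a working tool: stderr is discarded and only grep's status is tested, so a dump that errors out or prints nothing falls through to `return 0`. Capturing the dump first lets the function check the exit status before looking for the sentinel, e.g. `rules=$($SUDO "$1-save" 2>/dev/null) || { warn "Host $1-save failed"; return 1; }` followed by `if printf '%s\n' "$rules" | grep -q '^-A CNI-HOSTPORT-MASQ -j MASQUERADE$'; then`. The sentinel also needs a comment: judging by the commit title, a CNI-HOSTPORT-MASQ rule printed with no match criteria presumably means the host tool could not render the rule's match, so restoring its output would rewrite the rule as an unconditional MASQUERADE. Something like `# A bare "-j MASQUERADE" in CNI-HOSTPORT-MASQ means this tool dropped the rule's match; do not round-trip rules through it` would record that.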
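Review bot: The filter on the `$SUDO ${XTABLES}-save 2>/dev/null | grep -v KUBE- | grep -iv flannel | $SUDO ${XTABLES}-restore` line is a substring match over whole rule lines, so any host rule whose text merely contains `KUBE-` or `flannel` (for example inside a `--comment`) is dropped from the restored ruleset together with the Kubernetes and flannel rules it is presumably meant to clear, and nothing in the loop says so. A comment above the loop would make that visible to whoever audits the host firewall afterwards: `# Drops every saved rule line containing KUBE- or "flannel" (case-insensitive) before restoring, including unrelated rules that only mention them`. The expansions should also be quoted, `has_working_xtables "${XTABLES}"` and `$SUDO "${XTABLES}-save"`, to match the quoting in has_working_xtables' `command -v` calls. service_enable_and_start begins and ends outside the hunk.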
@@ -1 +1 @@
-ff8b7b4028299c878180c1288efa73205c54c7c3fbc2d313fcc666374526d221 install.sh
+8c71108b5602b40ab6a9e60fe66403302b458046cb8afd1980d3c183d25278ac install.sh