Thanks for the feedback. I've applied the iptables -L with a callback handler. The callback handler then decides whether or not to create the base chains.
I changed the commit message from "nwfilter: Avoid firewall hole during VM startup by checking rule presence" to "nwfilter: Check before removing and reinserting iptable base chains". I also edited nwfilterxml2firewalltest, so it pretends that currently there are no chains, and I changed the expected order of the commonRules.

Dion Bosschieter (1):
  nwfilter: Check before removing and reinserting iptable base chains

 src/nwfilter/nwfilter_ebiptables_driver.c | 203 +++++++++++++---------
 tests/nwfilterxml2firewalltest.c          |  58 +++++--
 2 files changed, 163 insertions(+), 98 deletions(-)

--
2.43.0