Version: 54.0.2826.0
OS: Chrome
IpTables::ApplyVpnSetup appears to be written with the intention of not leaking firewall rules in failure cases. However, because each of IpTables::ApplyRuleForUserTraffic, IpTables::ApplyMasquerade, and IpTables::ApplyMarkForUserTraffic issues two calls to ExecvNonRoot and fails if at least one of them returns a non-zero exit code, ApplyVpnSetup can leak a firewall rule when only one of the shell commands issued by one of these functions fails while the other succeeds. This is evident from the fact that usernames are not tracked unless their corresponding calls to ApplyMarkForUserTraffic return true.
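The partial-failure leak described in the report, as an added illustration that is not Chromium OS code: a two-command "apply" that reports failure when either half fails, driven by a setup routine that only tracks (and therefore only tears down) users whose apply returned true. FakeExecutor, RuleFor, SimulateVpnSetup, ApplyRuleBuggy and ApplyRuleFixed are hypothetical stand-ins for the real ExecvNonRoot-based helpers, and the rule strings and usernames are constructed sample data. ApplyRuleFixed shows the shape of the fix the report implies: undo the half that did succeed before reporting failure.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Simulated firewall state: the set of rules currently installed.
// Hypothetical stand-in for the kernel's iptables/ip6tables tables.
using FirewallState = std::set<std::string>;

// Hypothetical stand-in for ExecvNonRoot. "Runs" an iptables-style command;
// any command listed in |fail_cmds| is scripted to return a non-zero exit.
struct FakeExecutor {
  FirewallState state;
  std::set<std::string> fail_cmds;

  // Returns true on success (exit code 0), false otherwise.
  bool Run(const std::string& tool, const std::string& action,
           const std::string& rule) {
    const std::string cmd = tool + " " + action + " " + rule;
    if (fail_cmds.count(cmd)) return false;
    if (action == "-A") state.insert(tool + " " + rule);
    else if (action == "-D") state.erase(tool + " " + rule);
    return true;
  }
};

// Constructed per-user rule text (not the real rule syntax used by the code).
std::string RuleFor(const std::string& user) {
  return "-m owner --uid-owner " + user;
}

// Mirrors the pattern the report describes: two commands (IPv4 and IPv6),
// success only if both succeed, and no cleanup of the first command's rule
// when only the second one fails.
bool ApplyRuleBuggy(FakeExecutor& ex, const std::string& rule) {
  bool ok4 = ex.Run("iptables", "-A", rule);
  bool ok6 = ex.Run("ip6tables", "-A", rule);
  return ok4 && ok6;
}

// Same two commands, but the half that did apply is removed before reporting
// failure, so the caller's "untracked user" never owns an installed rule.
bool ApplyRuleFixed(FakeExecutor& ex, const std::string& rule) {
  if (!ex.Run("iptables", "-A", rule)) return false;
  if (!ex.Run("ip6tables", "-A", rule)) {
    ex.Run("iptables", "-D", rule);  // roll back the successful half
    return false;
  }
  return true;
}

// Simulated ApplyVpnSetup: applies a rule per user, records the user only
// when apply() reports success, and on any failure tears down the rules of
// the recorded users. Returns the rules still installed afterwards, i.e.
// whatever leaked.
FirewallState SimulateVpnSetup(FakeExecutor& ex,
                               const std::vector<std::string>& users,
                               bool (*apply)(FakeExecutor&, const std::string&)) {
  std::vector<std::string> tracked;
  bool success = true;
  for (const auto& u : users) {
    if (!apply(ex, RuleFor(u))) { success = false; break; }
    tracked.push_back(u);  // only users whose apply returned true
  }
  if (!success) {
    for (const auto& u : tracked) {
      ex.Run("iptables", "-D", RuleFor(u));
      ex.Run("ip6tables", "-D", RuleFor(u));
    }
  }
  return ex.state;
}

// Scenario: the ip6tables half of the second user's rule fails.
FirewallState LeakedRules(bool fixed) {
  FakeExecutor ex;
  ex.fail_cmds.insert("ip6tables -A " + RuleFor("bob"));
  return SimulateVpnSetup(ex, {"alice", "bob"},
                          fixed ? &ApplyRuleFixed : &ApplyRuleBuggy);
}

int main() {
  for (bool fixed : {false, true}) {
    std::cout << (fixed ? "fixed" : "buggy") << " apply, leaked rules:\n";
    for (const auto& r : LeakedRules(fixed)) std::cout << "  " << r << "\n";
  }
  return 0;
}
```

With the buggy apply, the IPv4 rule for "bob" survives the teardown because "bob" was never tracked; with the fixed apply, the firewall is empty after the failed setup.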
Comment 1 by sheriffbot@chromium.org, Aug 16 2016