stop () in /etc/init.d/iptables 1.2.11-r3 leaves the firewall open: policy ACCEPT for all chains in all tables. If one does /etc/init.d/iptables stop, edits /var/lib/iptables/rules-save and then /etc/init.d/iptables start, the firewall is wide open. It will also be left open by start () if there was a syntax error in rules-save. This can be worked around while the system is up by manually downing the sensitive interfaces. But on boot, an error in rules-save will leave the firewall open instead of closed.

Can we have two more commands for /etc/init.d/iptables?

securestop -- which downs interfaces before flushing the chains. Use an env var from /etc/conf.d/iptables to select which interface(s) to automatically down.

securestart -- which downs an interface if the rules fail to load. Uses the same env var as securestart.

Then make the normal start ()/stop () use the secure versions if the sensitive interface list is defined. You would also need to check to see if the default route was removed when an interface was downed.

BTW Do you really mean = instead of == in:

stop() {
    if [ "${SAVE_ON_STOP}" = "yes" ]; then

Reproducible: Always

Steps to Reproduce:
1. /etc/init.d/iptables stop
2. Manually edit /var/lib/iptables/rules-save
3. Introduce a syntax error in the file.
4. /etc/init.d/iptables start

Actual Results:
During the editing time the firewall was open. The start failed, and the firewall was left open.

Expected Results:
Fail secure -- the system should not be vulnerable on startup errors or during changes to the firewall rules.

# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.2.9-r1.init,v 1.3 2004/08/18 22:08:21 aliz Exp $

The /etc/init.d/iptables says 1.2.9 even though version 1.2.11-r3 is installed. emerge --pretend --verbose iptables:

[ebuild R ] net-firewall/iptables-1.2.11-r3 -debug -extensions +ipv6 -static 0 kB
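The fail-open sequence described in the report (reset every chain to ACCEPT, then hope iptables-restore succeeds) can be inverted so that a bad rules-save leaves the box closed rather than open. The script below is an added example, not part of this bug report or of Gentoo's init script: it installs a lockdown ruleset (policy DROP, loopback only) before attempting the restore, and keeps that lockdown if the restore fails. The function names (lockdown, secure_reload), the IPTABLES / IPTABLES_RESTORE override variables and the fake_* stand-ins are all constructed for the example so it can be run without root or a live netfilter; the stand-ins model only the INPUT policy, which is enough to show fail-open versus fail-closed.

```shell
#!/bin/sh
# Added example, not Gentoo's /etc/init.d/iptables: a fail-secure way to
# (re)load /var/lib/iptables/rules-save.  Rather than resetting every
# chain policy to ACCEPT and then hoping the restore succeeds, it installs
# a lockdown ruleset first (policy DROP, loopback only) and only then runs
# iptables-restore.  A syntax error in the file leaves the lockdown in
# place instead of an open firewall.
#
# IPTABLES and IPTABLES_RESTORE are overridable so the logic can be run
# without root or a real netfilter; the fake_* stand-ins further down are
# constructed for that purpose and are not real tools.

IPTABLES="${IPTABLES:-iptables}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Closed state for the filter table: flush, drop by default, allow loopback.
lockdown() {
    "$IPTABLES" -F &&
    "$IPTABLES" -X &&
    "$IPTABLES" -P INPUT DROP &&
    "$IPTABLES" -P FORWARD DROP &&
    "$IPTABLES" -P OUTPUT DROP &&
    "$IPTABLES" -A INPUT -i lo -j ACCEPT &&
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
}

# secure_reload FILE
#   returns 0 when FILE loaded, 1 when it was unreadable or rejected by
#   iptables-restore (lockdown stays active), 2 when even the lockdown
#   could not be installed.
secure_reload() {
    rules="$1"
    lockdown || return 2
    if [ ! -r "$rules" ]; then
        echo "secure_reload: cannot read $rules; staying locked down" >&2
        return 1
    fi
    # iptables-restore commits each table atomically at its COMMIT line,
    # so a rejected table keeps the lockdown rules rather than half of FILE.
    if "$IPTABLES_RESTORE" < "$rules"; then
        return 0
    fi
    echo "secure_reload: $rules rejected; staying locked down" >&2
    return 1
}

# --- constructed stand-ins for offline demonstration ---------------------
# They track only the INPUT policy: FAKE_STATE is 'policy-DROP' after
# lockdown and 'rules-loaded' after a successful restore.
FAKE_STATE=unknown
fake_iptables() {
    if [ "$1" = -P ] && [ "$2" = INPUT ]; then
        FAKE_STATE="policy-$3"
    fi
}
# Accept only the line shapes iptables-save writes; anything else counts
# as a syntax error, like "iptables-restore: line N failed".
fake_restore() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|'*'*|':'*|'-A '*|COMMIT) ;;
            *) echo "fake_restore: cannot parse: $line" >&2; return 1 ;;
        esac
    done
    FAKE_STATE=rules-loaded
}
current_state() { printf '%s\n' "$FAKE_STATE"; }

# Run both scenarios against the stand-ins:  sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    IPTABLES=fake_iptables
    IPTABLES_RESTORE=fake_restore
    tmp=$(mktemp)
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$tmp"
    secure_reload "$tmp"; echo "good file -> $(current_state)"
    printf '*filter\n-AINPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n' > "$tmp"
    secure_reload "$tmp"; echo "bad file  -> $(current_state)"
    rm -f "$tmp"
fi
```

Using a DROP policy as the "closed" state, instead of downing the sensitive interfaces as the report proposes, reaches the same fail-closed goal without touching the routing table, so the default-route concern raised above does not arise; on a real host, lockdown would normally also allow ESTABLISHED traffic so an administrator's session survives a failed reload.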
> if [ "${SAVE_ON_STOP}" = "yes" ]; then

No, POSIX says to use = in tests of equality with shell.
Don't see enough value here to spend time implementing.